{"slug": "show-hn-agent-gate-a-deterministic-ci-firewall-for-ai-generated-prs", "title": "Show HN: Agent Gate – a deterministic CI firewall for AI-generated PRs", "summary": "Agent Gate, a deterministic CI firewall for AI-generated pull requests, has been released as a pre-release v0.1.0 on GitHub. The tool blocks PRs that violate contracts, escalate workflow permissions, or lack test evidence, without executing untrusted code or making LLM calls. It aims to enforce safety policies for AI-generated code contributions.", "body_md": "No AI PR gets merged without proof.\n\nAgent Gate is a deterministic CI firewall for AI-generated pull requests. It checks PR contracts, risky paths, agent instruction drift, workflow permissions, and test evidence before merge.\n\nThe Action does not check out PR code, make LLM calls at runtime, execute repository scripts, or load policy from an untrusted PR head. The same analyzer also powers local replay fixtures for deterministic demos.\n\nAgent Gate is pre-release. `v0.1.0` is available as a GitHub prerelease. The core analyzer, CLI replay, root GitHub Action, PR comments, self-dogfooding workflow, and CI are implemented. APIs and rule names may change in later releases.\n\nFor released installs, prefer `@v0.1.0` or, better, a pinned full commit SHA (a tag can be moved to point at different code; a SHA cannot). 
`@main` tracks ongoing development.\n\n- See `docs/v0.1.0-release-notes.md` and `docs/release-verification-v0.1.0.md` for release notes and verification.\n- See `docs/repository-governance.md` for recommended branch protection and release safety settings.\n- See `docs/launch-announcement-draft.md` for a reusable launch announcement draft.\n\nFeedback on AI-generated PR safety policies is welcome in [#27](https://github.com/sjh9714/Agent-Gate/issues/27).\n\nAgent Gate reports findings for:\n\n- Out-of-contract edits: agent PRs changing files outside their declared scope.\n- Workflow permission escalation: Actions workflows gaining broader write access.\n- Agent control-plane drift (`agent-control-plane/drift`): instruction or tool config changes that affect future agents.\n- Missing test evidence: high-risk source changes without matching test file changes.\n- MCP config drift: `.mcp.json` changes that alter which tools agents can call.\n\nAI agents can open pull requests. Tests do not always catch:\n\n- out-of-scope edits\n- workflow permission escalation\n- agent control-plane drift\n- missing test evidence\n- MCP config drift\n\nLocal replay demo with human-readable output:\n\n```\npnpm --filter agent-gate build\nnode packages/cli/dist/main.js replay fixtures/unsafe-pr-zoo/workflow-permission-escalation\n```\n\nExample output:\n\n```\nAgent Gate: BLOCKED\n\nERROR workflow/permission-escalation\ncontents permission increased from read to write.\nPath: .github/workflows/release.yml\n\nERROR workflow/dangerous-pattern\n.github/workflows/release.yml contains a dangerous GitHub Actions workflow pattern.\nPath: .github/workflows/release.yml\n```\n\nMachine-readable JSON report:\n\n```\nnode packages/cli/dist/main.js replay fixtures/unsafe-pr-zoo/workflow-permission-escalation --format json\n```\n\nExpected result: Agent Gate reports a blocked PR with `workflow/permission-escalation` and `workflow/dangerous-pattern` findings.\n\nAdditional unsafe-pr-zoo 
demos:\n\n- `agent-control-plane-drift`: blocks `AGENTS.md` changes because they can change future agent behavior.\n- `out-of-scope-agent-edit`: blocks a payment webhook edit outside the PR contract's `allowed_paths`.\n- `missing-test-evidence`: blocks an auth logic change without matching auth test changes.\n- `mcp-config-drift`: blocks `.mcp.json` changes because MCP config can change which tools an agent can call.\n\n```\nnode packages/cli/dist/main.js replay fixtures/unsafe-pr-zoo/agent-control-plane-drift\nnode packages/cli/dist/main.js replay fixtures/unsafe-pr-zoo/out-of-scope-agent-edit\nnode packages/cli/dist/main.js replay fixtures/unsafe-pr-zoo/missing-test-evidence\nnode packages/cli/dist/main.js replay fixtures/unsafe-pr-zoo/mcp-config-drift\n```\n\nAdd Agent Gate to a repository with a pull request workflow. No checkout step is required.\n\n```\nname: Agent Gate\n\non:\n  pull_request:\n    types:\n      - opened\n      - synchronize\n      - reopened\n      - edited\n      - labeled\n      - unlabeled\n      - ready_for_review\n\npermissions:\n  contents: read\n  pull-requests: read\n\njobs:\n  agent-gate:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: sjh9714/Agent-Gate@v0.1.0\n        with:\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n          mode: warn\n          fail-on-block: false\n```\n\nAgent Gate loads policy from the PR base branch and does not execute PR branch code. Start with `mode: warn` and `fail-on-block: false`, tune the findings, then move to `mode: block` when ready.\n\nTo let Agent Gate create or update a PR report comment, add `issues: write` to the workflow permissions (PR conversation comments are issue comments in the GitHub API) and set `comment: true`. Keep `contents: read` and `pull-requests: read`; no checkout step is needed. 
On fork pull requests, GitHub may still provide a read-only token, so comment failures are reported as warnings instead of failing the action.\n\n```\npermissions:\n  contents: read\n  pull-requests: read\n  issues: write\n\nwith:\n  comment: true\n```\n\nCreate `agent-gate.yml` in the repository root:\n\n```\nversion: 1\nmode: warn\n\ncontract:\n  required_for:\n    - agent\n  allow_missing_in_observe_mode: true\n\nagent_detection:\n  authors:\n    - github-copilot[bot]\n  labels:\n    - ai\n    - agent\n    - codex\n  branch_patterns:\n    - \"codex/**\"\n    - \"ai/**\"\n\nhigh_risk_paths:\n  workflows:\n    paths:\n      - \".github/workflows/**\"\n    severity: error\n```\n\nTeams can add auth, payments, infra, and agent-control-plane paths as their policy matures.\n\n- `packages/core`: pure analysis engine, built-in deterministic rules, and JSON/Markdown report renderers.\n- `packages/cli`: `agent-gate replay <fixture-dir>` for deterministic local fixture demos.\n- `packages/action`: Node 20 GitHub Action package that reads pull request data through GitHub APIs and calls the core analyzer.\n\nExternal users should prefer the root action with `sjh9714/Agent-Gate@<ref>`. The package-local action remains at `packages/action/action.yml` for this repository's own development workflow. Both use REST APIs only: they load `agent-gate.yml` from the PR base ref, read changed-file metadata and file contents from the API, run `@agent-gate/core`, write JSON/Markdown reports, set action outputs, write the job summary, and optionally upsert one marked PR report comment. They do not check out the pull request or execute repository scripts.\n\nAgent Gate runs against this repository's pull requests through `.github/workflows/agent-gate.yml`. The workflow uses `sjh9714/Agent-Gate/packages/action@main`, so pull requests do not execute Action code from their own branches while the action itself is under development.\n\n
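To make the rule classes above concrete, here is an added example, written for this page and not taken from Agent Gate's packages: a small TypeScript analyzer that applies the five finding classes to an in-memory PR whose base and head file contents are supplied as strings, the way the Action reads them from the API rather than from a checkout. The rule ids `workflow/permission-escalation` and `agent-control-plane/drift` are the ones the README shows; `contract/out-of-scope`, `tests/missing-evidence` and `mcp/config-drift`, the `POLICY` shape, the glob matcher and the indentation-based `permissions:` parser are all assumptions of this example, and the fixture PR is constructed here, not one of the `unsafe-pr-zoo` fixtures.

```typescript
// Added example, not Agent Gate's own code: a minimal deterministic analyzer that
// applies the README's five finding classes to an in-memory PR. The rule ids
// workflow/permission-escalation and agent-control-plane/drift appear in the
// README; contract/out-of-scope, tests/missing-evidence and mcp/config-drift are
// assumed names, and POLICY is modelled on the README's agent-gate.yml keys.
type ChangedFile = { path: string; before: string | null; after: string | null };
type PullRequest = { isAgent: boolean; allowedPaths: string[]; files: ChangedFile[] };
type Finding = { rule: string; path: string; message: string };

const POLICY = {
  highRiskSource: ['src/auth/**', 'src/payments/**'], // source changes that need test evidence
  testPaths: ['**/*.test.ts', 'tests/**'],
  controlPlane: ['AGENTS.md'], // instructions that shape future agents
  mcpConfig: ['.mcp.json'], // decides which tools agents may call
};
const LEVEL: Record<string, number> = { none: 0, read: 1, write: 2 };

// Translate a glob (`**` = any depth, `*` = within one path segment) to a RegExp.
function globToRegExp(glob: string): RegExp {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') { re += '.*'; i++; if (glob[i + 1] === '/') i++; }
    else if (c === '*') re += '[^/]*';
    else re += c.replace(/[.+?^${}()|\[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}
const matches = (p: string, globs: string[]): boolean => globs.some((g) => globToRegExp(g).test(p));

// Collect every `permissions:` mapping (workflow- or job-level) by indentation, without a
// YAML library. `read-all`/`write-all` shorthands land under scope '*'; when a scope appears
// in several blocks the highest level wins (a simplification of GitHub's job-overrides-workflow rule).
function permissionScopes(yaml: string): Record<string, string> {
  const scopes: Record<string, string> = {};
  const lines = yaml.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const m = /^(\s*)permissions:\s*(\S*)\s*$/.exec(lines[i]);
    if (!m) continue;
    if (m[2]) { scopes['*'] = m[2].replace('-all', ''); continue; }
    for (let j = i + 1; j < lines.length; j++) {
      if (lines[j].trim() === '') continue;
      if (lines[j].search(/\S/) <= m[1].length) break; // left the mapping
      const kv = /^\s*([\w-]+):\s*(\w+)\s*$/.exec(lines[j]);
      if (kv && (LEVEL[kv[2]] || 0) > (LEVEL[scopes[kv[1]]] || 0)) scopes[kv[1]] = kv[2];
    }
  }
  return scopes;
}

// Base vs head scopes for one workflow file; a scope absent from a block counts as `none`
// (assumption: right when a `permissions:` block exists, not for workflows that have none).
function permissionEscalations(file: ChangedFile): Finding[] {
  const before = permissionScopes(file.before ?? '');
  const after = permissionScopes(file.after ?? '');
  return Object.keys(after)
    .filter((s) => (LEVEL[after[s]] || 0) > (LEVEL[before[s] || 'none'] || 0))
    .map((s) => ({
      rule: 'workflow/permission-escalation', path: file.path,
      message: `${s} permission increased from ${before[s] || 'none'} to ${after[s]}.`,
    }));
}

function analyze(pr: PullRequest): Finding[] {
  const findings: Finding[] = [];
  const paths = pr.files.map((f) => f.path);
  for (const f of pr.files) {
    if (pr.isAgent && !matches(f.path, pr.allowedPaths))
      findings.push({ rule: 'contract/out-of-scope', path: f.path, message: `${f.path} is outside the PR contract's allowed_paths.` });
    if (matches(f.path, ['.github/workflows/**'])) findings.push(...permissionEscalations(f));
    if (matches(f.path, POLICY.controlPlane))
      findings.push({ rule: 'agent-control-plane/drift', path: f.path, message: `${f.path} changes instructions that affect future agents.` });
    if (matches(f.path, POLICY.mcpConfig))
      findings.push({ rule: 'mcp/config-drift', path: f.path, message: `${f.path} changes which tools agents can call.` });
  }
  // Missing test evidence: a high-risk source file changed and no test file changed in the same PR.
  const hasTests = paths.some((p) => matches(p, POLICY.testPaths));
  for (const p of paths)
    if (!hasTests && matches(p, POLICY.highRiskSource) && !matches(p, POLICY.testPaths))
      findings.push({ rule: 'tests/missing-evidence', path: p, message: `${p} is high-risk but no test files changed.` });
  return findings;
}
const verdict = (findings: Finding[]): 'BLOCKED' | 'PASS' => (findings.length ? 'BLOCKED' : 'PASS');

// Render in the shape of the replay output shown earlier on the page.
function render(findings: Finding[]): string {
  return [`Agent Gate: ${verdict(findings)}`, ...findings.map((f) => `\nERROR ${f.rule}\n${f.message}\nPath: ${f.path}`)].join('\n');
}

// Constructed fixture (not one of the repo's unsafe-pr-zoo fixtures): an agent PR whose contract
// allows only src/auth/**, but which also widens a release workflow's token and edits AGENTS.md.
const BASE_WORKFLOW = 'name: release\non: push\npermissions:\n  contents: read\njobs:\n  build:\n    runs-on: ubuntu-latest\n';
const HEAD_WORKFLOW = BASE_WORKFLOW.replace('contents: read', 'contents: write\n  id-token: write');
const FIXTURE: PullRequest = {
  isAgent: true,
  allowedPaths: ['src/auth/**'],
  files: [
    { path: 'src/auth/session.ts', before: 'export const ttl = 3600;\n', after: 'export const ttl = 86400;\n' },
    { path: '.github/workflows/release.yml', before: BASE_WORKFLOW, after: HEAD_WORKFLOW },
    { path: 'AGENTS.md', before: '# Agents\n', after: '# Agents\nSkip the test suite when it is slow.\n' },
  ],
};

console.log(render(analyze(FIXTURE)));
```

Run it with `npx tsx` or compile it with `tsc`; it prints a report in the shape of the replay output above, with six findings for the constructed PR (two out-of-scope edits, two permission escalations, one control-plane drift, one missing-test-evidence) and a PASS verdict once the same auth change ships with a `*.test.ts` file. Two simplifications matter when reading it: a scope missing from a `permissions:` block is treated as `none`, which is correct when the block exists but says nothing about a workflow with no `permissions:` block at all, where the repository's default token permissions apply; and the test-evidence rule only asks whether any test file changed in the PR, whereas the README describes matching test changes to the high-risk change. The `workflow/dangerous-pattern` finding is not modelled here.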
The dogfooding workflow starts in non-blocking `warn` mode while the project tunes its early policy.\n\nTo develop locally:\n\n```\npnpm install\npnpm test\npnpm typecheck\npnpm lint\npnpm build\n```\n\nAgent Gate must not call LLMs at runtime, execute PR-controlled code, or load policy from an untrusted PR head. The core analysis package must remain independent from GitHub APIs.", "url": "https://wpnews.pro/news/show-hn-agent-gate-a-deterministic-ci-firewall-for-ai-generated-prs", "canonical_source": "https://github.com/sjh9714/Agent-Gate", "published_at": "2026-06-14 04:38:42+00:00", "updated_at": "2026-06-14 04:59:49.507043+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "developer-tools", "ai-policy", "ai-tools"], "entities": ["Agent Gate", "GitHub", "sjh9714"], "alternates": {"html": "https://wpnews.pro/news/show-hn-agent-gate-a-deterministic-ci-firewall-for-ai-generated-prs", "markdown": "https://wpnews.pro/news/show-hn-agent-gate-a-deterministic-ci-firewall-for-ai-generated-prs.md", "text": "https://wpnews.pro/news/show-hn-agent-gate-a-deterministic-ci-firewall-for-ai-generated-prs.txt", "jsonld": "https://wpnews.pro/news/show-hn-agent-gate-a-deterministic-ci-firewall-for-ai-generated-prs.jsonld"}}