Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
version: 2
updates:
# Python dependencies (mcp, pytest, etc.)
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
groups:
python:
patterns: ["*"]

# GitHub Actions — keeps the SHA-pinned actions current
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
groups:
actions:
patterns: ["*"]
36 changes: 31 additions & 5 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@ on:
branches: [main]
pull_request:

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
Expand All @@ -13,11 +16,34 @@ jobs:
matrix:
python-version: ["3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ matrix.python-version }}
- name: Install (with MCP SDK)
run: pip install -e ".[dev]"
- name: Run tests
run: python -m pytest -q
run: pip install -e ".[dev]" pytest-cov
- name: Run tests + coverage gate
run: python -m pytest -q --cov=agent_gate --cov-report=term-missing --cov-fail-under=90

coverage:
# Produces the coverage badge + a per-PR coverage comment (self-contained,
# no third-party service). Runs single-version; the gate above is the matrix.
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.12"
- name: Install
run: pip install -e ".[dev]" coverage
- name: Measure coverage
run: |
coverage run -m pytest
coverage report
- name: Coverage badge + PR comment
uses: py-cov-action/python-coverage-comment-action@cc6cde2639ed103404ce0da9e75114ae9561e691 # v3
with:
GITHUB_TOKEN: ${{ github.token }}
35 changes: 35 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: CodeQL

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "27 3 * * 1" # weekly, Monday 03:27 UTC

permissions:
contents: read

jobs:
analyze:
name: Analyze (python)
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Initialize CodeQL
uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
with:
languages: python
queries: security-extended

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
with:
category: "/language:python"
6 changes: 3 additions & 3 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,9 @@ jobs:
permissions:
id-token: write # trusted publishing
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: "3.12"
- run: python -m pip install build && python -m build
- uses: pypa/gh-action-pypi-publish@release/v1
- uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
5 changes: 5 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,8 @@ build/
dist/
receipts.jsonl
.agent-gate/

# coverage artifacts
.coverage
coverage.xml
htmlcov/
12 changes: 12 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
# agent-gate

[![ci](https://github.com/Jott2121/agent-gate/actions/workflows/ci.yml/badge.svg)](https://github.com/Jott2121/agent-gate/actions/workflows/ci.yml)
[![CodeQL](https://github.com/Jott2121/agent-gate/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jott2121/agent-gate/actions/workflows/codeql.yml)
[![Coverage](https://raw.githubusercontent.com/Jott2121/agent-gate/python-coverage-comment-action-data/badge.svg)](https://github.com/Jott2121/agent-gate/actions/workflows/ci.yml)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
[![Python](https://img.shields.io/badge/Python-3.11+-3776AB?logo=python&logoColor=white)](https://www.python.org/)
[![MCP](https://img.shields.io/badge/MCP-server-blueviolet.svg)](https://modelcontextprotocol.io/)
Expand Down Expand Up @@ -134,6 +136,16 @@ Run it yourself: `PYTHONPATH=. python3 examples/demo.py`
chain_intact: True
```

## This repo gates itself

`agent-gate` is about not shipping unverified work, so the repository holds itself to the same bar:

- **Coverage-gated test matrix** — `ci.yml` runs pytest on Python 3.11–3.13 and fails the build if line coverage drops below the threshold (currently 97% covered).
- **CodeQL** — static analysis (`security-extended`) runs on every push, PR, and weekly; findings surface in the Security tab.
- **Pinned supply chain** — every GitHub Action is pinned to a full commit SHA; **Dependabot** keeps those pins and the Python deps current.
- **Branch protection** — `main` requires the CI and CodeQL checks to pass before a merge.
- **Disclosure policy** — see [SECURITY.md](SECURITY.md).

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md).
Expand Down
40 changes: 40 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
# Security Policy

## Supported versions

`agent-gate` is actively maintained. Security fixes target the latest released
version on the `main` branch.

| Version | Supported |
| ---------------- | --------- |
| latest (`main`) | ✅ |
| older tags | ❌ |

## Reporting a vulnerability

Please **do not** open a public issue for security vulnerabilities.

Report privately through GitHub's
[**Report a vulnerability**](https://github.com/Jott2121/agent-gate/security/advisories/new)
flow (the repository's **Security → Advisories** tab). I aim to acknowledge
reports within 72 hours and to ship a fix or mitigation for confirmed issues as
quickly as is practical.

When reporting, please include:

- a description of the issue and its impact,
- steps to reproduce (a minimal proof-of-concept if possible), and
- any suggested remediation.

## Scope

`agent-gate` is a small, dependency-light MCP server. Findings of particular
interest:

- injection or unsafe deserialization in gate / ledger handling,
- tampering with the append-only, hash-chained receipt ledger,
- secret leakage through tool output, and
- supply-chain risks in CI (this repository pins its GitHub Actions to commit
SHAs and runs CodeQL + Dependabot to reduce that surface).

Thanks for helping keep it solid.
5 changes: 5 additions & 0 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,8 @@ include = ["agent_gate*"]

[tool.pytest.ini_options]
testpaths = ["tests"]

[tool.coverage.run]
source = ["agent_gate"]
# relative_files lets the coverage-comment action resolve paths from a checkout
relative_files = true
9 changes: 9 additions & 0 deletions tests/test_gate.py
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,15 @@ def test_non_true_values_do_not_pass(self):
self.assertFalse(g.evaluate({"a": "yes"}).passed) # only literal True passes
self.assertFalse(g.evaluate({"a": 1}).passed)

def test_get_gate_returns_registered_gate(self):
self.assertIs(G.get_gate(), G.DEFAULT_SHIP_GATE) # defaults to "ship"
self.assertIs(G.get_gate("ship"), G.DEFAULT_SHIP_GATE)

def test_get_gate_unknown_name_raises(self):
with self.assertRaises(ValueError) as ctx:
G.get_gate("does_not_exist")
self.assertIn("does_not_exist", str(ctx.exception)) # names the bad gate


if __name__ == "__main__":
unittest.main()
Loading