checks.json

{
  "$id": "https://raw.githubusercontent.com/ThreeMoonsLab/agents-shipgate/main/docs/checks.json",
  "checks": [
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "critical",
      "description": "Action approval policy was removed.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-approval-removed",
      "evidence_fields": [
        "change"
      ],
      "fires_when": "Base action approval.required was true and head no longer requires approval.",
      "floor_severity": null,
      "id": "SHIP-ACTION-APPROVAL-REMOVED",
      "rationale": "Removing approval weakens the release boundary for an existing action.",
      "recommendation": "Restore action_surface.actions[].approval.required: true or document the reviewed exception under action_surface.actions[].evidence.approval_ticket.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "high",
      "description": "Action declaration weakens an inherited approval or safeguard control.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-control-downgrade",
      "evidence_fields": [
        "action_id",
        "path",
        "inherited",
        "declared"
      ],
      "fires_when": "action_surface.actions.approval or safeguards sets an inherited true control to false.",
      "floor_severity": null,
      "id": "SHIP-ACTION-CONTROL-DOWNGRADE",
      "rationale": "Manifest-wide approval and safeguard controls are governance requirements; per-action metadata should not silently weaken them.",
      "recommendation": "Keep the inherited action_surface.actions[] approval/safeguard control enabled or remove the weakening declaration.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "critical",
      "description": "New destructive action lacks approval or rollback controls.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-destructive-rollback-missing",
      "evidence_fields": [
        "action_id",
        "missing"
      ],
      "fires_when": "An added destructive action lacks approval.required or safeguards.rollback.",
      "floor_severity": null,
      "id": "SHIP-ACTION-DESTRUCTIVE-ROLLBACK-MISSING",
      "rationale": "Destructive actions need explicit approval and rollback evidence before release.",
      "recommendation": "Declare approval.required and safeguards.rollback or remove the destructive action.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "high",
      "description": "Action declaration weakens the inferred effect.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-effect-downgrade-declared",
      "evidence_fields": [
        "action_id",
        "inferred_effect",
        "declared_effect"
      ],
      "fires_when": "action_surface.actions.effect is lower risk than the effect inferred from the loaded tool metadata.",
      "floor_severity": null,
      "id": "SHIP-ACTION-EFFECT-DOWNGRADE-DECLARED",
      "rationale": "Per-action metadata should not be able to declare away a higher-risk operation inferred from the tool surface.",
      "recommendation": "Set action_surface.actions[].effect to the inferred operation effect or remove the weaker declaration.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "critical",
      "description": "Action effect escalated compared with the base surface.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-effect-escalated",
      "evidence_fields": [
        "change"
      ],
      "fires_when": "An action changes to a higher-risk effect such as read to write or write to destructive.",
      "floor_severity": null,
      "id": "SHIP-ACTION-EFFECT-ESCALATED",
      "rationale": "Effect escalation changes what the agent can do in the real world and needs explicit review.",
      "recommendation": "Review action_surface.actions[].effect; restore the prior effect or document approval/evidence for the escalation.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "high",
      "description": "New external communication action lacks audit evidence.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-external-communication-audit-missing",
      "evidence_fields": [
        "action_id",
        "missing"
      ],
      "fires_when": "An added external_communication action lacks safeguards.audit_log.",
      "floor_severity": null,
      "id": "SHIP-ACTION-EXTERNAL-COMMUNICATION-AUDIT-MISSING",
      "rationale": "External communication changes agent blast radius and should be auditable.",
      "recommendation": "Declare safeguards.audit_log for the external communication action.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "critical",
      "description": "New financial write action lacks required controls.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-financial-write-control-missing",
      "evidence_fields": [
        "action_id",
        "missing"
      ],
      "fires_when": "An added action is financial_write and lacks approval.required, safeguards.audit_log, or safeguards.idempotency.",
      "floor_severity": null,
      "id": "SHIP-ACTION-FINANCIAL-WRITE-CONTROL-MISSING",
      "rationale": "Financial write actions need approval, audit, and idempotency evidence before release.",
      "recommendation": "Declare approval.required, safeguards.audit_log, and safeguards.idempotency.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "high",
      "description": "An action-surface policy requirement is not satisfied.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-policy-violation",
      "evidence_fields": [
        "policy_id",
        "action_id",
        "missing"
      ],
      "fires_when": "A user-declared action_surface.policies rule matches an action and one or more required dot-path values are absent or different.",
      "floor_severity": null,
      "id": "SHIP-ACTION-POLICY-VIOLATION",
      "rationale": "Action Surface Diff policies are the reviewer-facing release boundary for external action capability.",
      "recommendation": "Satisfy the action-surface policy requirements or remove/narrow the action.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "high",
      "description": "Action safeguard was removed.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-safeguard-removed",
      "evidence_fields": [
        "change"
      ],
      "fires_when": "A previously true action safeguard is false or absent in the head surface.",
      "floor_severity": null,
      "id": "SHIP-ACTION-SAFEGUARD-REMOVED",
      "rationale": "Removing audit, idempotency, rollback, or dry-run safeguards expands blast radius.",
      "recommendation": "Restore the removed action_surface.actions[].safeguards field or document the reviewed exception under action_surface.actions[].evidence.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "high",
      "description": "A loaded tool lacks explicit action-surface metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-undeclared",
      "evidence_fields": [
        "action_id",
        "tool_name"
      ],
      "fires_when": "action_surface.require_explicit_actions is true and a loaded tool has no matching action_surface.actions entry.",
      "floor_severity": null,
      "id": "SHIP-ACTION-UNDECLARED",
      "rationale": "Action Surface Diff depends on reviewer-visible action metadata for release decisions.",
      "recommendation": "Add action_surface.actions metadata for the tool or disable require_explicit_actions.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "action_surface",
      "default_severity": "critical",
      "description": "Action surface includes a wildcard or admin-like scope.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-action-wildcard-scope",
      "evidence_fields": [
        "action_id",
        "scopes",
        "change"
      ],
      "fires_when": "An added action declares a broad scope, or a modified action expands into a broad scope.",
      "floor_severity": null,
      "id": "SHIP-ACTION-WILDCARD-SCOPE",
      "rationale": "Wildcard scopes make action blast radius too broad for deterministic release review.",
      "recommendation": "Replace action_surface.actions[].scopes with operation-specific scopes; remove wildcard/admin scopes.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "adk",
      "default_severity": "high",
      "description": "Google ADK toolset cannot be statically enumerated.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-adk-dynamic-toolset-not-enumerable",
      "evidence_fields": [
        "toolset",
        "explicit_inventory"
      ],
      "fires_when": "A Google ADK toolset is dynamic or unresolved and no explicit MCP/OpenAPI/tool inventory input is declared.",
      "floor_severity": null,
      "id": "SHIP-ADK-DYNAMIC-TOOLSET-NOT-ENUMERABLE",
      "rationale": "Release review needs an explicit tool inventory; ADK MCP/OpenAPI toolsets may resolve tools dynamically at runtime.",
      "recommendation": "Provide explicit MCP/OpenAPI/tool inventory inputs for dynamic ADK toolsets.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "adk",
      "default_severity": "medium",
      "description": "Google ADK eval coverage is not declared.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-adk-eval-coverage-missing",
      "evidence_fields": [
        "agent_count",
        "eval_file_count"
      ],
      "fires_when": "Google ADK inputs target production_like or production and no eval files are declared.",
      "floor_severity": null,
      "id": "SHIP-ADK-EVAL-COVERAGE-MISSING",
      "rationale": "ADK releases should include response and tool-trajectory eval evidence before promotion.",
      "recommendation": "Declare ADK eval files for expected responses and tool-use trajectories.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "adk",
      "default_severity": "medium",
      "description": "Google ADK function tool lacks static metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-adk-function-tool-metadata-missing",
      "evidence_fields": [
        "missing",
        "source_type"
      ],
      "fires_when": "A Google ADK function/config tool lacks description or parameter metadata.",
      "floor_severity": null,
      "id": "SHIP-ADK-FUNCTION-TOOL-METADATA-MISSING",
      "rationale": "Static review depends on descriptions and parameter schemas because user ADK code is not imported.",
      "recommendation": "Add docstrings, annotations, or explicit local inventory metadata.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "adk",
      "default_severity": "high",
      "description": "High-risk Google ADK tools lack static guardrail evidence.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-adk-guardrail-evidence-missing",
      "evidence_fields": [
        "tools"
      ],
      "fires_when": "High-risk ADK tools are present without callbacks, plugins, or equivalent manifest policy evidence.",
      "floor_severity": null,
      "id": "SHIP-ADK-GUARDRAIL-EVIDENCE-MISSING",
      "rationale": "Callbacks and plugins are the static ADK surface where release reviewers can see guardrail intent.",
      "recommendation": "Attach ADK callbacks/plugins or manifest policies that document guardrails.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "adk",
      "default_severity": "high",
      "description": "Google ADK long-running tool lacks an operation contract.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-adk-longrunning-contract-missing",
      "evidence_fields": [
        "output_schema"
      ],
      "fires_when": "A LongRunningFunctionTool lacks structured status/progress and operation id output evidence.",
      "floor_severity": null,
      "id": "SHIP-ADK-LONGRUNNING-CONTRACT-MISSING",
      "rationale": "Long-running tools need explicit status and operation-id semantics for safe continuation.",
      "recommendation": "Document operation id, status/progress fields, and completion behavior.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "adk",
      "default_severity": "high",
      "description": "Google ADK McpToolset lacks a static tool filter.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-adk-mcp-toolset-unfiltered",
      "evidence_fields": [
        "source_ref",
        "agent_name",
        "inventory_path"
      ],
      "fires_when": "A Google ADK McpToolset has no static tool_filter.",
      "floor_severity": null,
      "id": "SHIP-ADK-MCP-TOOLSET-UNFILTERED",
      "rationale": "Unfiltered MCP toolsets can expose more tools than reviewers expect.",
      "recommendation": "Declare a tool_filter and provide a local MCP tool inventory.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "high",
      "description": "OpenAI API function schema is not strict enough for reliable tool calls.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-function-schema-strictness",
      "evidence_fields": [
        "issues",
        "risk_tags"
      ],
      "fires_when": "An OpenAI API function lacks strict=true, object parameters, additionalProperties=false, complete required fields, or bounded risky fields.",
      "floor_severity": null,
      "id": "SHIP-API-FUNCTION-SCHEMA-STRICTNESS",
      "rationale": "Strict schemas reduce ambiguous tool arguments and downstream side-effect risk.",
      "recommendation": "Use strict function schemas with explicit required fields and constrained risky parameters.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "Deprecated compatibility alias for the v0.3 OpenAI API operational readiness bundle.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-operational-readiness",
      "evidence_fields": [
        "legacy_check_id"
      ],
      "fires_when": "Not emitted by v0.4 scans; matching configuration expands to the v0.4 atomic OpenAI API operational readiness checks.",
      "floor_severity": null,
      "id": "SHIP-API-OPERATIONAL-READINESS",
      "rationale": "v0.4 emits atomic OpenAI API readiness check IDs, but this ID remains available for existing suppressions, severity overrides, baselines, SARIF consumers, and explain/list-checks workflows during the deprecation window.",
      "recommendation": "Migrate suppressions, severity overrides, and baselines to the specific v0.4 SHIP-API-* readiness check IDs.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "high",
      "description": "Prompt scope contradicts enabled OpenAI API tools.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-prompt-tool-scope-mismatch",
      "evidence_fields": [
        "tools"
      ],
      "fires_when": "Prompt text says read-only/advice-only while write tools are enabled, or high-risk tools lack approval/confirmation instructions.",
      "floor_severity": null,
      "id": "SHIP-API-PROMPT-TOOL-SCOPE-MISMATCH",
      "rationale": "Prompt instructions should match the actual write/high-risk tool surface.",
      "recommendation": "Align prompt scope with enabled tools and add approval/confirmation instructions.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "OpenAI API high-risk flow lacks retry policy metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-retry-policy-missing",
      "evidence_fields": [
        "high_risk_tools"
      ],
      "fires_when": "High-risk OpenAI API tools exist and no retry_policy is declared.",
      "floor_severity": null,
      "id": "SHIP-API-RETRY-POLICY-MISSING",
      "rationale": "Retries need explicit policy metadata so reviewers can reason about duplicate side effects.",
      "recommendation": "Declare retry_policy in openai_api.policy_rules or model_config.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "high",
      "description": "OpenAI API write tool may be retried without idempotency evidence.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-retry-without-idempotency",
      "evidence_fields": [
        "retry_policy",
        "risk_tags"
      ],
      "fires_when": "Retry policy is declared and a risky write tool lacks idempotency evidence.",
      "floor_severity": null,
      "id": "SHIP-API-RETRY-WITHOUT-IDEMPOTENCY",
      "rationale": "Retries against non-idempotent writes can duplicate financial, destructive, or external side effects.",
      "recommendation": "Add idempotency evidence for retried risky OpenAI API tools or avoid retrying those side effects.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "OpenAI API structured output schema is missing or under-specified.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-structured-output-readiness",
      "evidence_fields": [
        "path",
        "issues",
        "high_risk_tools"
      ],
      "fires_when": "No response format exists, a response schema is too broad, decision/status fields lack enums, or refusal/needs_review/error modeling is absent.",
      "floor_severity": null,
      "id": "SHIP-API-STRUCTURED-OUTPUT-READINESS",
      "rationale": "Downstream release decisions need explicit, structured success/refusal/review modeling.",
      "recommendation": "Declare a strict response format with decision/status enums, needs_review/refusal/error fields, and critical fields.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "OpenAI API high-risk flow lacks test case metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-test-cases-missing",
      "evidence_fields": [
        "high_risk_tools"
      ],
      "fires_when": "High-risk OpenAI API tools exist and no test cases are declared.",
      "floor_severity": null,
      "id": "SHIP-API-TEST-CASES-MISSING",
      "rationale": "High-risk tool-call flows should have release evidence before promotion.",
      "recommendation": "Add simple OpenAI API test cases for high-risk tool-call flows.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "OpenAI API high-risk flow lacks timeout metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-timeout-missing",
      "evidence_fields": [
        "high_risk_tools"
      ],
      "fires_when": "High-risk OpenAI API tools exist and no timeout metadata is declared.",
      "floor_severity": null,
      "id": "SHIP-API-TIMEOUT-MISSING",
      "rationale": "Timeouts define failure behavior and reduce ambiguous tool-call continuation.",
      "recommendation": "Declare tool-call timeout metadata for high-risk OpenAI API flows.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "OpenAI API high-risk tool lacks success/failure output modeling.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-tool-output-schema-missing",
      "evidence_fields": [
        "tool_output_schemas"
      ],
      "fires_when": "A high-risk OpenAI API tool lacks declared success/failure output schema metadata.",
      "floor_severity": null,
      "id": "SHIP-API-TOOL-OUTPUT-SCHEMA-MISSING",
      "rationale": "Tool output schemas help release reviewers reason about downstream failure handling.",
      "recommendation": "Declare success_fields and failure_fields for high-risk OpenAI API tools.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "OpenAI API trace sample shows a policy-controlled tool without approval.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-trace-approval-missing",
      "evidence_fields": [
        "tool_name",
        "approved"
      ],
      "fires_when": "A trace sample marks approved=false for a tool with approval policy evidence.",
      "floor_severity": null,
      "id": "SHIP-API-TRACE-APPROVAL-MISSING",
      "rationale": "Trace samples should demonstrate approval behavior for tools that require approval.",
      "recommendation": "Require approval before calling policy-controlled OpenAI API tools.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "api",
      "default_severity": "medium",
      "description": "OpenAI API trace sample shows a policy-controlled tool without confirmation.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-api-trace-confirmation-missing",
      "evidence_fields": [
        "tool_name",
        "confirmed"
      ],
      "fires_when": "A trace sample marks confirmed=false for a tool with confirmation policy evidence.",
      "floor_severity": null,
      "id": "SHIP-API-TRACE-CONFIRMATION-MISSING",
      "rationale": "Trace samples should demonstrate explicit confirmation for tools that require confirmation.",
      "recommendation": "Require explicit confirmation before calling policy-controlled OpenAI API tools.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "auth",
      "default_severity": "high",
      "description": "Manifest declares broad permission scopes.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-auth-manifest-broad-scope",
      "evidence_fields": [
        "scopes"
      ],
      "fires_when": "permissions.scopes contains wildcard/admin-like scopes.",
      "floor_severity": null,
      "id": "SHIP-AUTH-MANIFEST-BROAD-SCOPE",
      "rationale": "Broad manifest scopes weaken least-privilege review.",
      "recommendation": "Replace with operation-specific scopes.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "auth",
      "default_severity": "high",
      "description": "Scope-requiring tool lacks declared auth scopes.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-auth-missing-scope",
      "evidence_fields": [
        "risk_tags"
      ],
      "fires_when": "A write or sensitive-data tool has no auth scopes.",
      "floor_severity": null,
      "id": "SHIP-AUTH-MISSING-SCOPE",
      "rationale": "Reviewers cannot assess least privilege without scope metadata.",
      "recommendation": "Declare scopes in OpenAPI, MCP, or manifest metadata.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "auth",
      "default_severity": "high",
      "description": "Tool-required scopes are not covered by manifest permissions.scopes.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-auth-scope-coverage-missing",
      "evidence_fields": [
        "tool_scopes",
        "manifest_scopes",
        "missing_scopes"
      ],
      "fires_when": "A tool scope is absent from permissions.scopes and not covered by a wildcard.",
      "floor_severity": null,
      "id": "SHIP-AUTH-SCOPE-COVERAGE-MISSING",
      "rationale": "The manifest should describe the actual permissions needed by the release.",
      "recommendation": "Add or reconcile required scopes.",
      "requires_human_review": true,
      "suggested_patch_kind": "append_pointer"
    },
    {
      "autofix_safe": false,
      "category": "auth",
      "default_severity": "high",
      "description": "Tool declares broad auth scopes.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-auth-tool-broad-scope",
      "evidence_fields": [
        "scopes"
      ],
      "fires_when": "A tool auth scope is wildcard/admin-like.",
      "floor_severity": null,
      "id": "SHIP-AUTH-TOOL-BROAD-SCOPE",
      "rationale": "Tool-level broad scopes may grant more power than the operation needs.",
      "recommendation": "Use narrower tool scopes.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "codex_plugin",
      "default_severity": "medium",
      "description": "Codex plugin app connector surface is not statically enumerable.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-codex-plugin-app-surface-not-enumerable",
      "evidence_fields": [
        "plugin",
        "app",
        "connector_id",
        "path"
      ],
      "fires_when": "A Codex plugin declares an app connector without an explicit local enumerable tool surface.",
      "floor_severity": null,
      "id": "SHIP-CODEX-PLUGIN-APP-SURFACE-NOT-ENUMERABLE",
      "rationale": "Connector-backed app capabilities are externally mediated and cannot be proven from local plugin metadata alone.",
      "recommendation": "Treat connector app capabilities as a review item or provide explicit local inventory/policy evidence.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "codex_plugin",
      "default_severity": "high",
      "description": "Codex plugin component path cannot be loaded.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-codex-plugin-component-path-missing",
      "evidence_fields": [
        "plugin",
        "component",
        "path",
        "reason"
      ],
      "fires_when": "A plugin component path is missing, outside the plugin root, or outside the manifest directory.",
      "floor_severity": null,
      "id": "SHIP-CODEX-PLUGIN-COMPONENT-PATH-MISSING",
      "rationale": "Release review cannot inspect declared skills, MCP servers, apps, or hooks when component paths are missing or escape the package.",
      "recommendation": "Fix component paths so every declared plugin artifact resolves locally.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "codex_plugin",
      "default_severity": "medium",
      "description": "Codex plugin marketplace entry lacks policy metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-codex-plugin-marketplace-policy-missing",
      "evidence_fields": [
        "marketplace",
        "plugin",
        "missing"
      ],
      "fires_when": "A marketplace plugin entry lacks policy.installation, policy.authentication, or category.",
      "floor_severity": null,
      "id": "SHIP-CODEX-PLUGIN-MARKETPLACE-POLICY-MISSING",
      "rationale": "Marketplace installation and authentication policy are part of the release surface coding agents need to review.",
      "recommendation": "Add policy.installation, policy.authentication, and category to the marketplace entry.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "codex_plugin",
      "default_severity": "high",
      "description": "Codex plugin MCP server is declared but not statically enumerable.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-codex-plugin-mcp-server-not-enumerable",
      "evidence_fields": [
        "plugin",
        "server",
        "path",
        "inventory_path"
      ],
      "fires_when": "A Codex plugin declares an MCP server and no matching codex_plugins.mcp_tool_inventories entry loaded successfully.",
      "floor_severity": null,
      "id": "SHIP-CODEX-PLUGIN-MCP-SERVER-NOT-ENUMERABLE",
      "rationale": "Agents Shipgate does not execute MCP commands, so reviewer-visible tool metadata requires an explicit local inventory.",
      "recommendation": "Provide a local MCP tool inventory for the plugin server.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "codex_plugin",
      "default_severity": "medium",
      "description": "Codex plugin package metadata is incomplete or ambiguous.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-codex-plugin-metadata-missing",
      "evidence_fields": [
        "plugin",
        "source_id",
        "manifest_path",
        "issues"
      ],
      "fires_when": "A Codex plugin manifest is missing required identity metadata, its name does not match the package root, or duplicate plugin names are present.",
      "floor_severity": null,
      "id": "SHIP-CODEX-PLUGIN-METADATA-MISSING",
      "rationale": "Plugin identity needs to be stable before publication or downstream agent adoption.",
      "recommendation": "Fill required plugin metadata and make plugin names unambiguous.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "codex_plugin",
      "default_severity": "medium",
      "description": "Codex plugin skill metadata is missing or duplicated.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-codex-plugin-skill-metadata-missing",
      "evidence_fields": [
        "plugin",
        "skill",
        "path",
        "missing_fields",
        "duplicate"
      ],
      "fires_when": "A SKILL.md lacks name or description frontmatter, or two skills in the same plugin share a name.",
      "floor_severity": null,
      "id": "SHIP-CODEX-PLUGIN-SKILL-METADATA-MISSING",
      "rationale": "Skill frontmatter is the static routing surface agents use to decide whether a skill applies.",
      "recommendation": "Give each skill a unique name and clear description frontmatter.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "crewai",
      "default_severity": "high",
      "description": "CrewAI tool surface cannot be statically enumerated.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-crewai-dynamic-tool-surface-not-enumerable",
      "evidence_fields": [
        "surface",
        "explicit_inventory"
      ],
      "fires_when": "A CrewAI agent tool binding is dynamic or unresolved and no explicit local inventory is declared.",
      "floor_severity": null,
      "id": "SHIP-CREWAI-DYNAMIC-TOOL-SURFACE-NOT-ENUMERABLE",
      "rationale": "CrewAI exposes ad hoc agent-bound tool lists rather than a consistent toolset abstraction, so the check names the broader tool surface instead of ADK's toolset.",
      "recommendation": "Provide explicit MCP-style tool inventory metadata for dynamic CrewAI tool lists.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "crewai",
      "default_severity": "medium",
      "description": "CrewAI function tool lacks static metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-crewai-function-tool-metadata-missing",
      "evidence_fields": [
        "missing",
        "source_type"
      ],
      "fires_when": "A CrewAI @tool or BaseTool class lacks description or parameter metadata.",
      "floor_severity": null,
      "id": "SHIP-CREWAI-FUNCTION-TOOL-METADATA-MISSING",
      "rationale": "Static review depends on descriptions and parameter schemas because user CrewAI code is not imported.",
      "recommendation": "Add docstrings, descriptions, type annotations, args_schema, or explicit local inventory metadata.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "security",
      "default_severity": "medium",
      "description": "Tool description contains instruction-override-like language.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-doc-injection-risk",
      "evidence_fields": [
        "matched"
      ],
      "fires_when": "Description text matches instruction override patterns. Severity is high only when multiple patterns match on a write/high-risk tool.",
      "floor_severity": null,
      "id": "SHIP-DOC-INJECTION-RISK",
      "rationale": "Tool metadata can be placed into model context and should not contain prompt-like directives.",
      "recommendation": "Rewrite the description as neutral metadata.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "documentation",
      "default_severity": "medium",
      "description": "Tool description is missing or too short.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-doc-missing-description",
      "evidence_fields": [
        "description_length"
      ],
      "fires_when": "A tool description is missing or shorter than the minimum.",
      "floor_severity": null,
      "id": "SHIP-DOC-MISSING-DESCRIPTION",
      "rationale": "Poor tool descriptions increase wrong-tool and reviewer misunderstanding risk.",
      "recommendation": "Add a clear capability description.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "security",
      "default_severity": "medium",
      "description": "Tool description contains a secret-like value.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-doc-secret-in-description",
      "evidence_fields": [
        "matched"
      ],
      "fires_when": "Description contains known key formats or labeled secret-like values. Severity is high only when multiple patterns match on a write/high-risk tool.",
      "floor_severity": null,
      "id": "SHIP-DOC-SECRET-IN-DESCRIPTION",
      "rationale": "Credentials in tool metadata can leak into reports, prompts, or logs.",
      "recommendation": "Remove and rotate the exposed secret.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "evidence",
      "default_severity": "high",
      "description": "Local HITL approval trace evidence is missing or incomplete for an approval-required tool.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-evidence-approval-trace-missing",
      "evidence_fields": [
        "tool_name",
        "required",
        "reason",
        "trace_files",
        "approved_tools",
        "source_provenance"
      ],
      "fires_when": "validation.required_evidence.approval_trace_required is true and no loaded local approval trace shows approved=true for an approval-required tool.",
      "floor_severity": null,
      "id": "SHIP-EVIDENCE-APPROVAL-TRACE-MISSING",
      "rationale": "Limited automation review depends on reviewer-visible local evidence that approval-controlled actions were approved before the tool call; absence of local evidence does not prove the runtime control is absent.",
      "recommendation": "Add or fix local approval trace evidence, or change the validation review posture.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "evidence",
      "default_severity": "high",
      "description": "Local high-risk auto-approval exclusion evidence is missing or incomplete.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-evidence-high-risk-exclusion-missing",
      "evidence_fields": [
        "required",
        "reason",
        "risk_tags",
        "exclusion_files",
        "excluded_tools",
        "source_provenance"
      ],
      "fires_when": "validation.required_evidence.high_risk_auto_approval_exclusion_required is true and a high-risk tool with declared approval policy is not listed in loaded high_risk_auto_approval_exclusions.",
      "floor_severity": null,
      "id": "SHIP-EVIDENCE-HIGH-RISK-EXCLUSION-MISSING",
      "rationale": "High-risk tools that already declare approval policy need separate local evidence that they are excluded from auto-approval review posture; absence of local evidence does not prove the runtime control is absent.",
      "recommendation": "Document high-risk approval-controlled tools in local high_risk_auto_approval_exclusions with reasons.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "evidence",
      "default_severity": "high",
      "description": "Local HITL promotion criteria evidence is missing or incomplete.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-evidence-hitl-promotion-criteria-missing",
      "evidence_fields": [
        "target_review_posture",
        "reason",
        "criteria_files",
        "manifest_flags_missing",
        "criteria_flags_missing",
        "source_provenance"
      ],
      "fires_when": "validation.target_review_posture is limited_auto_approval and promotion criteria are absent, unloadable, or the canonical required-evidence flags are not true in the manifest and criteria file.",
      "floor_severity": null,
      "id": "SHIP-EVIDENCE-HITL-PROMOTION-CRITERIA-MISSING",
      "rationale": "A limited auto-approval review posture needs local criteria evidence; Shipgate structures the missing evidence for reviewers but does not certify runtime enforcement.",
      "recommendation": "Add or fix local promotion criteria evidence documenting the review posture and required evidence flags.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "evidence",
      "default_severity": "high",
      "description": "Local HITL override reason evidence is missing or incomplete.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-evidence-override-reason-missing",
      "evidence_fields": [
        "required",
        "reason",
        "override_log_files",
        "events_missing_reason",
        "source_provenance"
      ],
      "fires_when": "validation.required_evidence.override_reason_required is true and override logs are absent, empty, unloadable, or contain events without non-empty reasons.",
      "floor_severity": null,
      "id": "SHIP-EVIDENCE-OVERRIDE-REASON-MISSING",
      "rationale": "Override, bypass, and auto-approval events need reviewer-visible local reasons for governance review; absence of local evidence does not prove the runtime control is absent.",
      "recommendation": "Record non-empty reasons in local override, bypass, and auto-approval evidence.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "inventory",
      "default_severity": "high",
      "description": "Production target includes low-confidence tool extraction.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-inventory-low-confidence-production-surface",
      "evidence_fields": [
        "tools"
      ],
      "fires_when": "environment.target is production and tools include lower-confidence extraction.",
      "floor_severity": null,
      "id": "SHIP-INVENTORY-LOW-CONFIDENCE-PRODUCTION-SURFACE",
      "rationale": "Production promotion should not depend primarily on best-effort SDK inference.",
      "recommendation": "Declare those tools through manifest, MCP, or OpenAPI inputs.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "inventory",
      "default_severity": "high",
      "description": "Tool surface cannot be enumerated from declared inputs.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-inventory-not-enumerable",
      "evidence_fields": [
        "tool_sources"
      ],
      "fires_when": "No tools are loaded from required manifest sources.",
      "floor_severity": null,
      "id": "SHIP-INVENTORY-NOT-ENUMERABLE",
      "rationale": "A release gate must fail closed when it cannot see the agent's tools.",
      "recommendation": "Declare at least one local MCP JSON or OpenAPI tool source.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "inventory",
      "default_severity": "medium",
      "description": "Tool surface exceeds the MVP review threshold.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-inventory-tool-surface-too-large",
      "evidence_fields": [
        "tool_count",
        "threshold"
      ],
      "fires_when": "The normalized tool count exceeds the built-in threshold.",
      "floor_severity": null,
      "id": "SHIP-INVENTORY-TOOL-SURFACE-TOO-LARGE",
      "rationale": "Large tool surfaces are harder to reason about during promotion.",
      "recommendation": "Split or reduce the tool surface before release.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "inventory",
      "default_severity": "high",
      "description": "Wildcard or all-tools exposure is declared.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-inventory-wildcard-tools",
      "evidence_fields": [
        "source_id",
        "source_ref"
      ],
      "fires_when": "A source declares all tools or wildcard exposure.",
      "floor_severity": null,
      "id": "SHIP-INVENTORY-WILDCARD-TOOLS",
      "rationale": "Wildcard tools make review and least-privilege reasoning impossible.",
      "recommendation": "Replace wildcard exposure with an explicit allowlist.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "langchain",
      "default_severity": "high",
      "description": "LangChain tool surface cannot be statically enumerated.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-langchain-dynamic-tool-surface-not-enumerable",
      "evidence_fields": [
        "surface",
        "explicit_inventory"
      ],
      "fires_when": "A LangChain or LangGraph tool binding is dynamic or unresolved and no explicit local inventory is declared.",
      "floor_severity": null,
      "id": "SHIP-LANGCHAIN-DYNAMIC-TOOL-SURFACE-NOT-ENUMERABLE",
      "rationale": "LangChain and LangGraph expose ad hoc tool lists and agent-bound tools rather than a consistent toolset abstraction, so the check names the broader tool surface instead of ADK's toolset.",
      "recommendation": "Provide explicit MCP-style tool inventory metadata for dynamic LangChain tool lists.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "langchain",
      "default_severity": "medium",
      "description": "LangChain function tool lacks static metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-langchain-function-tool-metadata-missing",
      "evidence_fields": [
        "missing",
        "source_type"
      ],
      "fires_when": "A LangChain @tool or StructuredTool lacks description or parameter metadata.",
      "floor_severity": null,
      "id": "SHIP-LANGCHAIN-FUNCTION-TOOL-METADATA-MISSING",
      "rationale": "Static review depends on descriptions and parameter schemas because user LangChain code is not imported.",
      "recommendation": "Add docstrings, descriptions, type annotations, args_schema, or explicit local inventory metadata.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "manifest",
      "default_severity": "high",
      "description": "Production high-risk tool has no declared owner.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-manifest-high-risk-owner-missing",
      "evidence_fields": [
        "environment",
        "risk_tags"
      ],
      "fires_when": "environment.target is production_like or production and a high-risk tool lacks owner metadata.",
      "floor_severity": null,
      "id": "SHIP-MANIFEST-HIGH-RISK-OWNER-MISSING",
      "rationale": "High-risk production tools need an accountable owning team for review and remediation.",
      "recommendation": "Declare an owner for each high-risk production tool.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "manifest",
      "default_severity": "medium",
      "description": "A policy references a missing tool.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-manifest-stale-policy",
      "evidence_fields": [
        "policy",
        "tool"
      ],
      "fires_when": "A policy entry names a tool that is not loaded.",
      "floor_severity": null,
      "id": "SHIP-MANIFEST-STALE-POLICY",
      "rationale": "Approval, confirmation, and idempotency policies should map to the actual release surface.",
      "recommendation": "Remove stale policy entries or update them to current tool names.",
      "requires_human_review": true,
      "suggested_patch_kind": "remove_pointer"
    },
    {
      "autofix_safe": false,
      "category": "manifest",
      "default_severity": "medium",
      "description": "A risk override references a missing tool.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-manifest-stale-risk-override",
      "evidence_fields": [
        "tool"
      ],
      "fires_when": "risk_overrides.tools contains a tool that is not loaded.",
      "floor_severity": null,
      "id": "SHIP-MANIFEST-STALE-RISK-OVERRIDE",
      "rationale": "Risk overrides should not outlive the tool they describe.",
      "recommendation": "Remove stale risk overrides or update them to current tool names.",
      "requires_human_review": true,
      "suggested_patch_kind": "remove_pointer"
    },
    {
      "autofix_safe": false,
      "category": "manifest",
      "default_severity": "medium",
      "description": "A suppression references a missing check or tool.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-manifest-stale-suppression",
      "evidence_fields": [
        "check_id",
        "tool",
        "issues"
      ],
      "fires_when": "checks.ignore contains an unknown check_id or a tool name that is not loaded.",
      "floor_severity": null,
      "id": "SHIP-MANIFEST-STALE-SUPPRESSION",
      "rationale": "Stale suppressions hide intent and make release review harder to audit.",
      "recommendation": "Remove stale suppressions or update them to current check IDs and tool names.",
      "requires_human_review": true,
      "suggested_patch_kind": "remove_pointer"
    },
    {
      "autofix_safe": false,
      "category": "manifest",
      "default_severity": "medium",
      "description": "Manifest declares permission scopes unused by loaded tools.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-manifest-unused-scope",
      "evidence_fields": [
        "scope",
        "tool_scopes"
      ],
      "fires_when": "permissions.scopes includes a scope not required by any loaded tool.",
      "floor_severity": null,
      "id": "SHIP-MANIFEST-UNUSED-SCOPE",
      "rationale": "Unused permissions weaken least-privilege review and often indicate stale config.",
      "recommendation": "Remove unused scopes or add tool metadata showing why they are required.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "n8n",
      "default_severity": "medium",
      "description": "n8n AI-exposed tool lacks static metadata.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-n8n-ai-tool-metadata-missing",
      "evidence_fields": [
        "missing",
        "source_type"
      ],
      "fires_when": "An n8n AI-exposed tool lacks description or static parameter metadata.",
      "floor_severity": null,
      "id": "SHIP-N8N-AI-TOOL-METADATA-MISSING",
      "rationale": "Static review depends on descriptions and parameter schemas because Shipgate does not execute n8n workflows.",
      "recommendation": "Add n8n tool descriptions, $fromAI() parameter metadata, workflow input schemas, or explicit inventory metadata.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "n8n",
      "default_severity": "high",
      "description": "n8n credential stubs are not declared.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-n8n-credential-evidence-missing",
      "evidence_fields": [
        "credential_ref_count",
        "credential_stub_file_count"
      ],
      "fires_when": "Production-like n8n workflows reference credentials but no local credential stubs are declared.",
      "floor_severity": null,
      "id": "SHIP-N8N-CREDENTIAL-EVIDENCE-MISSING",
      "rationale": "Credential type evidence lets reviewers assess high-risk integrations without exposing secret values.",
      "recommendation": "Declare local n8n credential stubs.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "n8n",
      "default_severity": "high",
      "description": "n8n tool surface cannot be statically enumerated.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-n8n-dynamic-tool-surface-not-enumerable",
      "evidence_fields": [
        "surface",
        "explicit_inventory"
      ],
      "fires_when": "An n8n workflow has an unresolved DB workflow id, runtime expression in a tool name, wildcard MCP Server/Client exposure without an inventory, or an uninventoried community/custom tool node.",
      "floor_severity": null,
      "id": "SHIP-N8N-DYNAMIC-TOOL-SURFACE-NOT-ENUMERABLE",
      "rationale": "Release review needs an explicit local inventory when n8n workflow JSON uses runtime tool names, unresolved workflow references, wildcard MCP exposure, or community tool nodes without static metadata. This is high severity in every environment because static release evidence cannot prove the actual tool inventory.",
      "recommendation": "Provide explicit local n8n/MCP tool inventory metadata or replace runtime/wildcard n8n tool exposure.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "n8n",
      "default_severity": "medium",
      "description": "n8n eval coverage is not declared.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-n8n-eval-coverage-missing",
      "evidence_fields": [
        "workflow_count",
        "ai_agent_count",
        "eval_file_count"
      ],
      "fires_when": "n8n inputs target production_like or production and no eval files are declared.",
      "floor_severity": null,
      "id": "SHIP-N8N-EVAL-COVERAGE-MISSING",
      "rationale": "n8n AI workflow releases should include response and tool-trajectory eval evidence before promotion.",
      "recommendation": "Declare n8n eval files for expected responses and tool-use trajectories.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "n8n",
      "default_severity": "high",
      "description": "n8n MCP Client Tool exposes an unfiltered toolset.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-n8n-mcp-client-toolset-unfiltered",
      "evidence_fields": [
        "source_ref",
        "node_id",
        "selection_mode",
        "explicit_inventory"
      ],
      "fires_when": "An n8n MCP Client Tool uses All or All Except selection and no explicit local inventory is declared.",
      "floor_severity": null,
      "id": "SHIP-N8N-MCP-CLIENT-TOOLSET-UNFILTERED",
      "rationale": "All-tools and all-except MCP client selections can expose more tools than reviewers expect. The check is environment-sensitive because the selector is straightforward to narrow before production, while production-like use increases blast radius.",
      "recommendation": "Select an explicit MCP tool allowlist in n8n or provide a local MCP inventory.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "security",
      "default_severity": "high",
      "description": "n8n workflow JSON contains a secret-like value.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-n8n-secret-in-workflow-parameter",
      "evidence_fields": [
        "source_ref",
        "parameter_pointer",
        "secret_kind"
      ],
      "fires_when": "A static n8n workflow parameter, node note, pinData entry, or staticData entry matches a secret-like token pattern. Evidence is redacted and contains only source location and secret kind, never a secret verifier.",
      "floor_severity": null,
      "id": "SHIP-N8N-SECRET-IN-WORKFLOW-PARAMETER",
      "rationale": "Workflow JSON, pinned data, static data, and node notes can be committed or reported; hardcoded secret-like values should be moved into credentials or variables.",
      "recommendation": "Move secret values into n8n credentials or variables and rotate the exposed value.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "policy",
      "default_severity": "critical",
      "description": "High-risk tool lacks a declared approval policy.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-policy-approval-missing",
      "evidence_fields": [
        "risk_tags",
        "policy_match"
      ],
      "fires_when": "Financial/destructive/infrastructure/code-exec risk exists without approval policy.",
      "floor_severity": null,
      "id": "SHIP-POLICY-APPROVAL-MISSING",
      "rationale": "High-risk actions need explicit approval before promotion.",
      "recommendation": "Declare an approval policy or remove the tool.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "policy",
      "default_severity": "high",
      "description": "Destructive/external/customer-communication tool lacks a confirmation policy.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-policy-confirmation-missing",
      "evidence_fields": [
        "risk_tags",
        "policy_match"
      ],
      "fires_when": "Risk tags require confirmation but no confirmation policy matches.",
      "floor_severity": null,
      "id": "SHIP-POLICY-CONFIRMATION-MISSING",
      "rationale": "Destructive and external actions should require explicit confirmation.",
      "recommendation": "Declare confirmation policy or remove the tool.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "schema",
      "default_severity": "high",
      "description": "Action-like tool accepts broad free-form input.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-schema-broad-free-text",
      "evidence_fields": [
        "parameter",
        "type"
      ],
      "fires_when": "A write/action-like tool has free-form command/action/update-style parameters.",
      "floor_severity": null,
      "id": "SHIP-SCHEMA-BROAD-FREE-TEXT",
      "rationale": "Broad action/body/update fields increase blast radius for write tools.",
      "recommendation": "Constrain the field with structured schema or enums.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "schema",
      "default_severity": "medium",
      "description": "Tool returns free-form string output.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-schema-freeform-output",
      "evidence_fields": [
        "output_schema"
      ],
      "fires_when": "A tool output schema is string or an SDK function returns str.",
      "floor_severity": null,
      "id": "SHIP-SCHEMA-FREEFORM-OUTPUT",
      "rationale": "Free-form tool output may carry prompt injection into later model context.",
      "recommendation": "Prefer structured output for model-consumed tool results.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "schema",
      "default_severity": "high",
      "description": "Risky numeric parameter lacks a maximum bound.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-schema-missing-bounds",
      "evidence_fields": [
        "parameter",
        "type"
      ],
      "fires_when": "A risky numeric parameter lacks a maximum.",
      "floor_severity": null,
      "id": "SHIP-SCHEMA-MISSING-BOUNDS",
      "rationale": "Unbounded counts or financial amounts weaken blast-radius control.",
      "recommendation": "Add a maximum or equivalent policy limit.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "scope",
      "default_severity": "high",
      "description": "Tool appears to overlap with a manifest prohibited action.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-scope-prohibited-tool-present",
      "evidence_fields": [
        "prohibited_action",
        "risk_tags"
      ],
      "fires_when": "Tool name/description/risk tags overlap prohibited_actions without a mitigating policy.",
      "floor_severity": null,
      "id": "SHIP-SCOPE-PROHIBITED-TOOL-PRESENT",
      "rationale": "Prohibited actions should not be contradicted by attached tool capabilities.",
      "recommendation": "Remove or narrow the tool, or revise policy/scope text.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "scope",
      "default_severity": "high",
      "description": "Write-capable tool contradicts a read-only declared purpose.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-scope-tool-outside-purpose",
      "evidence_fields": [
        "declared_purpose",
        "risk_tags"
      ],
      "fires_when": "Purpose text is read-only but attached tools are write-capable.",
      "floor_severity": null,
      "id": "SHIP-SCOPE-TOOL-OUTSIDE-PURPOSE",
      "rationale": "Declared purpose should constrain the attached tool surface.",
      "recommendation": "Remove the tool or update release scope.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    },
    {
      "autofix_safe": false,
      "category": "side_effects",
      "default_severity": "high",
      "description": "Risky write tool lacks idempotency evidence; critical when retry is known.",
      "docs_url": "https://github.com/ThreeMoonsLab/agents-shipgate/blob/main/docs/checks.md#ship-sidefx-idempotency-missing",
      "evidence_fields": [
        "risk_tags",
        "retry_policy_known"
      ],
      "fires_when": "Risky write tool lacks idempotency annotation, key, or policy.",
      "floor_severity": null,
      "id": "SHIP-SIDEFX-IDEMPOTENCY-MISSING",
      "rationale": "Retries against non-idempotent writes can duplicate financial or external side effects.",
      "recommendation": "Add idempotency evidence or policy.",
      "requires_human_review": true,
      "suggested_patch_kind": "manual"
    }
  ],
  "description": "Machine-readable catalog of built-in checks. Generated from agents_shipgate.checks.registry.check_catalog(). Do not edit by hand.",
  "title": "Agents Shipgate Check Catalog"
}