Release-readiness gates for AI agents: replay known incidents, apply policy-as-code gates, and produce ship/warn/block evidence before an agent, prompt, model, or tool-policy change ships.
Project description
Agent Release Safety Gates
Release-readiness gates for AI agents — replay known incidents, apply policy-as-code, and produce ship / warn / block evidence before a changed agent, prompt, model, or tool policy ships.
Quickstart
pip install agent-release-gates
# Run the deterministic release gate on a built-in pack → exits non-zero on a block.
agent-safety release-gate
# Score your own agent: materialize an example pack, convert your logs, gate them.
agent-safety init-example --dest incident_pack_minimal
agent-safety export-candidate-results --input incident_pack_minimal/agent_run_log.jsonl \
--output candidate_results.jsonl --candidate-id my_agent_v1
agent-safety release-gate --incident-pack incident_pack_minimal \
--candidate-results candidate_results.jsonl
# Or run the incident-replay suite under Inspect (UK AISI).
pip install inspect_ai
inspect eval agent-release-gates/incident_replay --model openai/gpt-4.1-mini
See the evaluate-your-agent quickstart for the full pip-only workflow.
The core install is intentionally lean (only pydantic) and ships the CLI, the Inspect suite, the real-agent runner, and the scoring logic. The API and dashboard are opt-in extras:
pip install "agent-release-gates[api]" # FastAPI evidence service
pip install "agent-release-gates[dashboard]" # Streamlit reviewer dashboard
[!NOTE] These results are engineering evidence over controlled, synthetic benchmarks — not claims of real-world production performance. This project is not a clone, assessment, or reverse-engineering of any company's internal AI system. The operations benchmark is synthetic by design; TechQA and WixQA are used separately as public retrieval-validation datasets.
What it does
Before a changed agent ships, the lab answers five release questions and turns the answers into a reproducible gate:
- Grounding — does the agent retrieve the right evidence and cite it?
- Refusal — does it abstain when evidence is weak, unsafe, or prompt-injected?
- Approval — does it require sign-off before side-effecting tool calls?
- Auditability — does it leave enough trace, audit, and monitoring evidence?
- Replay — does it pass incident replay and policy-as-code release gates?
The first module is an Incident Replay Suite that turns redacted synthetic incidents into regression fixtures, replay results, release gates, and incident memos. The output is a reproducible evaluation artifact — deterministic runners, generated reports, CI checks, a Dockerized runtime, a Streamlit dashboard, and a GitHub Pages report — rather than a one-off dashboard.
How it works
incidents ──▶ replay matrix ──▶ policy gates ──▶ ship / warn / block ──▶ evidence + memo
(synthetic) (deterministic) (policy-as-code) (CLI exit code) (report / audit)
Point it at your own agent by exporting candidate results (generic logs or LangChain/LangSmith-style traces) and scoring them against the gates. See the evaluate-your-agent quickstart, incident pack schema, and candidate results schema.
Evidence snapshot
| Area | Current result |
|---|---|
| Controlled benchmark | 358 synthetic golden cases, 60 red-team cases, 180 synthetic operations tickets |
| Retrieval | 100.00% synthetic retrieval hit rate@3 with local TF-IDF/vector-style retrievers |
| Public RAG validation | 160 TechQA cases and 80 WixQA cases evaluated separately from the synthetic benchmark |
| Safety | 90.91% classifier recall, 0 high-severity false negatives in the current challenge set |
| Agent governance | 100.00% mock side-effect block rate and approval audit rate |
| Incident replay | 8 seeded synthetic incidents replayed, 100.00% closure rate, 0 replay must-not violations |
| Intervention study | 3 deterministic safety studies plus public RAG grounding and memory/context studies |
| Hosted judge calibration | Reviewed OpenAI and Anthropic judge runs with public-safe provider comparison |
Key findings
- Safety scores are not meaningful alone — the lab reports over-review cost, benign auto-blocks, weak-evidence handling, and unsafe misses beside the headline numbers.
- Layered safeguards reduce selected prompt-injection, unsafe-action, and unsafe-request failures in controlled studies while making review burden visible.
- Public RAG grounding thresholds reduce unsupported answer attempts while keeping abstention and review cost visible.
- Memory/context controls reduce polluted-memory following while preserving benign memory usefulness; goal-conflict arbitration reduces unsafe goal-following while preserving benign task completion.
- The strongest next validation step is independent human labelling, followed by broader multi-model comparison.
What's included
- Evaluation runners for retrieval, extraction, safety classification, controlled-agent behavior, and observability.
- Baseline-vs-intervention studies for instruction hierarchy, action-risk gates, safety-classifier review policy, RAG grounding, memory/context pollution, and goal conflict.
- Incident replay suite with seeded incidents, replay matrix, release gates, regression fixtures, and generated memos.
- Candidate-results exporters for generic agent logs and LangChain/LangSmith-style traces.
- Streamlit dashboard, GitHub Pages report + PDF, and a benchmark/dataset/failure-taxonomy documentation set.
- CI, Docker, Docker Compose, linting, tests, and deterministic report regeneration.
Run from source
uv sync
uv run python scripts/run_all_evals.py
# Release gate (console command); exits non-zero on a blocking failure.
uv run agent-safety release-gate --policy config/incident_release_policy.json
# Interactive dashboard → http://localhost:8510
uv run streamlit run streamlit_app.py --server.port 8510
Run the API and dashboard together with docker compose up --build, then open http://localhost:8510 and http://localhost:8000/health.
Drive a real LLM through the release gate:
# Any OpenAI-compatible / self-hosted open-model endpoint.
$env:AGENT_RUNNER_API_KEY = "..."
uv run python scripts/run_real_agent_replay.py
Verification commands
uv run ruff check .
uv run pytest
uv run python scripts/run_all_evals.py
uv run agent-safety release-gate --policy config/incident_release_policy.json
uv run python scripts/build_public_site.py
docker build -t agent-release-safety-gates:local .
CI runs linting, tests, deterministic report checks, local OpenTelemetry smoke testing, Dockerized collector verification, and Docker build verification.
Documentation
| Topic | Link |
|---|---|
| Evaluate your agent (quickstart) | docs/evaluate_your_agent_quickstart.md |
| Benchmark card | docs/benchmark_card.md |
| Dataset card | docs/dataset_card.md |
| Failure taxonomy | docs/failure_taxonomy.md |
| Agent-safety intervention study | docs/agent_safety_intervention_study.md |
| RAG grounding intervention | reports/rag_grounding_intervention.md |
| Memory/context intervention | reports/memory_context_intervention.md |
| Goal-conflict intervention | reports/goal_conflict_intervention.md |
| Incident pack schema | docs/incident_pack_schema.md |
| Candidate results schema | docs/candidate_results_schema.md |
| Reviewer handoff pack | docs/reviewer_handoff_pack.md |
| Technical artifact index | docs/technical_artifacts.md |
| Dashboard deployment | docs/dashboard.md |
| Contributing | CONTRIBUTING.md |
Limitations
- The controlled benchmark is synthetic and still partly templated.
- Public TechQA and WixQA tracks use compact samples, not the full upstream datasets.
- Human-review labels are currently simulated workflow labels; independent reviewer labels are prepared but not yet published.
- Hosted-model evidence includes reviewed judge-calibration runs, not a broad multi-model agent comparison.
- Provider-backed embedding and reranker adapters are prepared, but credentialed hosted results are not claimed until reviewed.
Roadmap
- Collect independent human labels using the prepared review packet.
- Add reproducible multi-model comparison across hosted and open-source models.
- Expand public RAG validation beyond the current compact TechQA and WixQA samples.
- Add more framework-specific candidate-results exporters.
- Extend the intervention report with external-reviewer disagreement analysis.
[!TIP] Want to help validate this? External review is explicitly invited — start with the reviewer handoff pack and CONTRIBUTING.md.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agent_release_gates-0.1.1.tar.gz.
File metadata
- Download URL: agent_release_gates-0.1.1.tar.gz
- Upload date:
- Size: 1.0 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.24 {"installer":{"name":"uv","version":"0.11.24","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":null,"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
13e6a9d024dcc732b672dfcf04e08e626d96629c1612bd31ac7c88486ebd9da4
|
|
| MD5 |
c4b3ca46f1358f1ebe7530fefe963ac6
|
|
| BLAKE2b-256 |
9728b526ab6663f557ce7a03537c8d57e584c3ed28820a5eecbf09129af28c14
|
File details
Details for the file agent_release_gates-0.1.1-py3-none-any.whl.
File metadata
- Download URL: agent_release_gates-0.1.1-py3-none-any.whl
- Upload date:
- Size: 227.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.24 {"installer":{"name":"uv","version":"0.11.24","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":null,"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f24081ee94da5e5cfe0c45fa907f40a0eb247905a3fbbd3018085a9bb7f83476
|
|
| MD5 |
87c853bac8e4b45a25231570c31e994e
|
|
| BLAKE2b-256 |
644f240ef49834ad14e159360defb4a4b5bcf2ee31e893df4658cc9d6c19b732
|