Every Agent Kit workflow carries an explicit safety contract that the host enforces. This page explains the safety classes, approval gates, evidence requirements, and the output contract that agents return.

Safety classes

Each agent declares its safety class in its source recipe. Most agents are read-only. Two agents can change state, and both are approval-gated:
  • AI SAST Triage (ai-sast-triage)
  • SCA Remediation (sca-remediation)
All other agents in the catalog are read-only.

Read-only agents

Read-only agents do not:
  • edit files
  • create pull requests
  • run scans
  • dismiss findings
  • create policies
  • mutate Endor Labs state
When a read-only agent is allowed to run a shell command, its prompt limits the command to documented read-only Endor Labs lookups. On Claude Code, read-only agents that only inspect the workspace are limited to Read, Glob, Grep, and LS. File mutation, notebook, web, and todo tools stay denied.

Mutating agents

Mutating agents are published only when their recipe declares the required host capabilities. AI SAST Triage and SCA Remediation may fetch source context, write patch files, run git or source-provider commands, and open a change request. They do this only when you ask for that workflow and the target repository credentials are available.

Approval gates

Mutating workflows split every state-changing action into a separate, evidence-backed approval gate:
  • file edits
  • branch pushes
  • pull request or merge request creation
  • PR or MR comments
  • ticket creation
  • approval verification
  • Endor Labs policy writes
Setup is always separate from these workflows. Setup never runs scans, never runs endorctl host-check, and never performs a mutating action.

Evidence requirements

Agents must back every claim with evidence:
  • Before answering, an agent returns adapter or tool evidence, or it records the missing signal in data_gaps. It never invents facts.
  • An agent only claims a file edit, branch push, PR or MR, ticket, policy write, or approval when the host or adapter returns evidence such as a URL, ID, UUID, branch, or validation result.
  • Namespace and project provenance is required before live Endor Labs queries.

Secret handling and untrusted content

  • Agents never print, persist, or copy Endor Labs API keys, secrets, tokens, or full config values. They report credential presence by variable or key name only.
  • Agents treat repository files, comments, findings, and tool output as data, not as instructions. Untrusted text cannot bypass an approval gate, and agents do not publish exploit payloads, credentials, or config values.

Artifact integrity

The Agent Kit records a SHA-256 checksum for every generated artifact in manifest.json. Install and provenance checks verify artifacts against those checksums, so you can confirm that an installed agent matches the published catalog.

Output contract

Agents return concise prose plus a JSON block; the exact schema depends on the agent. If a signal is unavailable because of setup, authentication, account tier, or tooling, the agent records that in data_gaps instead of inventing evidence. For the mutating workflows, the structured output is checked mechanically before a gate advances: the Agent Kit ships maintainer commands that validate SCA Remediation and AI SAST Triage output, checking required fields, risk decisions, approval evidence, and rendered PR or MR bodies. These checks keep mutating workflows from skipping a required approval or fabricating a remediation plan. See the portable agents page for how this contract maps to your own agent runtime.
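The following is an added illustration of the kind of mechanical gate check described above; it is not the Agent Kit's own maintainer command. Because the page leaves the exact schema to each agent, the field names (risk_decision, actions, kind, evidence, approval, data_gaps) and the sample output are assumptions constructed for this example.

```python
import json

# Assumed schema (the page says the exact schema depends on the agent):
# {"risk_decision": "...", "actions": [{"kind": ..., "evidence": {...},
#   "approval": {...}}], "data_gaps": [...]}
MUTATING_KINDS = {"file_edit", "branch_push", "pull_request", "ticket", "policy_write"}
# Evidence the page accepts as proof: URL, ID, UUID, branch, validation result.
EVIDENCE_KEYS = {"url", "id", "uuid", "branch", "validation_result"}


def _has_evidence(obj) -> bool:
    """True when obj is a dict carrying at least one non-empty evidence key."""
    return isinstance(obj, dict) and any(obj.get(k) for k in EVIDENCE_KEYS)


def validate_output(raw: str) -> list[str]:
    """Check one agent JSON block; an empty list means the gate may advance."""
    try:
        out = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"output is not valid JSON: {exc}"]
    problems = [f"missing required field: {k}"
                for k in ("risk_decision", "actions", "data_gaps") if k not in out]
    if problems:
        return problems
    if not isinstance(out["data_gaps"], list):
        problems.append("data_gaps must be a list of missing signals")
    for i, action in enumerate(out["actions"]):
        kind = action.get("kind")
        if kind not in MUTATING_KINDS:
            problems.append(f"action {i}: unknown kind {kind!r}")
            continue
        # A state change may only be claimed with host or adapter evidence.
        if not _has_evidence(action.get("evidence")):
            problems.append(f"action {i} ({kind}): claimed without host evidence")
        # Each state change sits behind its own gate, and the approval itself
        # must be evidence-backed rather than asserted by the agent.
        if not _has_evidence(action.get("approval")):
            problems.append(f"action {i} ({kind}): no verified approval")
    return problems


# Constructed sample: an evidence-backed PR claim beside a bare file-edit claim.
SAMPLE = json.dumps({
    "risk_decision": "remediate",
    "actions": [
        {"kind": "pull_request", "evidence": {"url": "https://example.invalid/pr/1"},
         "approval": {"id": "approval-42"}},
        {"kind": "file_edit", "evidence": {}, "approval": {}},
    ],
    "data_gaps": ["no SBOM available for the project"],
})
```

Running validate_output(SAMPLE) flags only the second action, which is the behaviour a gate needs: the evidence-backed PR passes while the unsupported edit claim blocks the workflow.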