Release Evidence Packet

Project: support-refund-agent · Agent: refund-assistant · Environment: production_like
Run id: agents_shipgate_ebb71d7248235cc3 · Generated at: 2026-01-01T00:00:00+00:00 · Packet schema: 0.6

This packet is a reviewer-shaped synthesis of a static Agents Shipgate scan. See §10 for what the packet does not prove.

§1 Release decision — BLOCKED

Decision: blocked
Reason: 2 active findings block release.
Blockers: 2
Review items: 16

CI gate behavior (informational)

ci_mode: advisory, would_fail_ci: false, exit code: 0
Note: CI behavior is metadata about the run gate, not the verdict. The verdict above derives from release_decision.decision.

Blockers

SHIP-POLICY-APPROVAL-MISSING (critical): stripe.create_refund lacks a declared approval policy
SHIP-SIDEFX-IDEMPOTENCY-MISSING (critical): stripe.create_refund lacks idempotency evidence

Review items

SHIP-INVENTORY-WILDCARD-TOOLS (high): Wildcard tool exposure declared
SHIP-SCHEMA-MISSING-BOUNDS (high): stripe.create_refund.amount has no maximum bound
SHIP-SCHEMA-BROAD-FREE-TEXT (high): zendesk.update_ticket accepts broad free-form action input
SHIP-SCHEMA-BROAD-FREE-TEXT (high): gmail.send_customer_email accepts broad free-form action input
SHIP-SCHEMA-FREEFORM-OUTPUT (medium): send_email_preview returns free-form text output
SHIP-AUTH-MANIFEST-BROAD-SCOPE (high): Manifest declares broad permission scopes
SHIP-AUTH-SCOPE-COVERAGE-MISSING (high): shopify.cancel_order requires scopes not declared in the manifest
SHIP-AUTH-SCOPE-COVERAGE-MISSING (high): support.search_kb requires scopes not declared in the manifest
SHIP-AUTH-SCOPE-COVERAGE-MISSING (high): gmail.send_customer_email requires scopes not declared in the manifest
SHIP-SCOPE-PROHIBITED-TOOL-PRESENT (high): stripe.create_refund appears to overlap with a prohibited action
SHIP-SCOPE-PROHIBITED-TOOL-PRESENT (high): gmail.send_customer_email appears to overlap with a prohibited action
SHIP-POLICY-CONFIRMATION-MISSING (high): stripe.create_refund lacks a declared confirmation policy
SHIP-POLICY-CONFIRMATION-MISSING (high): gmail.send_customer_email lacks a declared confirmation policy
SHIP-SIDEFX-IDEMPOTENCY-MISSING (high): gmail.send_customer_email lacks idempotency evidence
SHIP-MANIFEST-HIGH-RISK-OWNER-MISSING (high): shopify.cancel_order is high-risk but has no owner
SHIP-MANIFEST-UNUSED-SCOPE (medium): Manifest declares unused permission scope zendesk:tickets:read

§1A Evidence matrix — compact review summary

Evidence Matrix Light is derived from public report.json only. Release decisions, CI exit behavior, and baseline semantics remain owned by release_decision. Domain rows intentionally overlap; a single finding can appear in multiple rows when it is relevant to each review lens.

Domain	Evidence present	Evidence source	Confidence	Missing controls	Blocking findings	Review items
Inventory	partial	tool_inventory; tool_surface; +2 more	high	SHIP-INVENTORY-WILDCARD-TOOLS on wildcard_mcp_tools.*: Wildcard tool exposure declared	—	SHIP-INVENTORY-WILDCARD-TOOLS (high)
Schema	partial	tool_surface_facts.tools[].hashes; findings[]	mixed	SHIP-SCHEMA-MISSING-BOUNDS on stripe.create_refund: stripe.create_refund.amount has no maximum bound; SHIP-SCHEMA-BROAD-FREE-TEXT on zendesk.update_ticket: zendesk.update_ticket accepts broad free-form action input; +2 more	—	SHIP-SCHEMA-MISSING-BOUNDS (high); SHIP-SCHEMA-BROAD-FREE-TEXT (high); +2 more
Auth	partial	tool_surface_facts.scopes; tool_inventory[].auth_scopes; +1 more	mixed	SHIP-AUTH-MANIFEST-BROAD-SCOPE: Manifest declares broad permission scopes; SHIP-AUTH-SCOPE-COVERAGE-MISSING on shopify.cancel_order: shopify.cancel_order requires scopes not declared in the manifest; +3 more	—	SHIP-AUTH-MANIFEST-BROAD-SCOPE (high); SHIP-AUTH-SCOPE-COVERAGE-MISSING (high); +3 more
Approval	partial	tool_surface_facts.controls[kind=approval_policy]; findings[]	high	SHIP-POLICY-APPROVAL-MISSING on stripe.create_refund: stripe.create_refund lacks a declared approval policy	SHIP-POLICY-APPROVAL-MISSING (critical)	—
Confirmation	partial	tool_surface_facts.controls[kind=confirmation_policy]; findings[]	high	SHIP-POLICY-CONFIRMATION-MISSING on stripe.create_refund: stripe.create_refund lacks a declared confirmation policy; SHIP-POLICY-CONFIRMATION-MISSING on gmail.send_customer_email: gmail.send_customer_email lacks a declared confirmation policy	—	SHIP-POLICY-CONFIRMATION-MISSING (high); SHIP-POLICY-CONFIRMATION-MISSING (high)
Idempotency	partial	tool_surface_facts.controls[kind=idempotency_evidence]; action_surface_facts.actions[].safeguards.idempotency; +1 more	mixed	SHIP-SIDEFX-IDEMPOTENCY-MISSING on stripe.create_refund: stripe.create_refund lacks idempotency evidence; SHIP-SIDEFX-IDEMPOTENCY-MISSING on gmail.send_customer_email: gmail.send_customer_email lacks idempotency evidence	SHIP-SIDEFX-IDEMPOTENCY-MISSING (critical)	SHIP-SIDEFX-IDEMPOTENCY-MISSING (high)
Side effects	partial	tool_inventory[].risk_tags; action_surface_facts.actions[].effect; +1 more	mixed	SHIP-SCHEMA-BROAD-FREE-TEXT on zendesk.update_ticket: zendesk.update_ticket accepts broad free-form action input; SHIP-SCHEMA-BROAD-FREE-TEXT on gmail.send_customer_email: gmail.send_customer_email accepts broad free-form action input; +5 more	SHIP-POLICY-APPROVAL-MISSING (critical); SHIP-SIDEFX-IDEMPOTENCY-MISSING (critical)	SHIP-SCHEMA-BROAD-FREE-TEXT (high); SHIP-SCHEMA-BROAD-FREE-TEXT (high); +3 more
Memory isolation	not_declared	—	unknown	—	—	—
Human-in-the-loop evidence	not_declared	—	unknown	—	—	—
Prompt/scope alignment	partial	declared_intentions; misalignments; +2 more	medium	SHIP-SCOPE-PROHIBITED-TOOL-PRESENT on stripe.create_refund: stripe.create_refund appears to overlap with a prohibited action; SHIP-SCOPE-PROHIBITED-TOOL-PRESENT on gmail.send_customer_email: gmail.send_customer_email appears to overlap with a prohibited action	—	SHIP-SCOPE-PROHIBITED-TOOL-PRESENT (high); SHIP-SCOPE-PROHIBITED-TOOL-PRESENT (high)
Retry/timeout	not_declared	—	unknown	—	—	—
Baseline debt	informational	—	unknown	—	—	—
Action-surface policy	covered	action_surface_facts.actions	medium	—	—	—

§2 Capability ↔ Intent diff — missing

Declared

Purpose: answer refund policy questions
Purpose: prepare refund requests for human review
Purpose: update support ticket notes
Prohibited: issue refund without approval
Prohibited: cancel order without explicit confirmation
Prohibited: send external email without preview

Observed tools

gmail.send_customer_email
refund_status_lookup
send_email_preview
shopify.cancel_order
stripe.create_refund
support.search_kb
wildcard_mcp_tools.*
zendesk.update_ticket

Divergences

SHIP-SCOPE-PROHIBITED-TOOL-PRESENT: stripe.create_refund appears to overlap with a prohibited action
SHIP-SCOPE-PROHIBITED-TOOL-PRESENT: gmail.send_customer_email appears to overlap with a prohibited action

§3 High-risk tool surface — partial

Total tools: 8 · High-risk: 3

Tool	Source	Risk tags	Approval	Idempotency
`gmail.send_customer_email`	mcp	customer_communication, external_write	no	no
`shopify.cancel_order`	openapi	destructive, write	yes	yes
`stripe.create_refund`	openapi	external_write, financial_action, write	no	no

§3A Tool-surface diff — not declared

Status: disabled — No --diff-from report or v0.3 baseline snapshot was provided.
Base: none

§3B Action-surface diff — not declared

Status: disabled — No action-surface comparison source was provided.
Base: none

§4 Approval policy coverage — partial

Tool	Declared	Source	Gap finding(s)
`shopify.cancel_order`	yes	policies	—
`stripe.create_refund`	no	—	fp_f092940f62fbb012

Gap findings

SHIP-POLICY-APPROVAL-MISSING (critical): stripe.create_refund lacks a declared approval policy

§5 Idempotency / retry risk — partial

Retry policy: not declared

Tool	Declared	Source	Gap finding(s)
`gmail.send_customer_email`	no	—	fp_0f8aaa912d589cf0
`shopify.cancel_order`	yes	policies	—
`stripe.create_refund`	no	—	fp_dac8011e14c53777

Gap findings

SHIP-SIDEFX-IDEMPOTENCY-MISSING (critical): stripe.create_refund lacks idempotency evidence
SHIP-SIDEFX-IDEMPOTENCY-MISSING (high): gmail.send_customer_email lacks idempotency evidence

§6 Scope coverage — missing

Declared scopes

zendesk:tickets:read
zendesk:tickets:write
stripe:*

Scope	Declared	Used by tools
`gmail:send`	no	`gmail.send_customer_email`
`shopify:orders:write`	no	`shopify.cancel_order`
`stripe:*`	yes	—
`stripe:refunds:write`	yes	`stripe.create_refund`
`support:kb:read`	no	`support.search_kb`
`zendesk:tickets:read`	yes	—
`zendesk:tickets:write`	yes	`zendesk.update_ticket`

Unused declared scopes

zendesk:tickets:read

Used by tools but not declared

gmail:send
shopify:orders:write
support:kb:read

Gap findings

SHIP-AUTH-SCOPE-COVERAGE-MISSING (high): shopify.cancel_order requires scopes not declared in the manifest
SHIP-AUTH-SCOPE-COVERAGE-MISSING (high): support.search_kb requires scopes not declared in the manifest
SHIP-AUTH-SCOPE-COVERAGE-MISSING (high): gmail.send_customer_email requires scopes not declared in the manifest
SHIP-MANIFEST-UNUSED-SCOPE (medium): Manifest declares unused permission scope zendesk:tickets:read

§7 Memory isolation — not declared

Manifest does not declare a memory isolation policy. The current manifest schema (v0.1) has no agent.memory field. See §10 for the residual review item.

§8 Human-in-the-loop evidence — covered

Configured: yes
Human review recommended: yes
Provenance mode: fresh_scan
HITL evidence is local review evidence only. Missing local evidence does not prove a runtime control is absent, and present local evidence does not certify runtime enforcement.

Approval-required tools

shopify.cancel_order

Confirmation-required tools

shopify.cancel_order

§9 Required dynamic scenarios — partial

Manual review for SHIP-AUTH-MANIFEST-BROAD-SCOPE — Replace broad manifest permission scopes with the narrowest scopes needed for this release.
Related finding(s): fp_d27325cbdbbf5483
Manual review for SHIP-AUTH-SCOPE-COVERAGE-MISSING — Add the required scopes for shopify.cancel_order to permissions.scopes or narrow the tool's declared auth requirements.
Related finding(s): fp_1f6cfd6b7daa9b7c, fp_83852fbd6b440524, fp_d8e6d1865dae97cc
Manual review for SHIP-INVENTORY-WILDCARD-TOOLS — Replace wildcard tool exposure with an explicit tool allowlist before release review.
Related finding(s): fp_fc02d8ecd30f2578
Manual review for SHIP-MANIFEST-HIGH-RISK-OWNER-MISSING — Declare an owner for each high-risk production tool in risk_overrides.tools.
Related finding(s): fp_fd2577850cef1f87
Manual review for SHIP-MANIFEST-UNUSED-SCOPE — Remove unused manifest scopes or add tool metadata showing why they are required.
Related finding(s): fp_39b9ae878f343d1b
Manual review for SHIP-POLICY-APPROVAL-MISSING — Declare an approval policy for stripe.create_refund or remove this tool from the release.
Related finding(s): fp_f092940f62fbb012
Manual review for SHIP-POLICY-CONFIRMATION-MISSING — Declare a user confirmation policy for stripe.create_refund or remove this action from the release.
Related finding(s): fp_8e08a4fe6b0917f6, fp_a62ca2fd9a68a1d1
Manual review for SHIP-SCHEMA-BROAD-FREE-TEXT — Constrain zendesk.update_ticket.updates with an enum, structured schema, or narrower field-specific parameters.
Related finding(s): fp_acd63b899d49aa1c, fp_ff2f028953d1c220
Manual review for SHIP-SCHEMA-FREEFORM-OUTPUT — Prefer a structured output schema for send_email_preview, especially when output is later passed back into model context.
Related finding(s): fp_85f8513ad72cd9ea
Manual review for SHIP-SCHEMA-MISSING-BOUNDS — Add a maximum bound to stripe.create_refund.amount or document an equivalent limit in the tool policy.
Related finding(s): fp_ab60b01cb53cfcbe
Manual review for SHIP-SCOPE-PROHIBITED-TOOL-PRESENT — Remove stripe.create_refund, narrow its policy, or revise prohibited_actions so the manifest and tool surface do not contradict each other.
Related finding(s): fp_12985c36a06026de, fp_e090c62e390e70ab
Manual review for SHIP-SIDEFX-IDEMPOTENCY-MISSING — Add an idempotency key, idempotent annotation, or declared idempotency policy for stripe.create_refund.
Related finding(s): fp_0f8aaa912d589cf0, fp_dac8011e14c53777
Re-run scan after resolving source warnings — Source loaders emitted warnings; some tool surfaces may have been parsed with reduced confidence.
Verify low-confidence tool extractions — One or more tools were extracted with low confidence; confirm against the upstream source before release.

§10 What this packet did NOT prove

Agents Shipgate is an advisory tool: the deterministic merge gate for AI-generated agent capability changes, run as a local-first, static Tool-Use Readiness review. The packet below is derived from a scan; it does not, by itself, prove the following properties:

Prompt robustness. Whether the agent's prompt holds up under jailbreaks, persona drift, indirect prompt injection, or adversarial inputs.
Runtime behavior. Whether the agent actually invokes only the declared tools, respects approval gates at runtime, or follows policy under load. Static config is not runtime evidence.
Model correctness. Whether the underlying model produces correct outputs, calls the right tools, or stays within the declared scope. The packet does not benchmark the model.
Adversarial resistance. Whether the agent withstands red-team or penetration testing. The packet does not run scenarios; it organizes evidence.

Per-run residuals

Source warnings:
- MCP source declares wildcard tool exposure
Low-confidence tool extractions: none
Suppressed findings in effect: none
Memory isolation is not modeled by the v0.1 manifest schema; no static evidence is available.
6 active finding(s) came from heuristic provenance (keyword_heuristic=6, regex_heuristic=0); review the finding evidence before acting.