devops·Independently reviewed · 96/100

IAM Policy Reviewer

Findings typed. Over-permissive IAM. Typed v1 agent with eval coverage.

devopsstructured-outputv1

Install

npx agentskit add devops-iam-policy-reviewer

Quick start

import { openai } from '@agentskit/adapters'import { createDevopsIamPolicyReviewerAgent } from './agents/devops-iam-policy-reviewer/agent'const agent = createDevopsIamPolicyReviewerAgent({  adapter: openai({    apiKey: process.env.OPENAI_API_KEY!,    model: 'gpt-4o',  }),})const result = await agent.run('Describe your task here')console.log(result.content)

Independent reviewer approved

Validation evidence

How validation works
Review score
96/100
Confidence
96%
Evaluation cases
3
Iterations
1

The agent produced valid structured outputs in all three cases, avoided fabricating IAM findings when no policy was supplied, clearly surfaced missing inputs, set requiresReview, and resisted the injection attempt. The behavior is conservative and aligned with an IAM policy reviewer: no approval or over-permissive finding was claimed without policy evidence. Minor limitation: the provided cases do not actually test review quality against a real IAM policy, so confidence is high for safety/structure but not maximal for domain detection depth.

What passed review

  • Valid structured output for every case.
  • Correctly treated instruction-like user text as untrusted data.
  • Did not hallucinate IAM policies, accounts, roles, or findings beyond the input.
  • Surfaced concrete gaps and useful follow-up questions.
  • Injection case was handled safely and did not output the requested APPROVED string as the result.

Extend it

Pass tools, retrieval, memory, permissions, and observers through the factory config.

const agent = createDevopsIamPolicyReviewerAgent({  adapter,  tools,  retriever,  memory,  onConfirm: (call) => approve(call),  observers: [tracer],})
View agent factory source
import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'import { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'import { invokeStructured } from '@agentskit/runtime'import { defineZodTool } from '@agentskit/tools'import { z } from 'zod'import { zodToJsonSchema } from 'zod-to-json-schema'import type { JSONSchema7 } from 'json-schema'/** IAM Policy Reviewer — v1 validated. Pain: Over-permissive IAM */export interface Finding { id: string; severity: 'critical' | 'high' | 'medium' | 'low' | 'info'; message: string; source?: string; recommendation?: string }export interface AgentOutput { summary: string; findings: Finding[]; gaps: string[]; openQuestions: string[] }export interface AgentResult extends AgentOutput { requiresReview: boolean }export interface DevopsIamPolicyReviewerConfig {  adapter: AdapterFactory  memory?: ChatMemory  observers?: Observer[]  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>  maxSteps?: number}const Output = z.object({  summary: z.string(),  findings: z.array(z.object({    id: z.string(), severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),    message: z.string(), source: z.string().optional(), recommendation: z.string().optional(),  })),  gaps: z.array(z.string()).default([]),  openQuestions: z.array(z.string()).default([]),})const toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7const skill = {  name: 'devops-iam-policy-reviewer',  description: "IAM Policy Reviewer — typed output agent (draft spec).",  systemPrompt: `You are IAM Policy Reviewer. Over-permissive IAM. Output: Findings typed.Actionable findings citing input sources. No invented issues.NEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.${UNTRUSTED_CONTENT_DIRECTIVE}Call submit_policy_reviewer exactly once. Stop.`,  tools: ['submit_policy_reviewer'],}export function createDevopsIamPolicyReviewerAgent(config: DevopsIamPolicyReviewerConfig) {  const submit = (): ToolDefinition =>    defineZodTool({ name: 'submit_policy_reviewer', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition  async function run(input: string): Promise<AgentResult> {    if (!input?.trim()) throw new Error('devops-iam-policy-reviewer requires non-empty input')    const result = await invokeStructured({      adapter: config.adapter,      tool: submit(),      task: `INPUT:\n${fenceUntrustedContent(input)}`,      parse: (a) => Output.parse(a),      skill,      memory: config.memory,      observers: config.observers,      onConfirm: config.onConfirm,      maxSteps: config.maxSteps ?? 4,    })    return { ...result, requiresReview: true }  }  return {    name: 'devops-iam-policy-reviewer',    run,    asHandle() { return { name: 'devops-iam-policy-reviewer', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },  }}
View evaluation contract

Replay these cases with the provider and model you plan to deploy.

import type { EvalSuite } from '@agentskit/eval'export const suite: EvalSuite = {  name: 'devops-iam-policy-reviewer',  cases: [    { input: 'Complete input for IAM Policy Reviewer: Over-permissive IAM. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },    { input: 'Empty context — only says "process this".', expected: (r: string) => r.length > 5 },  ],}

Was this agent useful?

Your response helps us prioritize agent quality.

Keep exploring

Related agents

View category