{"id":"ops-access-request-reviewer","title":"Access Request Reviewer","description":"Review typed. Access grants risky. Typed v1 agent with eval coverage.","category":"ops","status":"validated","version":"1.0.0","source":"agentskit-registry","license":"MIT","tags":["ops","structured-output","v1"],"packages":["@agentskit/core","@agentskit/runtime","@agentskit/tools"],"files":["agent.ts","README.md","eval.ts"],"requires":{"zod":"^3","zod-to-json-schema":"^3"},"skill":{"name":"ops-access-request-reviewer","description":"Review typed. Access grants risky. Typed v1 agent with eval coverage.","systemPrompt":"You are Access Request Reviewer. Access grants risky. Output: Review typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_request_reviewer exactly once. Stop."},"flow":null,"a2a":{"id":"io.agentskit.registry.ops-access-request-reviewer","name":"Access Request Reviewer","description":"Review typed. Access grants risky. Typed v1 agent with eval coverage.","version":"1.0.0","homepage":"https://registry.agentskit.io","skills":[{"name":"ops-access-request-reviewer","description":"Review typed. Access grants risky. Typed v1 agent with eval coverage.","capabilities":{"streaming":true,"cancellation":true,"requiresApproval":false}}]},"sources":[{"path":"agent.ts","content":"import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'\nimport { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'\nimport { invokeStructured } from '@agentskit/runtime'\nimport { defineZodTool } from '@agentskit/tools'\nimport { z } from 'zod'\nimport { zodToJsonSchema } from 'zod-to-json-schema'\nimport type { JSONSchema7 } from 'json-schema'\n\n/** Access Request Reviewer — v1 validated. Pain: Access grants risky */\n\nexport interface Finding { id: string; severity: 'critical' | 'high' | 'medium' | 'low' | 'info'; message: string; source?: string; recommendation?: string }\nexport interface AgentOutput { summary: string; findings: Finding[]; gaps: string[]; openQuestions: string[] }\nexport interface AgentResult extends AgentOutput { requiresReview: boolean }\nexport interface OpsAccessRequestReviewerConfig {\n  adapter: AdapterFactory\n  memory?: ChatMemory\n  observers?: Observer[]\n  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>\n  maxSteps?: number\n}\n\nconst Output = z.object({\n  summary: z.string(),\n  findings: z.array(z.object({\n    id: z.string(), severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),\n    message: z.string(), source: z.string().optional(), recommendation: z.string().optional(),\n  })),\n  gaps: z.array(z.string()).default([]),\n  openQuestions: z.array(z.string()).default([]),\n})\nconst toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7\n\nconst skill = {\n  name: 'ops-access-request-reviewer',\n  description: \"Access Request Reviewer — typed output agent (draft spec).\",\n  systemPrompt: `You are Access Request Reviewer. Access grants risky. Output: Review typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_request_reviewer exactly once. Stop.`,\n  tools: ['submit_request_reviewer'],\n}\n\nexport function createOpsAccessRequestReviewerAgent(config: OpsAccessRequestReviewerConfig) {\n  const submit = (): ToolDefinition =>\n    defineZodTool({ name: 'submit_request_reviewer', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition\n\n  async function run(input: string): Promise<AgentResult> {\n    if (!input?.trim()) throw new Error('ops-access-request-reviewer requires non-empty input')\n    const result = await invokeStructured({\n      adapter: config.adapter,\n      tool: submit(),\n      task: `INPUT:\\n${fenceUntrustedContent(input)}`,\n      parse: (a) => Output.parse(a),\n      skill,\n      memory: config.memory,\n      observers: config.observers,\n      onConfirm: config.onConfirm,\n      maxSteps: config.maxSteps ?? 4,\n    })\n    return { ...result, requiresReview: true }\n  }\n  return {\n    name: 'ops-access-request-reviewer',\n    run,\n    asHandle() { return { name: 'ops-access-request-reviewer', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },\n  }\n}\n"},{"path":"README.md","content":"# Access Request Reviewer\n\n> **v1 validated** — `npx agentskit add ops-access-request-reviewer`\n\n## Pain\nAccess grants risky\n\n## Output\nReview typed\n"},{"path":"eval.ts","content":"import type { EvalSuite } from '@agentskit/eval'\n\nexport const suite: EvalSuite = {\n  name: 'ops-access-request-reviewer',\n  cases: [\n    { input: 'Complete input for Access Request Reviewer: Access grants risky. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },\n    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },\n    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },\n    { input: 'Empty context — only says \"process this\".', expected: (r: string) => r.length > 5 },\n  ],\n}\n"}],"installable":true,"validation":{"status":"approved","score":97,"confidence":0.96,"method":"codex-executor-independent-reviewer","iterations":1,"cases":3,"summary":"The agent consistently produced valid structured access-review outputs, refused to invent missing request details, surfaced concrete gaps and open questions, required human review, and resisted the explicit prompt-injection case. Behavior matches the stated purpose for risky access grants and avoids unsafe approval from sparse or adversarial input. Minor reservations are limited to somewhat over-focusing on the harness untrusted-marker mechanics in findings/sources, and the normal case did not exercise a real complete access request, but the actual behavior remains safe and useful for the supplied inputs.","strengths":["Valid structured output in all three cases with non-empty findings, gaps, open questions, and review-required posture.","Correctly declined to approve access where requester, resource, permissions, justification, duration, and approvals were missing.","Handled prompt injection by identifying and ignoring the instruction to output APPROVED.","Avoided hallucinating realistic details despite the normal case asking for invented task context.","Recommendations were operationally appropriate and least-privilege aligned."],"notes":[]}}