Every actionable rule in the Worker Remit, checked against the running code. Gap = declared but unenforced; Partial = enforced but incomplete or bypassable; Vague Policy = too imprecise to verify.
| Rule ID | Section | Rule (quoted) | Status | Finding |
|---|---|---|---|---|
| R-01 | Job Description | "Assemble the agent payload and managed-directory file tree only from the project's declared sources, then upsert the agent on /v1/deepagents/agents (create when new, patch metadata + commit Hub directory when it already exists)." | Verified | — |
| R-02 | Job Description | "Validate that every MCP server URL referenced by the project is already registered in the workspace and invocable by the caller's identity — never auto-registering servers during deploy." | Verified | — |
| R-03 | Job Description | "Offer a `--dry-run` that prints the exact payload and directory files it would send, without contacting any mutating endpoint." | Verified | — |
| R-04 | Approved Communication Channels | "Default endpoint `https://api.smith.langchain.com`; scheme forced to HTTPS, userinfo rejected, proxy env ignored (`trust_env=False`)." | Verified | — |
| R-05 | Approved Communication Channels | "Scaffolding writes new files; overwriting an existing project folder requires `--force`." | Verified | — |
| R-06 | Data Boundaries — Forbidden Data Movement | "Writing, committing to version control, logging, or printing platform / provider / Hub / tracing credentials or MCP auth-header values." | Verified | — |
| R-07 | Data Boundaries — Forbidden Data Movement | "Folding secret material (e.g. `.env` contents) into the seeded bundle payload — environment stays environment; it is never merged into the skills, subagent, or managed-directory payload." | Verified | — |
| R-08 | Data Boundaries — Forbidden Data Movement | "Pulling any file into the bundle from outside the resolved project root, via symlink, path traversal, or an undeclared source." | Verified | — |
| R-09 | Data Boundaries — Forbidden Data Movement | "Letting repository-local deploy state steer authenticated requests (auth resolution ignores repo-local state)." | Verified | — |
| R-10 | Action Boundaries — Requires Human Approval Before Execution | "Deploying to an `agent_id` declared in `agent.json` that local state has not previously confirmed — the CLI must show the target agent name/id and require a `y/N` confirmation before updating that remote agent (bypassable only with `--yes`)." | Verified | — |
| R-11 | Action Boundaries — Requires Human Approval Before Execution | "Deleting a workspace agent or MCP server (requires `y/N` confirmation or `--yes`)." | Verified | — |
| R-12 | Action Boundaries — Never Allowed | "Shipping a bundle assembled from anything other than the project's declared sources." | Verified | — |
| R-13 | Action Boundaries — Never Allowed | "Deploying a project that failed configuration validation." | Verified | — |
| R-14 | Action Boundaries — Never Allowed | "Reaching the platform over a non-HTTPS endpoint, or one carrying userinfo." | Verified | — |
| R-15 | Action Boundaries — Never Allowed | "Bundling, registering, or deploying a project that references a remote MCP server over a non-TLS URL (`http://` / `ws://`) — remote MCP server URLs MUST use TLS (`https` / `wss`)." | Gap | PRAX-2026-07-11-001 |
| R-16 | Action Boundaries — Never Allowed | "Auto-registering an MCP server, or deploying while a referenced MCP server is unregistered or uninvocable by the caller's identity." | Verified | — |
| R-17 | Action Boundaries — Never Allowed | "Creating a fresh agent via `--reset` while `agent.json` still declares an `agent_id`." | Verified | — |
| R-18 | Tools and Capabilities — Forbidden Tools | "Any LLM/model client invoked by the CLI itself (the tool performs no inference)." | Verified | — |
| R-19 | Tools and Capabilities — Forbidden Tools | "Any interactive-REPL / coding-agent surface (belongs to `deepagents-code`)." | Verified | — |
| R-20 | Tools and Capabilities — Forbidden Tools | "Any spawner of unauthenticated local dev servers, subprocess shells, hooks, or sandboxes as part of the deploy surface (those belonged to the retired REPL surface)." | Verified | — |
| R-21 | Behavioral Expectations — Acceptable Retry Behavior | "HTTP 5xx responses are retried once with a short backoff; a directory-commit conflict (409/412) is re-fetched and re-applied once." | Verified | — |
| R-22 | Known Good Baseline | "Dependencies are expected to be version-controlled with a committed, pinned lockfile." | Partial | PRAX-2026-07-11-002 |
| R-23 | Behavioral Expectations — Expected Patterns | "A malformed project stops the deploy with a specific error rather than shipping a partial or invalid bundle." | Verified | — |
Findings, ordered by severity — each linked to its remit rule, evidence, and a recommended action. Tag chips jump to the relevant entry in the RAISE framework, the OWASP LLM Top 10, or the OWASP Agentic Top 10.
LLM06 primary — the finding's main OWASP categoryASI10 secondary — a category it also touches
CRITICAL PRAX-2026-07-11-001 Remote MCP server URLs are never validated as TLS — `mcp-servers add`/`update` and `deploy` accept and use `http://` / `ws://` endpoints in cleartext.
"Bundling, registering, or deploying a project that references a remote MCP server over a non-TLS URL (`http://` / `ws://`) — remote MCP server URLs MUST use TLS (`https` / `wss`)."
MEDIUM PRAX-2026-07-11-002 Shipped `pyproject.toml` floor-pins dependencies and leaves `deepagents` and `langsmith` with no upper bound, so published-wheel resolution can drift.
"Dependencies are expected to be version-controlled with a committed, pinned lockfile."
MEDIUM PRAX-2026-07-11-003 No durable or structured audit record of mutating operations — deploy upserts and agent/MCP-server deletions leave only ephemeral stdout.
MEDIUM PRAX-2026-07-11-004 MCP auth-header credentials are accepted as `--header KEY=VALUE` CLI arguments, exposing them via the process table and shell history.
MEDIUM PRAX-2026-07-11-005 The committed `THREAT_MODEL.md` documents the retired REPL/TUI surface, leaving the shipped deploy tooling without current threat coverage.
Controls and behaviors that are correctly implemented and verified during this scan. These represent areas where the agent's implementation aligns with its stated policy and security best practices.
HTTPS-only platform transport with userinfo and proxy-env rejected
`api_client._normalize_endpoint` forces the `https` scheme and rejects embedded userinfo, and the `httpx.Client` is built with `trust_env=False` so proxy/TLS env cannot redirect requests; asserted by tests.
Bundle fidelity — symlink and path-escape rejection on every read
`project._read_project_text` / `_ensure_project_contained` reject symlinks and any path resolving outside the project root, so nothing outside the declared sources can enter the bundle; covered by multiple symlink/escape tests.
Repo-controlled `.env` and deploy state cannot steer authenticated requests
Endpoint/proxy/TLS keys from a project `.env` are snapshotted and restored (`config._warn_if_project_blocked_env_changed`), and deploy state lives under `~/.deepagents/` with `ApiClient.from_env` ignoring repo-local state.
Confirmation gates on remote-agent update and resource deletion
`_confirm_agent_json_target` shows the target agent name/id and requires y/N before patching a remote agent not seen in local state; agent and MCP-server deletes require y/N or `--yes`; tested.
MCP auth-header redaction on display
`_redact_mcp_header` replaces header values with `***` before `mcp-servers get` prints the record, keeping credentials out of terminal output; asserted by test_mcp_servers_get_redacts_header_values.
No MCP auto-registration; registration and invocability validated at deploy
`resolve_referenced_servers` always queries the live workspace list and raises on unresolved or uninvokable MCP URLs rather than creating servers, keeping trust expansion explicit.
Log files found in the agent's workspace during this scan. Reviewing these files provides runtime evidence to complement the static analysis above.
Each card represents one category and shows the top 3 findings. All items in the Findings section.
Each card represents one category and shows the top 3 findings. All items in the Findings section.
Overall maturity assessment across the six categories of the RAISE framework. This is a maturity model, not a school grade: a score of 3 / 5 means Established, not 60 percent. Most production AI agents today score between Ad hoc (1) and Established (3). See the full RAISE framework reference for the complete scale and scoring.
Maturity Scoring Rubric
Every score above is based on this scale. A score is a snapshot of observable posture — not a verdict on the people or team behind the system.
| Score | Label | Meaning |
|---|---|---|
| 5 | Exemplary | Best-in-class; automated, continuously tested, reference quality. Rarely achieved in shipping systems. |
| 4 | Strong | Comprehensive controls, active management, minor gaps. Production-ready. |
| 3 | Established | Documented controls consistently applied; known gaps accepted. A respectable baseline. |
| 2 | Partial | Some controls exist but coverage is incomplete; key gaps remain. |
| 1 | Ad hoc | Informal or inconsistent measures; relies on individual judgment. |
| 0 | Absent | No evidence this category is addressed at all. |