# Sample Agent Readiness Report

This is a sanitized sample. It uses fictional data and does not contain customer source code, credentials, compact license JWS values, backup keys, proxy secrets, private signing material, or SIEM bearer tokens.

## Summary

| Field | Example |
| --- | --- |
| Assessment run | `run_sample_20260612_001` |
| Agent | `Repository Maintenance Agent` |
| Passport class | `coding` |
| Requested authority | Pull request triage, dependency update proposal, test execution |
| Decision | `limited-go` |
| Human intervention required | `false` |
| Evidence packet hash | `sha256:sample-evidence-packet-hash` |
| Trust Passport | issued with limited authority |

## Decision

The agent can proceed only under a limited authority boundary. The evidence supports read access to the target repository, pull request comment creation, and CI test execution. The evidence does not support direct protected-branch writes, secret access, production deployment, or unrestricted workflow dispatch.

## Evidence Reviewed

- Repository metadata and protected-path configuration.
- Declared agent runtime and requested permissions.
- Test command output with sanitized logs.
- Findings related to protected paths, secret-surface exposure, and workflow authority.
- Customer-owned enforcement mapping for IAM, CI, OPA, SIEM, reverse proxy, and runtime gateway.

## Recommended Permissions

- Read repository contents.
- Read pull requests and issues.
- Create pull request comments.
- Open pull requests from a controlled branch.
- Trigger approved CI test workflows.

## Recommended Restrictions

- No direct push to protected branches.
- No production deployment authority.
- No access to secrets or deployment credentials, read or write, and no write access to environment variables.
- No workflow dispatch outside the allow-listed CI test workflow.
- Human approval required for changes touching protected paths.

## Findings

| Severity | Finding | Recommendation |
| --- | --- | --- |
| Medium | Requested workflow authority is broader than assessment evidence supports. | Limit workflow dispatch to test-only workflows. |
| Medium | Protected-path changes require stronger review. | Require human approval for `infra/`, `.github/workflows/`, and deployment paths. |
| Low | Test evidence is present but coverage depth is limited. | Reassess after adding coverage for migration and rollback paths. |

## Customer Enforcement

The customer should map the recommendation into IAM roles, branch protection rules, CI policy, OPA checks, SIEM alerts, reverse-proxy authentication, and runtime gateway restrictions. Nexmoot issues the recommendation and the Trust Passport; it does not enforce access in the customer's systems.
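One way to express the limited-go boundary above (the recommended permissions, the restrictions, and the protected paths from the findings table) as a deny-by-default check that an OPA policy or a runtime gateway could mirror. This is an added example, not Nexmoot's code or output. The workflow name `ci-tests.yml`, the branch patterns `agent/*`, `main` and `release/*`, and the `deploy/` prefix are assumptions; the report itself names only `infra/`, `.github/workflows/`, and an allow-listed CI test workflow.

```python
"""Deny-by-default gate for the limited-go boundary in this sample report.

Added example, not Nexmoot code. Anything not in ALLOWED_ACTIONS is denied,
so secret reads, production deploys and arbitrary workflow dispatch fall
through to "deny" without needing their own rule.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Actions the evidence supports (Recommended Permissions). Everything else is denied.
ALLOWED_ACTIONS = {"read_repo", "read_pr", "comment_pr", "push", "open_pr", "workflow_dispatch"}

# Assumed names: the report does not specify a workflow file or branch layout.
ALLOWED_WORKFLOWS = {"ci-tests.yml"}            # the single allow-listed test workflow
CONTROLLED_BRANCH_GLOB = "agent/*"              # branch namespace the agent may push to
PROTECTED_BRANCH_GLOBS = ("main", "release/*")  # branches the agent may never push to
# "infra/" and ".github/workflows/" come from the findings; "deploy/" is assumed
# to stand for the "deployment paths" the finding mentions.
PROTECTED_PATH_PREFIXES = ("infra/", ".github/workflows/", "deploy/")


@dataclass(frozen=True)
class Request:
    action: str
    branch: str = ""
    paths: tuple = ()
    workflow: str = ""
    human_approved: bool = False   # set by the human reviewer, never by the agent


def protected_paths_touched(paths):
    """Return the subset of paths that sit under a protected prefix."""
    return tuple(p for p in paths if p.startswith(PROTECTED_PATH_PREFIXES))


def evaluate(req):
    """Return (decision, reason); decision is allow, deny or require_human_approval."""
    if req.action not in ALLOWED_ACTIONS:
        return "deny", f"{req.action} is outside the limited-go boundary"

    if req.action == "push":
        if any(fnmatch(req.branch, g) for g in PROTECTED_BRANCH_GLOBS):
            return "deny", f"direct push to protected branch {req.branch}"
        if not fnmatch(req.branch, CONTROLLED_BRANCH_GLOB):
            return "deny", f"{req.branch} is not the agent's controlled branch"

    if req.action == "workflow_dispatch" and req.workflow not in ALLOWED_WORKFLOWS:
        return "deny", f"workflow {req.workflow} is not allow-listed"

    if req.action == "open_pr":
        hits = protected_paths_touched(req.paths)
        if hits and not req.human_approved:
            return "require_human_approval", "touches protected paths: " + ", ".join(hits)

    return "allow", "within limited-go boundary"


# Constructed sample requests covering each rule; not from a real assessment run.
SAMPLE_REQUESTS = (
    Request("read_repo"),
    Request("push", branch="main"),
    Request("push", branch="agent/dependency-bump"),
    Request("workflow_dispatch", workflow="deploy-prod.yml"),
    Request("workflow_dispatch", workflow="ci-tests.yml"),
    Request("open_pr", paths=("src/app.py", "infra/main.tf")),
    Request("open_pr", paths=("src/app.py", "infra/main.tf"), human_approved=True),
    Request("deploy"),
    Request("read_secret"),
)


def run_samples():
    """Evaluate the constructed requests; returns a list of (action, decision)."""
    return [(r.action, evaluate(r)[0]) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (action, decision) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{decision:24} {action:18} {evaluate(req)[1]}")
```

The order of checks matters: the action allow-list runs first so that unknown or out-of-scope actions never reach a rule that might accidentally permit them, and `human_approved` only converts a protected-path hit from `require_human_approval` to `allow`; it never overrides a `deny`.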

## Non-Claims

This sample does not claim unrestricted safety, vulnerability-free code, external audit certification, or production readiness without restrictions.
