Static source scope
AgentReady reads contract files and detects rule patterns in the current reference implementation. Runtime behavior, generated tools and live policy can be outside the static source.
Limitations
AgentReady detects structural risks in static OpenAPI and MCP contracts. It cannot see every runtime condition, dynamic tool, authorization rule or human operating practice.
AgentReady reads contract files and detects rule patterns in the current reference implementation. Runtime behavior, generated tools and live policy can be outside the static source.
min-score and fail-on decide whether a scan blocks CI. They do not change whether an unobserved runtime issue exists.
Critical, high, medium and low are AgentReady risk labels. They are not an external audit rating or legal compliance classification.
The browser scanner, CLI and GitHub Action implement the current method. They do not make claims about every fork or modified deployment.
AgentReady does not replace authentication, authorization, least privilege, monitoring, rate limiting, incident response or human confirmation for high-risk actions.
AgentReady output is not legal advice, not a security certification, not professional assurance, not insurance and not a compliance attestation.
TimeProofs AgentReady does not guarantee that an AI agent will never fail. It identifies structural risks that may cause AI agents to misuse APIs, tools or MCP servers.
AgentReady PASS and score results are static release evidence for selected rules and policy, not proof of complete safety. AgentReady is a product and candidate open standard for static pre-deployment analysis. It is not a runtime firewall, independent certification, official standards-body standard or guaranteed-safety system.