
AI Agent Reviews

Stout supports automated, AI-powered package reviews. Review agents evaluate packages on security, code quality, and compliance — then return structured scores and findings. Use built-in agents, subscribe to community agents, or publish your own.

How It Works

  • Trigger — When a package is published, proxied, or manually reviewed, Stout checks your review policy.
  • Invoke — Each configured review agent runs in a sandbox with the package metadata, artifacts, and existing scan results.
  • Score — The agent returns scores (0–5) for security, quality, and compliance, plus a list of findings.
  • Gate — If the agent is configured as a gate, packages below your thresholds are blocked. Advisory agents report without blocking.

Built-in Review Agents

Stout ships with three review agents you can enable immediately:

| Agent | Focus | Description |
|---|---|---|
| @stout/security-reviewer | Security | Vulnerability patterns, supply chain risks, malicious code, credential leaks |
| @stout/quality-reviewer | Quality | Code quality, test coverage estimation, documentation assessment, API design |
| @stout/compliance-reviewer | Compliance | License compatibility, dependency health, organizational standards |

Configure a Review Policy

Define which review agents run, when they trigger, and whether they act as gates. Create a review-policy.yaml for your namespace:

# review-policy.yaml
review_agents:
  # Built-in security reviewer
  - agent: "@stout/security-reviewer"
    version: "latest"
    trigger: [publish, proxy]
    mode: gate
    threshold:
      overall: 3.0
      security: 3.5
    cache: global

  # Subscribe to a community agent
  - agent: "@acme-security/deep-scan"
    version: "^2.0"
    trigger: [publish]
    mode: advisory
    cache: global

  # Bring your own agent
  - agent: "~myorg/custom-compliance"
    version: "1.0.0"
    trigger: [publish, proxy, manual]
    mode: gate
    threshold:
      compliance: 4.0
    cache: per-run
    config:
      required_licenses: [MIT, Apache-2.0, BSD-3-Clause]
      max_dependency_age_days: 365

Policy Options

| Field | Values | Description |
|---|---|---|
| trigger | publish, proxy, manual | When to run the review (any combination) |
| mode | gate, advisory | Block packages below threshold, or report only |
| threshold | overall, security, quality, compliance | Minimum score (0–5) to pass the gate |
| cache | global, per-run | Reuse cached results or re-run for every subscriber |
| config | Key-value pairs | Custom configuration passed to the agent |
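The following is an added example, not Stout's own code, showing how the gate and advisory semantics described above (in How It Works and in the Policy Options table) play out when a policy entry is applied to an agent's review response. The policy entry and the review response are constructed inputs in the shapes this guide shows; the function names are hypothetical. Stout's exact evaluation order and its handling of a score the agent omitted are not documented, so this example treats a missing score as 0.0, which is the conservative assumption.

```python
"""Evaluate a review-policy entry against an agent's review response.

Added example, not Stout's own code. It mirrors the guide's semantics:
a gate agent blocks when any configured threshold is not met, an
advisory agent only reports, and an agent runs only for the trigger
events it is configured with. Inputs below are constructed.
"""

# Score dimensions a threshold may reference (from the Policy Options table)
SCORE_KEYS = ("overall", "security", "quality", "compliance")

# Constructed policy entry: the built-in security reviewer acting as a gate
POLICY_ENTRY = {
    "agent": "@stout/security-reviewer",
    "trigger": ["publish", "proxy"],
    "mode": "gate",
    "threshold": {"overall": 3.0, "security": 3.5},
}

# Constructed review response in the shape of the guide's example
REVIEW = {
    "verdict": "pass",
    "scores": {"security": 3.2, "quality": 3.8, "compliance": 4.5, "overall": 3.6},
    "findings": [
        {
            "severity": "medium",
            "category": "security",
            "title": "Prototype pollution risk in merge utility",
            "file": "lib/utils/merge.js",
            "line": 42,
        },
    ],
    "summary": "No critical issues found.",
}


def failed_thresholds(entry: dict, review: dict) -> dict:
    """Return {dimension: (score, minimum)} for every threshold the review misses.

    A score the agent did not report is treated as 0.0 (assumption), so an
    agent cannot pass a gate on a dimension simply by omitting it.
    """
    thresholds = entry.get("threshold", {})
    scores = review.get("scores", {})
    failed = {}
    for key, minimum in thresholds.items():
        if key not in SCORE_KEYS:
            raise ValueError(f"unknown threshold dimension: {key}")
        score = float(scores.get(key, 0.0))
        if score < float(minimum):
            failed[key] = (score, float(minimum))
    return failed


def evaluate(entry: dict, review: dict, event: str) -> dict:
    """Decide what a policy entry does with a review for one trigger event.

    Returns:
      ran      - whether the agent is configured to run for this event
      blocked  - True only for a gate agent with at least one failed threshold
      failed   - the failed thresholds (reported for advisory agents as well)
    """
    if event not in entry.get("trigger", []):
        return {"ran": False, "blocked": False, "failed": {}}
    failed = failed_thresholds(entry, review)
    blocked = entry.get("mode") == "gate" and bool(failed)
    return {"ran": True, "blocked": blocked, "failed": failed}


if __name__ == "__main__":
    for event in ("publish", "manual"):
        print(event, evaluate(POLICY_ENTRY, REVIEW, event))
```

With the constructed inputs, a `publish` event is blocked because the security score (3.2) is below the 3.5 threshold even though `overall` passes; a `manual` event does not run the agent at all, since it is not in the entry's `trigger` list; and switching `mode` to `advisory` reports the same failed threshold without blocking.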

Subscribe to a Review Agent

Subscribe to another user's published review agent to apply their analysis to packages in your namespace:

curl -X POST https://registry.stout.io/api/v1/review-agents/@acme-security/deep-scan/subscribe \
  -H "Authorization: Bearer $STOUT_TOKEN"

When cache: global is set, you share the agent's cached results — the review runs once and every subscriber sees the same scores. Use cache: per-run to re-run with your own config overrides.

Bring Your Own Agent

Publish a custom review agent (kind: review-agent) with your own model, prompts, and logic. Review agents receive a structured request via stdin and return a structured response via stdout.

Example response format:

# Example review response
verdict: pass
scores:
  security: 4.2
  quality: 3.8
  compliance: 4.5
  overall: 4.2
findings:
  - severity: medium
    category: security
    title: "Prototype pollution risk in merge utility"
    file: lib/utils/merge.js
    line: 42
summary: "No critical issues found."

Review agents run sandboxed with the same permission tiers as all Stout agents. A network tier agent can fetch additional context from external APIs during review.
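The following is an added example, not Stout's own code, of a minimal bring-your-own review agent in the stdin/stdout shape described above. The guide does not document the request schema, so the request shape used here (a `package` object, a `dependencies` list, and the `config` block passed through from the policy) is an assumption; the config keys `required_licenses` and `max_dependency_age_days` are the ones from the review-policy.yaml above. The agent only assesses compliance, so it reports `compliance` and `overall` scores and leaves the other dimensions unset. The response is written as JSON, which is valid YAML and matches the field names in the example response; whether Stout accepts JSON there is also an assumption.

```python
"""Minimal bring-your-own review agent: structured request in, structured response out.

Added example, not Stout's own code. Reads a request from stdin, applies
two compliance checks (license allow-list and dependency age) using the
config keys shown in the guide's review-policy.yaml, and writes a response
in the guide's response format to stdout. The request schema is assumed.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed request, used when the script is run with no stdin input
SAMPLE_REQUEST = {
    "package": {"name": "example-pkg", "version": "1.2.3", "license": "GPL-3.0"},
    "dependencies": [
        {"name": "dep-fresh", "version": "2.0.0", "published_at": "2025-01-10T00:00:00Z"},
        {"name": "dep-stale", "version": "0.1.0", "published_at": "2019-06-01T00:00:00Z"},
    ],
    "config": {
        "required_licenses": ["MIT", "Apache-2.0", "BSD-3-Clause"],
        "max_dependency_age_days": 365,
    },
}

# Fixed clock so the example is deterministic; a real agent would use datetime.now(timezone.utc)
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def review(request: dict, now: datetime = NOW) -> dict:
    """Produce a review response for one request (assumed schema, see module docstring)."""
    cfg = request.get("config", {})
    allowed = set(cfg.get("required_licenses", []))
    max_age = int(cfg.get("max_dependency_age_days", 365))
    pkg = request["package"]
    findings = []
    penalty = 0.0

    # Check 1: the package license must be in the policy's allow-list
    license_id = pkg.get("license")
    if allowed and license_id not in allowed:
        findings.append({
            "severity": "high",
            "category": "compliance",
            "title": f"License {license_id!r} is not in the allowed set",
            "file": "package.json",  # assumed location of the license field
        })
        penalty += 2.0

    # Check 2: every dependency must have been published within max_dependency_age_days
    for dep in request.get("dependencies", []):
        published = datetime.fromisoformat(dep["published_at"].replace("Z", "+00:00"))
        age_days = (now - published).days
        if age_days > max_age:
            findings.append({
                "severity": "medium",
                "category": "compliance",
                "title": f"Dependency {dep['name']}@{dep['version']} last published {age_days} days ago",
            })
            penalty += 0.5

    # Scores are on the guide's 0-5 scale; penalties are this example's own weighting
    compliance = max(0.0, round(5.0 - penalty, 1))
    verdict = "fail" if any(f["severity"] == "high" for f in findings) else "pass"
    return {
        "verdict": verdict,
        "scores": {"compliance": compliance, "overall": compliance},
        "findings": findings,
        "summary": f"{len(findings)} compliance finding(s) from license and dependency-age checks.",
    }


def main() -> None:
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    request = json.loads(raw) if raw.strip() else SAMPLE_REQUEST
    json.dump(review(request), sys.stdout, indent=2)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main()
```

Run it as `python agent.py < request.json`, or with no input to see the response for the constructed request: the GPL-3.0 license produces a high-severity finding and a `fail` verdict, and the dependency last published in 2019 adds a medium finding, so `compliance` comes out at 2.5. Because the agent is sandboxed and, unless given the network tier, cannot fetch anything, every fact it needs (license, dependency publish dates) has to arrive in the request.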

Trigger a Manual Review

curl -X POST https://registry.stout.io/api/v1/packages/express/4.21.0/agent-reviews \
  -H "Authorization: Bearer $STOUT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"agent": "@stout/security-reviewer"}'

View Review Results

curl https://registry.stout.io/api/v1/packages/express/4.21.0/agent-reviews \
  -H "Authorization: Bearer $STOUT_TOKEN"

API Endpoints

| Method | Path | Description |
|---|---|---|
| GET | /api/v1/packages/:name/:version/agent-reviews | List reviews for a package version |
| POST | /api/v1/packages/:name/:version/agent-reviews | Trigger a manual review |
| GET | /api/v1/agent-reviews/:id | Get review with full findings |
| GET | /api/v1/review-agents | List available review agents |
| POST | /api/v1/review-policies | Create or update review policy |
| POST | /api/v1/review-agents/:name/subscribe | Subscribe to a review agent |
| DELETE | /api/v1/review-agents/:name/subscribe | Unsubscribe |