Agent stack integrations
Pair Critique’s merge gate with RWX, Swytchcode, and Identity Machines — upstream signals, cookbooks, and where each layer sits in the agent loop.
Critique is the merge boundary for code changes. RWX, Swytchcode, and Identity Machines (Iron Book) solve adjacent problems — build validation, API execution, and runtime agent IAM. v6.1.1 adds upstreamSignals on POST /api/v1/reviews so orchestrators attach their outcomes to the same Change Passport and webhook payloads Critique already emits.
Product cookbooks: /merge-gate-api#cookbooks. Merge gate reference: Merge Gate API. Long-form product update: Critique v6.1.1: Agent Stack Integrations.
Where each product sits
```mermaid
flowchart LR
  IM[Iron Book — agent identity]
  RWX[RWX — CI / build]
  W[Writer agent]
  GH[GitHub PR]
  CR[Critique — merge gate]
  SC[Swytchcode — API exec]
  IM --> W
  W --> RWX
  W --> GH
  RWX --> GH
  GH --> CR
  CR -->|PASS| SC
```

| Partner | Layer | Question they answer | Critique does not replace |
|---|---|---|---|
| RWX | Build / CI | Does it compile and pass tests? | Per-task caching, sandboxes, OCI images |
| Swytchcode | Integration execute | Did the API call succeed safely? | 2000+ manifests, swytchcode exec kernel |
| Identity Machines | Agent IAM | Is this agent allowed to act now? | CapBAC, Iron Book trust registry, Entra mapping |
One line: RWX proves the build. Swytchcode proves the integration call. Iron Book proves the agent identity. Critique proves the change may merge.
Upstream signals (v6.1.1)
Pass upstreamSignals (max 8) when queueing a review — REST or MCP queue_review. Critique stores them on the review run, echoes them on GET /api/v1/review-runs/:id, includes them on lifecycle and per-run webhooks, and copies them into passport snapshot provenance for compliance export.
Signal shape
| Field | Required | Notes |
|---|---|---|
| provider | Yes | rwx · swytchcode · identity_machines · custom |
| kind | Yes | Short type, e.g. ci_run, tool_policy, agent_identity |
| status | No | pass · warn · fail · unknown |
| label | No | Human-readable summary |
| externalId | No | Partner run id, canonical tool id, agent DID, etc. |
| url | No | Link to partner dashboard / run page |
| recordedAt | No | ISO-8601; Critique sets now if omitted |
| metadata | No | Opaque JSON (trust score, policy id, …) |
Example — RWX then gate
```bash
curl https://critique.sh/api/v1/reviews \
  -H "Authorization: Bearer crt_..." \
  -H "Content-Type: application/json" \
  -d '{
    "repositoryFullName": "acme/web",
    "pullRequestNumber": 42,
    "headSha": "abc123def4567890abcdef1234567890abcdef12",
    "upstreamSignals": [
      {
        "provider": "rwx",
        "kind": "ci_run",
        "status": "pass",
        "url": "https://cloud.rwx.com/mint/acme/runs/RUN_ID"
      }
    ]
  }'
```

Example — Iron Book provenance
```json
{
  "provider": "identity_machines",
  "kind": "agent_identity",
  "status": "pass",
  "externalId": "did:ironbook:finance-agent.v1",
  "metadata": { "trustScore": 0.92, "capbacPolicy": "finance-write" }
}
```

Critique does not call partner APIs to verify signals in v6.1.1 — your orchestrator attests what already passed upstream. Future releases may add optional webhook verification hooks; the field shape is stable for passport export today.
Recommended loops
RWX + Critique (most teams)
- Agent iterates with `rwx run` until green (inner + outer loop on RWX).
- Writer opens or updates the PR on GitHub.
- Orchestrator `POST /api/v1/reviews` with `upstreamSignals` pointing at the RWX run.
- On FAIL/WARN, fix agent pushes; re-queue on new `headSha`.
- On PASS, your merge policy merges.
Swytchcode + Critique (integration-heavy agents)
Use Swytchcode for prod API calls; use Critique for repo changes. Same agent stack, two trust boundaries. Record successful swytchcode exec paths in upstreamSignals when the PR ships integration code.
Iron Book + Critique (enterprise)
Iron Book registers the agent and enforces CapBAC at runtime. Critique records what code that agent tried to merge with evidence runs and signed passport export. Attach agent DID / trust metadata via upstreamSignals so GRC sees both runtime IAM and SDLC judgment in one bundle.
Full stack
Iron Book → RWX → Critique gate → merge → Swytchcode for post-merge side effects. See cookbook Full stack on /merge-gate-api.
What Critique still owns alone
- PASS / WARN / FAIL with structured `findings[]`
- Checkpoint before expensive review
- Merge policy check separate from CI green
- Remedy proof on the passport
- Compliance export via `GET /api/v1/passports/:id/export`
Partners do not replace review depth, merge policy, or passport history — they feed the passport.
FAQ
Do I need a partnership to use upstreamSignals?
No. Pass JSON your orchestrator already has. Provider enums name common stacks; use custom for anything else.
Will Critique block merge if RWX failed but I omit the signal?
Not automatically in v6.1.1. Upstream signals are used only for audit and display on the passport unless you enforce them in your orchestrator (only queue Critique when RWX passed). Merge policy inside Critique still evaluates review findings and configured rules.
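One way to do that enforcement in the orchestrator, as an added example (not Critique's own code): it checks each signal against the Signal shape table and refuses to build the POST /api/v1/reviews body unless the required upstream signal passed. The function names and the `required` policy are assumptions of this example.

```python
from datetime import datetime

# Values taken from the "Signal shape" table on this page.
PROVIDERS = {"rwx", "swytchcode", "identity_machines", "custom"}
STATUSES = {"pass", "warn", "fail", "unknown"}
MAX_SIGNALS = 8


def validate_signal(sig):
    """Return a list of problems with one upstream signal (empty list = valid)."""
    errs = []
    if sig.get("provider") not in PROVIDERS:
        errs.append("provider missing or not a documented value")
    if not isinstance(sig.get("kind"), str) or not sig.get("kind"):
        errs.append("kind is required")
    if "status" in sig and sig["status"] not in STATUSES:
        errs.append("status not a documented value")
    if "recordedAt" in sig:
        try:  # accepts the common ISO-8601 forms, including a trailing "Z"
            datetime.fromisoformat(str(sig["recordedAt"]).replace("Z", "+00:00"))
        except ValueError:
            errs.append("recordedAt is not ISO-8601")
    return errs


def build_review_request(repo, pr_number, head_sha, signals,
                         required=(("rwx", "ci_run"),)):
    """Build the review request body, or raise ValueError when the local
    policy fails. `required` (hypothetical) lists provider/kind pairs that
    must be present with status "pass" before a review is queued."""
    if len(signals) > MAX_SIGNALS:
        raise ValueError(f"at most {MAX_SIGNALS} upstream signals allowed")
    for i, sig in enumerate(signals):
        errs = validate_signal(sig)
        if errs:
            raise ValueError(f"signal {i}: " + "; ".join(errs))
    for provider, kind in required:
        hits = [s for s in signals
                if s["provider"] == provider and s["kind"] == kind]
        # An omitted signal or omitted status counts as "not passed":
        # Critique v6.1.1 will not infer or verify it for you.
        if not hits or any(s.get("status") != "pass" for s in hits):
            raise ValueError(f"refusing to queue: {provider}/{kind} has not passed")
    return {"repositoryFullName": repo, "pullRequestNumber": pr_number,
            "headSha": head_sha, "upstreamSignals": list(signals)}
```

Send the returned dict as the JSON body of the request shown under "Example — RWX then gate"; a `ValueError` means the review should not be queued.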
MCP support?
Yes — queue_review accepts the same upstreamSignals array as REST.