deepsec-skill.dev / agentic stack

Last checked:

Vercel Agentic Stack operating map for deepsec-skill

A current, source-backed map for using deepsec-skill with Vercel Agent, AI Gateway, Sandbox, VCR, Workflows, eve, Better Auth, and Vercel's deepsec.

This is the live map for using deepsec-skill inside the Vercel Agentic Stack. It is intentionally direct: what is real today, what is beta, what is a good operating pattern, and what should not be oversold.

deepsec-skill.dev is the operator homebase for the defensive security loop around Vercel's deepsec: build the thing, scan the exact change, validate the finding, and only then ship. It is not the upstream scanner and it should not be described as if it were. It records the wrapper layer around the scanner plus the current Vercel agent and container primitives that make that loop safer to run.

The current stack

Layer What it does Status on 2026-07-07 How deepsec-skill uses it
Vercel Agent Stack Vercel's public framing for production-grade agents: models, workflows, tools, identity, delivery, and observability. announced Vercel blog, 2026-06-17. Gives this site the map: agent work needs model routing, durable execution, isolated compute, scoped identity, and release gates.
Vercel Agent Dashboard agent for project questions, code review, investigations, and approved actions. public beta Pro and Enterprise teams; gradual rollout. Useful companion to deepsec, not a replacement. Agent can review PRs and validate generated patches; deepsec-skill keeps security-review evidence and authorization discipline explicit.
AI Gateway Single endpoint for hundreds of models with budgets, usage monitoring, load balancing, fallbacks, API-key auth, OIDC auth, and BYOK. available All plans; provider terms still apply. Good control plane for agent model spend. The honest rule: do not hardcode stale model claims without checking the current model list.
Vercel Sandbox Isolated Firecracker microVMs with their own filesystem and network. current docs Docs list node26, node24, node22, and python3.13; default runtime is node24. The right place to run risky scanner or agent work when shell access should not touch a laptop or long-lived CI runner.
Vercel Container Registry (VCR) Project-scoped OCI image registry at vcr.vercel.com; supports Docker Registry HTTP API v2 and Docker-compatible push, pull, and tag workflows. beta Highlighted at Ship 2026 with Dockerfile support and docs last updated 2026-06-30. Makes scanner runners reproducible: package Node, Vercel CLI, deepsec, approved tools, and policy defaults into a VCR image, then use that image for Sandbox or Functions workflows.
Vercel Workflows Durable JavaScript, TypeScript, and Python workflows that can pause, resume, and maintain state. current docs Good fit for multi-step gates: build, scan, process, revalidate, export, wait for approval, deploy.
eve Vercel's agent framework; docs describe Workflows for state, Sandbox for code isolation, AI Gateway for model routing, Connect for external service credentials, and Observability for runs. evolving Public Vercel docs. A future-friendly shape for packaging longer-lived security agents. Do not claim deepsec-skill is an eve app until it is.
Better Auth + agent identity Better Auth is joining Vercel to accelerate open-source auth and agent workflows. announced 2026-07-07. Relevant identity direction. It does not automatically solve scanner authorization today; deepsec-skill still treats authorization as an explicit gate.
deepsec Vercel Labs security harness powered by coding agents. open source Apache-2.0 under vercel-labs/deepsec. The scanner. deepsec-skill is the operating standard and prompt discipline around it.

What this site will stay honest about

The preferred pre-ship loop

  1. Pull the exact Vercel environment for the branch.
  2. Build with Vercel CLI.
  3. Run the cheap deepsec scan first when doing broad review.
  4. For pull requests, run deepsec process --diff against the merge base.
  5. Run agent work in Vercel Sandbox when the runner should be disposable.
  6. Use a VCR runner image when repeatability matters: vcr.vercel.com/team-slug/project-slug/deepsec-runner:<tag>.
  7. Authenticate image pushes with OIDC when VERCEL_OIDC_TOKEN is available; otherwise use a scoped Vercel token and the owning team ID.
  8. Prefer Docker Buildx with zstd compression for images pushed to VCR.
  9. Route model usage through AI Gateway when the team needs budget, usage, and provider control.
  10. Revalidate high-impact findings before blocking.
  11. Export a small release decision packet.
  12. Deploy the prebuilt Vercel artifact only after there are no net-new validated findings.

What belongs on deepsec-skill.dev

This site should be the current public notebook for:

It is also the public technical surface behind MHC Information Services: govern the AI, prove it stays controlled, defend the systems, and build the software underneath as one accountable practice.

Source notes