
Agent Safety Harness


An AI coding agent operates inside a secure-by-default shell harness that constrains what commands it can run, redirects destructive operations to a recoverable location, and refuses attempts to slip past those constraints. This chapter defines that safety posture together with the supply-chain stance applied before any dependency is installed.


The harness denies dangerous operations unless they are explicitly safe, rather than allowing everything that is not explicitly dangerous. Whole classes of commands are blocked because their risk outweighs any routine benefit.

| Blocked class | What it covers | Level |
|---|---|---|
| Privilege escalation | Commands that elevate to administrative or root authority | MUST block |
| Remote execution | Piping or fetching remote content straight into an interpreter | MUST block |
| Low-level disk operations | Raw device, partition, and filesystem manipulation | MUST block |
| Code injection | Constructs that evaluate arbitrary strings as code | MUST block |

| Rule | Level |
|---|---|
| The harness MUST deny these command classes by default | MUST |
| The harness SHOULD fail closed, refusing anything it cannot classify as safe | SHOULD |

Deletion is treated as recoverable by default. A destructive delete MUST be redirected to a trash location rather than performed as an unrecoverable hard removal, so a mistake can be undone.

| Rule | Level |
|---|---|
| Destructive deletes MUST be redirected to a recoverable trash location | MUST |
| A hard, unrecoverable removal MUST NOT be the default delete path | MUST NOT |
| Recovery from the trash location SHOULD remain possible until it is deliberately cleared | SHOULD |

The harness assumes its constraints will be probed. Attempts to reach a blocked operation through an indirect route MUST be recognized and refused, not just the obvious direct form.

| Bypass pattern | Example shape | Level |
|---|---|---|
| Alternate paths | Reaching a blocked command through a different binary location | MUST refuse |
| Wrapper interpreters | Smuggling a blocked action inside another interpreter or shell | MUST refuse |
| Symlink tricks | Indirecting through links to evade a path-based guard | MUST refuse |

| Rule | Level |
|---|---|
| Indirect routes to a blocked operation MUST be recognized and refused | MUST |
| The harness MUST NOT rely on matching only the literal direct form of a dangerous command | MUST NOT |
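As an added illustration (not part of this specification and not the harness's own code), the classifier below applies the three sections above in Python: it denies the blocked classes by default, fails closed on anything it cannot parse, redirects `rm` to a trash location, and canonicalizes binary paths and symlinks, looks inside wrapper interpreters, and flags a fetcher piped into an interpreter. The allowlist, the trash path `~/.agent-trash` and the `mv -t` redirect are assumptions made for the example.

```python
import os
import shlex
from collections import namedtuple
# Constructed tables for this example; a real harness carries far larger ones.
SAFE = {"ls", "cat", "grep", "git", "echo", "pytest"}
PRIVILEGE = {"sudo", "su", "doas", "pkexec"}
DISK = {"dd", "mkfs", "fdisk", "parted", "mount"}
INJECTION = {"eval", "exec", "source"}
FETCHERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "dash", "python", "python3", "perl", "node"}
WRAPPERS = INTERPRETERS | {"xargs", "env", "nice", "nohup", "timeout"}
TRASH = os.path.expanduser("~/.agent-trash")  # assumed recoverable location
DENIED = ((PRIVILEGE, "privilege escalation"), (DISK, "low-level disk operation"), (INJECTION, "code injection"))
Verdict = namedtuple("Verdict", "action reason argv", defaults=([],))  # action: allow | deny | redirect

def canonical(token):
    # Resolve alternate paths and symlinks: /usr/local/bin/sudo and a link to it both read "sudo"
    return os.path.basename(os.path.realpath(token)) if "/" in token else token

def classify_stage(argv):
    # Judge one pipeline stage: deny by default, allow only allowlisted binaries
    name = canonical(argv[0])
    for cls, why in DENIED:
        if name in cls: return Verdict("deny", why)
    if name in WRAPPERS:  # wrapper interpreter: judge the command it carries, not the wrapper
        inner = [a for a in argv[1:] if not a.startswith("-")]
        if name in INTERPRETERS and "-c" in argv:  # sh -c '...' style payload
            inner = shlex.split(next(iter(argv[argv.index("-c") + 1:]), ""))
        return classify_stage(inner) if inner else Verdict("deny", "wrapper with no classifiable payload")
    if name == "rm":  # destructive delete becomes a recoverable move (mv -t is GNU coreutils)
        targets = [a for a in argv[1:] if not a.startswith("-")]
        return Verdict("redirect", "delete redirected to trash", ["mv", "-t", TRASH, *targets])
    if name in SAFE: return Verdict("allow", "allowlisted", argv)
    return Verdict("deny", f"unclassified binary {name!r}")  # fail closed

def classify(command):
    # Parse one command line, fail closed on anything unparseable, then judge every pipeline stage
    try: tokens = shlex.split(command)
    except ValueError as e: return Verdict("deny", f"unparseable: {e}")
    if not tokens or any(c in t for t in tokens for c in ";&$`()") or any("|" in t and t != "|" for t in tokens):
        return Verdict("deny", "cannot classify: shell metacharacters present")
    stages, cur = [], []
    for t in tokens + ["|"]:
        if t == "|": stages.append(cur); cur = []
        else: cur.append(t)
    if not all(stages): return Verdict("deny", "empty pipeline stage")
    if len(stages) > 1 and canonical(stages[0][0]) in FETCHERS and canonical(stages[-1][0]) in INTERPRETERS:
        return Verdict("deny", "remote execution: fetched content piped into an interpreter")
    for v in map(classify_stage, stages):
        if v.action != "allow": return v
    return Verdict("allow", "all stages allowlisted", tokens)
```

Note that an interpreter given a script file rather than `-c` is also denied, since the file's contents cannot be classified; that is the fail-closed behaviour the specification asks for.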

Dependencies are evaluated before they enter the project, and installation never runs untrusted code as a side effect.

| Rule | Level |
|---|---|
| Dependencies MUST be checked for supply-chain risk before install | MUST |
| Package lifecycle scripts MUST be disabled by default during install | MUST |
| A critical finding MUST stop the install | MUST |
| A flagged but non-critical finding SHOULD be reviewed before proceeding | SHOULD |

The stance keeps risk assessment ahead of execution: nothing is installed before it is judged, and a critical risk halts the process rather than being merely logged.