Agent Safety Harness
An AI coding agent operates inside a secure-by-default shell harness that constrains what commands it can run, redirects destructive operations to a recoverable location, and refuses attempts to slip past those constraints. This chapter defines that safety posture together with the supply-chain stance applied before any dependency is installed.
Secure-by-Default Shell
The harness is allowlist-based: it denies an operation unless that operation is explicitly classified as safe, rather than allowing everything that is not explicitly dangerous. Whole classes of commands are blocked outright because their risk outweighs any routine benefit.
| Blocked class | What it covers | Level |
|---|---|---|
| Privilege escalation | Commands that elevate to administrative or root authority | MUST block |
| Remote execution | Piping or fetching remote content straight into an interpreter | MUST block |
| Low-level disk operations | Raw device, partition, and filesystem manipulation | MUST block |
| Code injection | Constructs that evaluate arbitrary strings as code | MUST block |
| Rule | Level |
|---|---|
| The harness MUST deny these command classes by default | MUST |
| The harness SHOULD fail closed, refusing anything it cannot classify as safe | SHOULD |
Destructive Deletes Go to Trash
Deletion is treated as recoverable by default. A destructive delete MUST be redirected to a trash location rather than performed as an unrecoverable hard removal, so that a mistake can be undone.
| Rule | Level |
|---|---|
| Destructive deletes MUST be redirected to a recoverable trash location | MUST |
| A hard, unrecoverable removal MUST NOT be the default delete path | MUST NOT |
| Recovery from the trash location SHOULD remain possible until it is deliberately cleared | SHOULD |
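The rules above, as an added example written for this page rather than the harness's own code: a `Trash` class that moves items aside and records their origin in a manifest, an `rm` hook that routes the agent's delete through it, and a separate, explicit `purge` step that is the only place data is actually destroyed. The class, method and file names (`Trash`, `handle_rm`, `manifest.json`) are this example's own assumptions, and the walk-through in `demo` runs on files it constructs in a temporary directory.

```python
import json
import os
import shutil
import tempfile
import uuid


class Trash:
    """Recoverable delete: items are moved under a trash directory and a
    manifest records where each came from, so a mistake can be undone until
    the trash is purged on purpose. (Example code, not the harness's own.)"""

    def __init__(self, root):
        self.root = os.path.abspath(root)
        self.files = os.path.join(self.root, "files")
        self.manifest = os.path.join(self.root, "manifest.json")
        os.makedirs(self.files, exist_ok=True)
        if not os.path.exists(self.manifest):
            self._save({})

    def _load(self):
        with open(self.manifest) as fh:
            return json.load(fh)

    def _save(self, entries):
        with open(self.manifest, "w") as fh:
            json.dump(entries, fh, indent=2)

    def delete(self, path):
        """The default delete path: move, never unlink. Returns an entry id."""
        src = os.path.abspath(path)
        if not os.path.lexists(src):
            raise FileNotFoundError(src)
        if src == self.root or src.startswith(self.root + os.sep):
            raise ValueError("refusing to trash the trash directory itself")
        entry_id = uuid.uuid4().hex
        shutil.move(src, os.path.join(self.files, entry_id))
        entries = self._load()
        entries[entry_id] = src
        self._save(entries)
        return entry_id

    def restore(self, entry_id):
        """Undo: put the item back at its original path."""
        entries = self._load()
        src = entries.pop(entry_id)  # KeyError for an unknown entry
        if os.path.lexists(src):
            raise FileExistsError(f"{src} already exists; not overwriting")
        os.makedirs(os.path.dirname(src), exist_ok=True)
        shutil.move(os.path.join(self.files, entry_id), src)
        self._save(entries)
        return src

    def list(self):
        return self._load()

    def purge(self):
        """The deliberate, unrecoverable step; never the default."""
        shutil.rmtree(self.files)
        os.makedirs(self.files)
        self._save({})


def handle_rm(trash, argv):
    """Harness hook: an `rm ...` line never reaches /bin/rm. Every non-flag
    operand is trashed and the entry ids are returned so the agent can undo."""
    return [trash.delete(operand) for operand in argv[1:] if not operand.startswith("-")]


def demo():
    """Constructed walk-through: 'rm -rf' a file and a directory, confirm they
    are gone, restore both, then show that only purge finally destroys data."""
    with tempfile.TemporaryDirectory() as work:
        trash = Trash(os.path.join(work, ".trash"))
        note = os.path.join(work, "notes.txt")
        build = os.path.join(work, "build")
        os.makedirs(build)
        with open(note, "w") as fh:
            fh.write("keep me\n")
        ids = handle_rm(trash, ["rm", "-rf", note, build])
        gone = not os.path.exists(note) and not os.path.exists(build)
        for entry_id in ids:
            trash.restore(entry_id)
        with open(note) as fh:
            content = fh.read()
        trash.delete(note)
        trash.purge()
        return gone, content, os.path.isdir(build), len(trash.list())
```

Two design points matter more than the mechanics: `restore` refuses to overwrite a path that has since been recreated, and `delete` refuses to trash the trash directory itself, since either would turn the recovery path into a new way to lose data.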
Bypass Attempts Are Refused
The harness assumes its constraints will be probed. An attempt to reach a blocked operation through an indirect route MUST be recognized and refused, not only the obvious direct form of the command. Matching the literal command string is not enough: the guard has to resolve what would actually execute, including the binary a path or link points at and the code an interpreter would be handed.
| Bypass pattern | Example shape | Level |
|---|---|---|
| Alternate paths | Reaching a blocked command through a different binary location | MUST refuse |
| Wrapper interpreters | Smuggling a blocked action inside another interpreter or shell | MUST refuse |
| Symlink tricks | Indirecting through links to evade a path-based guard | MUST refuse |
| Rule | Level |
|---|---|
| Indirect routes to a blocked operation MUST be recognized and refused | MUST |
| The harness MUST NOT rely on matching only the literal direct form of a dangerous command | MUST NOT |
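The secure-by-default classification and the bypass refusal above share one mechanism: resolve what would actually execute, then deny unless every piece of the command line is known-safe. The classifier below is an added example written for this page, not the harness's own code. The denied and allowed command names are illustrative assumptions (a real harness carries a fuller list), and `canonical_name`, `classify` and `symlink_demo` are names this example introduces. It splits a line into its pipeline segments, follows paths and symlinks to the real program name, recurses into `sh -c` style wrappers, refuses a fetcher piped into an interpreter, treats a redirect into a raw device as a disk operation, and fails closed on anything it cannot parse or does not recognise.

```python
import os
import shlex
import tempfile

# Denied classes (illustrative names; a real harness carries a fuller list).
PRIV_ESC = {"sudo", "su", "doas", "pkexec"}
DISK_OPS = {"dd", "mkfs", "fdisk", "sfdisk", "parted", "wipefs"}
SHELLS = {"sh", "bash", "dash", "zsh"}
INTERPRETERS = {"python", "python3", "perl", "ruby", "node"}
FETCHERS = {"curl", "wget"}
# The allowlist: anything neither denied nor listed here fails closed.
SAFE = {"ls", "cat", "grep", "git", "echo", "pwd", "head", "tail", "wc",
        "sort", "find", "diff", "mkdir", "touch", "cp", "mv"} | FETCHERS
SEPARATORS = {"|", "||", "&&", ";", "&"}

def canonical_name(token):
    """Program name after following the path and any symlinks, so that
    /usr/local/bin/sudo, ./tools/sudo and a symlink called 'harmless'
    that points at sudo all classify as 'sudo'."""
    path = os.path.realpath(token) if "/" in token else token
    return os.path.basename(path)

def tokenize(cmd):
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep paths and flags as single words
    return list(lex)

def split_pipeline(tokens):
    """Return [(argv, separator_after), ...], one entry per simple command."""
    segments, argv = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            segments.append((argv, tok))
            argv = []
        else:
            argv.append(tok)
    segments.append((argv, None))
    return [seg for seg in segments if seg[0]]

def strip_redirects(argv):
    """Drop redirections; a write into a raw device is a disk operation."""
    args, i = [], 0
    while i < len(argv):
        if argv[i] in ("<", ">", ">>"):
            target = argv[i + 1] if i + 1 < len(argv) else ""
            if argv[i] != "<" and target.startswith("/dev/") and target != "/dev/null":
                return None, f"low-level disk operation: redirect into {target}"
            i += 2
        else:
            args.append(argv[i])
            i += 1
    return args, None

def classify(cmd, depth=0):
    """Return ('allow', reason) or ('deny', reason); anything unknown is denied."""
    if depth > 3 or "`" in cmd or "$(" in cmd or "<(" in cmd:
        return "deny", "substitution or nesting that cannot be classified"
    try:
        segments = split_pipeline(tokenize(cmd))
    except ValueError as exc:  # unbalanced quotes and similar
        return "deny", f"unparseable command: {exc}"
    if not segments:
        return "deny", "empty command"
    for i, (raw, sep) in enumerate(segments):
        argv, err = strip_redirects(raw)
        if err or not argv:
            return "deny", err or "empty command"
        name = canonical_name(argv[0])
        if name in PRIV_ESC:
            return "deny", f"privilege escalation: {name}"
        if name in DISK_OPS:
            return "deny", f"low-level disk operation: {name}"
        if name == "eval":
            return "deny", "code injection: eval"
        if name in FETCHERS and sep == "|" and i + 1 < len(segments):
            nxt = canonical_name(segments[i + 1][0][0])
            if nxt in SHELLS | INTERPRETERS:
                return "deny", f"remote execution: {name} piped into {nxt}"
        if name in SHELLS:
            # Wrapper shell: classify the inline script instead of trusting it.
            if "-c" in argv[1:-1]:
                verdict, why = classify(argv[argv.index("-c") + 1], depth + 1)
                if verdict == "deny":
                    return "deny", f"wrapper {name} -c: {why}"
                continue
            return "deny", f"{name} running a script file or stdin is unclassifiable"
        if name in INTERPRETERS:
            return "deny", f"wrapper interpreter {name}: inline code is unclassifiable"
        if name not in SAFE:
            return "deny", f"not on the allowlist: {name}"
    return "allow", "every command is on the allowlist"

def symlink_demo():
    """Constructed check: an innocently named symlink to a file called 'sudo'
    (a stand-in, not the real binary) still classifies as privilege escalation."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sudo")
        open(target, "w").close()
        link = os.path.join(d, "harmless")
        os.symlink(target, link)
        return classify(f"{link} --version")
```

The fail-closed rule does the heavy lifting: `python3 -c '...'` is denied not because the snippet was inspected and found dangerous, but because the harness cannot classify Python source and therefore will not vouch for it. The same goes for a shell reading a script from a file or from stdin, and for command or process substitution, which are all refused before any tokenizing happens.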
Supply-Chain Stance
Dependencies are evaluated before they enter the project, and installation never runs untrusted code as a side effect. In practice that means package lifecycle scripts (a postinstall hook, for example) do not execute during install, because a package's install-time script is arbitrary code chosen by whoever published the package.
| Rule | Level |
|---|---|
| Dependencies MUST be checked for supply-chain risk before install | MUST |
| Package lifecycle scripts MUST be disabled by default during install | MUST |
| A critical finding MUST stop the install | MUST |
| A flagged but non-critical finding SHOULD be reviewed before proceeding | SHOULD |
The stance keeps risk assessment ahead of execution: nothing is installed before it is judged, and a critical risk halts the process rather than being merely logged.
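The gate described above, as an added example written for this page and not the harness's own code: a risk report is judged first, a critical finding raises before anything runs, a flagged finding needs an explicit reviewer approval, and only then is the install invocation produced, with lifecycle scripts disabled for the package manager in use. The report shape (`package`, `severity`, `reason`), the severity ladder, and the names `decide`, `gate` and `InstallBlocked` are this example's assumptions; the sample findings are constructed. The per-manager flags are real (`--ignore-scripts` for npm, yarn and pnpm, and `--only-binary=:all:` for pip, which refuses sdists whose setup would otherwise execute at install time).

```python
SEVERITIES = ["low", "moderate", "high", "critical"]  # assumed ladder, lowest first


class InstallBlocked(Exception):
    """Raised when the gate stops an install; nothing has been run at that point."""


def rank(severity):
    """Order severities; an unrecognized label ranks above critical (fail closed)."""
    return SEVERITIES.index(severity) if severity in SEVERITIES else len(SEVERITIES)


def decide(findings, review_at="moderate"):
    """Map a risk report to 'proceed', 'review' or 'stop', plus the worst finding."""
    if not findings:
        return "proceed", None
    worst = max(findings, key=lambda f: rank(f["severity"]))
    if rank(worst["severity"]) >= rank("critical"):
        return "stop", worst
    if rank(worst["severity"]) >= rank(review_at):
        return "review", worst
    return "proceed", worst


def install_command(manager, args):
    """The install invocation with lifecycle scripts disabled, per manager."""
    if manager == "npm":  # equivalently, ignore-scripts=true in .npmrc
        return ["npm", "ci", "--ignore-scripts", *args], {"npm_config_ignore_scripts": "true"}
    if manager in ("yarn", "pnpm"):
        return [manager, "install", "--ignore-scripts", *args], {}
    if manager == "pip":  # wheels only: an sdist would run its setup code on install
        return ["pip", "install", "--only-binary=:all:", *args], {}
    raise InstallBlocked(f"no scripts-disabled install form known for {manager}")


def gate(findings, manager="npm", args=(), approve=lambda finding: False):
    """Assess first, install second: critical stops, a flagged finding needs the
    reviewer's explicit approval, and the install always runs with scripts off.
    Returns (argv, extra_env) for the install; never executes anything itself."""
    verdict, worst = decide(findings)
    if verdict == "stop":
        raise InstallBlocked(f"critical: {worst['package']}: {worst['reason']}")
    if verdict == "review" and not approve(worst):
        raise InstallBlocked(f"flagged, not approved: {worst['package']}: {worst['reason']}")
    return install_command(manager, list(args))


# Constructed sample reports; the shape is this example's own, not any scanner's.
REPORT_FLAGGED = [
    {"package": "pkg-a", "severity": "low", "reason": "single maintainer, no 2FA"},
    {"package": "pkg-b", "severity": "high", "reason": "new publisher account, version jump"},
]
REPORT_CRITICAL = REPORT_FLAGGED + [
    {"package": "pkg-c", "severity": "critical", "reason": "postinstall fetches and runs a remote binary"},
]


def outcome(findings, **kwargs):
    """Run the gate and report what happened, for the constructed samples."""
    try:
        argv, env = gate(findings, **kwargs)
        return "installed", argv, env
    except InstallBlocked as exc:
        return "blocked", str(exc), {}
```

Two choices are deliberate: an unknown severity label is treated as worse than critical rather than silently falling to the bottom of the ladder, and an unknown package manager is blocked rather than installed with scripts enabled. Both are the same fail-closed posture the shell harness applies to commands it cannot classify.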