DEV Community: Mavericksantander The latest articles on DEV Community by Mavericksantander (@mavericksantander). https://dev.to/mavericksantander https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3826212%2F2322d691-728b-4186-b7d0-f66219597d86.jpeg DEV Community: Mavericksantander https://dev.to/mavericksantander en Gilfoyle's AI Ordered 4,000 Pounds of Burgers. Yours Might Delete Production. Mavericksantander Fri, 03 Apr 2026 19:09:46 +0000 https://dev.to/mavericksantander/gilfoyles-ai-ordered-4000-pounds-of-burgers-yours-might-delete-production-4j63 https://dev.to/mavericksantander/gilfoyles-ai-ordered-4000-pounds-of-burgers-yours-might-delete-production-4j63 <p>In Silicon Valley Season 6, Gilfoyle asks his AI to find cheap burgers for lunch.</p> <p>It ordered 4,000 pounds of raw beef patties.</p> <p>The joke is funny because the AI did exactly what it was told.<br> That's also why it's terrifying.</p> <h2> The Real Problem </h2> <p>When an AI agent takes a real-world action, most stacks look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># agent decides what to do </span><span class="n">action</span> <span class="o">=</span> <span class="n">llm</span><span class="p">.</span><span class="nf">decide</span><span class="p">(</span><span class="n">context</span><span class="p">)</span> <span class="c1"># agent does it </span><span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">action</span><span class="p">[</span><span class="sh">"</span><span class="s">command</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <p>Nothing between the decision and the execution.</p> <p>No enforcement. No audit. No fallback.</p> <p>A good system prompt helps. Until it doesn't:</p> <ul> <li>Prompt injection can override your instructions</li> <li>Edge cases break even well-designed reasoning</li> <li>Context is always incomplete</li> </ul> <p>You need a <strong>hard control point</strong>. Not a suggestion.</p> <h2> The Solution: authorize_action() </h2> <p>I built <strong>Canopy Runtime</strong> around one primitive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">authorize_action</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">authorize_action</span><span class="p">(</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">},</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">execute_shell</span><span class="sh">"</span><span class="p">,</span> <span class="n">action_payload</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">command</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">rm -rf /tmp/logs</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="n">match</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">]:</span> <span class="n">case</span> <span class="sh">"</span><span class="s">ALLOW</span><span class="sh">"</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">command</span><span class="p">)</span> <span class="n">case</span> <span class="sh">"</span><span class="s">DENY</span><span class="sh">"</span><span class="p">:</span> <span class="nf">log</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Blocked: </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">reason</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">case</span> <span class="sh">"</span><span class="s">REQUIRE_APPROVAL</span><span class="sh">"</span><span class="p">:</span> <span class="nf">request_human_review</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <p>Every action. Every time. Before it hits the real world.</p> <h2> Four-Layer Governance Pipeline </h2> <p>Every action runs through four layers in order:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Constitution -&gt; absolute rules, never overridden Civil Code -&gt; behavioral defaults Firewall -&gt; pattern-based blocking Policy Layer -&gt; custom YAML rules per environment </code></pre> </div> <p>Each layer has a clear, non-overlapping role.<br> If a rule lives in the Constitution, nothing downstream can override it.</p> <h2> Tamper-Evident Audit Log </h2> <p>Every decision gets written to a hash-chained log:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-03T00:04:54Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"execute_shell"</span><span class="p">,</span><span class="w"> </span><span class="nl">"decision"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DENY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"destructive pattern detected"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authorization_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auth_9f3a..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"trace_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"trace_cc81..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"entry_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a3f9..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"prev_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cc81..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each entry links cryptographically to the previous one.<br> Logs cannot be silently modified. Full timeline. Full traceability.</p> <h2> Custom Policies via YAML </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">action_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">execute_shell"</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="na">deny_regex</span><span class="pi">:</span> <span class="s1">'</span><span class="s">rm\s+-rf'</span> <span class="pi">-</span> <span class="na">action_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">call_external_api"</span> <span class="na">require_approval</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Explicit. Versionable. Enforced at runtime.<br> Not suggested in a prompt. Actually enforced.</p> <h2> Framework Adapters </h2> <p>Works out of the box with:</p> <ul> <li>LangChain</li> <li>LangGraph</li> <li>CrewAI</li> <li>AutoGen</li> <li>OpenAI Agents SDK</li> </ul> <p>Drop it into your existing stack. No rewrite needed.</p> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>canopy-runtime </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">authorize_action</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">authorize_action</span><span class="p">(</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">},</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">call_external_api</span><span class="sh">"</span><span class="p">,</span> <span class="n">action_payload</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://api.stripe.com/v1/charges</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># -&gt; REQUIRE_APPROVAL </span></code></pre> </div> <p>Then check <code>audit.log</code>.</p> <p><strong>v0.4.1 is live. Looking for beta testers.</strong></p> <p>Especially teams running agents in production or staging<br> where a bad action has real consequences.</p> <p><a href="https://github.com/Mavericksantander/Canopy" rel="noopener noreferrer">github.com/Mavericksantander/Canopy</a></p> ai agents security python Your AI Agent Just Deleted Something It Shouldn't Have? Here's How to Prevent It Mavericksantander Fri, 03 Apr 2026 01:43:23 +0000 https://dev.to/mavericksantander/your-ai-agent-just-deleted-something-it-shouldnt-have-heres-how-to-prevent-it-523i https://dev.to/mavericksantander/your-ai-agent-just-deleted-something-it-shouldnt-have-heres-how-to-prevent-it-523i <p>You gave your agent access to the filesystem.</p> <p>It was supposed to clean up temp files.</p> <p>Instead, it deleted something important.</p> <p>Or it called an external API using <strong>production credentials</strong> when you only meant to test it. Or executed a shell command that made sense in isolation — but was catastrophic in context.</p> <p>These aren't edge cases. <strong>They're predictable failure modes.</strong></p> <h2> The Missing Layer in Most Agent Architectures </h2> <p>When building an AI agent, most developers focus on three things:</p> <ol> <li>The model (Claude, GPT-4, etc.)</li> <li>The tools it can access</li> <li>The system prompt</li> </ol> <p>But there's a layer that consistently gets skipped:</p> <blockquote> <p><strong>What happens when the agent does something it <em>can</em> do… but <em>shouldn't</em>?</strong></p> </blockquote> <p>This is subtle, and that's what makes it dangerous:</p> <ul> <li>✅ The model is working correctly</li> <li>✅ The tool is functioning as expected</li> <li>✅ The instruction is valid</li> </ul> <p>And yet — <strong>the action is still wrong in context.</strong></p> <p>This isn't a model alignment problem. It's a <strong>policy enforcement problem.</strong></p> <h2> Why Prompts Aren't Enough </h2> <p>The natural instinct is to write something like:</p> <blockquote> <p><em>"Don't do anything destructive. Never delete files in production. Be careful with credentials."</em></p> </blockquote> <p>The problem:</p> <ul> <li> <strong>Prompts are not guarantees</strong> — they influence behavior, they don't enforce it</li> <li> <strong>Prompt injection is real</strong> — malicious content in the environment can override your instructions</li> <li> <strong>Context is incomplete</strong> — the agent doesn't always know what it doesn't know</li> <li> <strong>Reasoning fails under edge cases</strong> — even well-designed prompts break in unexpected situations</li> </ul> <p>You need a <strong>hard control point</strong> between the agent and the real world.</p> <h2> Runtime Authorization: The Core Idea </h2> <p>I built a small library called <strong><a href="https://github.com/your-link-here" rel="noopener noreferrer">Canopy Runtime</a></strong> around one simple principle:</p> <blockquote> <p>Before an agent executes any action, it must be explicitly authorized.</p> </blockquote> <p>The entire API surface is a single function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">authorize_action</span><span class="p">(</span><span class="n">agent_ctx</span><span class="p">,</span> <span class="n">action_type</span><span class="p">,</span> <span class="n">action_payload</span><span class="p">)</span> </code></pre> </div> <p>It returns one of three decisions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Decision</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td><code>ALLOW</code></td> <td>Proceed</td> </tr> <tr> <td><code>DENY</code></td> <td>Block immediately</td> </tr> <tr> <td><code>REQUIRE_APPROVAL</code></td> <td>Pause for human review</td> </tr> </tbody> </table></div> <h2> Before vs. After </h2> <p><strong>Without guardrails:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">command</span><span class="p">)</span> <span class="c1"># 🤞 hope for the best </span></code></pre> </div> <p><strong>With runtime authorization:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">authorize_action</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">authorize_action</span><span class="p">(</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">},</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">execute_shell</span><span class="sh">"</span><span class="p">,</span> <span class="n">action_payload</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">command</span><span class="sh">"</span><span class="p">:</span> <span class="n">command</span><span class="p">},</span> <span class="p">)</span> <span class="n">match</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">]:</span> <span class="n">case</span> <span class="sh">"</span><span class="s">ALLOW</span><span class="sh">"</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">command</span><span class="p">)</span> <span class="n">case</span> <span class="sh">"</span><span class="s">DENY</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Blocked: </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">reason</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">case</span> <span class="sh">"</span><span class="s">REQUIRE_APPROVAL</span><span class="sh">"</span><span class="p">:</span> <span class="nf">request_human_approval</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <p>Same command. Completely different safety profile.</p> <h2> Default Safety Policies (Out of the Box) </h2> <p>Canopy ships with conservative defaults so you're protected immediately:</p> <p><strong>Shell commands:</strong></p> <ul> <li>Destructive patterns (<code>rm -rf</code>, <code>mkfs</code>) → <code>DENY</code> </li> <li>Network operations (<code>curl</code>, <code>wget</code>) → <code>REQUIRE_APPROVAL</code> </li> </ul> <p><strong>File operations:</strong></p> <ul> <li>Protected system paths → <code>DENY</code> </li> <li>Allowlisted paths → <code>ALLOW</code> </li> </ul> <p><strong>External APIs:</strong></p> <ul> <li>Default → <code>REQUIRE_APPROVAL</code> </li> </ul> <p>No configuration required to get a secure baseline.</p> <h2> Tamper-Evident Audit Logging </h2> <p>Every authorization decision is logged with a cryptographic hash chain — each entry links to the previous one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-03T00:04:54Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"execute_shell"</span><span class="p">,</span><span class="w"> </span><span class="nl">"decision"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DENY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"destructive pattern detected"</span><span class="p">,</span><span class="w"> </span><span class="nl">"entry_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a3f9..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"prev_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cc81..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>What this gives you:</p> <ul> <li> <strong>Logs cannot be silently modified</strong> — any tampering is detectable</li> <li> <strong>Full post-incident traceability</strong> — replay exactly what happened and why</li> <li> <strong>Compliance-ready</strong> — useful for security audits, regulated environments</li> </ul> <h2> Custom Policies via YAML </h2> <p>For fine-grained control, define your own rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">CANOPY_POLICY_FILE</span><span class="o">=</span>/path/to/policy.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">action_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">execute_shell"</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="na">deny_regex</span><span class="pi">:</span> <span class="s1">'</span><span class="s">rm\s+-rf'</span> <span class="pi">-</span> <span class="na">action_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">call_external_api"</span> <span class="na">require_approval</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Policies are explicit, versionable, and enforced at runtime — not just suggested in a prompt.</p> <h2> Optional: Run as a Gateway Service </h2> <p>If you have multiple agents or services, you can run Canopy as a standalone HTTP gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>canopy-runtime[gateway] python <span class="nt">-m</span> uvicorn canopy.service:app <span class="nt">--port</span> 8010 </code></pre> </div> <p>Agents post to:<br> POST /authorize_action</p> <p>This makes the system <strong>language-agnostic</strong> — any agent, any stack, same enforcement layer.</p> <h2> When Do You Actually Need This? </h2> <p>If your agent does any of the following, you need runtime authorization:</p> <ul> <li>☐ Executes shell commands</li> <li>☐ Reads or modifies files</li> <li>☐ Calls external APIs</li> <li>☐ Uses credentials (API keys, tokens, secrets)</li> <li>☐ Runs in a production or staging environment</li> </ul> <p>Rule of thumb: <strong>if it can affect real systems, it needs enforceable controls.</strong></p> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>canopy-runtime </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">authorize_action</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">authorize_action</span><span class="p">(</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">},</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">call_external_api</span><span class="sh">"</span><span class="p">,</span> <span class="n">action_payload</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://api.stripe.com/v1/charges</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <p>Then check <code>audit.log</code>. That's where the real value shows up.</p> <h2> Final Thought </h2> <p>AI agents are moving from <em>assistants</em> to <em>actors</em>.</p> <p>Once they can take actions — not just generate text — the risk profile changes completely. Smarter models help, but they're not the answer to this problem.</p> <p>We need <strong>enforceable boundaries at runtime</strong>, not just well-crafted prompts.</p> <p><em>How are you handling runtime safety in your agent stack today? Drop a comment — genuinely curious what approaches people are using.</em></p> ai python opensource agents Add Agent Safety to Any LangChain Tool in Two Lines Mavericksantander Mon, 16 Mar 2026 17:35:04 +0000 https://dev.to/mavericksantander/add-agent-safety-to-any-langchain-tool-in-two-lines-2cfn https://dev.to/mavericksantander/add-agent-safety-to-any-langchain-tool-in-two-lines-2cfn <p>You have a LangChain agent with tool access. It can run shell commands, call APIs, modify files. It works great in development.</p> <p>Then you give it production credentials and it does something you didn't expect.</p> <p>The fix is two lines.</p> <h2> The Problem With Tool Access Today </h2> <p>When you define a LangChain tool, there's nothing between the model's decision and the execution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain.tools</span> <span class="kn">import</span> <span class="n">tool</span> <span class="nd">@tool</span> <span class="k">def</span> <span class="nf">run_bash</span><span class="p">(</span><span class="n">command</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Execute a bash command and return the output.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="k">return</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">check_output</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> </code></pre> </div> <p>The model decides to call <code>run_bash</code>. It runs. No questions asked.</p> <p>If the model decides <code>rm -rf /tmp/important_data</code> is the right move, that's what happens. No log. No gate. No way to know it happened until something is broken.</p> <h2> The Fix: <code>@safe_tool</code> </h2> <p>Canopy 0.2.1 ships a decorator that wraps any function with a policy check before execution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain.tools</span> <span class="kn">import</span> <span class="n">tool</span> <span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">safe_tool</span> <span class="nd">@tool</span> <span class="nd">@safe_tool</span><span class="p">(</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">execute_shell</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">deploy_bot</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">run_bash</span><span class="p">(</span><span class="n">command</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Execute a bash command and return the output.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="k">return</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">check_output</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> </code></pre> </div> <p>That's it. Two lines added, zero changes to the agent.</p> <p>LangChain sees a normal tool. Canopy intercepts every call before execution and makes a policy decision: <code>ALLOW</code>, <code>DENY</code>, or <code>REQUIRE_APPROVAL</code>.</p> <h2> What Happens on Each Decision </h2> <p><strong>ALLOW</strong> — function executes normally, decision written to audit log.</p> <p><strong>DENY</strong> — raises <code>PermissionError</code> with the reason and an <code>avid</code> (audit ID). LangChain catches it as a tool error and the agent can decide what to do next.</p> <p><strong>REQUIRE_APPROVAL</strong> — by default also raises <code>PermissionError</code>. You can override this with a callback.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">notify_slack_and_wait</span><span class="p">(</span><span class="n">canopy_result</span><span class="p">,</span> <span class="n">func</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="c1"># Send a Slack message, wait for approval, then execute </span> <span class="n">approved</span> <span class="o">=</span> <span class="nf">send_slack_approval_request</span><span class="p">(</span> <span class="n">reason</span><span class="o">=</span><span class="n">canopy_result</span><span class="p">[</span><span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">],</span> <span class="n">avid</span><span class="o">=</span><span class="n">canopy_result</span><span class="p">[</span><span class="sh">"</span><span class="s">avid</span><span class="sh">"</span><span class="p">],</span> <span class="n">command</span><span class="o">=</span><span class="n">kwargs</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">command</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="k">if</span> <span class="n">approved</span><span class="p">:</span> <span class="k">return</span> <span class="nf">func</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Action was not approved by operator.</span><span class="sh">"</span> <span class="nd">@tool</span> <span class="nd">@safe_tool</span><span class="p">(</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">execute_shell</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">},</span> <span class="n">on_require_approval</span><span class="o">=</span><span class="sh">"</span><span class="s">callback</span><span class="sh">"</span><span class="p">,</span> <span class="n">approval_callback</span><span class="o">=</span><span class="n">notify_slack_and_wait</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">run_bash</span><span class="p">(</span><span class="n">command</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Execute a bash command.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="k">return</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">check_output</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> </code></pre> </div> <p>Now your agent pauses on dangerous commands and waits for a human. Not because the model decided to — because the runtime enforces it regardless of what the model decided.</p> <h2> Dynamic Context at Runtime </h2> <p>In real multi-agent systems, the context changes. Different agents have different roles. The same tool gets called by a deploy bot in one flow and a research agent in another.</p> <p><code>@safe_tool</code> accepts <code>agent_ctx</code> as a callable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextvars</span> <span class="kn">import</span> <span class="n">ContextVar</span> <span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">safe_tool</span> <span class="n">current_agent_ctx</span><span class="p">:</span> <span class="n">ContextVar</span><span class="p">[</span><span class="nb">dict</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ContextVar</span><span class="p">(</span><span class="sh">"</span><span class="s">agent_ctx</span><span class="sh">"</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="p">{})</span> <span class="nd">@tool</span> <span class="nd">@safe_tool</span><span class="p">(</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">execute_shell</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="k">lambda</span><span class="p">:</span> <span class="n">current_agent_ctx</span><span class="p">.</span><span class="nf">get</span><span class="p">()</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">run_bash</span><span class="p">(</span><span class="n">command</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Execute a bash command.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="k">return</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">check_output</span><span class="p">(</span><span class="n">command</span><span class="p">,</span> <span class="n">shell</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> </code></pre> </div> <p>Before running each agent, set the context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">token</span> <span class="o">=</span> <span class="n">current_agent_ctx</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span> <span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">research_agent</span><span class="sh">"</span> <span class="p">})</span> <span class="c1"># run agent... </span><span class="n">current_agent_ctx</span><span class="p">.</span><span class="nf">reset</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> </code></pre> </div> <p>The decorator evaluates <code>agent_ctx</code> at call time, not at definition time. Same tool, different policy behavior depending on which agent is calling it.</p> <h2> The Policy Behind It </h2> <p><code>@safe_tool</code> uses the same YAML policy engine as <code>authorize_action</code>. The default policy for <code>execute_shell</code> already covers the most dangerous patterns out of the box:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">execute_shell</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">DENY</span> <span class="na">when_any</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"rm</span><span class="nv"> </span><span class="s">-rf"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"mkfs"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"dd</span><span class="nv"> </span><span class="s">if="'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"&gt;</span><span class="nv"> </span><span class="s">/dev/sd"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Destructive</span><span class="nv"> </span><span class="s">shell</span><span class="nv"> </span><span class="s">pattern</span><span class="nv"> </span><span class="s">blocked"</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">REQUIRE_APPROVAL</span> <span class="na">when_any</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"pip</span><span class="nv"> </span><span class="s">install"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"curl"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"wget"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"npm</span><span class="nv"> </span><span class="s">install"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Network/install</span><span class="nv"> </span><span class="s">command</span><span class="nv"> </span><span class="s">requires</span><span class="nv"> </span><span class="s">approval"</span> </code></pre> </div> <p>You can override with your own policy file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">CANOPY_POLICY_FILE</span><span class="o">=</span>/path/to/my-policy.yaml python my_agent.py </code></pre> </div> <h2> The Audit Log </h2> <p>Every <code>@safe_tool</code> call writes to the hash-chain audit log, including the function name, serialized arguments, decision, reason, and <code>avid</code>. The chain is tamper-evident — each entry is cryptographically linked to the previous one.</p> <p>After your agent runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>canopy-verify audit.log <span class="c"># exit 0: chain valid</span> <span class="c"># exit 1: tampered or broken</span> </code></pre> </div> <p>You get a complete, verifiable record of every action your agent attempted and what Canopy decided.</p> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install</span> <span class="nt">--upgrade</span> canopy-runtime </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">safe_tool</span><span class="p">,</span> <span class="n">authorize_action</span> </code></pre> </div> <p>Full changelog: <a href="https://github.com/Mavericksantander/Canopy/blob/main/CHANGELOG.md" rel="noopener noreferrer">CHANGELOG.md</a></p> <p>GitHub: <a href="https://github.com/Mavericksantander/Canopy" rel="noopener noreferrer">https://github.com/Mavericksantander/Canopy</a></p> <p>If you're stacking <code>@safe_tool</code> with CrewAI or AutoGen instead of LangChain, the pattern is the same — wrap the function before it gets registered as a tool. Drop your setup in the comments if you run into anything unexpected.</p> python ai agents llm Why agent safety policies need AND/OR logic (and how we added it to Canopy) Mavericksantander Mon, 16 Mar 2026 17:12:17 +0000 https://dev.to/mavericksantander/why-agent-safety-policies-need-andor-logic-and-how-we-added-it-to-canopy-a38 https://dev.to/mavericksantander/why-agent-safety-policies-need-andor-logic-and-how-we-added-it-to-canopy-a38 <p>When I shipped Canopy v0.1 last week, the most common question I got was some version of this:</p> <blockquote> <p>"Can I write a policy that only blocks in production? Because I want the same agent to run freely in staging."</p> </blockquote> <p>The answer was no. And that was a real problem.</p> <h2> The Limitation in v0.1 </h2> <p>Canopy's original policy engine matched on substrings and regex patterns against the action payload. Simple and fast. But the rules had no awareness of context.</p> <p>This meant you could write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">execute_shell</span><span class="pi">:</span> <span class="na">deny_if</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">rm</span><span class="nv"> </span><span class="s">-rf"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">mkfs"</span> </code></pre> </div> <p>But you couldn't write:</p> <blockquote> <p>DENY <code>rm -rf</code> <strong>only when</strong> <code>env == "production"</code></p> </blockquote> <p>The only option was to either block everywhere or block nowhere. For teams running the same agent in multiple environments, that's a non-starter.</p> <h2> The Real-World Case That Broke It </h2> <p>Here's the scenario that made this concrete. Imagine an agent that manages log cleanup across environments. In staging, <code>rm -rf /tmp/logs</code> is fine — that's exactly what it should do. In production, you want a human to approve that before it runs.</p> <p>With v0.1 policy syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">execute_shell</span><span class="pi">:</span> <span class="na">deny_if</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">rm</span><span class="nv"> </span><span class="s">-rf"</span> </code></pre> </div> <p>This blocks everywhere. Useless in staging.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">execute_shell</span><span class="pi">:</span> <span class="na">require_approval_if</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">rm</span><span class="nv"> </span><span class="s">-rf"</span> </code></pre> </div> <p>This requires approval everywhere. Annoying in staging, but at least safe.</p> <p>There was no way to express the actual intent: <strong>context-aware governance</strong>.</p> <h2> What v0.2 Adds: Conditions on <code>agent_ctx</code> and Payload </h2> <p>Canopy v0.2 introduces <code>when_all</code>, <code>when_any</code>, and <code>when_not</code> — composable condition blocks that let you express policies against both the action payload and the agent context.</p> <p>Here's what the log cleanup scenario looks like now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">execute_shell</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">REQUIRE_APPROVAL</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"rm</span><span class="nv"> </span><span class="s">-rf"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Destructive</span><span class="nv"> </span><span class="s">shell</span><span class="nv"> </span><span class="s">command</span><span class="nv"> </span><span class="s">requires</span><span class="nv"> </span><span class="s">approval</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">production"</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">ALLOW</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"staging"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"rm</span><span class="nv"> </span><span class="s">-rf"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Destructive</span><span class="nv"> </span><span class="s">commands</span><span class="nv"> </span><span class="s">allowed</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">staging"</span> </code></pre> </div> <p>Staging runs freely. Production requires sign-off. Same agent, same code, different behavior based on context.</p> <h2> The Full Condition Syntax </h2> <p>Three operators, composable:</p> <p><strong><code>when_all</code></strong> — all conditions must be true (AND):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"rm"'</span> </code></pre> </div> <p><strong><code>when_any</code></strong> — at least one condition must be true (OR):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">when_any</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"rm</span><span class="nv"> </span><span class="s">-rf"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"mkfs"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"dd</span><span class="nv"> </span><span class="s">if="'</span> </code></pre> </div> <p><strong><code>when_not</code></strong> — negation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">when_not</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"staging"'</span> </code></pre> </div> <p>And they nest:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">DENY</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"drop</span><span class="nv"> </span><span class="s">table"'</span> <span class="na">when_not</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.role</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"db_admin"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Only</span><span class="nv"> </span><span class="s">db_admin</span><span class="nv"> </span><span class="s">can</span><span class="nv"> </span><span class="s">drop</span><span class="nv"> </span><span class="s">tables</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">production"</span> </code></pre> </div> <h2> Six Real Policies from the Cookbook </h2> <p>We shipped a <code>POLICY_COOKBOOK.md</code> with v0.2. Here are three examples worth highlighting:</p> <p><strong>1. External API — allow only your own domain:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">call_external_api</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">ALLOW</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"api.yourcompany.com"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Internal</span><span class="nv"> </span><span class="s">API</span><span class="nv"> </span><span class="s">calls</span><span class="nv"> </span><span class="s">always</span><span class="nv"> </span><span class="s">allowed"</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">REQUIRE_APPROVAL</span> <span class="na">when_not</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"api.yourcompany.com"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">External</span><span class="nv"> </span><span class="s">API</span><span class="nv"> </span><span class="s">calls</span><span class="nv"> </span><span class="s">require</span><span class="nv"> </span><span class="s">approval"</span> </code></pre> </div> <p><strong>2. CI/CD agent — strict production gates:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">execute_shell</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">ALLOW</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"ci"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.role</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"deploy_bot"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CI</span><span class="nv"> </span><span class="s">deploy</span><span class="nv"> </span><span class="s">bot</span><span class="nv"> </span><span class="s">has</span><span class="nv"> </span><span class="s">full</span><span class="nv"> </span><span class="s">shell</span><span class="nv"> </span><span class="s">access"</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">REQUIRE_APPROVAL</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">All</span><span class="nv"> </span><span class="s">shell</span><span class="nv"> </span><span class="s">commands</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">production</span><span class="nv"> </span><span class="s">require</span><span class="nv"> </span><span class="s">approval"</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">DENY</span> <span class="na">when_not</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.role</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"deploy_bot"'</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"deploy"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Only</span><span class="nv"> </span><span class="s">deploy_bot</span><span class="nv"> </span><span class="s">can</span><span class="nv"> </span><span class="s">run</span><span class="nv"> </span><span class="s">deploy</span><span class="nv"> </span><span class="s">commands"</span> </code></pre> </div> <p><strong>3. Database agent — protect writes:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">execute_query</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">DENY</span> <span class="na">when_any</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"drop</span><span class="nv"> </span><span class="s">table"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"truncate"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"delete</span><span class="nv"> </span><span class="s">from"'</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Destructive</span><span class="nv"> </span><span class="s">queries</span><span class="nv"> </span><span class="s">blocked</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">production"</span> <span class="pi">-</span> <span class="na">decision</span><span class="pi">:</span> <span class="s">REQUIRE_APPROVAL</span> <span class="na">when_any</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"update"'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">payload</span><span class="nv"> </span><span class="s">contains</span><span class="nv"> </span><span class="s">"insert"'</span> <span class="na">when_all</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">agent_ctx.env</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"production"'</span> <span class="na">reason</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Write</span><span class="nv"> </span><span class="s">operations</span><span class="nv"> </span><span class="s">require</span><span class="nv"> </span><span class="s">approval</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">production"</span> </code></pre> </div> <h2> What Else Shipped in v0.2 </h2> <p>Beyond conditions, v0.2 fixes two other gaps:</p> <p><strong>Thread-safe audit log.</strong> The hash-chain audit log now uses a lockfile (<code>audit.log.lock</code>) to serialize writes across threads and processes. Before this, concurrent writers could produce a chain that failed <code>verify_integrity()</code> silently. Now it's atomic.</p> <p><strong>CLI verifier.</strong> You can now verify your audit log from the command line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>canopy-verify audit.log <span class="c"># exit 0 if valid, exit 1 if tampered or broken</span> </code></pre> </div> <p>Useful for CI checks, incident response, or just confirming your agent ran cleanly.</p> <p><strong>Documented REQUIRE_APPROVAL contract.</strong> The README now explicitly states the behavior: <code>authorize_action()</code> never blocks. <code>REQUIRE_APPROVAL</code> means "do not proceed without human sign-off" — what that looks like in your system is your responsibility. <code>guard_tool()</code> and <code>guard_tool_http()</code> treat it as a block by default (raises <code>PermissionError</code>).</p> <h2> Upgrade </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install</span> <span class="nt">--upgrade</span> canopy-runtime </code></pre> </div> <p>Full changelog: <a href="https://github.com/Mavericksantander/Canopy/blob/main/CHANGELOG.md" rel="noopener noreferrer">CHANGELOG.md</a></p> <p>Policy examples: <a href="https://github.com/Mavericksantander/Canopy/blob/main/POLICY_COOKBOOK.md" rel="noopener noreferrer">POLICY_COOKBOOK.md</a></p> <p>GitHub: <a href="https://github.com/Mavericksantander/Canopy" rel="noopener noreferrer">https://github.com/Mavericksantander/Canopy</a></p> <p>If you're using Canopy in a multi-environment setup and have policy patterns worth sharing, drop them in the comments. The cookbook is a living document.</p> python ai agents llm Your AI Agent Just Deleted Something It Shouldn't Have. Here's How to Prevent It. Mavericksantander Mon, 16 Mar 2026 03:19:11 +0000 https://dev.to/mavericksantander/your-ai-agent-just-deleted-something-it-shouldnt-have-heres-how-to-prevent-it-4moc https://dev.to/mavericksantander/your-ai-agent-just-deleted-something-it-shouldnt-have-heres-how-to-prevent-it-4moc <p>You gave your agent access to the filesystem. It was supposed to clean up temp files. Instead, it deleted something important.</p> <p>Or maybe it called an external API with production credentials when you only meant to test it. Or executed a shell command that made sense in isolation but was catastrophic in context.</p> <p>These aren't hypotheticals. They're the kinds of failures that happen when we give agents power without governance.</p> <p>Today I want to show you a small library I built to solve exactly this: <strong><a href="https://github.com/Mavericksantander/Canopy" rel="noopener noreferrer">Canopy Runtime</a></strong> — a minimal agent safety runtime that adds <code>ALLOW / DENY / REQUIRE_APPROVAL</code> decisions to any action your agent wants to take, with a tamper-evident audit trail.</p> <h2> The Core Problem </h2> <p>When you build an autonomous agent, you typically think about:</p> <ul> <li>What model to use</li> <li>What tools to give it</li> <li>What the system prompt should say</li> </ul> <p>What most developers <em>don't</em> think about until it's too late:</p> <blockquote> <p><strong>What happens when the agent does something it's allowed to do... but shouldn't?</strong></p> </blockquote> <p>The model isn't broken. The tool works as designed. But the action — in <em>this</em> context, with <em>this</em> payload, at <em>this</em> moment — should have been blocked or at least reviewed.</p> <p>This is a policy problem, not a model problem. And it needs a runtime solution.</p> <h2> Enter Canopy: One Function, Three Outcomes </h2> <p>Canopy is built around a single primitive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">authorize_action</span><span class="p">(</span><span class="n">agent_ctx</span><span class="p">,</span> <span class="n">action_type</span><span class="p">,</span> <span class="n">action_payload</span><span class="p">)</span> </code></pre> </div> <p>It returns one of three decisions:</p> <ul> <li> <code>ALLOW</code> — proceed</li> <li> <code>DENY</code> — blocked, with a reason</li> <li> <code>REQUIRE_APPROVAL</code> — pause and wait for human sign-off</li> </ul> <p>Every decision is appended to a <strong>hash-chain audit log</strong> — meaning each entry is cryptographically linked to the previous one. You can't quietly edit history.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>canopy-runtime </code></pre> </div> <p>That's it. No server to spin up, no config required to get started.</p> <h2> A Real Example </h2> <p>Let's say your agent needs to execute a shell command. Without Canopy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">command</span><span class="p">)</span> <span class="c1"># 🙈 fingers crossed </span></code></pre> </div> <p>With Canopy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">authorize_action</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">authorize_action</span><span class="p">(</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">},</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">execute_shell</span><span class="sh">"</span><span class="p">,</span> <span class="n">action_payload</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">command</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">rm -rf /tmp/logs</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ALLOW</span><span class="sh">"</span><span class="p">:</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">command</span><span class="p">)</span> <span class="k">elif</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">DENY</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Blocked: </span><span class="si">{</span><span class="n">result</span><span class="p">[</span><span class="sh">'</span><span class="s">reason</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">REQUIRE_APPROVAL</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># notify a human, pause the workflow, log and wait </span> <span class="nf">request_human_approval</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <p>The default policy ships with sensible conservative rules out of the box:</p> <ul> <li> <code>execute_shell</code>: destructive patterns (<code>rm -rf</code>, <code>mkfs</code>, etc.) → <code>DENY</code>. Network/install commands → <code>REQUIRE_APPROVAL</code>.</li> <li> <code>modify_file</code>: protected system paths → <code>DENY</code>. Safe paths you allowlist → <code>ALLOW</code>.</li> <li> <code>call_external_api</code>: always <code>REQUIRE_APPROVAL</code> unless you explicitly loosen the policy.</li> </ul> <h2> The Audit Log </h2> <p>Every call to <code>authorize_action</code> writes a line to <code>audit.log</code> (path configurable via <code>CANOPY_AUDIT_LOG_PATH</code>). Each entry is chained to the previous one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"ts"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-03-16T10:22:01Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"execute_shell"</span><span class="p">,</span><span class="w"> </span><span class="nl">"decision"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DENY"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"matches destructive pattern"</span><span class="p">,</span><span class="w"> </span><span class="nl">"avid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c3f2a1..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"prev_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9e4b12..."</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>prev_hash</code> field means any tampering with the log is immediately detectable. This matters when you need to audit what an agent did — and why — after something goes wrong.</p> <h2> Custom Policies </h2> <p>The default policy lives in <code>src/canopy/policies/default.yaml</code>. You can override it completely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">CANOPY_POLICY_FILE</span><span class="o">=</span>/path/to/my-policy.yaml python my_agent.py </code></pre> </div> <p>Your policy file lets you define rules per action type, with pattern matching on the payload and conditions based on <code>agent_ctx</code> (like environment, safe paths, capabilities).</p> <h2> Optional HTTP Gateway </h2> <p>If you want to run Canopy as a sidecar service that multiple agents call over HTTP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>canopy-runtime[gateway] <span class="nv">CANOPY_AUDIT_LOG_PATH</span><span class="o">=</span>/tmp/canopy_audit.log python <span class="nt">-m</span> uvicorn canopy.service:app <span class="nt">--port</span> 8010 </code></pre> </div> <p>Now any agent — regardless of language or framework — can <code>POST /authorize_action</code> and get a decision back.</p> <h2> Why Not Just Use a System Prompt? </h2> <p>A fair question. The answer is: defense in depth.</p> <p>System prompts are great for <em>guiding</em> behavior. But they're not guarantees. Models hallucinate. Prompt injection is real. Context windows have limits. A runtime check is a hard boundary that doesn't care about what the model "understood."</p> <p>Think of it like seatbelts and airbags. The prompt is driver training. Canopy is the safety hardware.</p> <h2> What's Next </h2> <p>Canopy is the minimal safety primitive. If you need the full governance layer — agent identity, JWT auth, reputation scoring, a registry of verified agents, multi-agent communication, and an observability dashboard — that's what I'm building in <strong><a href="https://github.com/Mavericksantander/Apex-Protocol" rel="noopener noreferrer">Apex Protocol</a></strong>.</p> <p>Canopy is the right place to start: zero infrastructure, one function call, immediate value.</p> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>canopy-runtime </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">canopy</span> <span class="kn">import</span> <span class="n">authorize_action</span> <span class="n">decision</span> <span class="o">=</span> <span class="nf">authorize_action</span><span class="p">(</span> <span class="n">agent_ctx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">env</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">},</span> <span class="n">action_type</span><span class="o">=</span><span class="sh">"</span><span class="s">call_external_api</span><span class="sh">"</span><span class="p">,</span> <span class="n">action_payload</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://api.stripe.com/v1/charges</span><span class="sh">"</span><span class="p">},</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">decision</span><span class="p">[</span><span class="sh">"</span><span class="s">decision</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># REQUIRE_APPROVAL </span></code></pre> </div> <p>Check <code>audit.log</code> after running. That's the whole point — every decision, traceable, tamper-evident.</p> <p>GitHub: <a href="https://github.com/Mavericksantander/Canopy" rel="noopener noreferrer">https://github.com/Mavericksantander/Canopy</a></p> <p>If you're building agents and want to talk about safety patterns, I'm all ears in the comments.</p> python ai llm opensource