<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Paul Choi</title>
    <description>The latest articles on DEV Community by Paul Choi (@men16922).</description>
    <link>https://dev.to/men16922</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4004587%2Fd22fa268-5ac8-4f3c-80e2-d15736c5200c.png</url>
      <title>DEV Community: Paul Choi</title>
      <link>https://dev.to/men16922</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/men16922"/>
    <language>en</language>
    <item>
      <title>Building a Safe AI DevOps Agent: From Slack Diagnosis to Verified Pull Requests</title>
      <dc:creator>Paul Choi</dc:creator>
      <pubDate>Fri, 17 Jul 2026 15:24:31 +0000</pubDate>
      <link>https://dev.to/men16922/building-a-safe-ai-devops-agent-from-slack-diagnosis-to-verified-pull-requests-3e5c</link>
      <guid>https://dev.to/men16922/building-a-safe-ai-devops-agent-from-slack-diagnosis-to-verified-pull-requests-3e5c</guid>
      <description>&lt;p&gt;Giving an AI agent access to production is easy. Explaining exactly what it can read, what it can change, and what happens when it is tricked is much harder.&lt;/p&gt;

&lt;p&gt;SlackOps DevOps Agent began as a read-only assistant that could investigate an incident from Slack. The first version proved that Slack and a web dashboard could share one event-driven job queue. V2 asks a stricter question:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Can an agent investigate real operational data and prepare a change without ever holding the authority to silently execute it?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The answer is not a better system prompt. It is a set of runtime boundaries outside the model: fixed read adapters, isolated untrusted data, immutable approval plans, short-lived credentials, deterministic execution, restricted network egress, and an audit trail built from observed behavior.&lt;/p&gt;

&lt;p&gt;This article describes the current architecture, what changed after V1, and what has been verified in a live AWS environment.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fcnl6202atiei45qhqibk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fcnl6202atiei45qhqibk.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Figure 1 — Current architecture. Slack, the web dashboard, the resident agent, and the event-driven Lambda producer share one DynamoDB control plane. Read and write paths remain separate.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The operating model: detect, propose, notify, approve, execute
&lt;/h2&gt;

&lt;p&gt;The system follows a five-stage loop:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Detect&lt;/strong&gt; — A CloudWatch alarm, Slack message, scheduled monitor, or web request identifies a possible issue.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Propose&lt;/strong&gt; — The system collects bounded evidence and creates a job in DynamoDB.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Notify&lt;/strong&gt; — Slack and the web dashboard show the same job, evidence, and proposed change.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Approve&lt;/strong&gt; — A human reviews the diff. Approval is attached to one exact execution plan.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Execute and verify&lt;/strong&gt; — Runtime code rechecks the plan, obtains a short-lived write credential, opens the pull request, verifies the remote result, revokes the credential, and records the outcome.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The event-driven producer is deliberately limited. A CloudWatch alarm flows through EventBridge to an AWS Lambda function, which can create a proposal in DynamoDB even while the EC2 worker is stopped. Lambda cannot approve or execute the proposal. It only adds work to the same queue used by Slack, the dashboard, and the resident monitor.&lt;/p&gt;

&lt;p&gt;This keeps the inexpensive detection path available without turning the worker into an always-on privileged service.&lt;/p&gt;

&lt;h2&gt;
  
  
  What changed after V1
&lt;/h2&gt;

&lt;p&gt;V1 used a generic read-only AWS API MCP server for diagnosis. Read-only access sounded safe, but the surface was still broader than the task required. A generic API tool could expose unrelated data, and its tool results did not pass through the same untrusted-data boundary as the rest of the evidence.&lt;/p&gt;

&lt;p&gt;V2 removed that runtime dependency.&lt;/p&gt;

&lt;p&gt;For &lt;code&gt;logs&lt;/code&gt;, &lt;code&gt;diagnose&lt;/code&gt;, and &lt;code&gt;detect&lt;/code&gt;, command-specific boto3 adapters now fetch only the required AWS data. Results are capped, sanitized, and placed inside a single &lt;code&gt;&amp;lt;untrusted_data&amp;gt;&lt;/code&gt; boundary before they reach the model. The model receives no AWS tool for these L0 analysis commands: the tool allowlist is empty.&lt;/p&gt;

&lt;p&gt;The separate internal FastMCP server remains, but its purpose is narrower. It can create a proposal in the SlackOps control plane. It is not a general AWS read surface.&lt;/p&gt;

&lt;p&gt;This distinction matters: &lt;strong&gt;the application gathers evidence; the model analyzes evidence&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Five runtime boundaries
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Fixed reads instead of generic tools
&lt;/h3&gt;

&lt;p&gt;Each diagnostic command owns a small adapter with an explicit service, API, account, Region, log prefix, and result limit. Policy is expressed as deterministic code rather than a prompt instruction.&lt;/p&gt;

&lt;p&gt;If a requested resource falls outside the configured scope, the adapter refuses the request before fetching data. The denial is recorded as a policy event.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. One boundary for untrusted content
&lt;/h3&gt;

&lt;p&gt;Slack messages, CloudWatch log lines, Kubernetes output, Git output, and adapter errors are data from the model's perspective. They may contain text such as “ignore previous instructions” or a forged closing tag.&lt;/p&gt;

&lt;p&gt;SlackOps sanitizes boundary-like text and wraps external content once:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight xml"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;untrusted_data&amp;gt;&lt;/span&gt;
  ...bounded operational evidence...
&lt;span class="nt"&gt;&amp;lt;/untrusted_data&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The wrapper is not presented as a complete prompt-injection solution. The stronger property is that the L0 analysis phase has no execution tool. Even if the model follows a malicious instruction in the data, it has no direct action path.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Separate identities and short-lived credentials
&lt;/h3&gt;

&lt;p&gt;The EC2 instance profile is used only for bootstrap. Runtime services receive separate one-hour AWS STS credentials, refreshed every 45 minutes by a root-owned process. The runtime, internal MCP, and audit writer use different roles.&lt;/p&gt;

&lt;p&gt;The agent services cannot query EC2 instance metadata directly and cannot read the root-owned audit environment. A dedicated audit role can append only to the deployment-owned CloudWatch Logs security sink. The normal runtime role has an explicit deny on that sink.&lt;/p&gt;

&lt;p&gt;For GitHub writes, the worker keeps no personal access token and no standing &lt;code&gt;gh&lt;/code&gt; credential. After a human approves a specific plan, the runtime creates a repository- and permission-scoped GitHub App installation token. The token is passed only to one child process and revoked on every exit path.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Approval binds an exact state
&lt;/h3&gt;

&lt;p&gt;A displayed diff is not enough. Files can change after approval, and a natural-language request does not identify the exact tool chain that will execute it.&lt;/p&gt;

&lt;p&gt;SlackOps builds a canonical &lt;code&gt;ExecutionPlan&lt;/code&gt; containing:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;request and diff hashes;&lt;/li&gt;
&lt;li&gt;approved paths and workspace root;&lt;/li&gt;
&lt;li&gt;policy version, AWS account, and Region;&lt;/li&gt;
&lt;li&gt;the complete execution tool chain;&lt;/li&gt;
&lt;li&gt;declared capabilities, risk score, and the approval-time risk ceiling.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The human approval stores the hash of that exact plan. Immediately before execution, the worker recomputes and compares it. A changed diff, missing plan, expanded tool chain, path traversal, symlink, untracked file, workspace mismatch, or capability expansion causes the job to fail closed.&lt;/p&gt;

&lt;p&gt;Approval therefore means: &lt;strong&gt;run this reviewed change under this policy&lt;/strong&gt;, not “do something similar later.”&lt;/p&gt;

&lt;h3&gt;
  
  
  5. The model is removed from the write path
&lt;/h3&gt;

&lt;p&gt;The prepare phase may use the model to propose and edit a change. After approval, the model is no longer needed.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;app.pr_execution.open_pr&lt;/code&gt; performs a fixed sequence:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;create branch
  → add only approved paths
  → commit
  → push with the short-lived GitHub App token
  → create pull request
  → verify the remote path set
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;No model output decides how to push. This is both safer and more reliable: the creative part ends before authority begins.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8lfnduqaeelrxm6zozws.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8lfnduqaeelrxm6zozws.png" alt=" " width="800" height="234"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Figure 2 — A real Slack proposal shows the bounded change, diff preview, estimated usage, and explicit Review, Approve, and Reject controls.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The command boundary is an argv schema
&lt;/h2&gt;

&lt;p&gt;Tool allowlists are useful, but they are not treated as the final security boundary.&lt;/p&gt;

&lt;p&gt;During testing, a head-matching Bash pattern that appeared to allow only &lt;code&gt;echo&lt;/code&gt; also accepted a chained command. SlackOps therefore normalizes every Bash call and checks it against a command-specific argument schema in a &lt;code&gt;PreToolUse&lt;/code&gt; hook. Separators, substitutions, redirections, unexpected flags, and unknown subcommands fail closed.&lt;/p&gt;

&lt;p&gt;Adding a command requires both an allowlist entry and a matching guard schema. An import-time cross-check rejects an inconsistent configuration.&lt;/p&gt;

&lt;p&gt;The guard also provides the capability classifier used later by the audit and completion gates. The system does not maintain a second, potentially inconsistent parser for “what the command really did.”&lt;/p&gt;

&lt;h2&gt;
  
  
  Capability is measured, not only declared
&lt;/h2&gt;

&lt;p&gt;Every permitted tool has one of five capabilities:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;read · sensitive-read · write-low · write-high · privileged
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;An unclassified tool is an error. A plan sums its distinct capabilities and compares the result with &lt;code&gt;RISK_CEILING=10&lt;/code&gt;. High-impact and privileged capabilities exceed the ceiling without needing a separate exception list. L2 execution remains disabled.&lt;/p&gt;

&lt;p&gt;Claude Code runs with &lt;code&gt;stream-json&lt;/code&gt; output so the worker can reconstruct observed tool calls. The worker resolves each call through the same command guard, records it as a child step in the audit tree, and recomputes observed capabilities.&lt;/p&gt;

&lt;p&gt;A job cannot become &lt;code&gt;DONE&lt;/code&gt; if the observed capability exceeds the approved set or score. It fails with a distinct &lt;code&gt;capability_drift&lt;/code&gt; audit event instead.&lt;/p&gt;

&lt;p&gt;This turns telemetry into an enforcement point. The system checks not only what was allowed, but also what actually ran.&lt;/p&gt;

&lt;h2&gt;
  
  
  Network egress is part of the agent policy
&lt;/h2&gt;

&lt;p&gt;The worker has no inbound port. Slack uses Socket Mode, and the dashboard communicates through DynamoDB rather than opening a callback endpoint on the agent.&lt;/p&gt;

&lt;p&gt;Outbound traffic passes through a localhost Squid proxy with a small destination allowlist for required services. Direct egress and unlisted destinations are denied. Proxy audit records contain denial metadata, not requested URLs, to avoid copying sensitive query data into the security log.&lt;/p&gt;

&lt;p&gt;This follows the “lethal trifecta” framing: private data, untrusted content, and external communication become dangerous when one agent holds all three. SlackOps narrows each leg, with the egress boundary acting as the final barrier against data exfiltration.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mapping the implementation to OWASP
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;OWASP risk&lt;/th&gt;
&lt;th&gt;SlackOps control&lt;/th&gt;
&lt;th&gt;Runtime evidence&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;LLM01 Prompt Injection&lt;/td&gt;
&lt;td&gt;sanitizer, one &lt;code&gt;&amp;lt;untrusted_data&amp;gt;&lt;/code&gt; boundary, L0 tools = 0&lt;/td&gt;
&lt;td&gt;injection instruction rejected without an action path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;LLM02 Sensitive Information Disclosure&lt;/td&gt;
&lt;td&gt;command-specific adapters, bounded evidence, egress allowlist&lt;/td&gt;
&lt;td&gt;out-of-scope reads and unlisted egress denied&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;LLM05 Improper Output Handling&lt;/td&gt;
&lt;td&gt;diff review, canonical plan hash, deterministic executor&lt;/td&gt;
&lt;td&gt;changed plan rejected before execution&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;LLM06 Excessive Agency&lt;/td&gt;
&lt;td&gt;argv guard, capability ceiling, L2 disabled&lt;/td&gt;
&lt;td&gt;restart, apply, delete, and over-ceiling actions denied&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ASI03 Identity &amp;amp; Privilege Abuse&lt;/td&gt;
&lt;td&gt;role separation, short-lived STS, per-approval GitHub App token&lt;/td&gt;
&lt;td&gt;credential issue and revoke events linked to approval&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;These mappings use the &lt;a href="https://genai.owasp.org/llm-top-10/" rel="noopener noreferrer"&gt;OWASP Top 10 for Large Language Model Applications&lt;/a&gt; and the &lt;a href="https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications-the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/" rel="noopener noreferrer"&gt;OWASP Top 10 for Agentic Applications&lt;/a&gt; as design references. They are not compliance claims.&lt;/p&gt;

&lt;h2&gt;
  
  
  One control plane, multiple producers
&lt;/h2&gt;

&lt;p&gt;DynamoDB stores jobs, audit events, telemetry, conversations, metrics, and detection configuration in a single-table design. Conditional writes implement the state machine and atomic claim.&lt;/p&gt;

&lt;p&gt;The important property is not that all data lives in one table. It is that every producer enters the same transition rules:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;PENDING → RUNNING → AWAITING_APPROVAL → APPROVED → DONE
                              └────────→ REJECTED
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Slack, the web dashboard, the resident monitor, and the Lambda alarm producer cannot invent separate approval semantics. A worker claims a job with a conditional write, so concurrent pollers cannot execute it twice. An abandoned &lt;code&gt;RUNNING&lt;/code&gt; job is recovered as failed rather than replayed into a second push.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Figure 3 — The compact operating loop: the agent detects and proposes; a person reviews the change; a deterministic path executes the approved result.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What has been verified
&lt;/h2&gt;

&lt;p&gt;The project distinguishes automated checks, live rehearsals, and scaffolding:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;make check&lt;/code&gt;: &lt;strong&gt;563 tests passed&lt;/strong&gt;, with Ruff, strict mypy, and the documentation budget gate green on 2026-07-17.&lt;/li&gt;
&lt;li&gt;AWS boundary rehearsal: split roles, one-hour credentials, 45-minute refresh, IMDS denial, fixed read scope, direct-egress denial, allowlisted proxy access, and the root-owned audit sink were verified on a fresh EC2 instance on 2026-07-15.&lt;/li&gt;
&lt;li&gt;GitHub write path: natural-language proposal, preparation, human approval, deterministic execution, remote verification, and credential revocation opened live pull requests &lt;strong&gt;#3 through #5&lt;/strong&gt; on 2026-07-17.&lt;/li&gt;
&lt;li&gt;Slack-native approval: buttons and the “Review change” modal were verified with a fail-closed approver allowlist.&lt;/li&gt;
&lt;li&gt;Managed AWS MCP: the separate-account pilot remains a CI-locked scaffold. No managed endpoint, role, or session is enabled in the SlackOps runtime.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fprx9xilianve1mw1wrmy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fprx9xilianve1mw1wrmy.png" alt=" " width="800" height="610"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Figure 4 — A completed dashboard job links the approved execution plan to the opened pull request and its observed tool-call audit trail.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Cost: estimate the architecture, do not present a personal bill as a benchmark
&lt;/h2&gt;

&lt;p&gt;The current demo uses a scheduled &lt;code&gt;t3.medium&lt;/code&gt;, EBS, DynamoDB, CloudWatch, EventBridge, and Lambda. Under the presentation's weekday operating scenario—roughly 220 EC2 hours per month—the infrastructure estimate is about &lt;strong&gt;USD 12 per month&lt;/strong&gt;. Lambda and EventBridge remain negligible at demo volume.&lt;/p&gt;

&lt;p&gt;That number is a scenario estimate, not an AWS bill and not a promise about another account. Region, log retention, data volume, NAT design, and instance runtime will change it.&lt;/p&gt;

&lt;p&gt;The runtime also records a client-side API-equivalent estimate for each Claude run. Typical demo investigations have appeared in the &lt;strong&gt;USD 0.15–0.50&lt;/strong&gt; range, but the project currently authenticates with a Claude subscription OAuth token. The displayed value is therefore useful for comparing runs, not for claiming the amount personally charged. A production deployment should use an approved API, enterprise, or cloud-provider authentication path and measure provider billing independently. Anthropic likewise describes &lt;code&gt;total_cost_usd&lt;/code&gt; as an estimate and directs product integrations to supported API or provider credentials in its &lt;a href="https://code.claude.com/docs/en/agent-sdk/cost-tracking" rel="noopener noreferrer"&gt;cost tracking&lt;/a&gt; and &lt;a href="https://code.claude.com/docs/en/legal-and-compliance" rel="noopener noreferrer"&gt;legal and compliance&lt;/a&gt; guidance.&lt;/p&gt;

&lt;h2&gt;
  
  
  Known limitations
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Prompt injection is not “solved.” The architecture reduces the available sinks when the model is misled.&lt;/li&gt;
&lt;li&gt;Subscription OAuth is suitable only for this controlled personal demonstration, not as a production product authentication model.&lt;/li&gt;
&lt;li&gt;The Vercel dashboard should use workload identity such as OIDC and STS instead of static AWS credentials in a production deployment.&lt;/li&gt;
&lt;li&gt;The managed AWS MCP pilot is intentionally not connected to the runtime.&lt;/li&gt;
&lt;li&gt;The capability ceiling is evaluated per job; cross-job accumulation requires a separate policy layer.&lt;/li&gt;
&lt;li&gt;ADOT Collector integration remains future work. The current system records application telemetry and audit events without claiming a complete distributed tracing deployment.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Closing principle
&lt;/h2&gt;

&lt;p&gt;The most useful lesson from V2 is simple:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Let the model investigate and propose. Let deterministic code and authenticated humans control authority.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;An agent does not become safe because it refuses a dangerous prompt in a demo. It becomes safer when its identity, tools, data flow, network path, approval state, and observed behavior remain bounded even after the prompt fails.&lt;/p&gt;

&lt;p&gt;That is the boundary SlackOps DevOps Agent is designed to make visible—and testable.&lt;/p&gt;

&lt;h2&gt;
  
  
  References
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://genai.owasp.org/llm-top-10/" rel="noopener noreferrer"&gt;OWASP Top 10 for Large Language Model Applications&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications-the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/" rel="noopener noreferrer"&gt;OWASP Top 10 for Agentic Applications&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/" rel="noopener noreferrer"&gt;The lethal trifecta for AI agents — Simon Willison&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://arxiv.org/abs/2503.18813" rel="noopener noreferrer"&gt;Defeating Prompt Injections by Design — CaMeL&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://arxiv.org/abs/2506.08837" rel="noopener noreferrer"&gt;Design Patterns for Securing LLM Agents against Prompt Injections&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://code.claude.com/docs/en/agent-sdk/cost-tracking" rel="noopener noreferrer"&gt;Anthropic Agent SDK cost tracking&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://code.claude.com/docs/en/legal-and-compliance" rel="noopener noreferrer"&gt;Anthropic legal and compliance guidance&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>devops</category>
      <category>aws</category>
      <category>security</category>
    </item>
  </channel>
</rss>
