DEV Community: xywa23 The latest articles on DEV Community by xywa23 (@xywa23). https://dev.to/xywa23 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3629017%2F8cf8df0e-56c8-49c6-a7f6-dad060fec095.png DEV Community: xywa23 https://dev.to/xywa23 en I Built a 'Sudo' Command for AI Agents (and Why You Need It) xywa23 Wed, 26 Nov 2025 04:11:55 +0000 https://dev.to/xywa23/i-built-a-sudo-command-for-ai-agents-and-why-you-need-it-3k9b https://dev.to/xywa23/i-built-a-sudo-command-for-ai-agents-and-why-you-need-it-3k9b <p>Earlier this year, during a test run for Replit, an autonomous AI agent <strong>accidentally deleted a live production database containing sensitive data from more than 1,200 companies and executives.</strong></p> <p>Multiple outlets reported the same story:</p> <blockquote> <p>The agent “ran unauthorized database commands”<br> It “wiped all production data during a code freeze”<br> It acted against explicit human instructions<br> Replit described it as a “catastrophic failure”</p> </blockquote> <p>This incident made something very clear:</p> <p><strong>We are giving AI agents root access to our most sensitive systems, and we have zero guardrails in place.</strong></p> <p>And yet… companies are deploying these agents into production</p> <h2> The Problem Nobody's Solving </h2> <p>Right now, when you deploy an AI agent, it typically uses a single API key with God-mode access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># How most AI agents work today </span><span class="n">STRIPE_API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sk_live_...</span><span class="sh">"</span> <span class="c1"># Root access to EVERYTHING </span> <span class="n">agent</span><span class="p">.</span><span class="nf">charge_customer</span><span class="p">(</span><span class="mi">1000000</span><span class="p">)</span> <span class="c1"># Any agent can do ANYTHING </span><span class="n">agent</span><span class="p">.</span><span class="nf">delete_database</span><span class="p">()</span> <span class="c1"># No permission checks </span><span class="n">agent</span><span class="p">.</span><span class="nf">email_all_customers</span><span class="p">()</span> <span class="c1"># No oversight </span></code></pre> </div> <p>When that agent hallucinates (and they all do eventually), the damage is real:</p> <ul> <li>Production databases getting wiped</li> <li>Unauthorized refunds going out</li> <li>Customers getting spam</li> <li>And no way to tell which agent did it</li> </ul> <p><strong>Companies are building incredible agents... that they're too afraid to actually deploy.</strong></p> <h2> We Solved This for Humans Decades Ago </h2> <p>When a developer needs elevated permissions, they use <code>sudo</code>.<br><br> When an employee needs system access, they get scoped credentials.<br><br> We don't give everyone the root password.</p> <p><strong>So why are we doing exactly that with AI agents?</strong></p> <h2> Introducing AgentSudo </h2> <p>I spent a week building what I wish existed: a permission system specifically designed for AI agents.</p> <p>It's dead simple - each agent gets its own identity with specific permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agentsudo</span> <span class="kn">import</span> <span class="n">Agent</span><span class="p">,</span> <span class="n">sudo</span> <span class="n">support_bot</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">SupportBot</span><span class="sh">"</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read:orders</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write:refunds</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="n">analytics_bot</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AnalyticsBot</span><span class="sh">"</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read:orders</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="nd">@sudo</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">write:refunds</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">process_refund</span><span class="p">(</span><span class="n">order_id</span><span class="p">,</span> <span class="n">amount</span><span class="p">):</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Refunded $</span><span class="si">{</span><span class="n">amount</span><span class="si">}</span><span class="s"> for </span><span class="si">{</span><span class="n">order_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Support bot can process refunds </span><span class="k">with</span> <span class="n">support_bot</span><span class="p">.</span><span class="nf">start_session</span><span class="p">():</span> <span class="nf">process_refund</span><span class="p">(</span><span class="sh">"</span><span class="s">order_123</span><span class="sh">"</span><span class="p">,</span> <span class="mi">50</span><span class="p">)</span> <span class="c1"># ✅ Allowed </span> <span class="c1"># Analytics bot cannot </span><span class="k">with</span> <span class="n">analytics_bot</span><span class="p">.</span><span class="nf">start_session</span><span class="p">():</span> <span class="nf">process_refund</span><span class="p">(</span><span class="sh">"</span><span class="s">order_456</span><span class="sh">"</span><span class="p">,</span> <span class="mi">25</span><span class="p">)</span> <span class="c1"># ❌ PermissionDeniedError </span></code></pre> </div> <h2> The Features That Matter </h2> <h3> 1. <strong>Audit Mode</strong> </h3> <p>Perfect for rolling out to production without breaking everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@sudo</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">write:database</span><span class="sh">"</span><span class="p">,</span> <span class="n">on_deny</span><span class="o">=</span><span class="sh">"</span><span class="s">log</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">update_record</span><span class="p">(</span><span class="n">record_id</span><span class="p">):</span> <span class="c1"># Logs violation but ALLOWS execution </span> <span class="c1"># Great for gradually tightening permissions </span> <span class="k">pass</span> </code></pre> </div> <h3> 2. <strong>Human-in-the-Loop</strong> </h3> <p>For actions that need approval:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">slack_approval</span><span class="p">(</span><span class="n">agent</span><span class="p">,</span> <span class="n">scope</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># Send message to your Slack </span> <span class="n">response</span> <span class="o">=</span> <span class="nf">ask_slack_manager</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Approve </span><span class="si">{</span><span class="n">agent</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="s"> for </span><span class="si">{</span><span class="n">scope</span><span class="si">}</span><span class="s">?</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> <span class="o">==</span> <span class="sh">"</span><span class="s">yes</span><span class="sh">"</span> <span class="nd">@sudo</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">delete:customer</span><span class="sh">"</span><span class="p">,</span> <span class="n">on_deny</span><span class="o">=</span><span class="n">slack_approval</span><span class="p">)</span> <span class="k">def</span> <span class="nf">delete_customer</span><span class="p">(</span><span class="n">customer_id</span><span class="p">):</span> <span class="c1"># Won't execute until a human approves in Slack </span> <span class="k">pass</span> </code></pre> </div> <h3> 3. <strong>Wildcard Permissions</strong> </h3> <p>For power users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">admin_agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AdminBot</span><span class="sh">"</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read:*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write:*</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Can do anything </span><span class="p">)</span> <span class="n">analytics_agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AnalyticsBot</span><span class="sh">"</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read:*</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Read-only access </span><span class="p">)</span> </code></pre> </div> <h3> 4. <strong>Session Expiry</strong> </h3> <p>Like JWT tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">agent</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">TempBot</span><span class="sh">"</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">read:data</span><span class="sh">"</span><span class="p">],</span> <span class="n">session_ttl</span><span class="o">=</span><span class="mi">3600</span> <span class="c1"># Expires in 1 hour </span><span class="p">)</span> </code></pre> </div> <h3> 5. <strong>Pydantic Integration</strong> </h3> <p>Perfect for LangChain/LlamaIndex users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agentsudo.integrations</span> <span class="kn">import</span> <span class="n">ScopedModel</span> <span class="k">class</span> <span class="nc">RefundRequest</span><span class="p">(</span><span class="n">ScopedModel</span><span class="p">):</span> <span class="n">_required_scope</span> <span class="o">=</span> <span class="sh">"</span><span class="s">write:refunds</span><span class="sh">"</span> <span class="n">order_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">amount</span><span class="p">:</span> <span class="nb">float</span> <span class="c1"># Raises PermissionDeniedError if agent lacks permission </span><span class="n">request</span> <span class="o">=</span> <span class="nc">RefundRequest</span><span class="p">(</span><span class="n">order_id</span><span class="o">=</span><span class="sh">"</span><span class="s">123</span><span class="sh">"</span><span class="p">,</span> <span class="n">amount</span><span class="o">=</span><span class="mf">50.0</span><span class="p">)</span> </code></pre> </div> <h2> Why It's Different </h2> <p>Most "AI security" tools try to detect bad behavior after it happens.<br><br> <strong>AgentSudo prevents it from happening in the first place.</strong></p> <p>And unlike enterprise IAM systems:</p> <ul> <li>✅ <strong>3 lines of code</strong> to integrate (no infrastructure changes)</li> <li>✅ <strong>Works with any framework</strong> (LangChain, AutoGen, custom)</li> <li>✅ <strong>Open source</strong> (MIT license - audit every line)</li> <li>✅ <strong>No vendor lock-in</strong> (runs locally, cloud optional)</li> </ul> <h2> Real-World Use Case </h2> <p>Here's a complete example - an e-commerce support bot:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">agentsudo</span> <span class="kn">import</span> <span class="n">Agent</span><span class="p">,</span> <span class="n">sudo</span> <span class="kn">import</span> <span class="n">stripe</span> <span class="c1"># Define the agent </span><span class="n">support_bot</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">CustomerSupportBot</span><span class="sh">"</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">read:customers</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">read:orders</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">write:refunds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">send:email</span><span class="sh">"</span> <span class="p">]</span> <span class="p">)</span> <span class="c1"># Protect your functions </span><span class="nd">@sudo</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">write:refunds</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">issue_refund</span><span class="p">(</span><span class="n">order_id</span><span class="p">,</span> <span class="n">amount</span><span class="p">):</span> <span class="n">stripe</span><span class="p">.</span><span class="n">Refund</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="n">charge</span><span class="o">=</span><span class="n">order_id</span><span class="p">,</span> <span class="n">amount</span><span class="o">=</span><span class="n">amount</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Refunded $</span><span class="si">{</span><span class="n">amount</span><span class="o">/</span><span class="mi">100</span><span class="si">}</span><span class="sh">"</span> <span class="nd">@sudo</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">send:email</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">notify_customer</span><span class="p">(</span><span class="n">customer_id</span><span class="p">,</span> <span class="n">message</span><span class="p">):</span> <span class="n">sendgrid</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="n">to</span><span class="o">=</span><span class="n">customer_id</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">message</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Email sent</span><span class="sh">"</span> <span class="nd">@sudo</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">delete:customer</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Support bot doesn't have this! </span><span class="k">def</span> <span class="nf">delete_customer</span><span class="p">(</span><span class="n">customer_id</span><span class="p">):</span> <span class="n">db</span><span class="p">.</span><span class="n">customers</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="n">customer_id</span><span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Customer deleted</span><span class="sh">"</span> <span class="c1"># Use the bot </span><span class="k">with</span> <span class="n">support_bot</span><span class="p">.</span><span class="nf">start_session</span><span class="p">():</span> <span class="c1"># These work - bot has permission </span> <span class="nf">issue_refund</span><span class="p">(</span><span class="sh">"</span><span class="s">order_123</span><span class="sh">"</span><span class="p">,</span> <span class="mi">5000</span><span class="p">)</span> <span class="nf">notify_customer</span><span class="p">(</span><span class="sh">"</span><span class="s">cust_456</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Your refund is processed</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># This fails - PermissionDeniedError </span> <span class="nf">delete_customer</span><span class="p">(</span><span class="sh">"</span><span class="s">cust_456</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ❌ Blocked! </span></code></pre> </div> <p>The support bot can help customers but can't delete them. Exactly what you want.</p> <h2> Technical Deep Dive (For the Curious) </h2> <p>Under the hood, AgentSudo uses Python's <code>contextvars</code> for thread-safe agent context management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">contextvars</span> <span class="n">_current_agent_ctx</span> <span class="o">=</span> <span class="n">contextvars</span><span class="p">.</span><span class="nc">ContextVar</span><span class="p">(</span><span class="sh">"</span><span class="s">current_agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> <span class="k">class</span> <span class="nc">AgentSession</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__enter__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">token</span> <span class="o">=</span> <span class="n">_current_agent_ctx</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">agent</span><span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">agent</span> <span class="k">def</span> <span class="nf">__exit__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">exc_type</span><span class="p">,</span> <span class="n">exc_val</span><span class="p">,</span> <span class="n">exc_tb</span><span class="p">):</span> <span class="n">_current_agent_ctx</span><span class="p">.</span><span class="nf">reset</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">token</span><span class="p">)</span> </code></pre> </div> <p>This means:</p> <ul> <li>✅ Works with async/await</li> <li>✅ Thread-safe by default </li> <li>✅ No global state pollution</li> <li>✅ Clean context management</li> </ul> <p>The <code>@sudo</code> decorator is just a simple permission check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">sudo</span><span class="p">(</span><span class="n">scope</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">def</span> <span class="nf">decorator</span><span class="p">(</span><span class="n">func</span><span class="p">):</span> <span class="nd">@functools.wraps</span><span class="p">(</span><span class="n">func</span><span class="p">)</span> <span class="k">def</span> <span class="nf">wrapper</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">agent</span> <span class="o">=</span> <span class="nf">get_current_agent</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">agent</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">PermissionDeniedError</span><span class="p">(</span><span class="sh">"</span><span class="s">No active agent session</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">agent</span><span class="p">.</span><span class="nf">has_scope</span><span class="p">(</span><span class="n">scope</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">PermissionDeniedError</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Agent </span><span class="sh">'</span><span class="si">{</span><span class="n">agent</span><span class="p">.</span><span class="n">name</span><span class="si">}</span><span class="sh">'</span><span class="s"> missing scope: </span><span class="sh">'</span><span class="si">{</span><span class="n">scope</span><span class="si">}</span><span class="sh">'"</span> <span class="p">)</span> <span class="k">return</span> <span class="nf">func</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">return</span> <span class="n">wrapper</span> <span class="k">return</span> <span class="n">decorator</span> </code></pre> </div> <p>Nothing fancy. Just good software engineering.</p> <h2> What's Next </h2> <p>This is v0.1 - the core permission system. Coming soon:</p> <ul> <li> <strong>Cloud dashboard</strong> (see all your agents in one place)</li> <li> <strong>Slack/Teams integration</strong> (get pinged for approvals)</li> <li> <strong>Pre-built connectors</strong> (Salesforce, Gmail, Stripe)</li> <li> <strong>Enterprise features</strong> (SSO, compliance reports)</li> </ul> <p>But the core library will always be free and open source.</p> <h2> Try It Out </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>agentsudo </code></pre> </div> <ul> <li> <strong>ProductHunt:</strong> <a href="https://www.producthunt.com/products/agentsudo" rel="noopener noreferrer">https://www.producthunt.com/products/agentsudo</a> </li> <li> <strong>GitHub:</strong> <a href="https://github.com/xywa23/agentsudo" rel="noopener noreferrer">github.com/xywa23/agentsudo</a> </li> <li> <strong>PyPI:</strong> <a href="https://pypi.org/project/agentsudo" rel="noopener noreferrer">pypi.org/project/agentsudo</a> </li> <li> <strong>License:</strong> MIT</li> </ul> <h2> I'd Love Your Feedback </h2> <p>Especially if you're:</p> <ul> <li>Building agents for production</li> <li>Worried about AI safety in your systems </li> <li>Using LangChain, AutoGen, or similar frameworks</li> <li>Just curious about the space</li> </ul> <p><strong>What features would help you deploy agents with confidence?</strong></p> <p>Let's make AI agents safe enough to actually use. 🚀</p> <p><em>P.S. If you're building agent systems and want to chat about architecture/security, DM me. Always happy to talk shop.</em></p> ai python opensource security