DEV Community

Mavericksantander
Mavericksantander

Posted on

Gilfoyle's AI Ordered 4,000 Pounds of Burgers. Yours Might Delete Production.

#ai #agents #security #python

In Silicon Valley Season 6, Gilfoyle asks his AI to find cheap burgers for lunch.

It ordered 4,000 pounds of raw beef patties.

The joke is funny because the AI did exactly what it was told.
That's also why it's terrifying.

The Real Problem

When an AI agent takes a real-world action, most stacks look like this:

# agent decides what to do
action = llm.decide(context)

# agent does it
subprocess.run(action["command"])
Enter fullscreen mode Exit fullscreen mode

Nothing between the decision and the execution.

No enforcement. No audit. No fallback.

A good system prompt helps. Until it doesn't:

  • Prompt injection can override your instructions
  • Edge cases break even well-designed reasoning
  • Context is always incomplete

You need a hard control point. Not a suggestion.

The Solution: authorize_action()

I built Canopy Runtime around one primitive:

from canopy import authorize_action

result = authorize_action(
    agent_ctx={"env": "production"},
    action_type="execute_shell",
    action_payload={"command": "rm -rf /tmp/logs"},
)

match result["decision"]:
    case "ALLOW":
        subprocess.run(command)
    case "DENY":
        log(f"Blocked: {result['reason']}")
    case "REQUIRE_APPROVAL":
        request_human_review(result)
Enter fullscreen mode Exit fullscreen mode

Every action. Every time. Before it hits the real world.

Four-Layer Governance Pipeline

Every action runs through four layers in order:

Constitution   ->  absolute rules, never overridden
Civil Code     ->  behavioral defaults
Firewall       ->  pattern-based blocking
Policy Layer   ->  custom YAML rules per environment
Enter fullscreen mode Exit fullscreen mode

Each layer has a clear, non-overlapping role.
If a rule lives in the Constitution, nothing downstream can override it.

Tamper-Evident Audit Log

Every decision gets written to a hash-chained log:

{
  "timestamp": "2026-04-03T00:04:54Z",
  "action_type": "execute_shell",
  "decision": "DENY",
  "reason": "destructive pattern detected",
  "authorization_id": "auth_9f3a...",
  "trace_id": "trace_cc81...",
  "entry_hash": "a3f9...",
  "prev_hash": "cc81..."
}
Enter fullscreen mode Exit fullscreen mode

Each entry links cryptographically to the previous one.
Logs cannot be silently modified. Full timeline. Full traceability.

Custom Policies via YAML 

rules:
  - action_type: "execute_shell"
    when_all:
      - 'agent_ctx.env == "production"'
    deny_regex: 'rm\s+-rf'

  - action_type: "call_external_api"
    require_approval: true
Enter fullscreen mode Exit fullscreen mode

Explicit. Versionable. Enforced at runtime.
Not suggested in a prompt. Actually enforced.

Framework Adapters

Works out of the box with:

  • LangChain
  • LangGraph
  • CrewAI
  • AutoGen
  • OpenAI Agents SDK

Drop it into your existing stack. No rewrite needed.

Try It 

pip install canopy-runtime
Enter fullscreen mode Exit fullscreen mode 
from canopy import authorize_action

result = authorize_action(
    agent_ctx={"env": "production"},
    action_type="call_external_api",
    action_payload={"url": "https://api.stripe.com/v1/charges"},
)

print(result["decision"])
# -> REQUIRE_APPROVAL
Enter fullscreen mode Exit fullscreen mode

Then check audit.log.

v0.4.1 is live. Looking for beta testers.

Especially teams running agents in production or staging
where a bad action has real consequences.

github.com/Mavericksantander/Canopy

Top comments (0)