DEV Community

sriram prakhya


I Let AI Agents Attack My Permission Gateway for a Week. Here's What Broke.

When I started building Agent_Sudo, I thought the hard part would be approvals and policy enforcement.

I was wrong.

The hard part was discovering all the ways real agents behave once they start interacting with real tools, real runtimes, and real users.

Over the last week I dogfooded Agent_Sudo against actual agent workflows and found four surprising problems:

1. Agents Can Bypass Governance If The Runtime Gives Them Native Tools

One agent successfully changed Agent_Sudo's workspace configuration using a host-native shell that Agent_Sudo never saw. Agent_Sudo behaved correctly for every action that was routed through it. The runtime boundary didn't: the runtime handed the agent a capability that bypassed the gateway entirely. This reinforced a lesson that now sits at the center of the project: Agent_Sudo governs routed actions, not arbitrary runtime capabilities. If the runtime exposes a native tool, that tool is outside the policy, and no amount of policy tightening inside the gateway will change that.

2. Workspace Changes Were Invisible

A write that was previously denied later became allowed. The audit log showed the decision change. What it didn't show was why. The cause was a workspace configuration change that wasn't being audited, so the log recorded the effect of the change but not the change itself. Fix: PR #83 added workspace_changed audit events.

3. Broad Delegations Can Hide Problems

A wildcard delegation was allowing writes that should have required approval. Later, when that delegation expired, the engine denied everything instead. The authorization engine was working correctly in both states. The visibility wasn't: nothing surfaced that a broad delegation was in force, or that it had expired. Fix: PR #86 added delegation status and broad-scope visibility.

4. Approval Wait Time Didn't Mean What I Thought It Meant

I configured Agent_Sudo to wait 300 seconds for approvals. The requests still expired after 120 seconds.

The reason: the approval TTL (how long a pending request stays valid) and the wait time (how long the caller blocks waiting for a human) were separate controls, so a wait longer than the TTL just keeps waiting on a request that has already expired.

Fix: PR #89 now warns when wait exceeds TTL and explains the effective limit.
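The following is an added example, not Agent_Sudo's own code. It is a toy permission gateway that reproduces problems 2, 3 and 4 above in one place: a wildcard delegation that hides approval requirements, an expiry that flips decisions with no audited cause, a workspace_changed event that does explain a later flip, and an approval wait that exceeds the TTL. The class and field names (Gateway, Delegation, approval_wait_s, approval_ttl_s), the "verb:resource" action format and the audit event shapes are assumptions made for this demo; the timeline in demo() is constructed.

```python
"""Added example, not Agent_Sudo's code: a toy permission gateway that reproduces
the three visibility problems above.  Class and field names (Gateway, Delegation,
approval_wait_s, approval_ttl_s) and the audit event shapes are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Delegation:
    scope: str          # glob over "verb:resource", e.g. "write:*" (broad) or "write:notes/*"
    expires_at: float   # seconds; the delegation is dead once now >= expires_at


@dataclass
class Gateway:
    delegations: list = field(default_factory=list)
    approval_wait_s: int = 300   # how long the caller blocks waiting for a human
    approval_ttl_s: int = 120    # how long a pending approval request stays valid
    audit: list = field(default_factory=list)

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def set_delegations(self, delegations, now):
        # Problem 2: if this change is not audited, later decision flips have no "why".
        self.delegations = list(delegations)
        self._log("workspace_changed", t=now, delegations=[d.scope for d in delegations])

    def decide(self, action, now):
        # Writes pass only on a live, matching delegation; otherwise a human must approve.
        if not action.startswith("write:"):
            decision = "allowed"
        elif any(fnmatch(action, d.scope) and now < d.expires_at for d in self.delegations):
            decision = "allowed"
        else:
            decision = "needs_approval"
        self._log("decision", t=now, action=action, decision=decision)
        return decision

    def effective_approval_limit_s(self):
        # Problem 4: wait and TTL are independent; the request dies at the smaller one.
        return min(self.approval_wait_s, self.approval_ttl_s)


def explain_decision_changes(audit):
    """For every action whose decision flipped, attach the workspace_changed event
    that happened between the two decisions, or None when nothing was audited."""
    last = {}             # action -> (decision, index of the last workspace_changed seen)
    last_cfg_idx = None
    changes = []
    for i, ev in enumerate(audit):
        if ev["event"] == "workspace_changed":
            last_cfg_idx = i
        elif ev["event"] == "decision":
            prev = last.get(ev["action"])
            if prev is not None and prev[0] != ev["decision"]:
                cause = audit[last_cfg_idx] if last_cfg_idx != prev[1] else None
                changes.append({"t": ev["t"], "action": ev["action"],
                                "from": prev[0], "to": ev["decision"], "cause": cause})
            last[ev["action"]] = (ev["decision"], last_cfg_idx)
    return changes


def lint(gw, now):
    """Problems 3 and 4: surface broad scopes, dead delegations and wait > TTL."""
    findings = []
    for d in gw.delegations:
        if d.scope == "*" or d.scope.endswith(":*"):
            findings.append(f"broad delegation {d.scope!r}: every matching write skips approval")
        if now >= d.expires_at:
            findings.append(f"expired delegation {d.scope!r}: matching writes now need approval")
    if gw.approval_wait_s > gw.approval_ttl_s:
        findings.append(f"approval_wait_s={gw.approval_wait_s} exceeds approval_ttl_s="
                        f"{gw.approval_ttl_s}; effective limit is {gw.effective_approval_limit_s()}s")
    return findings


def demo():
    """Replays a constructed timeline: wildcard delegation, silent expiry, audited narrowing."""
    gw = Gateway()
    gw.set_delegations([Delegation("write:*", expires_at=100.0)], now=0.0)
    decisions = [
        gw.decide("write:config/workspace.yml", now=10.0),   # allowed, hidden by the wildcard
        gw.decide("write:notes/todo.md", now=20.0),          # allowed
        gw.decide("write:config/workspace.yml", now=150.0),  # needs_approval: delegation expired
        gw.decide("write:notes/todo.md", now=160.0),         # needs_approval, no config change logged
    ]
    findings = lint(gw, now=150.0)  # broad scope, expired delegation, wait > TTL
    gw.set_delegations([Delegation("write:notes/*", expires_at=1000.0)], now=200.0)
    decisions += [
        gw.decide("write:notes/todo.md", now=210.0),         # allowed again, explained by workspace_changed
        gw.decide("write:config/workspace.yml", now=220.0),  # needs_approval
    ]
    return gw, decisions, findings


if __name__ == "__main__":
    gw, decisions, findings = demo()
    for change in explain_decision_changes(gw.audit):
        cause = change["cause"]
        why = f"workspace_changed at t={cause['t']}" if cause else "no audited cause (check delegation status)"
        print(f"t={change['t']}: {change['action']} {change['from']} -> {change['to']}: {why}")
    for f in findings:
        print("lint:", f)
```

Two things the replay makes visible. The first two flips (at t=150 and t=160) come back with no audited cause, because expiry is not a config change; that is exactly the gap that delegation status reporting closes, and lint() flags the expired wildcard at the same moment. The flip at t=210 is explained by the workspace_changed event at t=200, which is the PR #83 behaviour. Problem 1 is the one thing this toy cannot show: a write made through a host-native shell never reaches decide(), so it appears in neither the decisions nor the audit log.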

What Surprised Me Most

None of these issues came from architecture reviews. None came from design documents. All came from running real agents against the system. The lesson wasn't "build more features."

It was:

Dogfood your assumptions.

Want To Try It?

The fastest path is:

pipx install agent-sudo-mcp
agent-sudo eval

It runs the complete flow:

blocked → delegated → allowed once → denied → audit verified

If you try it, tell me one thing:

Did you reach audit verified, or where did you stop?

My repo, in case you want to check it out: https://github.com/Kisyntra/Agent_Sudo
