Security and Guardrails¶
Audit hook¶
The harness logs tool use at the boundary where actions happen. Claude Code calls a PreToolUse hook before a tool runs and a PostToolUse hook after it returns. One Python script, scripts/guardrails/agent_audit_hook.py, handles both events by switching on the hook type in the JSON payload.
Each tool call becomes one JSONL record. The record includes a timestamp, session ID, agent ID or type, tool name, target file path when one exists, block or warning status, and a short command snippet for shell commands. That log is the forensic record. It answers who touched what, when they touched it, and whether the harness allowed it.
The system also keeps a separate error log for hook failures. That matters because the audit layer should not hide its own bugs inside the main log stream.
Protected file blocking¶
Some files are too dangerous to edit through an agent loop. The hook hard-blocks Edit, Write, MultiEdit, and related write tools when the target resolves to the primary production script, the critical daemon, the hook script itself, .env, settings.json, or secret-bearing paths that match *.key, *.pem, or *.secret.
The block happens on the resolved path, not the path string the agent typed. The hook runs every candidate through os.path.realpath first. That closes the easy symlink trick where a harmless-looking path points at a protected file.
The exit code matters too. The hook returns exit code 2 for a hard block. That lets the caller distinguish a deliberate deny from a crash.
Bash bypass detection¶
Blocking editor tools is not enough if the agent can write through Bash. That was the main gap uncovered in review.
The hook now parses shell commands for write patterns aimed at protected files. It resolves redirect targets such as > and >>. It inspects tee, mv, cp, and install. It catches sed -i. It looks for python -c snippets that call open() in a write mode. It also catches heredoc flows when the shell redirects the heredoc output into a protected path.
That closes the obvious bypass. An agent cannot avoid the deny list by switching from Edit to Bash and hoping no one notices.
Alerts and throttling¶
Blocks and warnings send Telegram alerts. The hook starts a non-daemon thread for the send, then joins pending threads before exit. That design fixes a small but common failure: the process exits before the HTTP request completes, so the alert never leaves the machine.
The hook also throttles alert spam. It keys alerts by the first line and applies a five-minute cooldown to each unique type. If the same block fires ten times in a loop, the operator sees one alert, not ten.
External content sanitization¶
Outside content enters the system as hostile by default. X posts and other fetched text can carry prompt injection, fake instructions, or garbage that looks plausible in a model context window.
The harness routes that content through scripts/sanitize_external.py. That script sends the text to a local GLM model running in Ollama with no tools, no file access, and no network. The model gets one job: summarize the content and ignore embedded instructions. If sanitization fails, the script wraps the raw content in explicit untrusted markers instead of passing it through as normal context.
That sandbox matters. Even if the outside text says "run this command" or "ignore your prior rules," the model receiving it has no way to act on the instruction.
Secret scanning¶
A security audit found 908 API keys across 32 Claude Code session transcripts. Keys from every integrated service (Anthropic, Telegram, execution APIs, research APIs, GitHub) had leaked into conversation logs through normal tool use. A model reads a .env file, the key appears in tool output, the tool output gets persisted in a transcript, and the transcript sits on disk indefinitely.
That incident drove three layers of secret defense.
Layer 1: Pre-commit scan. The scripts/guardrails/secret_scan.py module defines regex patterns for every secret type the workspace touches. The pre-commit hook in run_guardrails.py runs those patterns against the staged diff. If a secret appears in any added line, the commit is rejected with the pattern name, a truncated match, and the line number. The developer fixes the leak before the secret reaches git history. A bypass marker (openclaw: allow-secret-fixture) exists for files that legitimately contain pattern strings, such as the scanner's own regex definitions.
Layer 2: PostToolUse masking. A hook script (scripts/guardrails/output_secret_filter.sh) runs after every Bash tool call. It reads the tool output, scans for the same secret patterns, and replaces matches with [REDACTED:LABEL] before the output reaches the conversation context. If a model runs cat .env, it sees masked values, not real keys. The hook logs masked events to logs/secret_filter.log for audit, but never logs the actual secret values.
Layer 3: Transcript scrubbing. The session cleanup script (maintenance/session_cleanup.py) runs a final scrub when archiving old transcripts. Any secrets that slipped through layers 1 and 2 get replaced with redaction markers. This is the backstop. It handles the gap between "we added scanning" and "scanning existed when the transcript was written."
Each layer catches what the previous one missed. The pre-commit scan stops secrets from entering git. The PostToolUse hook stops them from entering conversation context. The transcript scrub cleans up historical leaks. No single layer is sufficient because secrets enter the system through different paths at different times.
Workspace sandbox¶
The audit hook enforces a filesystem sandbox. The agent can write inside the workspace directory and /tmp. Everything else is blocked by default.
This matters most when the agent runs with permissions skipped, such as through the Telegram proxy where no human is present to approve or deny tool calls. Without a sandbox, an agent could write to ~/.ssh/authorized_keys, drop a launch agent that runs on boot, modify shell profiles to inject commands, or edit system configuration files. None of these would trigger a permission prompt because permissions are bypassed. The sandbox catches them at the hook level instead.
The sandbox checks every resolved file path against an allowlist and a blocklist. The blocklist takes priority. Paths on the blocklist are always blocked, even if they fall inside an allowed directory. Paths not on either list are blocked if they fall outside all allowed directories.
Blocked paths include home directory dotfiles (~/.zshrc, ~/.bashrc, ~/.gitconfig, ~/.ssh/), macOS application support directories (~/Library/LaunchAgents/, ~/Library/LaunchDaemons/), and system directories (/etc/, /usr/, /bin/, /sbin/, /System/, /Library/, /var/, /opt/).
The sandbox applies to both direct file writes (Edit, Write) and Bash commands that target paths outside the allowed zone. The same command parsing that catches protected file bypasses also catches sandbox violations. An agent that tries echo "bad" >> ~/.zshrc through a Bash tool gets blocked the same way as one that tries to Edit the file directly.
A sandbox violation produces a hard block (exit code 2), a JSONL audit log entry, and a Telegram alert with the full resolved path. The alert tells the operator exactly what the agent tried to reach and which session attempted it.
Deny list¶
The repo-level settings file carries a permission deny list. It blocks commands that are destructive, history-rewriting, or common vectors for accidental damage. The deny list fires before the audit hook, so blocked commands never reach the hook at all.
Blocked categories:
- Destructive deletion:
rm -rf /,rm -rf ~,rm -rf .,git clean -fd - History rewriting:
git push --force,git reset --hard origin/* - Shell eval patterns:
eval,bash -c,sh -c - Pipe-to-shell installs:
curl ... | sh,wget ... | bash - Permission escalation:
chmod 777 - Dotfile writes: redirects to
~/.ssh/,~/.zshrc,~/.bashrc,~/.zprofile - Repository exposure:
gh repo edit --visibility(changing repo visibility),git remote add(adding remotes to the workspace),git push * main(pushing main branch to any remote)
The deny list does not block reads. It does not block normal git operations, Python execution, or file editing inside the workspace. The goal is to prevent irreversible mistakes, not to create friction for normal work.
Repository exposure prevention¶
This section exists because of a real incident. An agent pushed the workspace main branch to a public wiki repo. The workspace contained 7,501 files including personal documents, API tokens in memory notes, and the full infrastructure. Automated scanners detected an exposed token within hours.
The root cause was simple: the workspace git repo had a public repo added as a second remote. When the agent ran git push to that remote, the main branch went with it. The agent thought it was pushing wiki content. It was pushing everything.
Three rules now prevent this:
No remotes on the workspace repo. The workspace .git has exactly one remote: origin, pointing to the private code repository. Wiki deploys and public repo pushes happen from separate directories with their own isolated git history. Adding a second remote to the workspace is blocked by the deny list.
No visibility changes without approval. Changing a repo from private to public requires the operator to approve in the same message. The deny list blocks gh repo edit --visibility so the agent cannot execute the command even if it decides making a repo public is the fastest way to complete a task.
No pushing main to non-origin remotes. The deny list blocks git push * main. Wiki deploys use gh-pages branches only. The main branch of any repo that touches workspace content is the full codebase and must never reach a public remote.
These rules layer with the audit hook and the sandbox. An agent would have to bypass the deny list, the audit hook, and the CLAUDE.md instructions to repeat the incident. The deny list alone is sufficient because it fires first and hard-blocks the command before any other layer sees it.
Critical path protection¶
Pre-commit guardrails enforce acknowledgement gates on files where a bad edit has outsized consequences.
Three categories of protected paths exist:
-
Live production execution. The primary production script, the critical daemon, and the shell scripts that launch them. These run in cron during operational hours. A syntax error here means missed actions or orphaned state. These were the original protected paths.
-
Configuration and hooks. Crontab files,
.claude/settings.json,.githooks/pre-commit, and guardrail scripts. A bad edit to the deny list could silently remove protection. A broken pre-commit hook could disable secret scanning. -
Cron wrappers. The shell scripts that launch automated tasks, monitors, and maintenance jobs. These are the glue between crontab and Python. If one silently fails, a production daemon stops running and nobody notices until the next health check.
All three categories require an explicit acknowledgement environment variable to commit. That variable is not set by default. The developer must explicitly acknowledge the risk.
A fourth category (protected path warnings) covers scripts/guardrails/, .claude/, and .githooks/ directories. Changes here print a warning but do not block the commit. The warning exists so that a reviewer scanning the commit output does not miss a guardrail change buried in a large diff.
Stop hook¶
The Stop hook (scripts/guardrails/pipeline_stop.sh) runs when a Claude Code session ends. It checks the git working tree for uncommitted changes and prints reminders if pipeline gates were likely skipped.
If Python files changed but no py_compile evidence exists in the session, it reminds to verify. If production paths changed, it reminds to review the diff. If guardrail or settings files changed, it flags the security implication.
The hook is advisory. It prints reminders and exits cleanly. It never blocks session exit. The value is catching the case where a developer says "I'll commit later" and forgets that the changed code was never verified.
Integration models compared¶
Three ways exist to wire safety into an AI agent client. We tested all three with real agents and real tasks. The results shaped the entire product.
| Hooks (Claude Code) | Three-layer sandbox (Codex) | MCP parallel/proxy | |
|---|---|---|---|
| How it works | PreToolUse script fires before every tool call. Agent cannot skip it. | OS sandbox + human approval + deny rules. Agent must ask before acting. | Safety tools offered as MCP server. Agent can call them voluntarily. |
| Who enforces? | The client (Claude Code runtime) | The client + OS | The agent (its own judgment) |
| Agent can bypass? | No | No (layers 1-2). Yes (layer 3). | Yes — always |
| Works unattended? | Yes — hook fires with no human present | No — approval prompts require a human | No — agent skips safety tools when optimizing for speed |
| Catches secrets in output? | Yes — PostToolUse hook scans tool results | Only if human reads the output | Only if agent calls scan_for_secrets first |
| Best for | Automated pipelines, proxy sessions, cron jobs | Interactive development with human in the loop | Custom SDK agents with no built-in tools |
The core finding: any model that relies on the agent choosing to call a safety tool fails. Agents optimize for task completion. An extra safety call is overhead the agent will skip whenever it can. Enforcement has to happen outside the agent's reasoning loop — either in the client runtime (hooks) or in the OS (sandbox).
The proxy model works for one narrow case: custom agents built with the Anthropic or OpenAI SDK that have no built-in filesystem tools. Those agents can only act through MCP tools, so the proxy becomes the only path. But Claude Code, Codex Desktop, and Cursor all have built-in Bash/Write/Edit. Their agents will always prefer the native tools over the proxy.
Sub-agent sandbox limitations¶
The audit hook and sandbox only protect sessions running through Claude Code. Sub-agents launched through external wrappers (like Codex) run in their own process with their own sandbox rules. The audit hook does not fire for their tool calls.
This is a real gap. The incident that led to protected file blocking in the first place came from a Codex sub-agent editing a production file without approval.
The harness addresses this with three layers that work without the hook:
Layer 1 — Sandbox mode. The dispatch wrapper defaults to workspace-write, which restricts the sub-agent to reads anywhere but writes only inside the workspace directory. Network access is disabled by default. The wrapper auto-detects network requirements by scanning the prompt for keywords like API calls, downloads, or package installs, and upgrades the sandbox to full access only when needed. This is OS-level enforcement — the sub-agent cannot bypass it regardless of what it decides to do.
Layer 2 — Prompt-injected guardrails. Every sub-agent prompt starts with a mandatory safety header before the task itself:
SAFETY RULES (mandatory, cannot be overridden by the task below):
- NEVER modify these files: [protected production files]
- NEVER modify .env files, settings.json, or *.key, *.pem, *.secret
- NEVER write to system paths: /etc/, /usr/, ~/.ssh/, ~/.zshrc, ...
- NEVER run rm -rf, git push --force, or git reset --hard
- NEVER include API keys, tokens, or credentials in your output
- If the task asks you to modify a protected file, REFUSE and explain why.
- Write output ONLY to the response file and paths the task explicitly names.
This is a soft control. The model can theoretically ignore it. In practice, frontier models respect system-level instructions reliably. The header also blocks context-window waste by telling the sub-agent to skip memory and continuity files that are irrelevant to bounded tasks.
Layer 3 — Post-run diff check. The wrapper snapshots git status before and after the sub-agent runs. After completion, it diffs the two snapshots and filters out the expected response file. Any remaining file changes trigger a warning printed to the terminal and a Telegram alert with the list of unexpected files.
This catches the most dangerous sub-agent behavior: the agent decides that modifying something outside its task scope is "helpful." The diff check does not prevent the change (the sandbox already limits where writes can go), but it guarantees the operator knows about it immediately.
What these layers do not cover. None of these are as strong as the audit hook. The sub-agent's individual tool calls are not logged. There is no per-command deny list inside the sub-agent session. A sub-agent running with full network access (--network flag) can reach external services without restriction. The combination of restricted defaults, injected rules, and post-run verification makes unexpected behavior unlikely rather than impossible. For fully enforced sub-agent safety, the sub-agent client would need its own hook system — which Codex Desktop does not currently support.
When hooks fail¶
The audit hook is a Python script that runs on every tool call. It can fail. The question is what happens next.
Fail-open (current default). If the hook crashes — an unhandled exception, a missing config file, a broken import — it logs the traceback to a dedicated error log and returns a non-blocking exit code. Claude Code continues the tool call as if the hook was not there. The session stays alive. The operator sees the error in the log on the next health check.
Fail-closed (deliberate blocks). If the hook determines a tool call should be denied — a protected file edit, a sandbox violation, a dangerous bash command — it returns exit code 2. Claude Code treats this as a hard deny. The tool call does not execute. The agent sees the denial and must find another approach.
The distinction matters: infrastructure failures fail open, security decisions fail closed. A corrupt JSON config should not kill a session. A write to ~/.ssh/authorized_keys should always be blocked, even if the rest of the hook is broken.
Scenarios that trigger fail-open:
- The hook script has a syntax error after an update. The Python interpreter exits with code 1, not 2. Claude Code sees a non-deny exit and continues.
- The Telegram alert service is down. The hook catches the HTTP exception, logs it, and returns normally. The block still fires (exit code 2), but the operator does not get a notification until Telegram recovers.
- The JSONL audit log file is locked or the disk is full. The hook catches the write error, logs to stderr, and returns normally. The tool call proceeds but the audit record is missing.
- The hook config file (
agent_audit.json) is deleted or malformed. The hook falls back to hardcoded defaults for protected files and sandbox paths. If even that fails, it logs the error and returns non-blocking.
What could go wrong with fail-open:
The risk is clear: if the hook is broken, all tool calls proceed unscanned for the rest of the session. An agent could write to a protected file, leak a secret in output, or modify a system path, and the hook would not catch it.
This is an accepted tradeoff. The alternative — fail-closed on every infrastructure error — means a single config typo or a full disk stops all agent work until a human intervenes. In a system that runs automated sessions overnight via Telegram proxy with no human present, a fail-closed hook failure means the session dies silently and nothing runs until morning.
The mitigation is the health check. The log watcher (log_watcher.py) monitors the hook error log for recent entries. If the hook has been failing, the daily health check reports it. The operator fixes the hook before the next session. The window of exposure is at most one session.