Command policies
What actually bounds the commands an agent runs inside a workspace today.
Info:
Proliferate doesn't have a per-command allow or deny list yet, there's no
setting where you type rm -rf or terraform apply and mark it denied.
This page covers what actually constrains a command an agent runs, so you
can reason about risk with the controls that exist today.
What actually bounds a command
- Sandbox isolation. Every workspace runs in its own local worktree or isolated cloud sandbox. A command an agent runs stays scoped to that workspace's checkout and environment, it doesn't reach your other workspaces or your host machine's other repos.
- Environment secrets. Only the environment variables and files you've added to a repository's cloud environment are available to commands running there. An agent can't reach a credential you never gave that repo.
- Agent policy. The org-wide agent policy controls which harnesses and auth routes can run at all, which bounds what a session can do before it ever gets to running a command.
- Review before merge. Nothing an agent does lands outside its workspace until a human reviews the diff and opens or merges a pull request. Destructive local changes are recoverable through git; changes that leave the workspace go through your normal PR review.
Coming later
A real command-level allow and deny list (for example: always allow git,
npm test, and read-only commands; always ask before rm, package
installs, or anything that touches production infrastructure) isn't
available yet. Track runtime guardrails
for updates as this lands.