Command policies

What actually bounds the commands an agent runs inside a workspace today.

Info:

Proliferate doesn't have a per-command allow or deny list yet, there's no setting where you type rm -rf or terraform apply and mark it denied. This page covers what actually constrains a command an agent runs, so you can reason about risk with the controls that exist today.

What actually bounds a command

  • Sandbox isolation. Every workspace runs in its own local worktree or isolated cloud sandbox. A command an agent runs stays scoped to that workspace's checkout and environment, it doesn't reach your other workspaces or your host machine's other repos.
  • Environment secrets. Only the environment variables and files you've added to a repository's cloud environment are available to commands running there. An agent can't reach a credential you never gave that repo.
  • Agent policy. The org-wide agent policy controls which harnesses and auth routes can run at all, which bounds what a session can do before it ever gets to running a command.
  • Review before merge. Nothing an agent does lands outside its workspace until a human reviews the diff and opens or merges a pull request. Destructive local changes are recoverable through git; changes that leave the workspace go through your normal PR review.

Coming later

A real command-level allow and deny list (for example: always allow git, npm test, and read-only commands; always ask before rm, package installs, or anything that touches production infrastructure) isn't available yet. Track runtime guardrails for updates as this lands.

On this page