fix(guardrails): harden infrastructure agent permissions #114
Conversation
…ow-up #113)
- Add *.pem, *.key, *secret* deny to terraform-engineer, cloud-architect, deployment-engineer
- Split kubectl rollout into read-only (allow) vs mutating (ask) subcommands
- Add explicit docker push/docker compose push deny to deployment-engineer

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This PR doesn't fully meet our contributing guidelines and PR template. What needs to be fixed:
Please edit this PR description to address the above within 2 hours, or it will be automatically closed. If you believe this was flagged incorrectly, please let a maintainer know.
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details.
Pull request overview
Hardens guardrail permissions for infrastructure-focused agents to reduce accidental secret exposure and prevent mutating deployment actions without explicit approval.
Changes:
- Added additional secret-related deny patterns (`*.pem`, `*.key`, `*secret*`) to `read`/`grep` for terraform/cloud/deployment agents.
- Tightened `deployment-engineer` `kubectl rollout` permissions (status/history allow; restart/undo ask).
- Explicitly denied image pushes for `deployment-engineer` (`docker push*`, `docker compose push*`).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| packages/guardrails/profile/agents/terraform-engineer.md | Adds extra secret-file deny patterns to reduce accidental key/secret access. |
| packages/guardrails/profile/agents/deployment-engineer.md | Adds secret denies; restricts rollout mutators to ask; denies Docker push operations. |
| packages/guardrails/profile/agents/cloud-architect.md | Adds extra secret-file deny patterns for a read-only infrastructure reviewer. |
| "*.key": deny | ||
| "*secret*": deny | ||
| grep: | ||
| "*": allow |
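Review bot: the read-side denies added in this hunk (`"*.key": deny`, `"*secret*": deny`) stop short of the other common private-key containers. An `id_rsa`/`id_ed25519` file has no extension, and `*.p12`, `*.pfx`, `*.jks` and `*.keystore` bundles match none of `*.pem`, `*.key` or `*secret*`, so they remain readable under this block. Also worth confirming how the matcher handles case: if globs are case-sensitive, `Secret.yaml` or `SECRETS.md` is not covered by `*secret*`. Suggest adding the key-container patterns alongside `"*.key": deny` and, if the matcher is case-sensitive, a capitalised variant or a note in the file saying the rule is case-sensitive.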
In the grep permission rules, *credentials* is not denied (unlike security-engineer.md, which denies it). Since grep permissions are evaluated against the search pattern, this agent can still grep for credentials and potentially surface secret values. Add a "*credentials*": deny entry in the grep block (keeping it after "*": allow).
| "*": allow | |
| "*": allow | |
| "*credentials*": deny |
| "*secret*": deny | ||
| grep: | ||
| "*": allow | ||
| "*.env*": deny |
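Review bot: because the grep rules are matched against the search pattern rather than the file path, `"*.env*": deny` in this hunk blocks more than `.env` files: any search whose pattern contains `.env`, for example `process.env`, `import.meta.env` or `os.environ`, will be refused, while a search for the secret material itself (`AKIA`, `-----BEGIN`, `password=`) passes because neither `*secret*` nor `*.env*` matches it. If the guardrail supports a path or glob scope for grep, the file-name denies belong there; otherwise add a comment next to `"*.env*": deny` stating that it filters the pattern, not the file, so the over-match is not mistaken for a file filter.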
The grep permission rules are missing "*credentials*": deny, which is present in the security-engineer baseline. Without it, this agent can still grep for credential-related patterns and potentially expose secret material in grep output. Add the credentials deny rule to the grep block.
| "*.env*": deny | |
| "*.env*": deny | |
| "*credentials*": deny |
| "*secret*": deny | ||
| grep: | ||
| "*": allow | ||
| "*.env*": deny |
The grep permission rules don’t deny *credentials* (the security-engineer agent does). Because grep permission checks apply to the search pattern, this still allows grepping for credential material and could leak secrets via grep results. Add "*credentials*": deny to the grep block.
| "*.env*": deny | |
| "*.env*": deny | |
| "*credentials*": deny |
| "*": deny | ||
| "docker build*": allow | ||
| "docker compose*": allow | ||
| "docker compose push*": deny | ||
| "docker push*": deny |
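Review bot: `"docker compose push*": deny` and `"docker push*": deny` only catch a push whose subcommand immediately follows `docker compose` / `docker`. Since `"docker compose*": allow` sits just above, `docker compose -f prod.yml push` or `docker compose --project-name x push` still matches the allow and never reaches the deny, and `docker --context prod push …` is decided only by the catch-all `"*": deny`. For a hard deny on pushes, either anchor the deny on the subcommand regardless of interposed flags (for example `"docker compose* push*": deny`, accepting that it also catches any compose argument containing ` push`) or narrow the allow to the subcommands actually needed (`docker compose up*`, `docker compose build*`). Separately, with `"*": deny` first and the specific rules after it, the block only behaves as intended if the evaluator takes the last or most specific match; a one-line comment at the top of the block recording that ordering would stop a future edit from reordering it.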
This agent now hard-denies docker push* / docker compose push*, but the guidance text later in the file says to never run docker push without explicit approval. Since deny means it can’t be approved at runtime, update the guidance to reflect that pushes are disallowed for this agent (or change the rule to ask if approval should be possible).
Summary
Follow-up from PR #113 code review (CRITICAL-2, HIGH-3, HIGH-4).
Type of change
Changes
terraform-engineer, cloud-architect, deployment-engineer:
- `*.pem`, `*.key`, `*secret*` deny to read and grep permissions (matching security-engineer pattern)
deployment-engineer only:
- `kubectl rollout*: allow` into `kubectl rollout status/history: allow` + `kubectl rollout restart/undo: ask`
- `docker push*: deny` and `docker compose push*: deny`
Verification
- `bun turbo typecheck`: 13/13 pass
Checklist
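The rule changes above, and the review remarks about ordering and about pushes issued with a flag before the subcommand, hinge on how the command patterns are matched. The following evaluator is an added example written for this page; it is not the project's guardrails code. It assumes semantics the page does not confirm: patterns are shell-style globs matched against the whole command string, rules are evaluated top to bottom, and the last match wins (the reviewer's "keep it after `"*": allow`" only makes sense under that rule). The exact `kubectl rollout status`/`history`/`restart`/`undo` patterns are not shown on the page, so the trailing `*` on them is assumed, and `hardenedRules` is my own variant, not a rule the PR contains.

```typescript
// Added example (not the project's code): a minimal evaluator for the kind of
// ordered glob -> decision rules this PR edits. Assumed semantics, not
// confirmed by the page: patterns are shell-style globs matched against the
// full command string, rules run top to bottom, and the LAST match wins.

type Decision = "allow" | "ask" | "deny";
type Rule = [string, Decision];

// Convert a glob such as "docker compose push*" into an anchored RegExp.
// Only * and ? are wildcards; every other metacharacter is escaped.
function globToRegExp(glob: string): RegExp {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Walk the rules in order; the last matching rule decides. If nothing
// matches at all, fail closed.
function evaluate(rules: Rule[], command: string): Decision {
  let decision: Decision = "deny";
  for (const [pattern, verdict] of rules) {
    if (globToRegExp(pattern).test(command)) decision = verdict;
  }
  return decision;
}

// "Before" shape described in the PR body: one broad rollout allow.
const beforeRules: Rule[] = [
  ["*", "deny"],
  ["kubectl rollout*", "allow"],
  ["docker build*", "allow"],
  ["docker compose*", "allow"],
];

// "After" shape from the PR body and the deployment-engineer hunk. The exact
// kubectl patterns are not shown on the page; the trailing "*" is assumed.
const afterRules: Rule[] = [
  ["*", "deny"],
  ["kubectl rollout status*", "allow"],
  ["kubectl rollout history*", "allow"],
  ["kubectl rollout restart*", "ask"],
  ["kubectl rollout undo*", "ask"],
  ["docker build*", "allow"],
  ["docker compose*", "allow"],
  ["docker compose push*", "deny"],
  ["docker push*", "deny"],
];

// My variant, not in the PR: a prefix-anchored "docker compose push*" never
// sees a push issued with a flag before the subcommand. "docker compose* push*"
// does, at the cost of also catching any compose argument containing " push".
const hardenedRules: Rule[] = afterRules.map(([p, d]): Rule =>
  p === "docker compose push*" ? ["docker compose* push*", d] : [p, d],
);

// Evaluate one command against all three rule sets side by side.
function compare(command: string): Record<"before" | "after" | "hardened", Decision> {
  return {
    before: evaluate(beforeRules, command),
    after: evaluate(afterRules, command),
    hardened: evaluate(hardenedRules, command),
  };
}

// Constructed sample commands covering the allow, ask, deny and bypass cases.
for (const cmd of [
  "kubectl rollout status deployment/api",
  "kubectl rollout restart deployment/api",
  "docker push registry.example/app:1.0",
  "docker compose push",
  "docker compose -f prod.yml push",
]) {
  console.log(cmd.padEnd(40), compare(cmd));
}
```

The interesting row is `docker compose -f prod.yml push`: under `afterRules` it is allowed, because `docker compose*` matches and the later `docker compose push*` does not, whereas `hardenedRules` denies it. The trade-off is visible in the same evaluator: `docker compose* push*` will also deny a compose invocation whose arguments happen to contain ` push`, so the narrower fix is to allow individual compose subcommands rather than `docker compose*` as a whole.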