Rule
Before an agent acts, bound what it can touch and what it can spend. The envelope has walls — capabilities, file scope, credentials — and a meter: budget caps, step caps, attempt caps.
Untrusted input must never widen the envelope. A fetched page, a file, a tool result can ask for anything; the envelope answers. And the meter is not optional: public reports of runaway agent runs burning five-figure bills in a weekend all share one root cause — nobody set a number the run could not exceed. Isolation is the license for autonomy: the tighter the envelope, the more freely the agent can act inside it.
What AgentOps Enforces
- Deny by default; grant the minimum capability the task needs, then revoke it.
- Set explicit budget, step, and attempt caps before unattended work starts.
- Treat fetched and loaded content as untrusted: it cannot change what the agent may do.
- Keep secrets out of context, commits, learnings, and traces unless the task requires them.
- Put destructive or irreversible actions behind an explicit grant or a human gate.
Failure Signal
- Agents run with broad or shared credentials "because it's easier."
- A retry loop runs all night because no attempt cap existed.
- A prompt injection in fetched content changes what the agent does.
- "How much could this run cost?" has no bounded answer.
Done Looks Like
The blast radius of a mistake — or a compromise — was bounded before the agent acted: what it could touch, what it could spend, and where it had to stop.