Rule
An agent acts inside an explicit, least-privilege envelope it cannot widen — not even when the input tells it to.
The envelope has two walls: what the agent is allowed to do (the narrowest capabilities its job needs) and what is allowed to leave (secrets and sensitive data don't escape through tool calls, commits, learnings, or traces). Untrusted input — a fetched page, a file, a tool result — must never be able to grant the agent more power than it started with.
What AgentOps Enforces
- Deny by default; grant the minimum capability the task needs, then revoke it.
- Keep production authority out of routine tasks; read-only when reading is enough.
- Treat fetched/loaded content as untrusted: it cannot change what the agent may do.
- Keep secrets out of context, commits, learnings, and traces unless the task requires them.
- Put destructive or irreversible actions behind an explicit grant or a human gate.
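The five rules above as one runnable sketch, added here as an illustration rather than AgentOps' own code: the envelope starts empty, only the operator can widen it, a GRANT line inside fetched content is refused, irreversible tools need a human gate, and secrets are scrubbed before the trace is written. The capability names, the secret patterns and the `human_approved` flag are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed capability names and secret patterns (constructed for this example).
DESTRUCTIVE = {"repo.push", "db.write", "fs.delete"}
SECRET_RE = re.compile(r"\b(?:sk-[A-Za-z0-9]{8,}|AKIA[A-Z0-9]{16})\b")

class Denied(PermissionError): """Request falls outside the envelope."""

def redact(text: str) -> str:
    return SECRET_RE.sub("[REDACTED]", text)  # scrub before trace, commit or learning

@dataclass
class Envelope:
    allowed: set = field(default_factory=set)   # empty set: deny by default
    trace: list = field(default_factory=list)

    def grant(self, capability: str, *, principal: str) -> None:
        # Only the operator widens the envelope; fetched content never can.
        if principal != "operator":
            raise Denied(f"{principal} may not grant {capability}")
        self.allowed.add(capability)

    def revoke(self, capability: str) -> None:
        self.allowed.discard(capability)        # hand the capability back when the task is done

    def call(self, capability: str, arg: str, *, human_approved: bool = False) -> str:
        if capability not in self.allowed:
            raise Denied(f"{capability} is outside the envelope")
        if capability in DESTRUCTIVE and not human_approved:
            raise Denied(f"{capability} is irreversible and needs a human gate")
        self.trace.append(f"{capability}({redact(arg)})")  # secrets never reach the trace
        return f"ok:{capability}"

def attempt(env: Envelope, capability: str, arg: str, **kw) -> str:
    # Run one tool call and report the outcome instead of raising.
    try:
        return env.call(capability, arg, **kw)
    except Denied as exc:
        return f"denied: {exc}"

def process_untrusted(env: Envelope, content: str) -> list:
    """Fetched content is data: a GRANT line inside it is refused, not obeyed."""
    outcomes = []
    for line in content.splitlines():
        if line.startswith("GRANT "):
            try:
                env.grant(line.split()[1], principal="fetched_content")
            except Denied as exc:
                outcomes.append(f"denied: {exc}")
    return outcomes
```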
Failure Signal
- Agents run with broad or shared credentials "because it's easier."
- A prompt injection in fetched content changes what the agent does.
- Secrets or PII show up in a commit, a log, or a compounded learning.
- "How much could this agent break?" has no bounded answer.
Done Looks Like
The blast radius of a mistake — or a compromise — was bounded before the agent acted, and untrusted input can ask for more power all it likes: the envelope simply doesn't grant it.