| I started working on this because I was getting uncomfortable with how quickly “autonomous” systems are allowed to touch real things like files, shells, or networks, while the safety story is often just “trust the prompt” or “we’ll log what happens.” That felt backwards to me. So I tried a small experiment: instead of trying to make the agent behave, make execution itself the hard boundary. Let the agent propose whatever it wants, but require an explicit authorization step before anything with side effects can actually run. When you run the demo, the agent proposes a plan that includes things like deleting files, changing configs, restarting services, and making network calls. None of that actually happens. The only thing that “runs” is an analysis step with no side effects. The output is basically a trace showing what was proposed, what was blocked, and a diff proving that nothing changed. I spent most of the time trying to poke holes in that boundary — impersonation, urgency, “just do it once,” pretending it’s only a simulation. The proposals still show up, but execution stays blocked. This isn’t a product or a finished system. It’s a proof-of-concept to see whether putting safety at the execution layer changes the kinds of failures you get compared to prompt-based guardrails. |