Skip to content
Flows
Build a Command Security Pipeline for Your Agent
Agent QA & Security120-180 minutes
0/4 steps0%

Step 1 of 4

Define the contract and pipeline skeleton

A uniform result type is what makes 20 checks composable.

Prompt capsule

Define the validator contract: each validator is a pure function taking the parsed command context and returning a result of allow (confident-safe: short-circuit the pipeline), ask (needs user confirmation, with reason), deny (block, with reason), or passthrough (no opinion: next validator). Add a severity flag distinguishing parser-mismatch findings (the command will execute differently than it parses - must interrupt) from informational ones (redirections, newlines - confirm but do not panic). Build the pipeline runner: run early validators first (allow can short-circuit), then the main chain collecting results, then apply selection - any deny wins, else the highest-severity ask, else allow. Wire ALL execution paths through it, including sub-agents and background tasks.

Paste into Claude · Complete implementation prompt with explicit requirements

Expected after this step

A typed contract and pipeline runner that every execution path uses.

Should not happen

  • One mega-function of nested ifs where fixing one check breaks another
  • Validators that mutate shared parse state, creating order-dependent bugs
  • Path checks that trust permission rules over the hard denylist
  • First-match-wins reporting that surfaces a warning while hiding a critical finding

Verify before continuing

Do not move on until every check is true. The complete button stays locked until then.

Do not continue if…

  • !One mega-function of nested ifs where fixing one check breaks another
  • !Validators that mutate shared parse state, creating order-dependent bugs
  • !Path checks that trust permission rules over the hard denylist
  • !First-match-wins reporting that surfaces a warning while hiding a critical finding

If the AI messes this up

Use this when the AI fakes progress or breaks the feature. It forces a real fix.

Some code path still executes commands directly. Grep for every call site of your executor and route it through the pipeline - a security pipeline with a bypass is theater; make the raw executor private so new bypasses cannot compile.

Your notes for this step