#permissions

13 posts tagged #permissions.

Headless mode isn't a flag you set. It's a privilege you earn.

Taking the human out of the loop is the real unlock — but headless plus loose permissions plus production access is how you wake up to a wiped repo. Automate only what's tested, sandboxed, and scoped.

Put the confirmation gate in the tool, not the UI.

A destructive-tool annotation plus a mid-call elicitation request gives you a deterministic human checkpoint that travels with the capability — so a confused or injected instruction can't quietly delete your data, no matter which client is driving.

A legitimate MCP server with two trust levels is the exploit

The dangerous MCP server isn't the malicious one — it's the convenient all-in-one that reads untrusted data and holds privileged access to a second system. Scope it, gate the writes, and you close the confused-deputy attack.

By the time you're reviewing the diff, the destructive call already ran.

Reviewing irreversible actions after the fact is too late. Split tools by reversibility in permissions, force a plan, and gate the destructive step behind a human interrupt — autonomy on reads, a hard stop on anything you can't undo.

Full Autonomy Is Just a Small Blast Radius

The blocker to running an agent overnight is never capability. It's trust. And you don't earn trust with a smarter model — you earn it with a smaller blast radius.

The moment your agent reads a webpage, that webpage can give it orders.

Prompt injection isn't an unsolvable model problem — it's a context-engineering one. Fence untrusted tool output as data in your rules, run a parallel guardrail hook that cancels on a hit, and cap the blast radius with a permissions allowlist.

Adding a system to your agent should be a config line, not a codebase.

Hand-writing an adapter for every external system is the contextless agent's biggest tax. An MCP server collapses the M×N integration blowup into one standard connection the agent discovers at runtime — scoped by permissions, configured once.