Build a Command Security Pipeline for Your Agent
0/4 steps0%

Step 3 of 4

Build the main validator chain and hard path constraints

One attack class per validator, plus constraints nothing can override.

First time here? Paste the Context Pack first so the AI understands your project - open it from the header above.

Prompt Capsule
Implement single-purpose main-chain validators, each with its own tests: shell metacharacters that split commands (';', '|', '&' outside quotes), IFS-injection, redirection detection (informational severity), sub-command extraction for compound commands so each piece is checked (a benign-looking second command reading credentials is the classic leak). Then implement the hard constraints layer: a protected-path denylist (system roots, credential directories) that blocks removal operations regardless of any permission rule, correct handling of the '--' separator so flags cannot smuggle paths past extraction, and for your riskiest allowed tool (e.g. sed-like editors), a whitelist of safe forms plus a denylist of dangerous sub-features (write-file and execute commands, non-ASCII lookalikes, multiline programs). Keep validators stateless and independent.
Paste into EmergentFull Build: complete implementation prompt with explicit requirements

Quick is short. Full Build is recommended for most steps. Strict forces real logic when the AI keeps faking output.

Actual change check

Expected after this step

A chain of tested single-purpose validators plus unoverridable path constraints.

Should NOT happen

  • An existing feature broke
  • A button only logs to console
  • Data disappears after refresh
  • Errors fail silently with no visible state

This is what should exist before you continue. If reality does not match, do not move on.

Track what changed, failed, or needs follow-up. Notes export with the flow.

Made with Emergent