Flows category icon
Harness Engineering
Intermediate

Hook a Permission Layer onto Dangerous Tools

Intercept dangerous tool calls with a hook layer: pattern rules, approval gates, and blocks that the model cannot talk its way past.

4 steps12 verify checks60-90 minutesWorks with: emergent · chatgpt · claude · cursor
Start Guided Walkthrough

The Route

0/4 verified

Context Pack

Paste this first. It briefs the AI on requirements, constraints, and the Definition of Done before your first build prompt.

Context Pack
PROJECT CONTEXT:
My agent can execute shell commands and edit any file, and one bad completion could rm the wrong directory. Harness analyses show the answer is a hook layer: programmable interception before dangerous calls, with deterministic rules the model cannot negotiate with.

GOAL:
Build a pre-execution hook layer: deterministic danger rules, approval escalation, protected paths, and hook-based extensibility.

REQUIREMENTS:
- A pre-tool-use hook point in the dispatch path where rules run before execution
- Deterministic danger rules: destructive command patterns, protected paths, secret files
- Three verdicts: allow, require-approval, block - each with a reason
- Protected-path enforcement for writes (env files, credentials, system paths, .git internals)
- Hook configurability so projects can add rules without forking the harness

CONSTRAINTS:
- Rules are code/config, never prompt text - the model can request, not overrule
- Blocks return structured refusals that keep the loop alive

DEFINITION OF DONE:
- rm -rf variants, force-push, and bulk-delete patterns require approval or block
- Writes to .env, key files, and outside-workspace paths are blocked with reasons
- A blocked call produces an honest model-visible refusal and the task adapts
- A project-level hook config adds a custom rule without harness code changes

COMMON FAILURES TO AVOID:
- Safety rules living in the system prompt where clever phrasing routes around them
- Pattern rules so naive that rm -rf ./ passes because the pattern expected rm -rf /
- Hooks that crash the loop instead of returning verdicts
- No project extensibility, so real deployments disable the layer entirely

Paste this into your AI builder first. It teaches the AI what you want before you give it the build prompt.

Related routes

More Harness Engineering flows that share ground with this one.

Flows category icon
Harness Engineering

Design Layered Tool Prompts with Preference Chains

Structure your tool prompts the way the leading harness does: preference chains up front, usage constraints in the middle, NEVER-guarded safety protocols at the end.

01Audit the current tool prompt
02Write the preference chain
03Write usage constraints and safety protocols

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Harness Engineering

Design the Permission Approval UX

Design approval prompts users actually read: diffs, risk framing, scoped grants, and pacing that prevents approval fatigue.

01Audit the current approval moments
02Rebuild the prompt content
03Make friction proportional to risk

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Harness Engineering

Pair Every Prompt Rule with a Code Backstop

Prompts guide, code enforces: inventory your agent's soft rules, back each critical one with an independent deterministic check, and define the allow/ask/deny escalation.

01Inventory soft rules and classify enforcement needs
02Implement checks independent of the prompt
03Wire the escalation path

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps120-180 minutesAdvanced

Made with Emergent