Skip to content

Adr 009 security posture dev agents

ADR-009: Security posture and blast radius for development-time agents

Section titled “ADR-009: Security posture and blast radius for development-time agents”

Status: proposed Date: 2026-05-19

The existing SECURITY.md covers runtime agent execution (inside MicroVMs). It does not cover development-time agents — those writing code, creating PRs, and modifying infrastructure in this repository. A development-time agent operates with the credentials of whoever invoked it, creating a risk of self-approval, policy modification, and unbounded blast radius.

The core principle: planners and implementors must be separated by context and ideally by identity. No self-approval.

RoleCan doCannot do
PlannerCreate/edit issues, write RFCs/ADRs, define roadmap and revisit visionWrite code, push branches, approve PRs
ImplementorWrite code, create PRs, push branches, run testsApprove own PRs, merge own PRs, modify CI/security config
ReviewerApprove PRs, request changes, merge, suggest code (no commits)Write code on the same PR being reviewed
AdminAll of the above + modify policies, approve issuesStill requires 2P for policy changes
ActionRiskGate
Edit code in existing patternsLowCI + peer review
Add new dependencyMediumSecurity scan + review
Modify IAM policy / security configHigh2P review + admin approval
Modify CI/CD workflowHigh2P review + admin approval
Modify branch protection / approval rulesCriticalAdmin-only + audit trail
Modify governance ADRsCriticalAdmin-only + 2P review
Delete or force-push protected branchesCriticalNever automated; human-only

For High and Critical actions:

  • The author cannot be one of the two approvers
  • At least one approver must be a human
  • Approvals reference the specific risk being accepted
  • Branch protection requires review from someone other than the pusher
  • Approval cannot come from the last committer on the branch
  • If an agent plans AND implements, review must come from an identity that did neither
  • The identity that writes code cannot approve or merge it
Agent contextMinimum credentials
Planning (issues, RFCs)GitHub Issues write, read-only repo
Implementation (code, PRs)Repo write, PR create, no merge capability
ReviewPR review write, no push capability
DeploymentSeparate deploy key, environment approval gate
  • (+) Prevents self-approval of dangerous changes
  • (+) Blast radius is explicit and enforceable
  • (+) Role separation enables audit trail
  • (+) 2P review catches compromised or confused agents
  • (-) Credential management complexity increases
  • (-) Small tasks require multi-identity orchestration
  • (!) Personal PATs grant all permissions — structural enforcement requires GitHub Apps or fine-grained tokens
  • Issue #140 — full RFC with open questions
  • docs/design/SECURITY.md — runtime agent security (complementary)
  • Cedar HITL gates (PR #88) — runtime tool-call governance
  • ADR-003 — governance (approval gates enforced here technically)