Security & Guardrails

AMOF enforces safety at the tool execution level, not just through prompt instructions. When an AI agent tries to write a file, run a command, or delete something, the guardrail system intercepts the call.

Protection Layers

Agent Request
    |
    v
[1] Protected Paths      --> Block writes to .git, .env, secrets, *.pem
    |
    v
[2] Protected Basenames  --> Block .env, .env.* regardless of directory
    |
    v
[3] Protected Extensions --> Block *.pem, *.key
    |
    v
[4] Readonly Repos       --> Block all writes to readonly: true repos
    |
    v
[5] Manifest Guardrails  --> Block paths in ecosystem.yaml no_touch_paths
    |
    v
[6] Blocked Commands     --> Block catastrophic commands (rm -rf /, mkfs)
    |
    v
[7] Dangerous Patterns   --> Confirm: git push --force, DROP TABLE, kubectl delete
    |
    v
[8] Sensitive Commands   --> Confirm: pip install, npm install, git push
    |
    v
ALLOWED

File Protection

Protected Paths

Any Write, StrReplace, or Delete tool call targeting these paths is blocked unconditionally:

  • .git
  • .env / .env.*
  • secrets/ / credentials/
  • *.pem / *.key
  • id_rsa / id_ed25519
  • .ssh/

Readonly Repositories

Repositories marked with readonly: true in the ecosystem manifest are completely protected. The agent can read files for context but cannot modify them. To make changes, promote the repo: amof repo promote <name>.

Command Protection

Blocked Commands

Commands that are always blocked, regardless of context:

  • rm -rf /
  • mkfs
  • :(){ :|:& };: (fork bomb)
  • dd

Dangerous Patterns

Commands matching these patterns require interactive confirmation or are blocked in unattended mode:

  • git push --force
  • git reset --hard
  • DROP TABLE
  • kubectl delete
  • helm uninstall
  • terraform destroy

Interactive Confirmation

[!] Dangerous command detected: git push --force origin main
    Allow this command? [y]es / [n]o / [a]lways:

Choice        Behavior
y (yes)       Allow this single execution
n (no)        Block this execution
a (always)    Allow permanently; saved to .amof/rules/allowed.yaml

In non-interactive execution (API-driven runs, subprocess agents), both dangerous and sensitive commands are blocked entirely -- no confirmation is possible.
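As an added example (not AMOF's own code; this page does not show its internals), the following Python evaluates a tool call against the layer order shown above and turns "confirm" into "block" when no interactive session is available. The function names, the `Shell` tool name, the exact matching rules and the sample paths are assumptions.

```python
import fnmatch
import re
from posixpath import basename, normpath

# Pattern lists transcribed from this page; how they are matched is an assumption.
PROTECTED_PATHS = {".git", ".ssh", "secrets", "credentials", "id_rsa", "id_ed25519"}
PROTECTED_BASENAMES = (".env", ".env.*")
PROTECTED_EXTENSIONS = (".pem", ".key")
BLOCKED_COMMANDS = (r"^rm\s+-rf\s+/(\s|$)", r"^mkfs\b", r"^:\(\)\s*\{", r"^dd\b")
DANGEROUS = ("git push --force", "git reset --hard", "DROP TABLE",
             "kubectl delete", "helm uninstall", "terraform destroy")
SENSITIVE = ("pip install", "npm install", "git push")
WRITE_TOOLS = {"Write", "StrReplace", "Delete"}

def check_write(path, readonly_repos=(), no_touch=()):
    """Layers 1-5 in page order: return why a write is blocked, or None if allowed."""
    npath = normpath(path)
    parts = npath.split("/")
    name = basename(npath)
    if any(p in PROTECTED_PATHS for p in parts):
        return "protected path"
    if any(fnmatch.fnmatch(name, pat) for pat in PROTECTED_BASENAMES):
        return "protected basename"
    if name.endswith(PROTECTED_EXTENSIONS):
        return "protected extension"
    if parts[0] in readonly_repos:  # repo name = first path component (assumption)
        return "readonly repo"
    if any(fnmatch.fnmatch(npath, pat) or npath.startswith(pat.rstrip("/") + "/")
           for pat in no_touch):
        return "manifest no_touch_paths"
    return None

def check_command(cmd, interactive):
    """Layers 6-8: 'block', 'confirm' or 'allow'; unattended runs cannot confirm."""
    text = cmd.strip()
    if any(re.search(p, text) for p in BLOCKED_COMMANDS):
        return "block"
    if any(p.lower() in text.lower() for p in DANGEROUS + SENSITIVE):
        return "confirm" if interactive else "block"
    return "allow"

def evaluate(tool, arg, interactive=True, readonly_repos=(), no_touch=()):
    """Dispatch one tool call; 'Shell' as the command tool name is an assumption."""
    if tool in WRITE_TOOLS:
        return "block" if check_write(arg, readonly_repos, no_touch) else "allow"
    if tool == "Shell":
        return check_command(arg, interactive)
    return "allow"
```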

Plan Mode Protection

When the agent runs in plan mode (amof agent --plan), all write operations are disabled: the Write, StrReplace, and Delete tools are blocked, shell commands that modify state are blocked, and the agent can only read, analyze, and produce plans.

Linter Integration

Linter       Extensions     Command
ruff         .py            ruff check --output-format=concise --no-fix {file}
yamllint     .yaml, .yml    yamllint -f parsable {file}
shellcheck   .sh, .bash     shellcheck -f gcc {file}

When lint_on_complete is true (default), all modified files are linted after task completion. Issues are injected back into the conversation for the agent to fix.