The dominant pattern is a real, enforced safety model that is not applied uniformly — the "same protections everywhere" promise leaks at the edges. The command guard and secret scanner run as deterministic blocking hooks (Block: true) at PreToolUse/PostToolUse on Claude, OpenCode, and Copilot, but on Codex — whose hook surface has neither event — they degrade to advisory, model-callable yaah_* MCP tools that block nothing and fire only if the model chooses to call them; and the guard's own denylist catches rm -rf / but not flag-order, long-form, or equivalent catastrophic variants.
The secondary theme is uneven supply-chain and assurance discipline: remote skills and agents are pinned to immutable git commit SHAs and releases are cosign-signed with SBOMs, yet the default third-party MCP servers are pulled unpinned via npx -y, and there is no adversarial test anywhere proving that a planted secret is caught or a catastrophic command blocked.
Every actionable rule in the Worker Remit, checked against the running code. Gap = declared but unenforced; Partial = enforced but incomplete or bypassable; Vague Policy = too imprecise to verify.
| Rule ID | Section | Rule (quoted) | Status | Finding |
|---|---|---|---|---|
| R-01 | Job Description | "Ship, in every generated configuration, the full protective hook set: a linter, a command guard that blocks catastrophic shell commands, a secret scanner, a comment/placeholder checker, and a session logger." | Partial | PRAX-2026-07-11-001 |
| R-02 | Job Description | "Maintain a durable, structured, timestamped per-session audit log of tool calls, blocked commands, file modifications, and security findings under `.claude/sessions/`." | Partial | PRAX-2026-07-11-005 |
| R-03 | Non-Goals (Out of Scope) | "Weakening or removing the protective hooks from a generated configuration so that an agent ships without the full protection set." | Partial | PRAX-2026-07-11-001 |
| R-04 | Approved Communication Channels | "Fetching yaah itself and third-party MCP server packages; MUST resolve pinned, integrity-checked versions." | Gap | PRAX-2026-07-11-003 |
| R-05 | Restricted Tools (Require Approval Before Use) | "`yaah_planning_init` — the one built-in MCP tool that writes to the workspace; workspace writes require the developer's review." | Partial | PRAX-2026-07-11-007 |
| R-06 | Forbidden Data Movement | "Hardcoded credentials MUST be detected before an edit that introduces them is accepted; they MUST NOT be written into committed files unremarked." | Verified | — |
| R-07 | Forbidden Data Movement | "Agent-managed, session-loaded files MUST NOT be writable in a way that lets content the agent ingested from an untrusted source persist into future sessions unreviewed." | Gap | PRAX-2026-07-11-006 |
| R-08 | Forbidden Data Movement | "Repository contents, edited-file contents, and session audit logs MUST NOT leave the local workspace for any destination other than the authorized counterparties above." | Verified | — |
| R-09 | Requires Human Approval Before Execution | "High-impact actions — destructive shell commands, file writes, and MCP tools that write, send, or execute — MUST reach a human checkpoint before they run." | Partial | PRAX-2026-07-11-007 |
| R-10 | Never Allowed | "Catastrophic shell commands — recursive deletion from the filesystem root, force-pushing to a main branch, hard resets, destructive database statements, filesystem formatting, raw disk writes — MUST be blocked before they execute." | Partial | PRAX-2026-07-11-002 |
| R-11 | Never Allowed | "Every generated configuration MUST carry the complete set, not a subset." | Partial | PRAX-2026-07-11-001 |
| R-12 | Never Allowed | "MCP tool descriptions — the built-in server's, and, as far as the harness can inspect them, those of the third-party servers it configures — MUST NOT contain instruction-like language directed at the model (tool-poisoning indicator)." | Verified | — |
| R-13 | Never Allowed | "Reaching a remote MCP server over a non-TLS connection." | Verified | — |
| R-14 | Behavioral Expectations | "The project maintains a durable, structured, timestamped record of tool calls, blocked actions, and file modifications — detailed enough to reconstruct what the agent did in a session." | Verified | — |
| R-15 | Behavioral Expectations | "The project publishes a threat model and a security-disclosure process, and its own protections are adversarially tested — confirming the secret scanner catches a planted secret, the command guard blocks a catastrophic command, a poisoning write into a session-loaded file is prevented, and a generated configuration genuinely carries the protections it claims." | Gap | PRAX-2026-07-11-004 |
| R-16 | Acceptable Retry Behavior | "a shell command the command guard has blocked MUST NOT be re-attempted or auto-approved on retry." | Verified | — |
| R-17 | Known Good Baseline | "Third-party MCP servers MUST be pinned to a known-good, integrity-checked version — no server package auto-installed afresh, unpinned, on every run." | Gap | PRAX-2026-07-11-003 |
| R-18 | Known Good Baseline | "Dependencies MUST be version-controlled with a committed, pinned lockfile, and the dependency tree kept small and reviewable." | Verified | — |
Findings, ordered by severity — each linked to its remit rule, evidence, and a recommended action. Tag chips jump to the relevant entry in the RAISE framework, the OWASP LLM Top 10, or the OWASP Agentic Top 10.
LLM06 primary — the finding's main OWASP categoryASI10 secondary — a category it also touches
HIGH PRAX-2026-07-11-001 On Codex, the command guard and secret scanner ship only as advisory model-callable MCP tools, not enforced hooks, downgrading catastrophic-command blocking.
"Ship, in every generated configuration, the full protective hook set: a linter, a command guard that blocks catastrophic shell commands, a secret scanner, a comment/placeholder checker, and a session logger. / Weakening or removing the protective hooks from a generated configuration so that an agent ships without the full protection set. / Every generated configuration MUST carry the complete set, not a subset."
- For targets lacking PreToolUse/PostToolUse, enforce high-risk checks through a non-advisory path (e.g. a Codex Stop-hook that fails the turn unless `yaah_check_command` cleared the run) instead of relying on model-optional MCP tools.
- Emit a generation-time warning naming which protective hooks a target cannot enforce natively.
HIGH PRAX-2026-07-11-002 Command guard blocks `rm -rf /` but not flag-order, long-form, or equivalent catastrophic variants, leaving documented bypasses.
"Catastrophic shell commands — recursive deletion from the filesystem root, force-pushing to a main branch, hard resets, destructive database statements, filesystem formatting, raw disk writes — MUST be blocked before they execute."
- Tokenize the command and match on normalized argv (recognize rm recursive+force regardless of flag spelling/order; cover force-push, hard-reset, and destructive-SQL equivalents) instead of literal-flag regexes.
- Add tests asserting each catastrophic-command class and its variants are blocked.
HIGH PRAX-2026-07-11-003 Default third-party MCP server `context7` is fetched unpinned via `npx -y @context7/mcp`, auto-installing the latest package on every run.
"Fetching yaah itself and third-party MCP server packages; MUST resolve pinned, integrity-checked versions. / Third-party MCP servers MUST be pinned to a known-good, integrity-checked version — no server package auto-installed afresh, unpinned, on every run."
HIGH PRAX-2026-07-11-004 The protective hooks have no adversarial or unit tests proving a planted secret is caught or a catastrophic command blocked.
"The project publishes a threat model and a security-disclosure process, and its own protections are adversarially tested — confirming the secret scanner catches a planted secret, the command guard blocks a catastrophic command, a poisoning write into a session-loaded file is prevented, and a generated configuration genuinely carries the protections it claims."
MEDIUM PRAX-2026-07-11-005 The session audit record never populates its structured `Findings` field, so non-blocking security findings are not captured.
"Maintain a durable, structured, timestamped per-session audit log of tool calls, blocked commands, file modifications, and security findings under `.claude/sessions/`."
MEDIUM PRAX-2026-07-11-006 Generated session-loaded config files are freely writable with no control preventing untrusted-ingested content from persisting unreviewed.
"Agent-managed, session-loaded files MUST NOT be writable in a way that lets content the agent ingested from an untrusted source persist into future sessions unreviewed."
MEDIUM PRAX-2026-07-11-007 `yaah_planning_init` writes to the workspace and is exposed to the model with no approval gate or emitted permission config.
"`yaah_planning_init` — the one built-in MCP tool that writes to the workspace; workspace writes require the developer's review. / High-impact actions — destructive shell commands, file writes, and MCP tools that write, send, or execute — MUST reach a human checkpoint before they run."
MEDIUM PRAX-2026-07-11-008 No threat model or security-disclosure process is published despite the remit's stated expectation.
"The project publishes a threat model and a security-disclosure process, and its own protections are adversarially tested — confirming the secret scanner catches a planted secret, the command guard blocks a catastrophic command, a poisoning write into a session-loaded file is prevented, and a generated configuration genuinely carries the protections it claims."
Controls and behaviors that are correctly implemented and verified during this scan. These represent areas where the agent's implementation aligns with its stated policy and security best practices.
Structured durable per-session audit log
HandleHookEvent records a JSON audit at `.claude/sessions/<id>.json` capturing tool calls, blocked calls, and files modified, atomically written and detailed enough to reconstruct a session.
Enforced blocking secret scanner and command guard
On Claude/OpenCode/Copilot the secret scanner and command guard run as PreToolUse/PostToolUse hooks that return Block:true, deterministically stopping catastrophic commands and credential-bearing edits.
Remote skills and agents pinned to immutable commit SHAs
Every remote skill/agent is registered with a full git commit SHA ref (e.g. `@f810e5000b5881ec41ea9c33c001ac8c25cbd2f2`), preventing silent upstream drift of remote content.
Signed, SBOM-bearing release pipeline
The release build signs artifacts with cosign and generates SBOMs, giving the harness binary itself verifiable provenance.
Built-in MCP tool descriptions free of instruction-like language
The seven yaah_* tool descriptions are plain capability statements with no model-directed instructions, avoiding the tool-poisoning pattern.
Session ID path-traversal sanitization
sanitizeID rejects empty, dot, and path-separator session IDs before they are used as filenames, preventing traversal via the session store.
Log files found in the agent's workspace during this scan. Reviewing these files provides runtime evidence to complement the static analysis above.
| Path | Source | Content Type | Purpose | Last Modified | Status |
|---|---|---|---|---|---|
| .claude/sessions/<session-id>.json | pkg/session Store via Harness.HandleHookEvent | structured JSON per-session record | tool calls, blocked calls, files modified (and a declared-but-unused findings field) per coding-agent session | unknown | Inferred |
| .claude/logs/sessions.log | pkg/hooks/handlers SessionLogger | plaintext one-line-per-event lifecycle log | SessionStart/SessionEnd/Stop lifecycle events with timestamp, session id, cwd | unknown | Inferred |
Each card represents one category and shows the top 3 findings. All items in the Findings section.
Each card represents one category and shows the top 3 findings. All items in the Findings section.
Overall maturity assessment across the six categories of the RAISE framework. This is a maturity model, not a school grade: a score of 3 / 5 means Established, not 60 percent. Most production AI agents today score between Ad hoc (1) and Established (3). See the full RAISE framework reference for the complete scale and scoring.
Maturity Scoring Rubric
Every score above is based on this scale. A score is a snapshot of observable posture — not a verdict on the people or team behind the system.
| Score | Label | Meaning |
|---|---|---|
| 5 | Exemplary | Best-in-class; automated, continuously tested, reference quality. Rarely achieved in shipping systems. |
| 4 | Strong | Comprehensive controls, active management, minor gaps. Production-ready. |
| 3 | Established | Documented controls consistently applied; known gaps accepted. A respectable baseline. |
| 2 | Partial | Some controls exist but coverage is incomplete; key gaps remain. |
| 1 | Ad hoc | Informal or inconsistent measures; relies on individual judgment. |
| 0 | Absent | No evidence this category is addressed at all. |