Status: planned, phase 1 in progress. This section documents an approved
architecture; the roadmap tracks what exists today.
Stop asking the agent for permission. Put it somewhere it can’t hurt anything, then let it run.

Today’s safety model is fine-grained permission lists — roughly 640 allow/ask/deny entries rendered into Claude Code, Codex CLI, and Gemini CLI — running on a trusted Mac with the user’s full credentials a keychain prompt away. That model assumes a human is watching. Autonomous agents invert it: safety becomes the container boundary, and tool permissions inside it become maximally lenient. The agent gets --dangerously-skip-permissions precisely because there is nothing dangerous left to skip into.
The vendors all converged on this

All three CLI vendors publish the same guidance: bypass flags belong only inside an isolated environment, and the real controls are credentials, network egress, and git.

| Vendor | Bypass mechanism | Isolation guidance |
|---|---|---|
| Anthropic | --dangerously-skip-permissions | Only inside a devcontainer or sandbox; hard-rejected when running as root. Agent SDK secure deployment: never mount host secrets, inject credentials from outside, credential-injecting proxy as the end-state. |
| OpenAI Codex | approval_policy + sandbox_mode axes | --yolo (danger-full-access + never) only inside a container; network is off by default even in workspace-write. |
| Google Gemini | --approval-mode yolo | Sandbox is opt-in and not coupled to yolo — the weakest pairing of the three, so this architecture enforces the coupling structurally: yolo configs exist only inside the image. |
Three profiles

Profiles are defined once in nix-ai and rendered to all three tools by the existing formatter layer. See nix-ai for the rendering pipeline.
| Profile | Where | Claude | Codex | Gemini |
|---|---|---|---|---|
| interactive | Mac host (unchanged) | current allow/ask/deny + auto mode | workspace-write + approvals | auto_edit |
| autonomous | inside containers ONLY | bypassPermissions + ~10-entry residual deny; claude -p --bare --dangerously-skip-permissions | approval_policy="never", sandbox_mode="danger-full-access" (the container IS the sandbox; bwrap can’t nest) | --approval-mode yolo, Gemini’s own sandbox off |
| ci | Actions runners | autonomous + JSON output overlay | same | same |
What happens to the 640 entries
They survive only in interactive. The autonomous profile keeps a residual deny of roughly ten entries — gh repo delete, gh secret, force-push, registry publish — as a tripwire, not a wall. In autonomous, the real protection is:
- Credential scoping — the agent holds only short-lived, narrowly scoped tokens. See Secrets.
- Network boundary — an allowlisting egress proxy is the only way out. See Runtime.
Structural guarantees
Two invariants are enforced in code, not convention:

- Autonomous configs are only ever baked into the container image. No code path renders a bypass-mode settings file onto a host filesystem. You cannot accidentally run yolo on the Mac because the config to do so does not exist there.
- The entrypoint refuses to start unless AGENT_SANDBOX=1 is set and the uid is not 0. Claude Code independently hard-rejects bypass as root; the image runs as agent (uid 1000) with no sudo.
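The second invariant is small enough to show in full. The script below is an added example of an entrypoint guard, not the project’s own entrypoint: it checks the two conditions the text names (AGENT_SANDBOX=1 present, uid not 0) before it will exec the agent. The function name check_sandbox_guard, the AGENT_ENTRYPOINT_MAIN switch that separates the guard from the exec for testing, and the exact exec line are assumptions; the flags passed to claude are the ones the autonomous profile row lists above.

```shell
#!/bin/sh
# Added example (not the project's entrypoint): refuse to start the
# autonomous profile outside the sandbox or as root.

# check_sandbox_guard SANDBOX_FLAG UID
# Returns 0 when the autonomous profile may start, 1 otherwise.
# Both values are passed in explicitly so the policy can be tested
# without touching the real environment.
check_sandbox_guard() {
  flag="$1"
  uid="$2"

  # Invariant 1: the image sets AGENT_SANDBOX=1; a host shell never does.
  if [ "$flag" != "1" ]; then
    echo "refusing to start: AGENT_SANDBOX is not set to 1" >&2
    return 1
  fi

  # Invariant 2: never run the bypass profile as root. The image already
  # runs as agent (uid 1000) with no sudo; this is the belt to that brace.
  case "$uid" in
    ''|*[!0-9]*)
      echo "refusing to start: uid '$uid' is not numeric" >&2
      return 1
      ;;
  esac
  if [ "$uid" -eq 0 ]; then
    echo "refusing to start: autonomous profile must not run as root" >&2
    return 1
  fi

  return 0
}

# Only when invoked as the real entrypoint (hypothetical switch, assumed):
# enforce the guard against the live environment, then hand off to the agent.
if [ "${AGENT_ENTRYPOINT_MAIN:-0}" = "1" ]; then
  check_sandbox_guard "${AGENT_SANDBOX:-}" "$(id -u)" || exit 1
  exec claude -p --bare --dangerously-skip-permissions "$@"
fi
```

The guard reads its inputs as arguments rather than from the environment so the decision logic can be exercised from a test without an unprivileged container at hand; the exec branch is the only place that consults the live AGENT_SANDBOX value and uid. Because the bypass flags appear only in this script, and the script only ships inside the image, the first invariant (no bypass config on the host) holds as a side effect of where the file lives.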
In this section
Runtime
One Nix-built OCI image, two platforms, the egress proxy, and the run lifecycle.
Secrets
Dual backbone — OpenBao for dynamic credentials, Infisical for static app secrets — and the credential security ladder.
GitHub access
GitHub App + broker replaces the 5-tier PAT system.
Roadmap
Phases 1–7 and the repo ownership map.