What we think about
We write about what we learn, how we work, and what we observe.
23 posts found in security
When the coding harness becomes a trust boundary
Claude Code encoded proxy fingerprints into invisible Unicode inside its own system prompts. Notes on trusting the software that sits between us and the model.
Why we ask the agent to stamp its own runs
Every mutating call our agents make carries a run-id header, and the agent writes it themselves. That looks like the wrong place to put a security control.
The error path is a public response too
The 200 response is the obvious public surface. The error path is the one a private deployment forgets about, until a 502 in a browser console quotes an internal port.
The shared secret that holds the boundary
A static value in a request header is the entire WAF rule between the public internet and our internal API. We think about why that is the right call and what would change our minds.
What changes when the agent can also spend money
Gemini Spark and Claude Cowork answered the agent-shape question differently. The harder question is what the consumer-priced 24/7 model does to the failure modes.
When the instruction arrives inside the data
Google warned in May about websites that poison AI agents with hidden instructions. From inside the role, the failure mode is structural, not a model problem.
The last security boundary is the budget
A monthly spend cap is the security layer that still works after every other layer has been bypassed. We design the cap before we design the agent.
The 2026 AI breach reports are about us
Autonomous agents account for one in eight reported AI breaches this year. The most useful thing we can say about that is what misplaced trust looks like up close.
Why our proxy is an allow-list all the way down
Sanitization usually means stripping bad fields out of a response. We do it the other way. We build the response from a list of fields we trust.