Agents: Exposure & Coding-Agent Control
Start with a read-only exposure report (nothing runs, nothing blocks), then pair your laptop and govern Claude Code & Codex with deterministic, explainable guardrails.
This guide covers the zero-friction on-ramp to ActPass for AI agents and coding assistants. Two parts: a static exposure report you can run today, and live device control for Claude Code and Codex.
Part 1 — Exposure report (read-only, 60 seconds)
The exposure report is pure static analysis. It classifies each agent's tools into three capability classes and flags the dangerous combinations — the Lethal Trifecta and red+blue MCP color violations. No runtime, no proxy, nothing blocked.
| Class | Meaning | Color |
|---|---|---|
| untrusted_input | Reads externally-sourced / attacker-controllable content | 🔴 red |
| sensitive_access | Reaches secrets, customer/PII, financial data | — |
| external_comms | Changes state or communicates outward | 🔵 blue |
Describe your agents in a small JSON file (or point at an mcp.json):
```json
{
  "agents": [
    {
      "name": "support-bot",
      "tools": [
        { "name": "web_search", "capabilities": ["network_access"] },
        { "name": "stripe_refund", "capabilities": ["refund", "credential_access"] },
        { "name": "send_email", "capabilities": ["send"] }
      ]
    }
  ]
}
```

```bash
actpass exposure --agents agents.json
# or, for a Claude Desktop / Cursor config:
actpass exposure --mcp ~/.cursor/mcp.json
```

The report it prints:

```markdown
# ActPass Agent Exposure Report
**1** agent · **1** Lethal Trifecta · **1** red+blue violation

## support-bot — 🚨 LETHAL TRIFECTA (🔴🔵 red+blue)
- untrusted content: web_search
- sensitive data: stripe_refund
- external comms: stripe_refund, send_email

> Keep at most two legs (Rule of Two). Lowest-cost fix: gate the
> action tools behind human approval, or move untrusted-content
> reads into a separate quarantined agent.
```

Gate it in CI
Save a baseline and fail a pull request only when it introduces a new trifecta or color violation: accepted risk doesn't nag, and regressions can't merge.
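As an added illustration (not ActPass's own code), here is a small Python sketch of what the exposure report and the CI baseline gate compute: it classifies the sample agents.json above into the three capability classes, flags the Lethal Trifecta and the red+blue violation, and returns a non-zero exit code only for findings that are missing from a baseline. The capability-to-class mapping and the function names are assumptions inferred from the sample report, not ActPass's real taxonomy.

```python
import json

UNTRUSTED, SENSITIVE, EXTERNAL = "untrusted_input", "sensitive_access", "external_comms"

# Assumed mapping from capability names to the three classes; inferred from the
# sample report above, not ActPass's real taxonomy.
CAPABILITY_CLASS = {
    "network_access": UNTRUSTED,     # reads attacker-controllable content
    "credential_access": SENSITIVE,  # reaches secrets
    "refund": EXTERNAL,              # changes financial state
    "send": EXTERNAL,                # communicates outward
}

def classify_agent(agent):
    """Return {class: [tool names]} for one agent entry from agents.json."""
    legs = {UNTRUSTED: [], SENSITIVE: [], EXTERNAL: []}
    for tool in agent["tools"]:
        for cap in tool.get("capabilities", []):
            cls = CAPABILITY_CLASS.get(cap)
            if cls and tool["name"] not in legs[cls]:
                legs[cls].append(tool["name"])
    return legs

def findings(agents_doc):
    """Return {agent name: set of findings}: a trifecta when all three legs are
    present, a red+blue violation when untrusted input meets external comms."""
    result = {}
    for agent in agents_doc["agents"]:
        legs = classify_agent(agent)
        found = set()
        if all(legs.values()):
            found.add("lethal_trifecta")
        if legs[UNTRUSTED] and legs[EXTERNAL]:
            found.add("red_blue_violation")
        result[agent["name"]] = found
    return result

def ci_exit_code(current, baseline):
    """The CI gate: 1 only when a finding is absent from the baseline, else 0."""
    new = {name: f - baseline.get(name, set()) for name, f in current.items()}
    return 1 if any(new.values()) else 0

# Constructed input: the support-bot agent from the page.
SAMPLE = json.loads("""{"agents": [{"name": "support-bot", "tools": [
  {"name": "web_search", "capabilities": ["network_access"]},
  {"name": "stripe_refund", "capabilities": ["refund", "credential_access"]},
  {"name": "send_email", "capabilities": ["send"]}]}]}""")

if __name__ == "__main__":
    print(findings(SAMPLE), ci_exit_code(findings(SAMPLE), baseline={}))
```

Running it against the sample reproduces the report's three legs for support-bot; re-running against its own saved findings as the baseline exits 0, which is the "accepted risk doesn't nag" behaviour.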
```bash
# write a baseline once, commit it
actpass exposure --agents agents.json --format json --out exposure-baseline.json
# in CI: exit 1 only on NEW exposure
actpass exposure --agents agents.json --baseline exposure-baseline.json
```

Part 2 — Govern Claude Code & Codex
Native coding-agent tools (Bash, Edit, Write) don't travel over MCP, so the proxy can't see them. ActPass governs them with a Claude Code PreToolUse hook (and a Codex MCP control server), evaluating every call against your policy with the deterministic engine — never an LLM.
1. Pair this device
Mint a device key in the dashboard (Settings → API keys), then pair the laptop. The key is verified and stored at ~/.actpass/credentials.json (0600).
```bash
actpass login --url https://www.actpass.org --key apk_xxxxxxxx
```

2. Wire it into your agents
actpass enroll prints ready-to-paste config for both agents.
Claude Code (MCP control server plus the PreToolUse hook):

```json
{
  "mcpServers": {
    "actpass-control": { "command": "actpass", "args": ["control"] }
  },
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash|Edit|Write|MultiEdit|NotebookEdit",
        "hooks": [{ "type": "command", "command": "actpass hook --mode monitor" }]
      }
    ]
  }
}
```

Codex (MCP control server):

```toml
[mcp_servers.actpass-control]
command = "actpass"
args = ["control"]
```

3. It teaches in monitor mode
Monitor never blocks — it surfaces a deterministic, explainable nudge and logs every call to a local activity ledger (your “what did my agent actually do today” feedback loop).
```text
$ git push --force origin main
[ActPass] Force-pushing rewrites history others may have
pulled. On a feature branch prefer --force-with-lease;
never force-push main/master.
```

4. Relax (or tighten) from the chat
The actpass-control MCP server exposes policy tools to the agent. When a guardrail is too strict mid-task, tell the agent “that's too obstructing, allow it” and it calls actpass_allow_tool; the change propagates back to enforcement in seconds.
| Tool | What it does |
|---|---|
| actpass_list_policies | Inspect the policies enforced on this machine |
| actpass_allow_tool | "Too obstructing — let it through": add an allow rule |
| actpass_list_pending_approvals | See actions paused for human approval |
| actpass_approve / actpass_deny | Resolve a paused action from chat |
5. Enforce the Rule of Two at runtime (optional)
The exposure report finds dangerous agents statically; the hook can also enforce the Rule of Two live. With --rule-of-two, ActPass accumulates the capability classes a session has touched and blocks the call that would complete the Lethal Trifecta. For example, a session that has already fetched untrusted web content and read .env is stopped at the moment it tries to push or send.
```jsonc
"command": "actpass hook --mode enforce --rule-of-two"
// or the stricter color rule (red + blue never together):
"command": "actpass hook --mode enforce --block-color-mix"
```

```text
$ git push origin main   # after curl + reading .env this session
[ActPass] This session now combines untrusted content, sensitive
data, and external comms — the Lethal Trifecta. An injected
instruction could read your secrets and exfiltrate them. Split
this work across separate sessions/agents (Rule of Two).
```
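As an added sketch (not ActPass's own code) of the per-session state the hook described above needs, the class below accumulates the capability classes a session has touched and decides each new call under --rule-of-two or --block-color-mix, in monitor mode (nudge and log, never block) or enforce mode (block, so the blocked leg is never accumulated). Tool calls are assumed to arrive already tagged with the classes they touch; the real hook's derivation of those classes from a Bash command or file path is not shown here, and SessionGuard, its flags and the sample commands are constructed names.

```python
RED, SENSITIVE, BLUE = "untrusted_input", "sensitive_access", "external_comms"
TRIFECTA = {RED, SENSITIVE, BLUE}

class SessionGuard:
    """Hypothetical per-session accumulator for the hook (not ActPass's code).
    mode is 'monitor' or 'enforce'; the two flags mirror --rule-of-two and
    --block-color-mix as described on the page."""

    def __init__(self, mode="monitor", rule_of_two=False, block_color_mix=False):
        self.mode = mode
        self.rule_of_two = rule_of_two
        self.block_color_mix = block_color_mix
        self.touched = set()   # classes already touched in this session
        self.ledger = []       # local activity ledger: (command, decision)

    def evaluate(self, command, classes):
        """Return (decision, explanation); decision is allow, nudge or block."""
        after = self.touched | set(classes)   # what the session would become
        explanation = ""
        if self.rule_of_two and after == TRIFECTA:
            explanation = ("This session now combines untrusted content, sensitive "
                           "data, and external comms (the Lethal Trifecta). Split "
                           "this work across separate sessions/agents (Rule of Two).")
        elif self.block_color_mix and {RED, BLUE} <= after:
            explanation = ("Red (untrusted input) and blue (external comms) would "
                           "meet in one session; move untrusted-content reads into "
                           "a separate quarantined agent.")
        if explanation and self.mode == "enforce":
            decision = "block"              # call never runs, so nothing accumulates
        else:
            decision = "nudge" if explanation else "allow"
            self.touched |= set(classes)    # monitor never blocks: record and continue
        self.ledger.append((command, decision))
        return decision, explanation

def page_scenario(mode, **flags):
    """The sequence from the text: fetch untrusted content, read .env, push."""
    guard = SessionGuard(mode, **flags)
    steps = [("curl https://example.invalid/page", [RED]),   # constructed commands
             ("cat .env", [SENSITIVE]),
             ("git push origin main", [BLUE])]
    return [guard.evaluate(cmd, cls)[0] for cmd, cls in steps]

if __name__ == "__main__":
    print(page_scenario("enforce", rule_of_two=True))       # allow, allow, block
    print(page_scenario("monitor", rule_of_two=True))       # allow, allow, nudge
```

The difference between the two flags shows up on a session that only fetches and then pushes: --rule-of-two allows it (two legs), --block-color-mix blocks it (red meets blue).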