Empty Is Not Clean: Five Fail-Open Bugs in an AI Agent

dev.to

A policy said deny anything under /etc. A Bash call read /etc/shadow and came back {allow, rule: 'trust-bash'}. No human in the loop. The deny rule was still there, still first in the list, still scoped exactly the way an operator would write it. It just never fired. Two cold-contributor reviewers reproduced it independently on this policy: const policy = [ { effect: 'deny', tool: 'Bash', pathPrefix: '/etc' }, { effect: 'auto_approve', tool: 'Bash', rule: 'trust-bash' }, ]; // Bash → /et

Read Full Article open_in_new
arrow_back Back to News