Empty Is Not Clean: Five Fail-Open Bugs in an AI Agent
dev.to
A policy said deny anything under /etc. A Bash call read /etc/shadow and came back {allow, rule: 'trust-bash'}. No human in the loop. The deny rule was still there, still first in the list, still scoped exactly the way an operator would write it. It just never fired. Two cold-contributor reviewers reproduced it independently on this policy: const policy = [ { effect: 'deny', tool: 'Bash', pathPrefix: '/etc' }, { effect: 'auto_approve', tool: 'Bash', rule: 'trust-bash' }, ]; // Bash → /et