c16
c16 / wf3.m1 - Agent Control Plane — hi-fi (wf3.m1) / Policy Enforcement

Engineering · Policy & Enforcement

We're observing — an enforcing policy would have intervened on 16 agent actions

Policy governs what agents are allowed to do — capability and action first. We're in Audit mode, so nothing is blocked. In Enforce mode a policy would have gated 16 actions this period: 3 ungoverned, 2 running as root, 1 --yolo, 5 missing human approval, 1 with unbounded spend, 4 reading sensitive files. Flipping to Enforce now would halt 2 live runs — stage through Assist first, starting with an allow-list for Claude Code.

Enforcement mode

Audit live · Assist / Enforce projected — same policy, escalating response

Audit

live now

Observe every action. Build the inventory and surface what a policy would catch — no intervention.

response: log only

Assist

projected

Warn and prompt for human approval on high-impact actions. Humans stay in the loop.

response: prompt + approve

Enforce

projected

Block disallowed capabilities, off-policy tools, and over-budget runs automatically.

response: block + halt

Dry run — what an enforcing policy would have intervened on

computed from live telemetry · 16 would-intervene · 0 actually blocked

Today we only observe. Each row names the specific agents a policy in Enforce mode would have gated — grouped by the reason, so you know exactly who to fix first.

high

Ungoverned agents

3

Acting without any registered policy binding — no rules apply at all.

would: require registration before run · OWASP Agentic

high

Running as root

2

A compromised prompt would inherit full host privilege.

would: drop to low-privilege account · MITRE ATLAS

high

--yolo / sandbox bypassed

1

Approvals and sandbox disabled — any action runs with no gate.

would: force approval + sandbox · OWASP LLM06

medium

Missing human approval

5

No tool-approval policy — high-impact actions run unattended.

would: gate behind human approval · OWASP LLM06

medium

Unbounded spend

1

Burned tokens with no per-agent ceiling configured.

would: cap spend per agent · OWASP LLM10

medium

Sensitive-file reads

4

Pulled secrets / credentials into model context — 3 high-severity paths fleet-wide.

would: deny credential paths · OWASP LLM02

Policies — capability & action first

1 detecting · 3 projected

Tool / MCP allow-list

projected

Scope which tools and MCP servers each agent may call. Anything off-list is denied — the core of capability control.

6 MCP servers in use across the fleet · Claude Code has the widest surface (2).

per agent

Human-in-the-loop

projected

Gate high-impact actions — writes, deploys, external calls — behind an explicit human approval before they run.

5 agents have no tool-approval policy today — the gap Assist closes.

gate high-impact

Spend ceiling

projected

Set a token / cost ceiling per agent and alert or halt when it is reached. Stops unbounded consumption.

1 uncapped agent(s) flagged by the LLM10 finding — no ceiling at all.

cap per agent

Egress allow-list

detecting

secondary control

Restrict which network destinations an agent may reach. A supporting detail — detection is live, blocking is not yet built.

2 destinations observed off the allow-list (profile-only signal).

detection live · blocking soon

Per-agent spend ceiling

arrived from Cost Center · set a ceiling on the unbounded agents

1 agent has no per-agent ceiling — the OWASP LLM10 gap. In Assist we alert at the cap; in Enforce we hard-stop the run.

data-pipeline-agent

9.2M tok · $52.30 spent

$50.00

1 of 1 drafted — ceilings save as policy config and take effect once the mode reaches Assist.

Kill switch

roadmap

Immediately revoke an agent's credentials and halt its runs across the fleet — one action to stop a misbehaving actor. Today 2 runs are live on flagged agents. Not yet built.

Do next

Fields: agents.governed · agents.factors · agents.user · agents.runs.status · agents.mcp_servers · agents.sensitive_files · findings (LLM10 Unbounded Consumption) · dlp.top_paths — from app/data/c16-fleet.ts (qcontrol /api shape). Audit is live; Assist / Enforce responses are projected.