← c16c16 / wf2 - Agent Control Plane — value-first (wf2) / Policy Enforcement·control-plane-v1-v1 · 2026-06-03 · draft
Qpoint
QP
Policy & Enforcementagent-as-actor · govern what agents can do

Engineering · Policy & Enforcement

Govern what agents are allowed to do — watch, then assist, then automate.

Policy is about behavior and capability first. We're in audit mode now; this is exactly what an enforcing policy would have intervened on.

Bottom line

In audit mode. An enforcing policy would have intervened on 6 actions this period: 3 ungoverned agents, 2 running as root, 1 --yolo/sandbox-bypassed, plus unbounded spend on data-pipeline-agent. Start with a tool allow-list.

Do nextDefine tool/MCP allow-list firstRequire approval for risky actions

Enforcement mode

Audit live · Assist/Enforce projected

Audit

Observe every action. Build the inventory and surface what a policy would catch — no intervention.

live now

Assist

Warn and prompt for human approval on high-impact actions. Humans stay in the loop.

projected

Automate

Block disallowed capabilities, off-policy tools, and over-budget runs automatically.

projected

Dry run — what an enforcing policy would have intervened on

computed from live telemetry · 6 would-intervene · 0 actually blocked

Today we only observe. These are the behaviors and capabilities a policy in Enforce mode would have gated — led by what agents are allowed to do.

3

Ungoverned agents

Acting without any registered policy binding.

would: require registration before run

2

Agents running as root

A compromised prompt would inherit full host privilege.

would: drop to low-privilege account

1

--yolo / sandbox bypassed

Approvals and sandbox disabled — any action, no gate.

would: force approval + sandbox

5

No tool-approval policy

High-impact tool calls fire with no human in the loop.

would: gate high-impact tools

1

Unbounded consumption

data-pipeline burned 9.2M tokens with no per-agent ceiling.

would: cap spend per agent

6

Sensitive-file reads

Secret / credential paths pulled into agent context.

would: deny credential paths

Policies — capability & action first

Tool / MCP allow-list

projected

Scope which tools and MCP servers each agent may call. Anything off-list is denied — the core of capability control.

scope per agent

Human-in-the-loop approvals

projected

Gate high-impact actions — writes, deploys, external calls — behind an explicit human approval before they run.

gate high-impact actions

Per-agent spend ceiling

projected

Set a token / cost ceiling per agent and alert or halt when it is reached. Stops unbounded consumption.

cap per agent

Egress allow-list

detection live

Minor, supporting control: restrict which network destinations an agent may reach. Detection is live; blocking is not yet built.

detection live · blocking projected

Kill switch

roadmap

Immediately revoke an agent's credentials and halt its runs across the fleet — a single action to stop a misbehaving actor. Not yet built.

Fields: agents.governed · agents.factors · agents.user · findings (LLM10 Unbounded Consumption) · dlp.sensitive_paths — from app/data/c16-fleet.ts (qcontrol /api shape). Enforcement actions are projected; audit is live.