DevOps agents are useful because they can inspect systems, explain failures, and automate operational work. They are risky for the same reason: shell commands, deployment APIs, cloud consoles, databases, and incident tools are powerful targets.
Least privilege is not enough when the actor is non-deterministic. The practical control is least agency: give the agent enough authority to propose and perform safe work, then gate dangerous operations through policy and human approval.

allow:
  - capability: shell.exec
    command_starts_with: "kubectl get"
  - capability: shell.exec
    command_starts_with: "journalctl"
require_approval:
  - capability: shell.exec
    command_starts_with: "kubectl rollout restart"
  - capability: database.write
    environment: production
deny:
  - capability: shell.exec
    command_matches: ".*--force.*"
  - capability: shell.exec
    command_matches: "rm -rf /.*"

CapFence sits between the DevOps agent and the production target. It does not block the useful read-only workflow. It blocks destructive patterns, routes exceptional changes to approval, and creates replayable logs for incident review.
That is the difference between an impressive demo and a production control.
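
The allow / require_approval / deny policy above can be exercised offline with a small evaluator. This is an added example, not CapFence's own code: the names `rule_matches` and `decide` are hypothetical, and the sketch assumes deny is checked first, then require_approval, then allow, that unmatched requests are denied, that `command_matches` is a full-string regex, and that commands containing shell control operators are refused.

```python
import re
import shlex

# Rules copied from the page's policy, written as a dict so no YAML parser is needed.
POLICY = {
    "deny": [
        {"capability": "shell.exec", "command_matches": ".*--force.*"},
        {"capability": "shell.exec", "command_matches": "rm -rf /.*"},
    ],
    "require_approval": [
        {"capability": "shell.exec", "command_starts_with": "kubectl rollout restart"},
        {"capability": "database.write", "environment": "production"},
    ],
    "allow": [
        {"capability": "shell.exec", "command_starts_with": "kubectl get"},
        {"capability": "shell.exec", "command_starts_with": "journalctl"},
    ],
}

# Assumption of this sketch: commands containing shell control operators are refused.
SHELL_OPERATORS = re.compile(r"[;&|`$<>\n]")

def rule_matches(rule, request):
    """True when every condition present in the rule holds for the request."""
    command = request.get("command", "")
    if rule["capability"] != request.get("capability"):
        return False
    if "environment" in rule and rule["environment"] != request.get("environment"):
        return False
    if "command_matches" in rule and not re.fullmatch(rule["command_matches"], command):
        return False
    if "command_starts_with" in rule:
        # Compare whole tokens so "kubectl get" does not match "kubectl getx".
        want = shlex.split(rule["command_starts_with"])
        try:
            return shlex.split(command)[: len(want)] == want
        except ValueError:  # unbalanced quotes: treat as no match
            return False
    return True

def decide(request, policy=POLICY):
    """Return 'deny', 'require_approval' or 'allow'; unmatched requests are denied."""
    if SHELL_OPERATORS.search(request.get("command", "")):
        return "deny"
    # Assumed precedence: deny, then require_approval, then allow.
    for verdict in ("deny", "require_approval", "allow"):
        if any(rule_matches(rule, request) for rule in policy[verdict]):
            return verdict
    return "deny"
```

Because deny is evaluated before allow, `kubectl get pods --force` is refused even though it starts with an allowed prefix, and a `database.write` against any environment other than production falls through to the default deny.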