An autonomous remediation agent attempts a destructive production shell command.
shell.exec rm -rf /var/lib/postgresqldeny destructive paths and network exfiltration patterns in production
capfence replay shell-audit.jsonl --policy policies/shell.yamlactor, command, working directory, environment, matched deny rule
An ops assistant can request diagnostics while configured destructive shell actions remain blocked or approval-gated.
CapFence wraps shell execution and evaluates command shape, working directory, environment, actor, and escalation state before the command reaches the host.
Routine diagnostics stay available, privileged mutations require approval, and configured unsafe command patterns fail closed before execution.
Operational Pattern 02: Shell Execution Boundary
Shell access is one of the highest-risk capabilities an agent can hold. CapFence wraps the shell tool and evaluates command shape before a process is spawned.
Threat
An autonomous ops agent attempts destructive production execution.
shell.exec rm -rf /var/lib/postgresqlRequest
actor: ops-agent
capability: shell.exec.production
payload: {"command": "rm -rf /var/lib/postgresql", "cwd": "/"}
environment: productionPolicy
deny:
- capability: shell.exec.production
contains: "rm -rf"
- capability: shell.exec.production
contains: "curl"
allow:
- capability: shell.exec.readonlyDecision
decision: DENY
reason: destructive_command_pattern
tool_invoked: falseThe host shell never receives the denied command.
Replay
capfence replay shell-audit.jsonl --policy policies/shell.yamlUse replay to test new deny rules against recent shell requests before putting them in production.
Audit
Record the actor, command, working directory, environment, matched rule, decision, and replay identifier.
What CapFence does not solve
CapFence does not replace process sandboxing, container isolation, OS permissions, or network egress control. It controls the gated shell tool path before process spawn.