Scene: just run the tests
Imagine a normal work morning. A developer opens a project, sees a failing test, and asks an AI agent to look at the failure, run the tests, and suggest a fix. At first, this feels like a small request. The agent is not deploying the application, opening a production console, or using a separate administrator account.
But within a few minutes it is already reading code, looking at configuration, running commands, possibly installing a package, calling an API, or opening a file with local environment variables. It works in the same runtime environment as the human developer. That is why the developer laptop is no longer just a private workspace. For an AI agent, it is a real operational zone with files, secrets, network access, and command history.
The point is not that AI agents are dangerous by nature. The point is that we often give them the keys to the workshop before writing down the workshop rules.
Episode 1. The agent reads the repository
The first step almost always looks safe: the agent browses files. It searches for the failing test, the related module, and the run configuration. This is where the first trust boundary appears. A repository can contain more than source files. It may also include local settings, example keys, private notes, temporary dumps, or files that were accidentally left out of .gitignore.
The operational check is simple: before allowing the agent to read the whole folder, look at what is inside it. Are there .env files, database exports, private certificates, or old archives nearby? If the agent needs to fix one module, it should not receive access to the home directory or every work project.
Anti-pattern: starting the agent from the root of a broad work directory where client repositories, personal notes, and service keys sit next to each other.
Better option: create a separate working folder for the task, provide the minimum set of files, and define which paths the agent must not read.
Episode 2. The agent runs commands
Next, the agent suggests running tests, a linter, or a build. This is useful because it can check hypotheses quickly. But a terminal command is no longer advice. It is an action. It can create files, change cache, start a local server, read environment variables, or connect to an external service.
This is where least privilege matters. If the task is to verify a unit test, the agent does not need permission to modify system directories, access a production cluster, or use long-lived cloud tokens. It is worth having a separate terminal profile or container without unnecessary credentials.
A practical boundary: read-only commands, local tests, and formatting can be allowed more freely. Commands that delete files, change permissions, use the network, or run long scripts should require confirmation.
Anti-pattern: approving every command because the agent supposedly knows better.
Episode 3. The agent installs dependencies
After running tests, the agent may propose installing a package or updating a dependency. For a beginner, this looks like a normal part of development. In reality, package installation often runs additional scripts, changes lock files, and pulls code from the internet.
The guardrail should be very concrete here. Before installation, check the package name, source, version, reason for adding it, and expected changes in dependency files. If the package is only needed for an experiment, run it in isolation: a container, a temporary branch, or a disposable working folder.
Anti-pattern: allowing the agent to install any package just to get a green test faster.
Better option: the agent explains why the dependency is needed, which files will change, which scripts may run, and the human confirms the action.
Episode 4. The agent reaches outside
More capable agents may call APIs, read documentation, open issues, create pull requests, or use cloud CLI tools. This is where the local laptop most clearly looks like a production boundary. It already contains secrets, SSH keys, browser sessions, registry tokens, and access to test environments.
A good practice is to split external actions into levels. Reading public documentation is low risk. Downloading an artifact from an internal store is medium risk. Creating a key, changing infrastructure, publishing a package, or writing to an external system is high risk.
High-risk actions need short-lived tokens, a separate account, or at least manual confirmation. The agent should not accidentally use the same secrets that the developer uses for real systems.
Episode 5. The agent proposes changes
At the end, the agent changes code and asks you to accept a patch. This is a good moment to think about the audit trail. You need to see not only the diff, but also the path that led to it: which files the agent read, which commands it ran, which network requests it made, and which errors it observed.
GitHub’s changelog about enterprise-managed OpenTelemetry export for VS Code and CLI points to an important direction: teams want managed collection of events from IDE and CLI tools, configurable export, and controls over captured telemetry content. This does not mean every small team needs a complex observability platform tomorrow. But the idea is useful: agent actions should be visible.
A minimal starting point is to keep command history, the agent conversation log, the list of changed files, and the reason for each external action.
A small operational runbook before delegating
Before saying, fix this yourself, pause for a short check:
- Define the working folder and forbidden paths.
- Remove unnecessary secrets from the runtime environment.
- Give the agent only the access needed for the task.
- Require confirmation for package installation, file deletion, and network actions.
- Run risky experiments in isolation.
- Review the diff and command log before merging.
Docker’s article describes the broader trend: the developer laptop is becoming a new governance boundary because AI agents perform real actions there. This is not a reason to reject agents. Clear trust boundaries allow teams to delegate more, not less.
Without rules, an agent is a very fast colleague holding your keys. With rules, it becomes a useful operator inside a controlled workshop.
Sources
Quick checklist
- list the local secrets an agent might be able to reach
- split agent actions into safe, conditional, and forbidden groups
- run risky tasks in a separate working folder or container
- require confirmation before network calls, package installs, and changes outside the repository
- keep a log of commands and changes performed by the agent
Assess the trust boundary for an AI agent on my laptop
You are helping me use an AI agent safely in my local development environment. First, ask up to 7 clarifying questions about my operating system, IDE or terminal tool, repositories, secrets, cloud access, test environments, and common commands. After I answer, return the result in this format: 1. Access map: which files, commands, network destinations, and credentials the agent may touch. 2. Actions without confirmation: what can be allowed automatically and why. 3. Actions with confirmation: what the agent should do only after my explicit approval. 4. Forbidden actions: what should not be executed from the local laptop. 5. Minimal isolation plan: separate folder, profile, container, or temporary tokens. 6. Review log: which events should be recorded for an audit trail. Do not recommend buying a specific product. Give a practical checklist for a beginner.