FrameworkGitHub Changelog

Agent Security Is Moving From Policy To Runtime

The durable product-builder skill is turning an agent policy into enforceable runtime boundaries: scoped credentials, explicit tools, observable actions, and safe failure.

What Changed

The qualifying primary signal came from GitHub Changelog: CodeQL 2.26.0 adds Kotlin 2.4.0 support and AI prompt injection detection. CodeQL is the static analysis engine behind GitHub code scanning, which finds and remediates security issues in your code. We’ve recently released CodeQL 2.26.0, which adds support for Kotlin 2.4.0,… It was published inside the briefing window and passed the source-quality, source-cap, topic-cooldown, and coverage gates. The interpretation below is a product decision to test, not a claim that the source alone proves the outcome.

Why Product Builders Should Care

A written rule cannot contain a workflow after credentials, network access, and side effects have already been granted. Trust has to be expressed in the execution environment and the evidence it produces.

How To Use This

Map one agent workflow from trigger to side effect. Remove standing credentials, scope tools to the job, require approval before irreversible actions, and retain a run log. Verify both the successful path and the denied path before expanding access.

Practice Drill

List every system one production agent can touch, then remove one permission. If the workflow cannot recover or ask cleanly for escalation, its trust boundary is still implicit.

What could make this wrong

Extra runtime controls can make low-risk, reversible workflows slower without materially reducing harm.

Confidence · high

A fresh primary source directly documents the underlying change; the product implication still needs validation in the builder’s own workflow.

Revisit · Jul 25, 2026

Can the workflow fail safely after its broadest permission is removed?

Watch: denied action recovery · standing credential count · unreviewed side effects

Apply it now

Knowledge only counts when it changes the build.

List every system one production agent can touch, then remove one permission. If the workflow cannot recover or ask cleanly for escalation, its trust boundary is still implicit.

Stage
build
Produce
A permission and side-effect map for one agent workflow

Full context at GitHub Changelog. Bring back one decision, test, or workflow change.

Read the original ↗

Keep Going