Client code workflow

Client code AI security checklist.

Before an AI coding tool touches client code: get written authorization, isolate the workspace, remove secrets and customer data, start read-only, block high-impact actions, and record what the tool could reach.

Provider privacy settings matter, but they do not replace repository boundaries. Use this workflow before Cursor, Claude Code, Codex, Copilot, or another agent receives an authorized client repository.

CapitalGuard Security Research · Version 1.0.0 · Sources checked July 15, 2026

6

Control steps

18

Register fields

5

Primary sources

The workflow

Six decisions before the first prompt.

The order matters. Authorization comes before configuration, and access reduction comes before trusting a provider setting.

  1. 1

    Authorize

    Confirm the client approved the exact use

    Record the repository, AI tool, account or workspace, task, data categories, and approved operator before the first prompt. A general software contract is not the same as approval for a new AI processing path.

  2. 2

    Reduce

    Create the smallest useful workspace

    Use a dedicated branch, worktree, or sanitized copy. Remove production exports, customer records, credentials, private keys, support logs, and unrelated repositories before opening the workspace in the AI tool.

  3. 3

    Restrict

    Start read-only and block consequential actions

    Keep deployment, billing, identity, permission, package-publish, database-mutation, and external-upload actions behind explicit human approval. Disable network or external tools unless the task requires them.

  4. 4

    Verify

    Check the control on the surface you will actually use

    Verify retention, training, indexing, ignored paths, agent mode, CLI behavior, MCP tools, and sandbox settings for the exact product surface. A provider control may not apply to every mode.

  5. 5

    Observe

    Review changes and preserve a short evidence trail

    Inspect the diff, commands, tool calls, network destinations, and generated files. Record unexpected access requests and require a human decision before merging or releasing the result.

  6. 6

    Close

    Remove temporary access at handoff

    Revoke temporary tokens, remove local copies, close external sessions, and record whether any credential needs rotation. Keep only the minimum evidence the client has authorized you to retain.

Reusable evidence

Keep one access record per client task.

The register is intentionally blank. It records decisions without publishing client identity, repository names, source code, credentials, or scan results. Store completed records only where the client authorizes.

FieldMachine keyWhy it matters
Project IDproject_idA non-sensitive reference that ties the record to the authorized client engagement.
Authorization referenceclient_authorization_refWhere the client's approval for this AI-assisted task is recorded.
Repository scoperepository_scopeThe repository, branch, worktree, or sanitized copy the tool may reach.
AI tool and surfaceai_tool_surfaceThe exact editor, CLI, cloud agent, chat, or security-review surface in use.
Account or workspaceaccount_or_workspaceThe provider account or managed workspace whose policies apply.
Task purposetask_purposeThe specific outcome the client authorized.
Data categoriesdata_categoriesThe types of code, configuration, personal data, logs, or documents present.
Excluded pathsexcluded_pathsFiles and directories removed or blocked from AI access.
Allowed actionsallowed_actionsRead, edit, test, or other actions approved for the task.
Blocked actionsblocked_actionsDeploy, publish, rotate, delete, bill, grant access, or other actions the agent must not take.
Network accessnetwork_accessWhether outbound access is disabled, allowlisted, or unrestricted.
External toolsexternal_toolsMCP servers, connectors, browsers, shells, or other systems available to the agent.
Controls checked atprovider_controls_checked_atWhen retention, training, privacy, indexing, and permission settings were verified.
Human approverhuman_approverThe person responsible for consequential decisions.
Session startsession_started_atWhen authorized AI access began.
Session closesession_closed_atWhen temporary access, tokens, and copies were removed.
Rotation requiredcredential_rotation_requiredWhether observed exposure requires credential rotation or another follow-up.
Evidence notesevidence_notesA short, non-sensitive record of checks, exceptions, and approvals.

Provider boundary check

A control may not cover every agent surface.

Verify the current documentation for the exact editor, CLI, cloud agent, account tier, and workspace policy in use. The table records what the source documents; it does not independently certify provider behavior.

SourceControlDocumented boundaryChecked
AnthropicClaude Code permissions and sandboxingClaude Code supports allow, ask, and deny rules. Anthropic documents permissions and sandboxing as complementary controls and warns that bypass mode skips permission prompts.2026-07-15
CursorPrivacy mode, indexing, and ignored pathsCursor documents that code data is sent to its servers for AI features, explains privacy-mode handling, and describes .cursorignore as a best-effort exclusion for selected paths.2026-07-15
GitHubCopilot content exclusionGitHub supports content exclusion on selected Copilot surfaces, but its documentation says the exclusion does not cover Copilot CLI, the cloud agent, or IDE agent mode.2026-07-15
OpenAICodex Security repository reviewOpenAI documents that Codex Security analyzes an enabled GitHub repository and its history, recommends beginning with a focused repository set, and keeps proposed changes subject to human review.2026-07-15
NISTGenerative AI risk managementNIST's Generative AI Profile frames controls as a risk-management decision tied to the user's goals, risk tolerance, resources, and data-governance obligations.2026-07-15

When a formal baseline is justified

The register records intent. A scan tests the authorized repository boundary.

CapitalGuard can produce a redacted exposure report, preventive controls, and verification path for an authorized repository. It does not guarantee prevention or replace legal advice, provider controls, or remediation.

Check Repository Scope

Method: direct provider and NIST documentation, checked on July 15, 2026. Limitation: this checklist does not inspect a provider's private systems, prove contractual compliance, or establish that a specific client has authorized AI use.