Client code workflow
Client code AI security checklist.
Before an AI coding tool touches client code: get written authorization, isolate the workspace, remove secrets and customer data, start read-only, block high-impact actions, and record what the tool could reach.
Provider privacy settings matter, but they do not replace repository boundaries. Use this workflow before Cursor, Claude Code, Codex, Copilot, or another agent receives an authorized client repository.
CapitalGuard Security Research · Version 1.0.0 · Sources checked July 15, 2026
6
Control steps
18
Register fields
5
Primary sources
The workflow
Six decisions before the first prompt.
The order matters. Authorization comes before configuration, and access reduction comes before trusting a provider setting.
- 1
Authorize
Confirm the client approved the exact use
Record the repository, AI tool, account or workspace, task, data categories, and approved operator before the first prompt. A general software contract is not the same as approval for a new AI processing path.
- 2
Reduce
Create the smallest useful workspace
Use a dedicated branch, worktree, or sanitized copy. Remove production exports, customer records, credentials, private keys, support logs, and unrelated repositories before opening the workspace in the AI tool.
- 3
Restrict
Start read-only and block consequential actions
Keep deployment, billing, identity, permission, package-publish, database-mutation, and external-upload actions behind explicit human approval. Disable network or external tools unless the task requires them.
- 4
Verify
Check the control on the surface you will actually use
Verify retention, training, indexing, ignored paths, agent mode, CLI behavior, MCP tools, and sandbox settings for the exact product surface. A provider control may not apply to every mode.
- 5
Observe
Review changes and preserve a short evidence trail
Inspect the diff, commands, tool calls, network destinations, and generated files. Record unexpected access requests and require a human decision before merging or releasing the result.
- 6
Close
Remove temporary access at handoff
Revoke temporary tokens, remove local copies, close external sessions, and record whether any credential needs rotation. Keep only the minimum evidence the client has authorized you to retain.
Reusable evidence
Keep one access record per client task.
The register is intentionally blank. It records decisions without publishing client identity, repository names, source code, credentials, or scan results. Store completed records only where the client authorizes.
| Field | Machine key | Why it matters |
|---|---|---|
| Project ID | project_id | A non-sensitive reference that ties the record to the authorized client engagement. |
| Authorization reference | client_authorization_ref | Where the client's approval for this AI-assisted task is recorded. |
| Repository scope | repository_scope | The repository, branch, worktree, or sanitized copy the tool may reach. |
| AI tool and surface | ai_tool_surface | The exact editor, CLI, cloud agent, chat, or security-review surface in use. |
| Account or workspace | account_or_workspace | The provider account or managed workspace whose policies apply. |
| Task purpose | task_purpose | The specific outcome the client authorized. |
| Data categories | data_categories | The types of code, configuration, personal data, logs, or documents present. |
| Excluded paths | excluded_paths | Files and directories removed or blocked from AI access. |
| Allowed actions | allowed_actions | Read, edit, test, or other actions approved for the task. |
| Blocked actions | blocked_actions | Deploy, publish, rotate, delete, bill, grant access, or other actions the agent must not take. |
| Network access | network_access | Whether outbound access is disabled, allowlisted, or unrestricted. |
| External tools | external_tools | MCP servers, connectors, browsers, shells, or other systems available to the agent. |
| Controls checked at | provider_controls_checked_at | When retention, training, privacy, indexing, and permission settings were verified. |
| Human approver | human_approver | The person responsible for consequential decisions. |
| Session start | session_started_at | When authorized AI access began. |
| Session close | session_closed_at | When temporary access, tokens, and copies were removed. |
| Rotation required | credential_rotation_required | Whether observed exposure requires credential rotation or another follow-up. |
| Evidence notes | evidence_notes | A short, non-sensitive record of checks, exceptions, and approvals. |
Provider boundary check
A control may not cover every agent surface.
Verify the current documentation for the exact editor, CLI, cloud agent, account tier, and workspace policy in use. The table records what the source documents; it does not independently certify provider behavior.
| Source | Control | Documented boundary | Checked |
|---|---|---|---|
| Anthropic | Claude Code permissions and sandboxing | Claude Code supports allow, ask, and deny rules. Anthropic documents permissions and sandboxing as complementary controls and warns that bypass mode skips permission prompts. | 2026-07-15 |
| Cursor | Privacy mode, indexing, and ignored paths | Cursor documents that code data is sent to its servers for AI features, explains privacy-mode handling, and describes .cursorignore as a best-effort exclusion for selected paths. | 2026-07-15 |
| GitHub | Copilot content exclusion | GitHub supports content exclusion on selected Copilot surfaces, but its documentation says the exclusion does not cover Copilot CLI, the cloud agent, or IDE agent mode. | 2026-07-15 |
| OpenAI | Codex Security repository review | OpenAI documents that Codex Security analyzes an enabled GitHub repository and its history, recommends beginning with a focused repository set, and keeps proposed changes subject to human review. | 2026-07-15 |
| NIST | Generative AI risk management | NIST's Generative AI Profile frames controls as a risk-management decision tied to the user's goals, risk tolerance, resources, and data-governance obligations. | 2026-07-15 |
Continue the evidence trail
Use the register with the right reference.
When a formal baseline is justified
The register records intent. A scan tests the authorized repository boundary.
CapitalGuard can produce a redacted exposure report, preventive controls, and verification path for an authorized repository. It does not guarantee prevention or replace legal advice, provider controls, or remediation.
Method: direct provider and NIST documentation, checked on July 15, 2026. Limitation: this checklist does not inspect a provider's private systems, prove contractual compliance, or establish that a specific client has authorized AI use.
