Enforced Mode 0.2 beta

The agent gets a workspace. CapitalGuard keeps the authority.

CapitalGuard launches supported AI coding sessions without ambient access to the host repository, network, secrets, or container control. Privileged operations must cross one authenticated, policy-enforced broker.

Closed authority loop

The bypass path disappears inside the contained session.

1

Project

Build a new workspace from policy-approved or redacted files only.

2

Isolate

Start a digest-pinned agent image without direct network or host repository access.

3

Route

Expose privileged actions only through the authenticated CapitalGuard broker.

4

Decide

Apply the exact policy and one-use approval lease before invocation.

5

Prove

Record the result in a privacy-safe tamper-evident event chain.

Enforcement surface

Ambient authority is removed before the agent starts.

Contained

Repository access

The agent receives a policy-filtered read-only projection, not a mount of the host repository. Secret paths and symlinks are omitted before launch.

Broker only

Commands

Container-local commands have no host authority. Host commands require the no-shell gateway, an exact argument digest, trusted executable, timeout, and bounded output.

Disabled

Network

The container network is set to none. The only built-in host network operation is a policy-approved, DNS-pinned HTTPS HEAD request through the broker.

Fail closed

MCP and handoffs

The session cannot reach them directly. Live operations require a reviewed broker adapter and a matching policy; otherwise they remain blocked.

Protected mode never downgrades silently.

A missing runtime, mutable image tag, invalid session signature, wrong broker token, replayed sequence, unsupported operation, or missing adapter stops the protected path instead of falling back to ordinary execution.

Digest-pinned image with pull disabled

Read-only root and workspace projection

No network, capabilities, or privileged mode

Signed session and one-time broker sequence

No host source or Docker socket mount

Minimal environment without host secrets

Public contract

Verify the boundary before trusting the claim.

Public schemas, threat model, support matrix, contract vectors, benchmark results, and a signed evidence challenge describe what Enforced Mode controls and what still requires customer-specific integration.