CapitalGuardAI-agent security licensesScan

Workspace boundary risk

Dangerous Agent-Readable Files

Some files should not be read, edited, summarized, or sent to external tools by autonomous coding agents.

Severity: HighDetected by: Starter, Growth, and Pro

Signals CapitalGuard looks for

Production scripts in default agent scope
Customer exports or support logs inside the repo
Security notes, incident notes, or private runbooks stored beside code

Why it matters

Agents can accidentally expose sensitive files while answering normal engineering questions.
The most dangerous files are often operational, not application source code.
Protected path rules are easier to enforce after the risky file classes are named.

Precautions to take

Create a protected-path policy for sensitive directories.
Move customer data and incident notes out of the repo workspace.
Require human approval before agents read or edit operational files.

Next step

Turn this risk into a scoped scan and policy path.

Compare Licenses