Agent workflows need an impact boundary

In part 1, I wrote about why coding agents should not hold write credentials.

GitHub was the example, because the problem is easy to see there. A coding agent can read a repository, reason about a change, and produce useful work. But if the same agent also owns the token that creates branches, commits, or pull requests, the proposal and the authority to create impact are too close together.

The problem is not only GitHub.

The problem is the moment where an agent request becomes an external effect.

Agents are getting more useful because they can use tools. They can read files, call APIs, update tickets, prepare emails, run commands, inspect systems, and sometimes change state. That is exactly why the boundary matters more, not less.

In part 1, I wrote about why coding agents should not hold write credentials.

The problem is not only GitHub.

The problem is the moment where an agent request becomes an external effect.

Agent workflows need an impact boundary

Agent workflows need an impact boundary

Other newsrooms on this story

Related reading

Coding agents should not hold write credentials.

coding agents made repositories the security boundary

One Malicious GitHub Issue Was All It Took to Hijack a Claude Code Agent

open-source coding agents need maintainers, not just models

Give Every AI Agent Its Own Git Worktree

Maybe Coding Agents Don't Need a Bigger Memory. Maybe They Need Continuity.

Other newsrooms on this story

Related reading

Coding agents should not hold write credentials.

coding agents made repositories the security boundary

One Malicious GitHub Issue Was All It Took to Hijack a Claude Code Agent

open-source coding agents need maintainers, not just models

Give Every AI Agent Its Own Git Worktree

Maybe Coding Agents Don't Need a Bigger Memory. Maybe They Need Continuity.