惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

云风的 BLOG
云风的 BLOG
Help Net Security
Help Net Security
Y
Y Combinator Blog
WordPress大学
WordPress大学
D
DataBreaches.Net
N
Netflix TechBlog - Medium
U
Unit 42
爱范儿
爱范儿
MyScale Blog
MyScale Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 司徒正美
Google DeepMind News
Google DeepMind News
D
Docker
H
Help Net Security
Stack Overflow Blog
Stack Overflow Blog
宝玉的分享
宝玉的分享
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
Engineering at Meta
Engineering at Meta
Know Your Adversary
Know Your Adversary
P
Privacy & Cybersecurity Law Blog
P
Proofpoint News Feed
T
Tenable Blog
S
Schneier on Security
V
Vulnerabilities – Threatpost
V
V2EX
T
Tor Project blog
Security Latest
Security Latest
S
Securelist
G
Google Developers Blog
NISL@THU
NISL@THU
Schneier on Security
Schneier on Security
Webroot Blog
Webroot Blog
小众软件
小众软件
Google Online Security Blog
Google Online Security Blog
阮一峰的网络日志
阮一峰的网络日志
W
WeLiveSecurity
IT之家
IT之家
I
InfoQ
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
月光博客
月光博客
I
Intezer
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
博客园 - 【当耐特】
The GitHub Blog
The GitHub Blog
Cloudbric
Cloudbric
Scott Helme
Scott Helme
The Cloudflare Blog
L
LINUX DO - 热门话题

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
【5月5日】Coding Agent Harness:99%开发者不知道的AI编程Agent安全护盾 🔥
· 2026-05-05 · via DEV Community

如果你觉得有用,请留言 — 我每条必读。


【5月5日】Coding Agent Harness:99%开发者不知道的AI编程Agent安全护盾 🔥

先说一个让你后背发凉的数字:目前绝大多数 AI 编程 Agent 都是以 root 权限运行在系统中,拥有完整文件系统权限,直接执行大模型生成的任何代码——没有任何安全边界

今天要介绍的这个 GitHub 开源项目 Coding Agent Harness,用 Rust 写了一个专门给 AI 编程 Agent 用的沙箱执行环境,近 4000 GitHub Stars,但知道它的人少之又少。

让我们来看看 5 个连官方文档都没写清楚的安全模式。


模式一:沙箱代码执行 —— 那层缺失的防护

大多数开发者的做法(危险)

# 危险:直接执行
result = agent.execute(code_string)

Enter fullscreen mode Exit fullscreen mode

用 Harness 的正确做法

from harness import AgentHarness, Policy

policy = Policy()
policy.allow_filesystem("/tmp/agent-workspace")  # 只能在 /tmp
policy.allow_network(False)                       # 禁止网络
policy.max_execution_time = 60                   # 最长60秒
policy.max_tokens = 8192                         # 限制输出

harness = AgentHarness(policy=policy)
result = harness.execute(agent_code)

print(f"安全执行完成: {result.status}")

Enter fullscreen mode Exit fullscreen mode

为什么重要:这个策略在 Rust 运行时层面强制执行,即使攻击者突破了 Python 层,Rust 沙箱依然可以终止并记录违规。


模式二:工具权限范围控制 —— 没人配置的精细化权限

被忽视的宝藏功能:Harness 有比任何 MCP 服务商都细粒度的权限体系,但绝大多数开发者直接 allow_all=True 就完事了。

from harness import ToolScope, PolicyBuilder

# 正确做法:最小权限原则
policy = (
    PolicyBuilder()
    .allow_tool("read_file", path_pattern="**/*.py")      # 只能读 .py
    .allow_tool("write_file", path_pattern="/tmp/output/**")  # 只能写这个目录
    .allow_tool("execute_bash", timeout=30,
                allowed_commands=["python3", "git", "ruff"])
    .deny_tool("delete_file")    # 禁止删除
    .deny_tool("network_request",
               exceptions=["localhost:8080"])
    .build()
)

Enter fullscreen mode Exit fullscreen mode

关键洞察:可以精确到文件路径模式——Agent 能读 .py 但不能读 .env,能写 /tmp 但不能碰你的 home 目录。


模式三:执行审计日志 —— 默认关闭的隐藏超能力

被忽视的真相:Harness 会自动记录每次工具调用、每次文件访问、每次代码执行到不可篡改的审计日志。绝大多数开发者从来没配置过,导致违规行为悄悄溜走。

from harness import AgentHarness, AuditLogger
import json

# 启用审计日志 — 默认是关闭的!
logger = AuditLogger(
    backend="file",
    path="/var/log/agent-audit/audit.jsonl",
    redact_sensitive=True,   # 自动抹除敏感信息
    log_level="verbose"
)

harness = AgentHarness(
    policy=policy,
    audit_logger=logger,
    on_violation="log_and_reject"  # 或 "terminate"
)

# 事后分析违规记录:
with open("/var/log/agent-audit/audit.jsonl") as f:
    for line in f:
        entry = json.loads(line)
        if entry.get("violation"):
            print(f"⚠️  {entry['timestamp']}: {entry['violation_type']}")
            print(f"   工具: {entry['tool']}, 路径: {entry.get('resource', 'N/A')}")

Enter fullscreen mode Exit fullscreen mode

隐藏超能力:这些日志可以接入 SIEM 系统,检测 AI Agent 行为异常,同时满足代码审查追溯的合规要求。


模式四:多 Agent 隔离 —— Google A2A 协议没告诉你的安全真相

Google 的 A2A 协议现在很火(Hacker News 450分),但几乎没人讨论 Agent 互相通信时的安全问题。

用 Harness,可以把多个 Agent 运行在完全隔离的隔舱里:

from harness import Compartment, CompartmentalizedHarness
from harness.policies import PolicyBuilder

# 为不同 Agent 创建隔离隔舱
code_review = Compartment(
    name="code-reviewer",
    policy=(
        PolicyBuilder()
        .allow_tool("read_file", path_pattern="**/*.py")
        .allow_tool("execute_bash", allowed_commands=["pytest", "ruff"])
        .build()
    ),
    resource_limit_mb=512,
)

security_scan = Compartment(
    name="security-scanner",
    policy=(
        PolicyBuilder()
        .allow_tool("read_file", path_pattern="**/*")
        .allow_tool("execute_bash", allowed_commands=["semgrep", "bandit"])
        .allow_network(True)
        .build()
    ),
    resource_limit_mb=1024,
)

harness = CompartmentalizedHarness()
harness.register(code_review)
harness.register(security_scan)

review_result = harness.run("code-reviewer", task=review_task)
scan_result = harness.run("security-scanner", task=scan_task)
# 两个 Agent 内存空间完全隔离,Rust 级别保证

Enter fullscreen mode Exit fullscreen mode

这是 A2A 对话中缺失的一环——A2A 处理通信,Harness 处理安全边界。


模式五:实时 Token 预算强制 —— 省钱的隐藏福利

被忽视的好处:Harness 可以在 Agent 级别、会话级别、任务级别强制 Token 预算,防止 LLM 成本悄悄失控。

from harness import AgentHarness, TokenBudget

budget = TokenBudget(
    max_input_tokens=50000,
    max_output_tokens=10000,
    cost_limit_usd=0.50,      # 硬性成本上限
    on_limit="graceful_stop"  # 或 "terminate", "warn"
)

harness = AgentHarness(
    policy=policy,
    token_budget=budget,
    llm_provider="openai",
    model="gpt-4o"
)

result = harness.execute(task)
print(f"已用 Token: {result.tokens_consumed}")
print(f"成本: ${result.cost_usd:.4f}")
print(f"预算余额: ${budget.remaining():.4f}")

Enter fullscreen mode Exit fullscreen mode

结合 Rust 级别的强制执行,Token 预算无法被绕过,就算 Agent 试图操纵自己的执行上下文也不行。Python 方案给不了你这个保证。


数据来源


核心洞察

AI Agent 生态正在为 Agent 通信建立漂亮的协议(A2A、MCP),但在 Agent 安全方面严重落后。Coding Agent Harness 是少数几个从运行时层面解决这个问题的项目。

上面的模式不是杞人忧天——而是运维成熟度的体现。如果你现在部署 AI Agent 到生产环境而没有这些边界,一道提示词注入就能让你出大事。


延伸阅读


讨论时间

你在用什么方式保护你的 AI Agent? 留言告诉我——我特别想知道:

  • 你是怎么处理多 Agent 通信安全问题的?
  • 生产环境里遇到过提示词注入吗?
  • 你的审计流水线是怎么设计的?

每条留言我都会看,也会回复。如果这篇文章帮你省了调试时间,转给需要它的同事吧。