Drop-in configs and scripts that block the threats. Copy these into your repo and watch the same demos fail.
How to run
Open the sandbox/ folder directly in Kiro: it's the same Express baseline as the threat sandbox, but with .kiroignore, steering rules, a scoped spec, and a working PreToolUse hook all wired in. See sandbox/README.md for the prompts to try.
The five layers
- [[community/demo/20260427 - Secure Practices in Agentic IDEs/defenses/kiroignore|.kiroignore]]: keep secrets and infra out of context
- Specs: declare scope before code
- Steering rules: durable invariants across sessions
- Hooks: block dangerous commands at the harness
- Sandbox: last-resort isolation for untrusted work
Order of operations
If you only do four things:
```bash
# 1. Ignore secrets
cp .gitignore .kiroignore   # then add .env*, *.pem, id_rsa
# 2. Stop postinstall scripts
npm config set ignore-scripts true
# 3. Install the deny-dangerous hook
mkdir -p .kiro/hooks scripts
# (copy from defenses/hooks)
# 4. Pin tools per project, not globally
# (configure approval mode per project)
```

The full ship checklist is on the talk slide deck.
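What the deny-dangerous hook from step 3 (the Hooks layer above) looks like in the small, as an added illustration rather than the hook shipped in defenses/hooks. It assumes the harness pipes the pending tool call to stdin as JSON with the command under tool_input.command (those field names are assumed, not Kiro's documented ones) and treats a non-zero exit status as a block; the deny list mirrors the page's own concerns (secrets, postinstall scripts, destructive shell).

```python
#!/usr/bin/env python3
"""Deny-dangerous PreToolUse hook (added example, not the one in defenses/hooks).

Assumed contract: the harness pipes the pending tool call to stdin as JSON, with
the shell command under tool_input.command, and treats a non-zero exit as "block".
Adapt the field names to whatever payload your harness actually sends.
"""
import json
import re
import sys

# (pattern, reason): patterns run against the whitespace-normalised command;
# the first hit blocks the call and its reason is reported back.
DENY_RULES = [
    (re.compile(r"\brm\s+(-\w+\s+)*(/|~)"), "rm on an absolute or home path"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "download piped into a shell"),
    (re.compile(r"\b(cat|head|tail|less|grep)\b.*\.env\b"), "reading an .env file"),
    (re.compile(r"id_rsa|\.pem\b"), "touching a *.pem or id_rsa file"),
    (re.compile(r"\bnpm\s+(install|i|ci)\b(?!.*--ignore-scripts)"), "npm install without --ignore-scripts"),
    (re.compile(r"\bgit\s+push\b.*(\s-f|--force)\b"), "git force push"),
]

def decide(payload: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Only shell tool calls are inspected."""
    if payload.get("tool_name") != "shell":
        return True, "not a shell command"
    command = str((payload.get("tool_input") or {}).get("command", ""))
    normalised = " ".join(command.split())
    for pattern, reason in DENY_RULES:
        if pattern.search(normalised):
            return False, reason
    return True, "no deny rule matched"

def main() -> int:
    try:
        payload = json.load(sys.stdin)
    except (json.JSONDecodeError, UnicodeDecodeError):
        # Fail closed: a request the hook cannot parse is blocked, not waved through.
        print("deny-dangerous: unreadable tool call, blocking", file=sys.stderr)
        return 2
    allowed, reason = decide(payload)
    if not allowed:
        print(f"deny-dangerous: blocked ({reason})", file=sys.stderr)
        return 2
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Wire it in as the PreToolUse command for the shell tool; anything the regexes do not catch still falls through to the per-project approval mode from step 4.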
Layered, not bullet-proof
None of these stop a determined attacker on their own. Together, they raise the cost enough that the agent stops being the cheapest path in.