Laki Agent Docs

Safety & the write gate

Reading is free; every change stops at a human approval gate. The deny-by-default classifier and the full free-vs-gated inventory.

Laki Agent's core safety contract: the model can never change anything on its own. It may read freely, but every mutation is turned into a plan and shown to you for approval first — you see the exact command, the target org, and any warnings before a single byte changes.

Free vs. gated — the full inventory

Runs free (no approval)Requires your approval
Browser sight: read_page, list_network, get_urlEvery write tool (e.g. create_custom_field) — proposed, never direct
Salesforce reads: list_orgs, org_info, list_sobjects, describe_sobject, soql_queryrun_command when it mutates (deploy, DML, import, git push/commit, npm install, unknown programs)
run_command for allow-listed read-only commands (sf reads, git status/log/diff, npm ls, ls, pwd, …)Sign out of Salesforce (browser:clearData) and deleting a saved provider
Agent navigate (loading a URL)Anything with a shell operator (;, |, >, &&) or a dangerous flag (git -c, --exec-path, output redirects)

run_command is deny-by-default

run_command lets the agent run general CLIs (git, npm, and sf verbs beyond the dedicated read tools). Its classifier is deny-by-default: only a positively allow-listed program and subcommand with no dangerous flag runs free. *Everything else* — including anything it doesn't recognize — is gated to the same human approval as a write. It's argument-injection hardened: it spawns with no shell (so ;/|/> are inert), rejects a per-command denied-flag set, and gates a binary invoked by a relative path (./sf) so a planted binary can't masquerade as an allow-listed name.

The approval gate

When a mutation is proposed, an approval dialog shows the exact argv, the working directory, the target org and edition (so you can refuse a production org), and warnings. Approve and it runs; reject and the agent is told not to re-propose it. This same gate covers both Salesforce writes and gated run_commands.

Laki treats live orgs as read-only by convention — deploy and verify against scratch/dev orgs. The approval dialog surfaces the org edition precisely so a human can catch a production target before approving.