34.5 Guardrails: refuse risky changes and require approvals
Blocking Destructive Actions
Your tool needs an allowlist: an explicit list of the commands the model is permitted to run.
- Allowed: `ls`, `cat`, `grep`, `npm test`, `git status`.
- Blocked: `rm -rf`, `git push --force`, `aws delete-bucket`.
If the model tries to run a blocked command, your tool should intercept it and say: "Action blocked by safety policy. Please ask the user for permission."
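One way to implement this interception, as an added example that is not code from the guide. The names `check_command`, `run_tool_call` and `ALLOWED_PREFIXES` are assumptions; the check compares parsed tokens rather than string prefixes and denies anything not listed.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Argv prefixes the model may run, taken from the "Allowed" list above.
ALLOWED_PREFIXES = [("ls",), ("cat",), ("grep",), ("npm", "test"), ("git", "status")]
BLOCK_MESSAGE = "Action blocked by safety policy. Please ask the user for permission."
# Shell syntax that chains, redirects or substitutes commands. Refused outright
# so the policy still holds if a caller ever hands the string to a shell.
SHELL_META = re.compile(r"[;&|<>`$\n\\(){}]")


def check_command(command: str) -> Optional[List[str]]:
    """Return the parsed argv if the command is allowlisted, else None."""
    if SHELL_META.search(command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return None
    # Compare whole tokens, not string prefixes: "lsof" must not match "ls".
    for prefix in ALLOWED_PREFIXES:
        if tuple(argv[: len(prefix)]) == prefix:
            return argv
    return None  # default deny: anything not listed is blocked


def run_tool_call(command: str) -> str:
    """Hypothetical tool entry point: run an allowed command or refuse."""
    argv = check_command(command)
    if argv is None:
        return BLOCK_MESSAGE
    # shell=False (the default) passes argv straight to the program.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return result.stdout + result.stderr
```

The metacharacter filter is deliberately strict, so a legitimate `grep` pattern containing `|` or `$` is also refused and falls back to asking the user.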
Protecting Secrets
Before sending any file to the LLM, run a regex scan for API keys (`sk-live-...`, `AWS_SECRET...`). If found, redact them to `[REDACTED]`.
This prevents you from accidentally leaking your production keys to the model provider (though Google Enterprise has privacy guarantees, it's good hygiene).