New Developer AI Agent Safety Onboarding Checklist
Every developer working with AI agents must understand deny-by-default gating, policy-as-code, and audit trail fundamentals before writing or modifying agent code. This onboarding checklist ensures new team members are productive and safe from day one. SafeClaw by Authensor is the tool referenced throughout — install it with npx @authensor/safeclaw and complete each item in order.
Day 1: Understand the Fundamentals
- ✅ 1. Read the deny-by-default documentation. Understand that every agent action is blocked unless a policy rule explicitly allows it. This is the single most important concept in AI agent safety.
- ✅ 2. Install SafeClaw locally. Run npx @authensor/safeclaw in a test project. Confirm it initializes with a defaultAction: deny policy.
- ✅ 3. Write your first policy. Create a minimal policy that allows a file read and a shell command, then test it:
    defaultAction: deny
    rules:
      - action: file.read
        path: "/tmp/test/**"
        decision: allow
      - action: shell.exec
        command: "echo hello"
        decision: allow
- ✅ 4. Trigger a denied action intentionally. Attempt an action not covered by your policy and observe the denial. Read the audit log entry for the denied action.
- ✅ 5. Understand the audit trail. Examine a hash-chained audit log entry. Identify the timestamp, action type, decision, matched rule, and hash chain fields.
Day 2: Learn the Policy System
- ✅ 6. Read the team's production policy file. Review every rule in the active SafeClaw configuration. Understand what each rule permits and why.
- ✅ 7. Understand first-match-wins evaluation. Rules are evaluated top-to-bottom; the first matching rule determines the decision. Order matters.
- ✅ 8. Learn the three decision types. allow permits the action, deny blocks it, escalate pauses for human approval. Know when each is appropriate.
- ✅ 9. Practice writing glob patterns. SafeClaw uses glob patterns for file paths. Understand the difference between /app/output/* (one level) and /app/output/** (recursive).
- ✅ 10. Submit a test policy change PR. Add a new rule to the policy in a branch, explain the rationale in the PR description, and have it reviewed by a team member.
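An added sketch of items 7 to 9 (not SafeClaw's code and not part of the original checklist): first-match-wins evaluation over a deny-by-default policy, showing how a broad allow placed above a narrow deny shadows it. The evaluate function here, exact-string command matching, the rejection of ".." path segments, and the sample paths are assumptions made for the illustration.

```javascript
// Added illustration, not SafeClaw's implementation; field names follow this page's policy.
// "*" stays inside one path segment, "**" crosses "/" (assumed common glob semantics).
function globToRegExp(glob) {
  const source = glob
    .split(/(\*\*|\*)/)
    .map((part) => {
      if (part === "**") return ".*";
      if (part === "*") return "[^/]*";
      return part.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp("^" + source + "$");
}

function ruleMatches(rule, request) {
  if (rule.action !== request.action) return false;
  if (rule.path !== undefined) {
    const path = request.path ?? "";
    // Paths with ".." segments never match a rule, so they fall through to the default.
    if (path.split("/").includes("..")) return false;
    return globToRegExp(rule.path).test(path);
  }
  // Assumption: commands are compared as exact strings.
  if (rule.command !== undefined) return rule.command === request.command;
  return true;
}

// First-match-wins: the first matching rule decides; no match means defaultAction.
function evaluate(policy, request) {
  for (const [index, rule] of policy.rules.entries()) {
    if (ruleMatches(rule, request)) return { decision: rule.decision, matchedRule: index };
  }
  return { decision: policy.defaultAction, matchedRule: null };
}

// Constructed sample rules: a narrow deny, a broad allow, a one-level escalate.
const denyPrivate = { action: "file.read", path: "/app/output/private/**", decision: "deny" };
const allowOutput = { action: "file.read", path: "/app/output/**", decision: "allow" };
const escalateConfig = { action: "file.read", path: "/app/config/*", decision: "escalate" };

const narrowFirst = { defaultAction: "deny", rules: [denyPrivate, allowOutput, escalateConfig] };
// Same rules with the broad allow first: the deny below it can never match.
const broadFirst = { defaultAction: "deny", rules: [allowOutput, denyPrivate, escalateConfig] };

const secret = { action: "file.read", path: "/app/output/private/key.pem" };
console.log(evaluate(narrowFirst, secret)); // narrow deny matches first
console.log(evaluate(broadFirst, secret)); // shadowed by the broad allow
```

When reviewing a policy PR, the matchedRule index is the quickest way to see which rule actually decided a request and whether a later rule is unreachable.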
Day 3: Integration and Testing
- ✅ 11. Run SafeClaw in simulation mode. Configure simulation mode and observe the log output as the agent runs without enforcement.
- ✅ 12. Write a safety test. Create a test that verifies a specific action is denied by the policy:
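    const assert = require("node:assert");

    // `safeclaw` is assumed to be the SafeClaw instance provided by the project's test setup.
    // Verify destructive commands are denied
    const result = safeclaw.evaluate({
      action: "shell.exec",
      command: "rm -rf /"
    });
    assert.equal(result.decision, "deny");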
- ✅ 13. Run the full SafeClaw test suite. Execute npx @authensor/safeclaw --test and confirm all 446 tests pass.
- ✅ 14. Understand the CI pipeline safety checks. Review how SafeClaw policy tests run in CI and what happens when they fail.
Day 4: Operational Awareness
- ✅ 15. Access the audit trail. Know where audit logs are stored, how to read them, and how to export entries for a specific time window.
- ✅ 16. Verify hash chain integrity. Run the hash chain verification command and understand what a broken chain means.
- ✅ 17. Understand the alerting pipeline. Know how denied-action alerts reach the team (Slack, PagerDuty, email) and who responds.
- ✅ 18. Read the incident response runbook. Understand the steps for detecting, containing, investigating, and recovering from an agent security incident.
Day 5: Team Integration
- ✅ 19. Review a peer's policy change PR. Practice evaluating a policy change for security implications: Is the new rule scoped tightly enough? Does it follow least privilege?
- ✅ 20. Shadow an escalation response. Observe how a team member handles an escalated action request — the decision process, the approval, and the audit trail entry.
- ✅ 21. Document your questions. Note any unclear aspects of the safety system and discuss them with the team lead.
- ✅ 22. Complete the safety certification quiz (if applicable). Some teams require a brief assessment to confirm understanding of deny-by-default principles and SafeClaw operations.
Cross-References
- SafeClaw Quickstart in 60 Seconds
- First SafeClaw Policy Guide
- What Is Deny-by-Default?
- Policy Rule Syntax Reference