How to Add Safety Controls to Windsurf AI Agents

SafeClaw by Authensor gates every action from Windsurf's Cascade AI agent through deny-by-default policies, intercepting file edits, terminal commands, and tool invocations before they execute. Windsurf's autonomous agent can modify your entire codebase in a single flow — SafeClaw ensures every step complies with your YAML-defined safety rules.

How Windsurf's Cascade Agent Works

Windsurf's Cascade is a multi-step agentic system that can read your codebase, write and edit files, run terminal commands, and chain these actions together autonomously. Unlike simple autocomplete, Cascade plans and executes multi-file refactors, debugging sessions, and feature implementations. It uses "Flows" — sequences of actions that build on each other. The security concern is that Cascade can execute long chains of actions with minimal user checkpoints, and each action has full filesystem and terminal access.

Cascade Flow → Action Step → [SafeClaw Policy Check] → Execute or Block

Quick Start

npx @authensor/safeclaw

Creates a safeclaw.yaml in your project. SafeClaw integrates with Windsurf through MCP server configuration, intercepting every action in Cascade's flow.

Step 1: Define Windsurf-Specific Policies

# safeclaw.yaml
version: 1
default: deny

policies:
  - name: "cascade-file-operations"
    description: "Scope Cascade's file access"
    actions:
      - tool: "write_file"
        effect: allow
        constraints:
          path_pattern: "src/|lib/|components/|tests/"
      - tool: "read_file"
        effect: allow
      - tool: "delete_file"
        effect: deny
      - tool: "write_file"
        effect: deny
        constraints:
          path_pattern: ".env|.pem|.key|.git/*"

- name: "cascade-terminal-policy"
    description: "Restrict Cascade terminal access"
    actions:
      - tool: "run_terminal"
        effect: allow
        constraints:
          command_pattern: "npm test|npm run |npx |git status|git diff|git log"
      - tool: "run_terminal"
        effect: deny
        constraints:
          command_pattern: "rm -rf|sudo |curl  | sh|wget |chmod 777*"
      - tool: "run_terminal"
        effect: deny

- name: "cascade-browser-policy"
    description: "Control browser preview actions"
    actions:
      - tool: "open_browser"
        effect: allow
        constraints:
          url_pattern: "http://localhost:/*"
      - tool: "open_browser"
        effect: deny

Step 2: Connect SafeClaw via MCP

Windsurf supports MCP servers for extended tool use. Register SafeClaw as a gating layer:

// windsurf MCP configuration
{
  "mcpServers": {
    "safeclaw": {
      "command": "npx",
      "args": ["@authensor/safeclaw", "mcp-server"],
      "env": {
        "SAFECLAW_POLICY": "./safeclaw.yaml"
      }
    }
  }
}

Every tool call in Cascade's flow now passes through SafeClaw's policy engine before reaching your system.

Step 3: Protect Multi-File Flows

Cascade frequently performs multi-file operations — refactoring a component might touch 10+ files in a single flow. SafeClaw evaluates each file operation independently:

policies:
  - name: "cascade-refactor-scope"
    description: "Limit refactoring to source directories"
    actions:
      - tool: "write_file"
        effect: allow
        constraints:
          path_pattern: "src/**"
      - tool: "write_file"
        effect: allow
        constraints:
          path_pattern: "tests/**"
      - tool: "write_file"
        effect: deny
        constraints:
          path_pattern: "package.json|tsconfig.json|.config."

If Cascade tries to modify your build configuration as part of a refactor, SafeClaw blocks that specific action while allowing the source file changes. Cascade receives the denial and can adapt its plan.

Step 4: Handle Cascade's Agentic Loops

Cascade runs in an agentic loop where it proposes an action, receives the result, and plans the next step. SafeClaw integrates naturally with this loop:

// SafeClaw evaluates each action in Cascade's loop
// Denied actions return an error message to Cascade
// Cascade adjusts its plan based on what's permitted

The hash-chained audit log captures the complete flow — every proposed action, every policy evaluation, and every decision — giving you a full trace of Cascade's autonomous behavior.

Step 5: Per-Project Safety Profiles

Different projects warrant different safety levels. A greenfield project might allow broader file creation, while a production codebase needs tighter constraints:

# Strict production policy
version: 1
default: deny

policies:
  - name: "production-lockdown"
    actions:
      - tool: "write_file"
        effect: allow
        constraints:
          path_pattern: "src/features/**"
          max_size_bytes: 50000
      - tool: "run_terminal"
        effect: allow
        constraints:
          command_pattern: "npm test|npm run typecheck"

Why SafeClaw

• 446 tests covering policy evaluation, edge cases, and audit integrity
• Deny-by-default — every Cascade flow step must match an allow rule
• Sub-millisecond evaluation — no delay in Windsurf's interactive flow
• Hash-chained audit log — complete trace of every autonomous action
• Works with Claude AND OpenAI — supports whatever model Windsurf routes to

Related Pages

• How to Secure AI Agents in Cursor IDE
• How to Add Action Gating to GitHub Copilot Workflows
• How to Secure Devin and Autonomous Coding Agents
• How to Secure MCP Servers