First attempt at building out practices

robmoffat · robmoffat · commit 3c13d6877af8 · 2026-02-18T09:59:02.000Z
diff --git a/.dev/mitigations-research/chatgpt-deep-research-mitigations-16-feb.md b/.dev/mitigations-research/chatgpt-deep-research-mitigations-16-feb.md
diff --git a/.dev/mitigations-research/chatgpt-deep-research-tools-16-feb.md b/.dev/mitigations-research/chatgpt-deep-research-tools-16-feb.md
diff --git a/docs/Start.md b/docs/Start.md
@@ -1,5 +1,4 @@
 ---
-slug: /
 sidebar_position: 1
 title: Introduction
 ---
@@ -16,30 +15,9 @@ This shifts risk from *"bad AI decision"* to *"unsafe evolving codebase"* — a
 
 ---
 
-## Capabilities
+## Sections of this Catalog
 
-Agent capabilities that create attack surface:
-
-<TagList tag="Capability"/>
-
----
-
-## Risks
-
-Threats unique to or amplified by agentic software development:
-
-<TagList tag="Threat" />
-
----
-
-## Practices
-
-Controls and safeguards for agentic SDLC:
-
-<TagList tag="Control" />
-
-
----
+<TagList tag="Category"/>
 
 ## Related Standards
 
diff --git a/docs/capabilities/Start.md b/docs/capabilities/Start.md
@@ -3,6 +3,9 @@ title: Agentic Software Development Capabilities
 description: The foundational capabilities that enable AI agents to participate in software development
 sidebar_position: 1
 slug: /capabilities
+list_image: /img/icons/capability.svg
+tags:
+  - Category
 ---
 
 # Agentic Capabilities
diff --git a/docs/practices/Containment/Hard-Budgets.md b/docs/practices/Containment/Hard-Budgets.md
@@ -0,0 +1,24 @@
+---
+title: Enforce Hard Token, Time, and Cost Budgets on Every Agent Task
+sidebar_label: Hard Budgets
+sidebar_position: 1
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: hard-budgets
+  title: Hard Budgets
+  objective: Preventing runaway agent execution, denial-of-wallet attacks, and resource exhaustion by enforcing strict limits on tokens, time, API calls, and cost per task.
+  threat-mappings:
+    - reference-id: economic-pressure-risks
+      entries:
+        - remarks: Prevents unbounded spend and denial-of-wallet scenarios
+    - reference-id: multi-agent-risks
+      entries:
+        - remarks: Limits resource contention between concurrent agents
+    - reference-id: containment-isolation-risks
+      entries:
+        - remarks: Bounds blast radius of runaway loops or infinite recursion
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Containment/No-Production-Access.md b/docs/practices/Containment/No-Production-Access.md
@@ -0,0 +1,24 @@
+---
+title: Block Direct Agent Write Access to Production Environments
+sidebar_label: No Production Access
+sidebar_position: 2
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: no-production-access
+  title: No Production Access
+  objective: Preventing agents from directly modifying production systems, databases, or live infrastructure without going through controlled deployment pipelines.
+  threat-mappings:
+    - reference-id: autonomy-control-risks
+      entries:
+        - remarks: Prevents unauthorized commits and deploys to production
+    - reference-id: deployment-rollback-risks
+      entries:
+        - remarks: Forces changes through controlled pipelines with rollback capability
+    - reference-id: containment-isolation-risks
+      entries:
+        - remarks: Isolates agent actions from production blast radius
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Containment/Sandbox-Execution.md b/docs/practices/Containment/Sandbox-Execution.md
@@ -0,0 +1,21 @@
+---
+title: Sandbox Agent Code Execution with Syscall and Network Restrictions
+sidebar_label: Sandbox Execution
+sidebar_position: 3
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: sandbox-execution
+  title: Sandbox Execution
+  objective: Running all agent-generated or agent-executed code within isolated sandboxes that restrict syscalls, filesystem access, and network egress.
+  threat-mappings:
+    - reference-id: containment-isolation-risks
+      entries:
+        - remarks: Prevents container escape, privilege escalation, and host compromise
+    - reference-id: code-security-risks
+      entries:
+        - remarks: Limits damage from insecure or malicious generated code
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Containment/Tool-Call-Validation.md b/docs/practices/Containment/Tool-Call-Validation.md
@@ -0,0 +1,24 @@
+---
+title: Validate Agent Tool Calls Against Typed Schemas and Allowlists
+sidebar_label: Tool Call Validation
+sidebar_position: 4
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: tool-call-validation
+  title: Tool Call Validation
+  objective: Enforcing strict validation of all agent tool calls against typed schemas and allowlists before execution, preventing parameter injection and unauthorized tool use.
+  threat-mappings:
+    - reference-id: prompt-injection-risks
+      entries:
+        - remarks: Blocks injection payloads in tool call parameters
+    - reference-id: code-security-risks
+      entries:
+        - remarks: Prevents malformed or dangerous parameters reaching tools
+    - reference-id: containment-isolation-risks
+      entries:
+        - remarks: Restricts tool chain exploitation via allowlisted actions
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Containment/Untrusted-Content.md b/docs/practices/Containment/Untrusted-Content.md
@@ -0,0 +1,21 @@
+---
+title: Treat All Agent-Retrieved Content as Untrusted Input
+sidebar_label: Untrusted Content
+sidebar_position: 5
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: untrusted-content
+  title: Untrusted Content
+  objective: Treating all content retrieved by agents—from files, APIs, documentation, or user input—as potentially malicious and applying appropriate input validation.
+  threat-mappings:
+    - reference-id: prompt-injection-risks
+      entries:
+        - remarks: Defends against indirect injection via retrieved content
+    - reference-id: world-model-risks
+      entries:
+        - remarks: Prevents poisoned data sources from corrupting agent understanding
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Oversight/Agent-Identities.md b/docs/practices/Oversight/Agent-Identities.md
@@ -0,0 +1,21 @@
+---
+title: Assign Unique Machine Identities to Each Agent
+sidebar_label: Agent Identities
+sidebar_position: 1
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: agent-identities
+  title: Agent Identities
+  objective: Assigning distinct, non-shared machine identities to each agent instance, enabling clear attribution of actions and proper access control.
+  threat-mappings:
+    - reference-id: identity-accountability-risks
+      entries:
+        - remarks: Enables attribution of actions to specific agent instances
+    - reference-id: multi-agent-risks
+      entries:
+        - remarks: Allows enforcement of per-agent access policies and prevents identity confusion
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Oversight/Human-Approval-Gates.md b/docs/practices/Oversight/Human-Approval-Gates.md
@@ -0,0 +1,24 @@
+---
+title: Require Human Approval for Merges, Deploys, and Sensitive Actions
+sidebar_label: Human Approval Gates
+sidebar_position: 2
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: human-approval-gates
+  title: Human Approval Gates
+  objective: Requiring explicit human review and approval before agents can execute high-impact actions such as merging code, deploying to production, or modifying infrastructure.
+  threat-mappings:
+    - reference-id: autonomy-control-risks
+      entries:
+        - remarks: Prevents unauthorized commits and deploys without human oversight
+    - reference-id: deployment-rollback-risks
+      entries:
+        - remarks: Ensures human verification before production changes
+    - reference-id: human-factors-risks
+      entries:
+        - remarks: Creates deliberate decision points that resist manipulation
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Oversight/Immutable-Audit-Logs.md b/docs/practices/Oversight/Immutable-Audit-Logs.md
@@ -0,0 +1,21 @@
+---
+title: Log Every Agent Action to an Immutable, Append-Only Audit Trail
+sidebar_label: Immutable Audit Logs
+sidebar_position: 3
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: immutable-audit-logs
+  title: Immutable Audit Logs
+  objective: Maintaining comprehensive, tamper-evident logs of all agent actions, tool calls, and decisions to enable forensic analysis and accountability.
+  threat-mappings:
+    - reference-id: identity-accountability-risks
+      entries:
+        - remarks: Enables forensic reconstruction and attribution after incidents
+    - reference-id: containment-isolation-risks
+      entries:
+        - remarks: Detects and documents containment breaches or unauthorized actions
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Oversight/Review-Volume-Caps.md b/docs/practices/Oversight/Review-Volume-Caps.md
@@ -0,0 +1,21 @@
+---
+title: Cap Daily Review Volume Per Reviewer to Prevent Rubber-Stamping
+sidebar_label: Review Volume Caps
+sidebar_position: 4
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: review-volume-caps
+  title: Review Volume Caps
+  objective: Limiting the volume of agent-generated changes any single reviewer must process per day to maintain review quality and prevent fatigue-induced approval.
+  threat-mappings:
+    - reference-id: human-factors-risks
+      entries:
+        - remarks: Prevents review fatigue exploitation and rubber-stamping
+    - reference-id: verification-testing-risks
+      entries:
+        - remarks: Ensures human reviewers can meaningfully evaluate agent outputs
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Start.md b/docs/practices/Start.md
@@ -1,12 +1,13 @@
 ---
-title: Agentic Software Development Practices
+title: Agentic Software Development Practices and Controls
 description: Controls and practices for managing risks in agentic software development
 sidebar_position: 1
 slug: /practices
+list_image: /img/icons/control.svg
+tags: 
+ - Category
 ---
 
-# Agentic Practices
-
 Controls, practices, and mitigations for managing the risks introduced by AI agents in software development workflows.
 
 ## Practice Inventory
diff --git a/docs/practices/Verification/Canary-Rollouts.md b/docs/practices/Verification/Canary-Rollouts.md
@@ -0,0 +1,21 @@
+---
+title: Deploy Agent Changes via Canary Rollout with Automatic Rollback
+sidebar_label: Canary Rollouts
+sidebar_position: 1
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: canary-rollouts
+  title: Canary Rollouts
+  objective: Deploying agent-generated changes progressively to a small subset of traffic first, with automated rollback if health metrics degrade.
+  threat-mappings:
+    - reference-id: deployment-rollback-risks
+      entries:
+        - remarks: Limits blast radius and ensures rollback capability for agent changes
+    - reference-id: containment-isolation-risks
+      entries:
+        - remarks: Contains deployment failures to canary population before full rollout
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Verification/Context-Refresh.md b/docs/practices/Verification/Context-Refresh.md
@@ -0,0 +1,18 @@
+---
+title: Refresh Agent Context from Authoritative Sources Before Irreversible Actions
+sidebar_label: Context Refresh
+sidebar_position: 2
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: context-refresh
+  title: Context Refresh
+  objective: Requiring agents to refresh their understanding from authoritative sources immediately before taking irreversible actions, preventing stale world model errors.
+  threat-mappings:
+    - reference-id: world-model-risks
+      entries:
+        - remarks: Prevents actions based on outdated architecture views or stale data
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Verification/Dependency-Scanning.md b/docs/practices/Verification/Dependency-Scanning.md
@@ -0,0 +1,18 @@
+---
+title: Scan Agent-Selected Dependencies and Require SBOM Generation
+sidebar_label: Dependency Scanning
+sidebar_position: 3
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: dependency-scanning
+  title: Dependency Scanning
+  objective: Scanning all dependencies selected or introduced by agents for known vulnerabilities and generating Software Bills of Materials for traceability.
+  threat-mappings:
+    - reference-id: supply-chain-risks
+      entries:
+        - remarks: Detects compromised, vulnerable, or license-contaminated packages
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Verification/Independent-Verification.md b/docs/practices/Verification/Independent-Verification.md
@@ -0,0 +1,21 @@
+---
+title: Use Independent Verifiers for Agent-Generated Code and Tests
+sidebar_label: Independent Verification
+sidebar_position: 4
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: independent-verification
+  title: Independent Verification
+  objective: Ensuring that verification of agent-generated code comes from sources independent of the code-generating agent, breaking the verification illusion.
+  threat-mappings:
+    - reference-id: verification-testing-risks
+      entries:
+        - remarks: Breaks test-code coupling and prevents verification illusion
+    - reference-id: code-security-risks
+      entries:
+        - remarks: Catches security flaws the generating agent may share blind spots with
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Verification/Injection-Testing.md b/docs/practices/Verification/Injection-Testing.md
@@ -0,0 +1,18 @@
+---
+title: Include Prompt Injection Tests in CI/CD Security Gates
+sidebar_label: Injection Testing
+sidebar_position: 5
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: injection-testing
+  title: Injection Testing
+  objective: Including automated prompt injection tests in CI/CD pipelines to detect vulnerabilities before they reach production.
+  threat-mappings:
+    - reference-id: prompt-injection-risks
+      entries:
+        - remarks: Detects injection vulnerabilities in agent workflows before deployment
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/practices/Verification/Secrets-Scanning.md b/docs/practices/Verification/Secrets-Scanning.md
@@ -0,0 +1,21 @@
+---
+title: Run Secrets Scanning on All Agent-Generated Code and Logs
+sidebar_label: Secrets Scanning
+sidebar_position: 6
+list_image: /img/icons/control.svg
+tags:
+  - Control
+gemara:
+  id: secrets-scanning
+  title: Secrets Scanning
+  objective: Automatically scanning all agent-generated code, logs, and outputs for accidentally embedded credentials, API keys, or sensitive data.
+  threat-mappings:
+    - reference-id: data-privacy-risks
+      entries:
+        - remarks: Prevents credentials and secrets from being committed or logged
+    - reference-id: code-security-risks
+      entries:
+        - remarks: Catches hardcoded secrets that agents may embed in generated code
+---
+
+<ControlIntro fm={frontMatter} />
diff --git a/docs/risks/Start.md b/docs/risks/Start.md
diff --git a/docs/risks/Supply-Chain-Risks.md b/docs/risks/Supply-Chain-Risks.md
diff --git a/src/theme/gemara/ControlIntro/index.js b/src/theme/gemara/ControlIntro/index.js
diff --git a/src/theme/gemara/ThreatIntro/index.js b/src/theme/gemara/ThreatIntro/index.js
