docs(adr): ADR-015 AgentSH Integration for execution-layer security

[wildcard]

Description

This PR introduces ADR-015, a comprehensive architecture decision record for integrating AgentSH—an execution-layer security gateway—into Caro's command execution pipeline. The ADR proposes a two-track approach: adopting agentsh's architectural patterns into Caro's core (regardless of agentsh availability) and optionally routing execution through agentsh when installed.

Motivation

Caro's current safety validation relies on 52+ regex patterns that catch known dangerous commands before execution. However, this approach has fundamental blind spots:

• Pattern evasion through obfuscation or encoding
• No visibility into subprocess behavior after execution
• No runtime governance of actual command behavior
• No structured audit trails for compliance

AgentSH addresses these gaps with syscall-level interception and a richer decision model (allow/deny/approve/redirect/soft_delete) that enables defense-in-depth security for AI agent workflows.

Changes Made

• New file: docs/adr/ADR-015-agentsh-integration.md (385 lines)

  • Comprehensive analysis of AgentSH's security model and how it applies to Caro
  • Eight key architectural patterns to adopt from AgentSH (decision model, redirect steering, subprocess visibility, audit events, checkpoints, policy-as-code, sessions, environment security)
  • Integration architecture diagram showing decision routing to multiple execution backends
  • Four-phase implementation plan (Phase 1: architectural adoption; Phase 2-4: progressive integration)
  • Detailed consequences, trade-offs, and risk analysis
  • Comparison with ADR-010 (bubblewrap sandbox) showing complementary scope
  • Success metrics for measuring adoption and effectiveness

• Updated file: docs/adr/README.md

  • Added ADR-015 entry to the architecture decision records index

Key Architectural Insights

The ADR proposes evolving Caro's binary allowed: bool validation result into a five-way Decision enum:

• Allow: Execute directly
• Deny: Block with reason
• Approve: Require human confirmation
• Redirect: Suggest safer alternative (new)
• SoftExecute: Execute with checkpoint for rollback (new)

This enables "steering" patterns where risky-but-legitimate commands are redirected to safer equivalents rather than blocked outright.

---

Type of Change

• Documentation update (new ADR document)

---

Checklist

Documentation

• ADR follows established format and conventions
• All sections are complete (Context, Decision, Consequences, Alternatives, References)
• Technical diagrams and tables are clear and accurate
• Implementation plan is realistic and phased
• Risk analysis is thorough with mitigation strategies
• Related ADRs (ADR-010, ADR-001) are properly cross-referenced

---

Related Issues and Specs

• Related to ADR-010 (Bubblewrap Sandbox) — complementary execution isolation approach
• Related to ADR-001 (Enterprise/Community Architecture) — enterprise audit and compliance features
• Addresses execution-layer security gaps in Caro's current safety model

---

Additional Context

Technical Decisions

1. Two-track approach: Separates architectural pattern adoption (Phase 1, no dependency) from optional agentsh integration (Phase 2+), reducing risk if agentsh project stalls
2. Complementary to ADR-010: AgentSH provides runtime governance where bubblewrap provides isolation; both can coexist with agentsh as primary and bubblewrap as fallback
3. Phased implementation: Four phases allow incremental value delivery and reduce integration risk
4. Optional dependency: AgentSH is an external Go binary, not a Rust crate, making it a graceful optional feature

Future Work

• Implement Phase 1 (Decision enum, redirect suggestions, environment scrubbing, structured audit)
• Evaluate agentsh API stability before committing to Phase 2
• Develop policy file format and validation
• Create enterprise audit reporting infrastructure (Phase 4)

---

By submitting this PR, I confirm that:

https://claude.ai/code/session_016L7E3aAp1Z3xZVhdaAYF9m

---

Summary by cubic

Adds ADR-015 proposing AgentSH as an optional execution backend and a phased plan to adopt execution-layer security patterns in Caro; updates the ADR index.

^{Written for commit 92c7d9f. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
caro-docs	Ready	Preview, Comment	Feb 27, 2026 11:57pm
caro-foss-website	Error		Feb 27, 2026 11:57pm
caro-slides	Ready	Preview, Comment	Feb 27, 2026 11:57pm
caro-storybook	Ready	Preview, Comment	Feb 27, 2026 11:57pm
cmdai	Error		Feb 27, 2026 11:57pm
cmdai-saas	Ready	Preview, Comment	Feb 27, 2026 11:57pm

[github-actions]

Props for pushing this forward! 👏

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[cubic-dev-ai]

No issues found across 2 files

[Copilot]

Pull request overview

Adds a new architecture decision record (ADR-015) describing an optional integration of AgentSH as an execution-layer security gateway for Caro, plus updates the ADR index to include it.

Changes:

• Added docs/adr/ADR-015-agentsh-integration.md outlining a two-track approach (core pattern adoption + optional agentsh backend) and a phased implementation plan.
• Updated docs/adr/README.md to index ADR-015.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
docs/adr/ADR-015-agentsh-integration.md	New ADR describing execution-layer security integration patterns, architecture, phases, and trade-offs.
docs/adr/README.md	Adds ADR-015 entry to the ADR index table.

[Copilot]

The Context section says agentsh “subsumes sandboxing” (line 24), but later this ADR frames ADR-010 (bubblewrap) as complementary and a fallback. Consider rewording the earlier claim to avoid an internal contradiction (e.g., clarify that agentsh adds runtime governance while sandboxing still provides isolation).

Suggested change

	- ADR-010 proposed bubblewrap sandbox for execution isolation — agentsh is a more complete solution that subsumes sandboxing with runtime policy enforcement
	- ADR-010 proposed bubblewrap sandbox for execution isolation — agentsh complements sandboxing by adding runtime policy enforcement and governance, while sandboxing continues to provide process isolation and serves as a fallback when agentsh is unavailable

[Copilot]

Phase 1 mentions redirect suggestions that “auto-execute”. Auto-executing a replacement command can bypass the human-approval step and could be unsafe for high-risk intents; consider specifying that redirects still require explicit user confirmation (or are represented as an Approve+Redirect flow) before execution.

Suggested change

	2. **Redirect support**: When blocking a command, suggest safer alternatives that auto-execute
	2. **Redirect support**: When blocking a command, suggest safer alternatives that the user can explicitly approve and execute (Approve+Redirect flow), never auto-execute

[Copilot]

The decision model references AgentSH’s soft_delete, but the proposed Decision enum introduces SoftExecute. If this is an intentional divergence, it would help to explicitly document the mapping (AgentSH soft_delete → Caro SoftExecute) or align the naming to reduce confusion for implementers.

Suggested change

	/// Execute but quarantine effects for rollback
	SoftExecute { checkpoint_id: String },
	/// Execute but quarantine effects for rollback (AgentSH `soft_delete`)
	SoftDelete { checkpoint_id: String },

[Copilot]

Phase 2 includes a concrete agentsh invocation (agentsh exec $SID -- <command>). Since this ADR doesn’t cite agentsh’s actual CLI contract, consider labeling this as pseudocode and/or linking to the upstream docs for the exact command format to avoid documenting an incorrect interface.

Suggested change

	4. **Execution routing**: `agentsh exec $SID -- <command>` instead of direct shell
	4. **Execution routing**: Route commands through an agentsh execution session (pseudocode: `agentsh exec $SID -- <command>`; consult the [agentsh documentation](https://github.com/canyonroad/agentsh) for the exact CLI contract) instead of invoking the shell directly.

[Copilot]

The trade-offs list includes specific platform-coverage percentages and a per-execution latency estimate (e.g., “70–90% macOS”, “~50–200ms”). If these numbers aren’t backed by measurements or an upstream reference, consider removing them or explicitly marking them as rough, unverified estimates with a citation link.

Suggested change

	2. **Platform coverage gap**: Full enforcement only on Linux initially (70-90% macOS, 85% Windows)
	3. **Added latency**: Session creation + policy evaluation adds ~50-200ms per execution
	2. **Platform coverage gap**: Full enforcement only on Linux initially; macOS and Windows support are partial and may lag Linux features.
	3. **Added latency**: Session creation and policy evaluation introduce additional latency per execution that must be measured and monitored.

[github-actions]

Website Claims Verification Report

Run ID: 22508530717
SHA: f3d0c7e
Date: 2026-02-28

Platform Results

claims-report-macos-latest

{
  "suite": "website-claims",
  "platform": "macos-latest",
  "timestamp": "2026-02-28T00:02:52Z",
  "passed": 84,
  "skipped": 0,
  "warnings": 1,
  "run_id": "22508530717",
  "sha": "f3d0c7ed431377d4f204f9c6f84953a430bafa1e"
}

claims-report-ubuntu-latest

{
  "suite": "website-claims",
  "platform": "ubuntu-latest",
  "timestamp": "2026-02-28T00:01:13Z",
  "passed": 84,
  "skipped": 0,
  "warnings": 1,
  "run_id": "22508530717",
  "sha": "f3d0c7ed431377d4f204f9c6f84953a430bafa1e"
}

Documentation

• PRD: Website Claims Test Suite
• ADR: Website Claims Verification

Next Steps

1. Review warnings and address any gaps
2. Update website if claims are inaccurate
3. Implement missing features if claims are aspirational