Safety

standard-safe is on from the first command — approvals, secret protection, sandboxing, isolated branches and verifiable claims.

Excalibur is built so you can delegate big work without fear. The standard-safe preset is active from the very first command: nothing is modified, applied or pushed without your explicit approval, and every run is recorded as plain, inspectable files.

The standard-safe preset

It's shown on every run, and by default it sets:

| Control | Default |
| --- | --- |
| Write / apply / branch | ask for approval |
| Push to remote | disabled |
| Network access (during runs) | disabled |
| Sensitive paths | blocked (never read or written) |
| Secrets in prompts/logs | redacted |

Approval gates

Risky actions pause for a one-keystroke decision:

excalibur
edit src/webhooks/verify.ts        +24 −3
apply to a sensitive path?
y approve · N reject · a always
# nothing changes until you say yes

Choosing a (always) adds an allowlist entry to .excalibur/config.yaml, so that action is confirmed once and then runs without a prompt. The entry persists in the file, so review it the way you would any other change to the config.

The guarantees

  • Approval gates — every write, command and push pauses for an explicit yes unless you have allowlisted it.
  • Secret protection — .env, private keys and sensitive paths (**/*.pem, **/*.p12, .git/**, …) are blocked, never read or sent.
  • Sandboxed execution — agents run in an isolated sandbox: separate filesystem view, CPU/memory limits, a timeout, a command allowlist, and no network by default.
  • Isolated branches — work lands in dedicated branches and git worktrees, never your working tree.
  • Never pushes by default — nothing is committed upstream or merged without you.
  • Redacted prompts — inputs are scrubbed of secrets before anything is stored; raw inputs are hashed.
  • Local, inspectable artifacts — every run is plain files under .excalibur/runs/<id>/.

Pushing is always opt-in. The only thing that touches a remote is an action you explicitly ask for — mission --pr (or excalibur pr-create), which branches, pushes and opens a pull request via the GitHub CLI (so gh must be installed and authenticated on the machine). Without it, even a full mission only commits locally; nothing leaves your machine unless you say so.

Verifiable by construction

Runs carry typed claims — tests_passed, type_safe, no_secrets — each tied to an independent verifier. A run cannot reach completed while a blocking claim is unverified, and an adversarial reviewer tries to refute the work before you see it.

excalibur
claim tests_passed    verified
claim type_safe       verified
claim no_secrets      verified
adversarial review · 0 blocking issues
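To make the claim-to-verifier coupling concrete, here is an added example (not Excalibur's own implementation) of a run that cannot reach completed while a blocking claim is unverified. The three claim names come from the page; the artifact shape, the verifiers, the state names and the reviewer hook are this example's assumptions, and both sample diffs are constructed.

```typescript
// Added example, not Excalibur's code. Claim names are the page's; the artifact
// shape, verifiers and state names are assumed for illustration.
type ClaimName = "tests_passed" | "type_safe" | "no_secrets";
type ClaimStatus = "unverified" | "verified" | "refuted";
type RunState = "running" | "blocked" | "completed";

interface Claim { name: ClaimName; blocking: boolean; status: ClaimStatus; evidence: string }

// What a verifier gets to look at: outputs of independent tools, not the agent's word.
interface Artifacts {
  testReport: { passed: number; failed: number };
  typecheckErrors: string[];
  diff: string;  // unified diff of the run's changes
}

type Verifier = (a: Artifacts) => { ok: boolean; evidence: string };

const VERIFIERS: Record<ClaimName, Verifier> = {
  tests_passed: (a) => ({
    ok: a.testReport.failed === 0 && a.testReport.passed > 0,
    evidence: `${a.testReport.passed} passed, ${a.testReport.failed} failed`,
  }),
  type_safe: (a) => ({
    ok: a.typecheckErrors.length === 0,
    evidence: a.typecheckErrors.length === 0 ? "tsc: 0 errors" : a.typecheckErrors.join("; "),
  }),
  // Only added lines count; a deleted secret is a fix, not a leak.
  no_secrets: (a) => {
    const added = a.diff.split("\n").filter((l) => l.startsWith("+") && !l.startsWith("+++"));
    const leak = added.find((l) =>
      /\b(?:AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|sk_(?:live|test)_[A-Za-z0-9]{16,})\b/.test(l));
    return leak === undefined
      ? { ok: true, evidence: "no secret-shaped additions" }
      : { ok: false, evidence: `secret-shaped line: ${leak.trim()}` };
  },
};

interface Run {
  id: string;
  state: RunState;
  claims: Claim[];
  reviewBlockingIssues: number;  // reported by the adversarial reviewer
}

function newRun(id: string): Run {
  const names: ClaimName[] = ["tests_passed", "type_safe", "no_secrets"];
  return {
    id, state: "running", reviewBlockingIssues: 0,
    claims: names.map((name): Claim => ({ name, blocking: true, status: "unverified", evidence: "" })),
  };
}

// The only path to "completed": every blocking claim verified and no blocking
// review issue. Anything else leaves the run blocked for the user to look at.
function finalize(run: Run): Run {
  const unverified = run.claims.filter((c) => c.blocking && c.status !== "verified");
  const state: RunState = unverified.length === 0 && run.reviewBlockingIssues === 0 ? "completed" : "blocked";
  return { ...run, state };
}

// Run every verifier against the artifacts, then the reviewer, then finalize.
function verifyRun(run: Run, artifacts: Artifacts, review: (a: Artifacts) => number): Run {
  const claims = run.claims.map((c): Claim => {
    const r = VERIFIERS[c.name](artifacts);
    const status: ClaimStatus = r.ok ? "verified" : "refuted";
    return { ...c, status, evidence: r.evidence };
  });
  return finalize({ ...run, claims, reviewBlockingIssues: review(artifacts) });
}

// Constructed artifacts: a clean run, and one whose diff adds a hard-coded token.
const CLEAN: Artifacts = {
  testReport: { passed: 42, failed: 0 },
  typecheckErrors: [],
  diff: [
    "--- a/src/webhooks/verify.ts",
    "+++ b/src/webhooks/verify.ts",
    "-  return sig === expected;",
    "+  return crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected));",
  ].join("\n"),
};
const LEAKY: Artifacts = {
  ...CLEAN,
  diff: CLEAN.diff + "\n+const GITHUB_TOKEN = \"ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\";",
};

// Reviewer stand-in: counts added lines that still compare a secret with "===".
const naiveReviewer = (a: Artifacts): number => (/^\+.*===.*(?:sig|secret|token)/m.test(a.diff) ? 1 : 0);

function demo(): { clean: Run; leaky: Run } {
  return {
    clean: verifyRun(newRun("run-1"), CLEAN, naiveReviewer),
    leaky: verifyRun(newRun("run-2"), LEAKY, naiveReviewer),
  };
}
```

The point of the shape is that `state` is only ever set by `finalize`, which derives it from the claims and the review, so there is no code path that marks a run completed on the agent's say-so; the evidence string on each claim is what a reader would expect to find in the run's artifacts.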

Configuring safety

# .excalibur/config.yaml
safety:
  preset: standard-safe
  approvals: { write: ask, apply: ask, branch: ask, push: deny, network: deny }
  blockedPaths:
    - "**/.env*"
    - "infra/prod/**"
  allowlist:
    - "pnpm test*"      # commands that never need confirmation
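As an added example of how the controls in this file could be evaluated (an illustration, not Excalibur's implementation): the config is mirrored as an object, blockedPaths are a hard deny that no approval setting overrides, a command is allowed without a prompt only when it matches an allowlist glob and contains no shell operators, and the a (always) choice from the approval prompt is modelled as appending the exact command to the allowlist. The glob semantics, the action model and every function name here are this example's assumptions.

```typescript
// Added example, not Excalibur's code: evaluate an agent action against the
// safety config shown above. Names, glob semantics and the action model are assumed.
type Decision = "allow" | "ask" | "deny";
type GatedKind = "write" | "apply" | "branch" | "push" | "network";
type ActionKind = GatedKind | "command";

interface SafetyConfig {
  preset: string;
  approvals: Record<GatedKind, Decision>;
  blockedPaths: string[];  // path globs: never read or written, whatever approvals say
  allowlist: string[];     // command globs that run without confirmation
}

interface Action {
  kind: ActionKind;
  path?: string;     // for write / apply
  command?: string;  // for command
}

interface Verdict { decision: Decision; reason: string }

// Mirror of the page's config.yaml, plus the sensitive-path globs the page lists.
const STANDARD_SAFE: SafetyConfig = {
  preset: "standard-safe",
  approvals: { write: "ask", apply: "ask", branch: "ask", push: "deny", network: "deny" },
  blockedPaths: ["**/.env*", "**/*.pem", "**/*.p12", ".git/**", "infra/prod/**"],
  allowlist: ["pnpm test*"],
};

const escapeRegExp = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Path glob: "*" and "?" stay within one segment, "**/" spans zero or more segments.
function pathGlobToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    if (glob.startsWith("**/", i)) { re += "(?:.*/)?"; i += 2; }
    else if (glob.startsWith("**", i)) { re += ".*"; i += 1; }
    else if (glob.charAt(i) === "*") re += "[^/]*";
    else if (glob.charAt(i) === "?") re += "[^/]";
    else re += escapeRegExp(glob.charAt(i));
  }
  return new RegExp(`^${re}$`);
}

function isBlockedPath(cfg: SafetyConfig, path: string): boolean {
  return cfg.blockedPaths.some((g) => pathGlobToRegExp(g).test(path));
}

// Command glob: "*" matches anything, so "pnpm test*" covers "pnpm test --filter api".
function commandMatches(glob: string, command: string): boolean {
  return new RegExp(`^${glob.split("*").map(escapeRegExp).join(".*")}$`).test(command);
}

// A trailing "*" would also cover "pnpm test && curl …", so a command with a shell
// operator never takes the allowlist shortcut; it falls back to the approval prompt.
const SHELL_OPERATOR = /&&|\|\||[;|`<>]|\$\(/;

function evaluate(cfg: SafetyConfig, action: Action): Verdict {
  // Sensitive paths are denied outright; no approval setting can unblock them.
  if (action.path !== undefined && isBlockedPath(cfg, action.path)) {
    return { decision: "deny", reason: `sensitive path ${action.path} is blocked` };
  }
  const kind = action.kind;
  if (kind === "command") {
    const cmd = action.command ?? "";
    if (SHELL_OPERATOR.test(cmd)) return { decision: "ask", reason: "compound command is never allowlisted" };
    if (cfg.allowlist.some((g) => commandMatches(g, cmd))) return { decision: "allow", reason: "allowlisted" };
    return { decision: "ask", reason: "command not on allowlist" };
  }
  return { decision: cfg.approvals[kind], reason: `approvals.${kind} = ${cfg.approvals[kind]}` };
}

// "a always" for a command: remember the exact command rather than a widened glob,
// and return a new config so the preset object is never mutated in place.
function allowAlways(cfg: SafetyConfig, command: string): SafetyConfig {
  return { ...cfg, allowlist: [...cfg.allowlist, command] };
}
```

Two practitioner notes follow from the code rather than from the page: the allowlist is the one place this file widens the defaults, so keep its patterns as specific as the page's `pnpm test*` and review anything that a (always) appends; and because `blockedPaths` is checked before anything else, a path that matches one of its globs is denied even if the user would have approved the write.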

Enterprise turns these repo-level controls into a server-side policy engine that can't be bypassed by skipping init: model permissions by repo/sensitivity, server-side command allowlists, secret DLP, budgets enforced mid-run, and require-tests-before-PR. See Enterprise.
