FabricHarness
Reference

Security Hardening

Checklist before promoting an agent to production.

The full hardening notes live in the repo at docs/security-hardening.md. This page is the short-form checklist.

Secrets

  • Never paste keys into source files or session artifacts.
  • Use secret() and resolveSecret() to keep credentials out of model context.
  • Load .env files only through --env; variables already set in the shell environment always take precedence.
  • Scope command env via defineCommand('cmd', { env: { ... } }).

Capability scoping

  • Only declare commands the agent actually needs.
  • Prefer narrow filesystem scopes: /workspace/src/**, not /workspace/**.
  • Gate destructive actions (git push, npm publish, terraform apply) behind session.approval.request().
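As an added illustration (not FabricHarness code; the real secret(), defineCommand() and session.approval.request() shapes are not reproduced here), a self-contained JavaScript model of the rules in the two sections above: undeclared commands are refused, paths outside the declared filesystem scope are refused, the destructive commands named above are routed to approval instead of being run, and secret references resolve from the shell environment only at execution time.

```javascript
// Added example, not FabricHarness code: a minimal model of capability scoping.
// Commands the agent may run are declared up front with a narrow filesystem
// scope and an env map whose values are secret *references*, never values.
const DESTRUCTIVE = new Set(['git push', 'npm publish', 'terraform apply']);

// Compile a glob such as /workspace/src/** into a RegExp ('**' spans
// directories, a single '*' stays within one path segment).
function scopeToRegExp(glob) {
  const re = glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')   // escape regex metacharacters
    .replace(/\*\*/g, '\u0000')             // protect '**' from the next step
    .replace(/\*/g, '[^/]*')
    .replace(/\u0000/g, '.*');
  return new RegExp('^' + re + '$');
}

// A secret reference: the model context only ever sees the variable name.
function secret(name) { return { secretRef: name }; }

// Resolve references at execution time against the (shell) environment, so
// the real value never lands in a source file or session artifact.
function resolveEnv(env, processEnv = process.env) {
  const out = {};
  for (const [key, value] of Object.entries(env)) {
    out[key] = value && value.secretRef ? processEnv[value.secretRef] : value;
    if (out[key] === undefined) throw new Error(`unresolved secret for ${key}`);
  }
  return out;
}

// Decide what a requested invocation may do under the declarations.
// Returns 'deny', 'approve' (route through an approval request) or 'run'.
function evaluate(commands, request) {
  const decl = commands[request.name];
  if (!decl) return 'deny';                                  // not declared
  const scope = scopeToRegExp(decl.fs);
  if (!request.paths.every((p) => scope.test(p))) return 'deny'; // out of scope
  const cmdline = [request.name, ...request.args].join(' ');
  const destructive = [...DESTRUCTIVE].some((d) => cmdline.startsWith(d));
  return destructive ? 'approve' : 'run';
}

// Constructed sample declarations: only git and npm, scoped to /workspace/src.
const commands = {
  git: { fs: '/workspace/src/**', env: { GIT_TOKEN: secret('GIT_TOKEN') } },
  npm: { fs: '/workspace/src/**', env: {} },
};
// evaluate(commands, { name: 'git', args: ['push'], paths: ['/workspace/src/a.js'] }) -> 'approve'
```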

Network

  • Default to allowlist egress.
  • For Cloudflare deployments, prefer routes scoped to the agent path.
  • For Foundry Hosted Agents, configure BYO VNet egress where possible.

Build-time integrity

  • Emit SBOMs on every build (--sbom, --image-sbom).
  • Emit provenance and attestation (--provenance, --attestation).
  • Sign with cosign (--sign-provenance).
  • Verify in deploy with fh verify-attestation / fh verify-provenance.

Runtime

  • Require authentication on the fh dev server and the Node target via --auth-token-env.
  • Set --max-body-bytes to bound payload sizes.
  • Set --rate-limit-window-ms and --rate-limit-max per IP.
  • Run sandboxes with the least permissive backend that still works (prefer empty over local, local over docker, docker over host).

Audit

  • Keep session stores; don't disable them in production.
  • Use compaction sparingly — keep the active path long enough for audit needs.
  • Log the Entra Agent ID and the on-behalf-of identities on Foundry deployments.