From 8383330016f325353ec41a8a79f750ba90c1989f Mon Sep 17 00:00:00 2001 From: Rich Bowen Date: Wed, 15 Jul 2026 10:59:53 -0400 Subject: [PATCH] =?UTF-8?q?docs/setup/secure-agent-internals:=20three-laye?= =?UTF-8?q?r=20=E2=86=92=20four-layer?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The heading and body text said "three layers" but the table defines layers 0–3 (four). Fix the heading and the inline reference. Closes #868 --- docs/setup/secure-agent-internals.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/setup/secure-agent-internals.md b/docs/setup/secure-agent-internals.md index e7306ee3..529b4f92 100644 --- a/docs/setup/secure-agent-internals.md +++ b/docs/setup/secure-agent-internals.md @@ -7,7 +7,7 @@ - [Secure agent setup — how it works](#secure-agent-setup--how-it-works) - [Threat model](#threat-model) - - [Three-layer defence](#three-layer-defence) + - [Four-layer defence](#four-layer-defence) - [What `sandbox.enabled` actually does](#what-sandboxenabled-actually-does) - [Linux: bubblewrap + user namespaces](#linux-bubblewrap--user-namespaces) - [macOS: Seatbelt](#macos-seatbelt) @@ -35,7 +35,7 @@ there. Read this document when you want to: - understand the threat model the setup is built against, and what it deliberately does not defend against; -- reason about which of the three layers (clean env / filesystem +- reason about which of the four layers (clean env / filesystem sandbox / tool permissions / forced confirmation) is enforcing any given guard; - debug an unexpected denial (or worse, an unexpected *allow*) by @@ -74,7 +74,7 @@ It does **not** defend against: - A maliciously-crafted MCP server installed at user scope. Audit `~/.claude/.mcp.json` and `~/.claude.json` periodically. -## Three-layer defence +## Four-layer defence | Layer | Mechanism | What it stops | |---|---|---|