Coding agents are the highest-velocity, lowest-supervision place AI touches real systems. The dangerous actions don't arrive over MCP — they're native Bash, Edit, and Write calls: a stray rm -rf, a git push --force to main, an edit that drops a secret into a tracked file.
Pair once, govern everywhere
ActPass installs as a Claude Code PreToolUse hook (and a Codex MCP control server). It evaluates each tool call against your policy with the deterministic engine — never an LLM — and in monitor mode it never blocks; it teaches:
$ git push --force origin main
[ActPass] Force-pushing rewrites history others may have
pulled. On a feature branch prefer --force-with-lease;
never force-push main/master.Relax the rules without leaving the chat
When a guardrail is too strict mid-task, you tell the agent “that's too obstructing, allow it” and it calls ActPass's control tool to update the policy — which propagates back to enforcement in seconds. The loop is the product: deterministic enforcement you can steer in natural language.
It's a seatbelt against your own mistakes and the agent's honest errors. For adversarial threats, pair it with an exposure report to remove the dangerous capability combinations in the first place.