Two layers. First, credential scoping (src/bernstein/core/credential_scoping.py): each agent only sees the env vars it declared it needs, so a docs agent never gets the prod database URL. Second, tool-call approval (src/bernstein/core/approval/): every shell, file-write, network, and MCP call routes through a pluggable approval gate. Defaults are offline-safe (writes inside the worktree are auto-approved; anything else surfaces for a decision). Policy plugins under src/bernstein/plugins/ let you wire in PII gates, license checks, or organisation-specific denylists. The security_review plugin scans the produced diff before merge. Progressive disclosure (plugins/permission_explain.py) shows why approval is being asked for, so you can make an informed decision rather than blanket-approving.
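The two layers above, written out as an added example that is not Bernstein's own code: an env-var filter keyed on what the agent declared, and an approval gate whose single auto-approve rule is "file write that resolves inside the worktree", with policy plugins as plain callables. The names scope_env, ToolCall, ApprovalGate and deny_prod_db are assumptions for this illustration, not identifiers from the project.

```python
"""Added illustration (not Bernstein's code): credential scoping plus a
worktree-bounded approval gate with pluggable policy checks."""
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Mapping, Optional, Sequence, Union


def scope_env(full_env: Mapping[str, str], declared: Sequence[str]) -> dict:
    """Return only the env vars the agent declared; everything else is withheld."""
    wanted = set(declared)
    return {k: v for k, v in full_env.items() if k in wanted}


@dataclass(frozen=True)
class ToolCall:
    kind: str    # "shell" | "file_write" | "network" | "mcp"
    target: str  # path, command line, URL or MCP tool name


# A policy plugin returns a denial reason, or None to let the call through.
Policy = Callable[[ToolCall], Optional[str]]


class ApprovalGate:
    def __init__(self, worktree: Union[str, Path], policies: Sequence[Policy] = ()):
        self.worktree = Path(worktree).resolve()
        self.policies = list(policies)

    def decide(self, call: ToolCall) -> tuple:
        """Return (verdict, reason) with verdict in {'auto', 'surface', 'deny'}."""
        for policy in self.policies:          # denylists run first, and win
            reason = policy(call)
            if reason:
                return "deny", reason
        if call.kind == "file_write":
            # resolve() follows symlinks and collapses "..", and is_relative_to()
            # compares path components, so "/wt2/x" is not inside "/wt".
            target = (self.worktree / call.target).resolve()
            if target.is_relative_to(self.worktree):
                return "auto", f"write inside worktree: {target}"
            return "surface", f"write escapes worktree: {target}"
        # shell, network and MCP calls always surface for a human decision
        return "surface", f"{call.kind} call needs explicit approval: {call.target}"


def deny_prod_db(call: ToolCall) -> Optional[str]:
    """Example organisation denylist plugin (constructed): block the prod DB host."""
    return "prod database host is denied" if "prod-db" in call.target else None
```

Swap the worktree path and the policy list for your own; the gate never auto-approves anything except writes that resolve inside that directory.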
canonical answer