AI Agent Access & Risk Assessment
Overview
This document summarises the access levels and risk profiles of the AI tools used in MCC Systems development, so remediation options are understood without needing to rediscover them.
Weekly Automated Agents
Scripts: weekly-ai-review.mjs, weekly-doco-review.mjs
Risk: Very low. These are read-only reporters. They scan local files, call the Anthropic Claude API, and output a markdown report. They cannot modify code, write to the database, deploy anything, or make network calls beyond the Anthropic API. Worst case: a bad report or a spurious GitHub Issue.
Claude.ai (Web Interface)
Risk: Low, but not zero. Claude.ai has MCP connectors to Supabase, Google Drive, Gmail, Google Calendar, Vercel, and Shopify. The Supabase connector is technically capable of write operations (INSERT, UPDATE, DELETE, ALTER, etc.) — the restriction to SELECT-only is enforced by procedural rules in the project instructions, not by a technical constraint on the connector itself. The same applies to other connectors (e.g. could theoretically send emails via Gmail, modify Drive files, or trigger Vercel deployments).
Mitigation in place: Interactive — Glenn reviews all actions in real time.
Possible hardening: Create a read-only Supabase database role and use its credentials for the MCP connector, so write operations are technically impossible regardless of instructions.
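The hardening above can be made concrete with a dedicated Postgres role. The following is an added example, not part of the original document or of any MCC script: it creates a login role for the MCP connector that can only SELECT, and then checks that a write is actually refused. The role name `mcp_readonly`, the placeholder password, the `public` schema, the database name `postgres` and the table `public.orders` used in the check are all assumptions; adjust them to the project.

```sql
-- Added example (not MCC's own code): a SELECT-only Postgres role for the
-- Claude.ai Supabase MCP connector. Run as the database owner/admin role.
-- Assumptions: role name mcp_readonly, database "postgres", schema "public",
-- and a table public.orders that exists for the final check.

-- 1. A login role with every escalation flag switched off.
create role mcp_readonly login password 'REPLACE_WITH_STRONG_PASSWORD'
  nosuperuser nocreatedb nocreaterole noinherit nobypassrls;

-- 2. Connection and schema visibility, and nothing else.
grant connect on database postgres to mcp_readonly;
grant usage on schema public to mcp_readonly;
revoke create on schema public from mcp_readonly;

-- 3. SELECT on what exists today ...
grant select on all tables in schema public to mcp_readonly;
grant select on all sequences in schema public to mcp_readonly;

-- ... and on tables created later, so new tables are covered automatically.
alter default privileges in schema public
  grant select on tables to mcp_readonly;

-- 4. Defence in depth: every transaction this role opens starts read-only and
-- cannot run for long. The session can still override these settings, so
-- the grants above are the real control; these just narrow the mistake
-- surface.
alter role mcp_readonly set default_transaction_read_only = on;
alter role mcp_readonly set statement_timeout = '30s';

-- 5. Verify the restriction is technical, not procedural: impersonate the
-- role and confirm an INSERT is rejected. Membership is granted to the
-- admin session only so that SET ROLE works for this check.
grant mcp_readonly to current_user;

do $$
begin
  set local role mcp_readonly;
  begin
    insert into public.orders default values;
    -- If we reach this line the grants are wrong; fail loudly.
    raise exception 'mcp_readonly was able to INSERT - review grants';
  exception
    when insufficient_privilege or read_only_sql_transaction then
      raise notice 'ok: write rejected for mcp_readonly (%)', sqlerrm;
  end;
  reset role;
end $$;
```

Point the MCP connector at a connection string that logs in as `mcp_readonly` rather than the service role. Two caveats a practitioner should check: tables with Row Level Security enabled will show this role only the rows its policies permit (a plain role has no policies unless you write them), and any SECURITY DEFINER function the role can execute runs with its owner's privileges, so review or revoke EXECUTE on functions that write.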
Claude Code (VS Code Extension)
Risk: Moderate. Claude Code has the broadest access of all three:
- Full filesystem read/write on Glenn's machine
- Can run arbitrary PowerShell commands
- Has access to environment variables, including Supabase service role keys for both dev and prod
- Can run `supabase` CLI commands (deploy Edge Functions, execute migrations, run raw SQL)
- Can commit and push to GitHub
- Can deploy Edge Functions to production via `deploy-edge-prod.ps1`
- Can run `deploy-prod.ps1` for database migrations against production
Mitigations in place: Procedural, operating in two layers:
- Instructional discipline (upstream). CC does not operate on intent or improvisation. Every instruction file produced in Claude.ai specifies exact before/after code snippets, names reference files explicitly, and scopes each step to a single modification group. CC is expected to execute exactly what's written — not interpret goals, add "improvements," or make scope decisions on its own. If CC encounters something unexpected (file doesn't match the snippet, an unanticipated dependency surfaces, a step would touch files outside the stated scope), it must stop and report back rather than work around it. This means any deviation from the plan is visible at the next report-back, rather than buried in a larger autonomous change.
- Report-back checkpoints (downstream). CC operates interactively with mandatory stop-and-report gates between steps. Glenn reviews every report-back before authorising the next step. CC does not commit, push, or deploy to production until Glenn explicitly says "commit, push and make live."
Together, these layers minimise blast radius: the first constrains what CC is allowed to do, and the second ensures Glenn sees what CC actually did before anything consequential proceeds.
Key risk scenario: If Glenn gives CC a large instruction file and does not review report-backs before authorising continuation, CC could theoretically make unintended changes — including to production. The instructional discipline reduces the likelihood of unintended changes, but does not eliminate it; the report-back discipline is what catches them.
Hardening Option (Not Currently Implemented)
What: Scope CC's Supabase credentials to dev-only, so it has no technical ability to touch production — even if instructed to.
Trade-off: Glenn would need to run production deployment commands manually in PowerShell:
- `.\scripts\deploy-edge-prod.ps1 <function-name>` for Edge Function deploys
- `.\scripts\deploy-prod.ps1` for database migrations
- `git push` for triggering Vercel production builds
Currently, Glenn delegates these to CC as the final step of a development cycle ("commit, push and make live"). Hardening would remove this convenience.
Assessment (April 2026): The procedural guardrails (instructional discipline + report-back checkpoints, with Glenn always in the loop before prod deployment) are considered sufficient for now. The risk is acknowledged and this document exists so hardening can be implemented at any time without rediscovery.
Comparison to Autonomous Agents (e.g. OpenClaw)
The critical difference between the MCC tools and autonomous agent frameworks is supervision. Claude.ai and Claude Code operate interactively with human confirmation before consequential actions. The weekly agents are read-only. An autonomous agent like OpenClaw, by contrast, can execute multi-step workflows unsupervised with broad permissions — meaning a hallucination or prompt injection could result in data changes, deployments, or external API calls without human review.