Danger Zones
A danger zone is a node — function, class, route, or table — that you’ve marked as off-limits for unsupervised AI modification.
zone_guard watches every MCP tool call. When a proposed action would reach a marked node (directly or through the call graph), it fires before execution and asks for permission.
The problem it solves
Section titled “The problem it solves”AI coding agents work fast. Too fast, sometimes. An agent refactoring UserService doesn’t automatically know that processPayment three hops downstream is a payment-critical function that touches live Stripe charges.
Danger zones make that knowledge explicit and enforced — not just in a comment, but in the MCP layer itself.
What “intercept” means
Section titled “What “intercept” means”zone_guard doesn’t check after the fact. It traces forward from the tool call’s target through the call graph before execution, detects a danger zone in the path, and blocks.
The AI sees an interception message with the blast radius and cannot proceed without your yes.
Marking nodes
Section titled “Marking nodes”zone_guard(action="mark", node="processPayment")zone_guard(action="mark", node="db.migrate")zone_guard(action="mark", node="AuthGuard")Safe zone / Danger zone model
Section titled “Safe zone / Danger zone model”The mental model is a split workspace:
- Safe zone — everything the AI can touch freely
- Danger zone — nodes where
zone_guardfires first
You define the boundary. The graph enforces it.
Recommended nodes to mark
Section titled “Recommended nodes to mark”- Payment execution functions
- Auth middleware and session logic
- Database migration runners
- Webhook handlers with external side effects
- Anything tied to PII or compliance requirements