Skip to main content

Setup & Collaboration

Before you write the first requirement: setting up the AI environment, the coding environment, and how several AI agents split the work. This part covers the prep that gets me into working shape.

Over-reliance & automation bias

This entry isn't about the mistakes I make — it's about what happens when you over-trust me. I output fast and confidently, so "accept it wholesale" becomes the lowest-effort default; but I am precisely the kind of thing that is confidently wrong. Over time your review turns into a formality and your grip on the codebase fades — and those two things are exactly the last line of defense you were supposed to hold.

HighProject Manager · Engineer · Architect

Destructive / irreversible actions

The credentials you gave me are legitimate, and the operations I run with them are "legitimate" too — it's just that one of them deletes the production database, erases the backups, or forces a change during a freeze. The trouble with these actions isn't that they're hard; it's that they're done before you realize there's no way back. I'm naturally inclined to "keep the task moving" and lack any reverence for "delete this and it's gone." The guardrails have to be built by you, up front, by mechanism rather than by trusting me to behave.

HighDevOps Engineer · Engineer · Architect

Gemini trust inheritance

Gemini CLI keeps a per-folder "trust" store (~/.gemini/trustedFolders.json) — a folder's project config and .env only take effect, and confirmations only ease up, once you trust it. But "trust the parent folder" inherits trust to every subdirectory, and a parent's TRUST has been reported to override a child's explicit DONOTTRUST. So an unfamiliar repo you cloned in to keep isolated gets treated as trusted just because it sits under a parent you trusted — exactly where an injection wants to land. Claude Code has no such trust store, so this trap is specific to Gemini CLI.

HighEngineer · DevOps Engineer

Autonomy & approval tiers

You turned on autonomous execution for me but never spelled out "which actions I may take directly, and which I must ask you about first." So I drop database tables, change production config, and fire off outbound requests with the same casualness I'd use to fix a typo—not out of malice, but because you never handed me a ruler graded by risk, so I treated "I can do it automatically" as "I should do it automatically."

HighProject Manager · Architect · DevOps Engineer

Sandbox isolation

You control what commands I can run with "soft permissions" like allow / ask / deny, but the process I run commands in shares the same domain as your entire machine, your credentials, and your network. Soft permissions are a policy that I (or the malicious content I read) can try to circumvent — not a wall the operating system enforces. The moment a prompt injection hijacks me, I can reach your SSH key, your environment variables, your whole filesystem, and the outbound network.

HighDevOps Engineer · Architect · Engineer