4. Safe Space
Blast-radius containment, so "going wrong" has bounded cost.
Max: 28 points (PL4-branch-protection and PL4-agent-invokable-rollback are max 2)
Blast-radius containment: if the agent goes wrong, the damage is bounded. The containment is what lets the agent operate freely; the tighter the bound on the worst case, the wider the remit that can safely be granted.
Safety is a composition of mechanisms, not a single gate. Human-in-the-loop review, deterministic policy gates, metric-gated progression, capability scoping, dry-run defaults, and audit with fast rollback each bound a different failure mode; the agent operates freely when these layers compose, so that no single layer failing removes the bound on cost.
Ordered as environment isolation → permissions and data boundaries → release safety → cost → memory governance.
Criteria in this pillar
- PL4-environment-isolation — Environment isolation
- PL4-least-privilege — IAM scoped read-only by default
- PL4-branch-protection — Branch protection and source-control write scoping
- PL4-prompt-injection-defence — Prompt injection defence at ingestion boundary
- PL4-egress-capability-scoping — Egress capability scoping at emission boundary
- PL4-release-strategy — Canary / blue-green / partial release
- PL4-agent-invokable-rollback — Rollback is trivial and agent-invokable
- PL4-cost-governance — Operating cost is observable, capped, and attributed
- PL4-memory-safety — Memory safety (governance of the agent's memory, the last stage in the ordering above)
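To make the "layers compose" point concrete, here is an added example, not code from this rubric or from any project it scores, of a deterministic policy gate in front of an agent's tool calls. It composes four of the criteria above: capability scoping that is read-only by default (PL4-least-privilege), an exact-host egress allowlist checked where the request leaves the agent (PL4-egress-capability-scoping), a dry-run default for writes, and an audit trail with an undo stack so rollback is one call the agent itself can make (PL4-agent-invokable-rollback). Every name in it (`Capability`, `PolicyGate`, the tool names, the hostnames, the in-memory `store` standing in for a repository) is a hypothetical construction for illustration.

```python
"""Added example (not part of this rubric): a deterministic policy gate that
composes several PL4 mechanisms in front of an agent's tool calls. All names
(Capability, PolicyGate, the tool names and hosts) are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable
from urllib.parse import urlparse


class Capability(Enum):
    READ = "read"
    WRITE = "write"
    EGRESS = "egress"


@dataclass
class Action:
    tool: str           # e.g. "fs.read", "fs.write", "http.post"
    needs: Capability   # capability the tool call requires
    target: str         # file path or URL


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    dry_run: bool = False


@dataclass
class PolicyGate:
    # PL4-least-privilege: read-only by default; WRITE/EGRESS need an explicit grant.
    granted: set = field(default_factory=lambda: {Capability.READ})
    # PL4-egress-capability-scoping: exact-host allowlist checked at the emission boundary.
    egress_allow: frozenset = frozenset()
    # Dry-run default: writes are decided and logged but not applied until live=True.
    live: bool = False
    # Audit trail plus an undo stack, so PL4-agent-invokable-rollback is one call.
    audit: list = field(default_factory=list)
    undo_stack: list = field(default_factory=list)

    def evaluate(self, action: Action) -> Decision:
        if action.needs not in self.granted:
            return Decision(False, f"capability {action.needs.value} not granted")
        if action.needs is Capability.EGRESS:
            host = urlparse(action.target).hostname or ""
            if host not in self.egress_allow:
                return Decision(False, f"egress to {host!r} not on allowlist")
        if action.needs is Capability.WRITE and not self.live:
            return Decision(True, "dry-run: write recorded, not applied", dry_run=True)
        return Decision(True, "allowed")

    def execute(self, action: Action, apply: Callable[[], None],
                undo: Callable[[], None]) -> Decision:
        d = self.evaluate(action)
        self.audit.append((action.tool, action.target, d.allowed, d.reason))
        if d.allowed and not d.dry_run:
            apply()
            if action.needs is Capability.WRITE:
                self.undo_stack.append(undo)
        return d

    def rollback(self) -> int:
        """Undo every applied write, newest first; returns the count undone."""
        n = 0
        while self.undo_stack:
            self.undo_stack.pop()()
            n += 1
        self.audit.append(("rollback", "", True, f"undid {n} writes"))
        return n


def demo() -> dict:
    """Scripted run over constructed in-memory state standing in for a repo."""
    store = {"config.yaml": "replicas: 1"}
    gate = PolicyGate(egress_allow=frozenset({"api.internal.example"}))

    def noop() -> None:
        return None

    def write(path: str, value: str):
        prev = store.get(path)  # captured before apply() runs so undo restores it
        def apply(): store[path] = value
        def undo():
            if prev is None: store.pop(path, None)
            else: store[path] = prev
        return Action("fs.write", Capability.WRITE, path), apply, undo

    post = lambda url: Action("http.post", Capability.EGRESS, url)
    out = {}
    out["read"] = gate.execute(Action("fs.read", Capability.READ, "config.yaml"), noop, noop).allowed
    out["write_ungranted"] = gate.execute(*write("config.yaml", "replicas: 3")).allowed
    gate.granted.add(Capability.WRITE)
    d = gate.execute(*write("config.yaml", "replicas: 3"))
    out["write_dry_run"] = (d.allowed, d.dry_run, store["config.yaml"])  # state untouched
    out["egress_ungranted"] = gate.execute(post("https://api.internal.example/x"), noop, noop).allowed
    gate.granted.add(Capability.EGRESS)
    out["egress_offlist"] = gate.execute(post("https://attacker.example/exfil"), noop, noop).reason
    out["egress_onlist"] = gate.execute(post("https://api.internal.example/x"), noop, noop).allowed
    gate.live = True
    gate.execute(*write("config.yaml", "replicas: 3"))
    out["applied"] = store["config.yaml"]
    out["rolled_back"] = gate.rollback()
    out["restored"] = store["config.yaml"]
    out["audit_entries"] = len(gate.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ordering inside `evaluate` is the design point: a missing capability is refused before the egress allowlist or the dry-run flag is consulted, the allowlist matches exact hostnames rather than substrings or wildcards, and every decision (including a refusal and the rollback itself) lands in the audit trail, so a later reviewer can reconstruct what the agent tried, not only what it did.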