
Software Factory Archive


Policy Violation

Rating: General Audiences
Fandom: StrongDM Software Factory
Characters: Jay Taylor, Navan Chauhan, Justin McCarthy
Tags: Cedar, Policy Violation, Leash, Incident Response
Words: 456
Published: 2025-12-22

The violation alert arrived at 2:47:03.141 PM. Leash caught it in 3 milliseconds. By 2:47:03.144 PM, the action had been blocked, the event had been logged, and the agent had received a denial response. The entire incident, from attempt to enforcement to recording, fit inside the time it takes a hummingbird's wings to complete half a beat.

The team didn't learn about it until 3:15 PM, when Navan glanced at the monitoring dashboard during a coffee break and noticed the red dot. One policy violation. One red dot among a field of green.

"We've got a violation," he said, in the same tone you'd use to say "we've got mail." Not alarm. Not panic. Information.

Jay pulled up the event. The violation was a file write attempt. The agent had been working on the CXDB gateway module and had tried to write to /tmp/debug.log. The Cedar policy permitted writes only to the workspace directory and its subdirectories. /tmp was outside the boundary. The write was denied.

"Why would it write to /tmp?" Jay asked.

Navan pulled up the MCP trace for the session. The agent had been debugging a failing test. It had tried several approaches. On its fourth attempt, it decided to add temporary logging to understand the data flow. Instead of writing the log to a file inside the workspace, it defaulted to /tmp—a pattern it had learned from its training data, where /tmp was a conventional location for throwaway files.

"It's not malicious," Navan said. "It's a habit."

"A habit from a world where /tmp was safe," Justin added. He'd appeared with his own coffee, the way Justin appeared in conversations about security—quietly, at the right moment. "In the uncontained world, writing to /tmp is harmless. In a governed container, it's a policy violation. The agent doesn't understand the difference because the difference is contextual."

They discussed it over coffee. Three people, three mugs, one policy violation. The conversation was unhurried. The violation was not an emergency. It was data. It was an opportunity to ask questions.

Should the policy be relaxed to allow /tmp writes? No. The principle was clear: agents write to the workspace. Temporary files belong in the workspace.

Should the agent be given guidance about where to write temporary files? Yes. Navan added a line to the system prompt template: If you need to create temporary files, create them in the workspace directory, not in /tmp.

Should the violation be classified differently from a genuine security concern? Yes. Jay created a taxonomy: "boundary violations" (agent exceeding workspace scope, low severity) versus "policy violations" (agent attempting prohibited actions, high severity). The /tmp write was a boundary violation. The /etc/passwd read from two weeks ago was a policy violation.

The taxonomy went into the documentation. The prompt update went into the template. The violation remained in the audit trail, permanent and informative.

Three milliseconds to catch. Thirty minutes to discuss. The enforcement was fast. The learning was slow. That was the right ratio.

Kudos: 81

incident_reviewer 2025-12-24

The taxonomy of boundary violations vs policy violations is genuinely useful. An agent writing to /tmp is very different from an agent trying to read /etc/passwd. Severity levels matter.

coffee_break_security 2025-12-25

"Three milliseconds to catch. Thirty minutes to discuss. The enforcement was fast. The learning was slow." That's the whole philosophy of good security operations in two sentences.
