How we build with agents and approval gates.
Practical notes from SecuRight, an Australian agentic software company building its own consumer apps. We share what we learn about AI-assisted workflows, human approval gates, safe automation, public artifacts, and AI-agent safety research. General information only — not professional, security, compliance, or legal advice, and not a service we offer.
The notes — agentic building in practice.
Safe code and checklist artifacts
Small templates and cleaned examples will appear on GitHub as they are safe to publish. No private company records, secrets, tester data, or unreleased app internals.
Research note: Defending agents against prompt injection
Why prompt injection is the SQL-injection of the agent era, the classes of attack that actually land, and the layered defences — input isolation, capability gating, output checks — that hold up.
Research note: A runtime, not a policy document
A policy PDF can't stop an agent from calling the wrong tool. Putting policy enforcement and a tamper-evident audit at the call site — and why the check has to be fast enough that no one disables it.
Research note: Our AI-agent safety checklist
The questions we work through for our own apps before an AI agent takes an action — auth, scope, injection, logging, human oversight. Shared as a research note.
Code and templates we'll share.
Some of our engineering notes, release checklists, tester-checklist patterns, and AI-safety examples may be useful in the open. We publish only sanitized standalone artifacts as general educational material. (Not a product or service.)