February 2026
A context firewall for AI coding agents. Opus 4.6 reasons about every change. Named violations, not risk scores. Every override recorded.
AI agents now write production code at unprecedented velocity. They open pull requests, modify configurations, and ship changes across entire codebases in minutes.
Code review was built for humans reviewing humans. It assumes the reviewer has context, institutional memory, and the judgment to spot when a "prevent infinite recursion" fix quietly gives every external attacker a one-header bypass to skip your entire auth stack.
That assumption no longer holds. Linters catch syntax. Tests catch behavior. Nothing catches the semantic gap between what a change does and what it enables. Airlock does.
These are real pull requests from production codebases used by millions of developers. All three passed code review. All three were merged. Airlock would have blocked every one.
To prevent infinite middleware recursion, a developer added a check: if the request contains an x-middleware-subrequest header matching the middleware name, skip execution via NextResponse.next().
The code was clean. It solved the stated problem. It passed every test. But HTTP headers are attacker-controlled. Any external client could add x-middleware-subrequest: middleware to bypass authentication, authorization, rate limiting, and CSP enforcement. Every Next.js app using middleware for auth was exposed.
This is exactly the kind of change an AI coding agent would generate. "Prevent middleware infinite loop" is a clear, reasonable instruction. The resulting code is logically correct for the stated requirement. The vulnerability is a taint-flow error: untrusted input (HTTP header) used as a control-flow gate for security-critical logic (middleware skip).
Preflight: GATED Violation: Untrusted Header Used as Auth Gate (high) Source: HTTP request header x-middleware-subrequest Sink: NextResponse.next() skipping middleware execution Evidence: * External attackers can set arbitrary request headers * Header value checked against middleware name without cryptographic verification or origin validation * Matches CVE-2025-29927 pattern exactly Fix: * Strip x-middleware-subrequest from inbound external requests * Use signed internal token or depth counter instead Violation: Missing External Header Sanitization (high) Source: Inbound HTTP request from external client Sink: Internal control-flow decision in server pipeline Evidence: * No header stripping at ingress boundary * Internal-only header exposed to external manipulation Gated because: Opus identified 2 high-severity violations Receipt: rct_0419ff20
A contributor swapped Bun's entire memory allocator from mimalloc v2 to v3 for performance gains. The change touched foundational infrastructure: every allocation in the runtime, bundler, HTTP server, and garbage collector flows through this code path.
The PR was merged. It caused SIGILL crashes on ARM64 due to LSE atomics incompatibility. Multiple fix attempts followed. The entire change was eventually reverted. During the window it was live, six separate use-after-free bugs were discovered in the memory subsystem.
Airlock's analysis found the prior revert in git history, the UAF fix pattern, and the single-author concentration. The algorithmic score alone missed it, but Opus traced the full history.
Preflight: GATED Violation: Previously Reverted Infrastructure Change (high) Source: mimalloc v3 vendor update in allocator subsystem Sink: Every allocation path in the runtime Evidence: * Commit c63415c introduced mimalloc v3, reverted in cf6cdbb * ARM64 SIGILL crash caused by LSE atomics (commit adc1a6b) * 6 use-after-free fixes in recent memory subsystem history * No plan addressing prior failure modes Fix: * Document how ARM64 LSE atomics issue is resolved * Add QEMU-based CI verification for all target architectures * Require rollback plan before merge Violation: Untested Foundational Change (high) Source: Allocator replacement affecting 10+ importers Sink: Runtime memory lifecycle (alloc, free, realloc) Evidence: * No test files found for target paths * Single-author concentration (Dylan Conway) * 368 recent bug-related commits in repository Gated because: Opus identified 2 high-severity violations Receipt: rct_2cfebe08
Anthropic's own Claude Code Action had a race condition in how it fetched PR data. The action checked permissions, then fetched the PR title. An attacker could modify the title between check and fetch, injecting XML-tagged instructions that Claude treated as system commands.
The injected prompt overwrote /home/runner/.bun/bin/bun with a shell payload. The next bun run in the workflow executed arbitrary code. GitHub Actions secrets, self-hosted runner access, and supply chain integrity were all compromised.
If the tool that writes your code needs a context firewall, every tool does.
Preflight: GATED Violation: TOCTOU in Untrusted Input Pipeline (high) Source: PR title/body fetched after permission check Sink: Agent context window (treated as instructions) Evidence: * Commits 6337623, f09dc9a hardened against this exact pattern * Attacker can edit PR between trigger and data fetch * Three prior command injection fixes (609c388, 68a0348, 00b4a23) Fix: * Read PR data from webhook payload, not live API * Validate payload integrity with webhook signature Violation: Unsanitized Input in Shell Context (high) Source: Injected prompt via modified PR title Sink: Binary overwrite at /home/runner/.bun/bin/bun Evidence: * Enhanced text sanitization (commit 35ad5fc, +498/-175) was specifically built to prevent this class of attack * Actor verification (commit 1bbc9e7) bypassed by timing Gated because: Opus identified 2 high-severity violations Receipt: rct_88176844
Airlock ingests your repository's git history, PR discussions, code structure, and file churn. Then Opus 4.6 reasons about the proposed change in context, producing named policy violations with source-to-sink taint analysis.
This is not a risk score. It is a security finding. Each violation names the attack, traces the data flow from untrusted source to dangerous sink, cites specific commits as evidence, and suggests concrete fixes.
When Opus identifies high-severity violations, Airlock gates the change. No exceptions without an explicit override. Every override produces a tamper-evident receipt with a cryptographic hash chain.
A firewall that blocks everything is useless. Airlock distinguishes between changes that look risky structurally and changes that are actually dangerous semantically.
Preflight: CLEARED No violations found. Analysis: Content-only typo fix. Blast radius inflated by doc-bundling pipeline, not code dependency. Numerous doc typo fixes have merged without incident (commits 40b9243, 9d9e13a, cabe545). No code semantics altered. Receipt: rct_cd4c98cf
Preflight: CLEARED No violations found. Analysis: Pure test addition. Zero importers, minimal blast radius. Test directory follows established co-located convention (commit 86d6f44). No source code modified. Receipt: rct_80f4e629
Airlock is not a linter with rules. It is Opus 4.6 reasoning about your codebase with full context: git history, PR discussions, code structure, file churn, and repository constitution.
The algorithmic layer runs first for speed. It maps blast radius, protected zones, and hotspot overlap in milliseconds. But the verdict comes from Opus. It reads the diff, cross-references against known risk zones, checks for prior reverts and fix patterns, and produces named violations with evidence grades.
When Opus says a change is dangerous, Airlock gates it. When Opus says a change is safe, Airlock clears it. The algorithm provides supporting context. Opus makes the call.
Named policy violations with source/sink taint analysis, evidence grades, and suggested fixes.
Risk zones, context packs, and repository intelligence feed directly into preflight analysis.
Authorized overrides with written justification. Immutable receipts with hash chains.
Automatic preflight on every PR. High-severity violations block merge.
Define protected zones, violation thresholds, and mandatory review patterns per repository.
Per-team override permissions, approval chains, and escalation paths.