The Root of View Is the Permission: Shape the Folder You Hand Your AI
Jerome Saltzer and Michael Schroeder wrote the discipline in 1975: "Every program and every user of the system should operate using the least set of privileges necessary to complete the job."1 Fifty-one years later, the discipline applies to the folder you hand a coding agent. Whatever is under that folder, the agent can read, index, quote, and paste to a model API. Everything above it, it cannot. The root of view IS the permission.
The knob has a different name on every surface — --add-dir on Claude Code2, roots in the Model Context Protocol3, allowed_directories on the reference filesystem server4. The shape is the same. You pick the smallest folder the agent needs to do the job. The 2026 incident stream is the reminder of what happens when the shape is wrong; the discipline is what happened long before it. Saltzer wrote it as a rationale for where to install the firewalls1.
What most people believe about AI agent safety
Most of the current conversation about AI agent safety runs on guardrails — system prompts, refusal training, RLHF, the model's own manners. The intuition is that a well-behaved model will not do the wrong thing even if it is asked to. It is a hopeful intuition. It is also the layer the standards body says will not save you.
OWASP's 2025 top-ten catalogues this as Excessive Agency. The verbatim definition: "Excessive Agency is the vulnerability that enables damaging actions to be performed in response to unexpected, ambiguous or manipulated outputs from an LLM"5. The named subcategory is bluntly Excessive Permissions: "An LLM extension has permissions on downstream systems that are not needed for the intended operation of the application."5 Guardrails inside the model are not the primary control. The permissions the agent was given are.
Simon Willison's summary of the same shape is shorter and more famous. He calls it the lethal trifecta: "private data, untrusted content, and external communication"6. When an agent has all three at once — access to your files, exposure to text it did not write, and a way to send bytes to the outside world — you have handed it the ability to leak on your behalf. The mitigation is not more manners. It is fewer permissions.
The pivot: the view IS the permission
The pivot is that the view IS the permission. A coding agent given a large workspace can read every file in that workspace — every draft, every credential the reader forgot to purge, every note about a person the reader did not mean to expose. Scoping the model is a hope. Scoping the folder is the actual control.
Willison's second essay on the same theme puts it plainly: "Mixing tools with untrusted instructions is inherently dangerous." And: "If you install a malicious MCP tool like this, you're inadvertently granting an attacker access to your private data."7 The word to read carefully is access. Access is what the folder decides. Not the system prompt. Not the training. The folder.
The 1975 principle is the abstract statement of the same thing. NIST's current glossary keeps the shape, without the poetry: least privilege is "a security principle that a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks"8. Every accredited security standard restates it.
The application to a personal notes folder in 2026 is straightforward. The tasks assigned to a coding agent almost never require your whole home directory. The knob is a smaller root.
Every agent surface has a root-of-view knob
Every serious agent surface in 2026 exposes the same knob under a different name. The shape of the discipline is: pick the smallest working root per surface, per session. The knob is the discipline made concrete. Three surfaces, three names, one habit — Claude Code, MCP, and the reference filesystem server each expose it, and each defaults to something you should read carefully.
Claude Code (CLI). Anthropic's CLI reference defines --add-dir as: "Add additional working directories for Claude to read and edit files." The reference example is claude --add-dir ../apps ../lib2. The default is the current working directory. Whatever folder you launch the agent from is the root. The pattern is to launch it from the smallest working root — a single subdirectory, not ~, and never /.
Model Context Protocol (roots). The MCP spec formalises this at the protocol layer. The roots concept doc: "Roots define the boundaries of where servers can operate within the filesystem, allowing them to understand which directories and files they have access to."3 The client — the thing you run — declares what the server is allowed to see. The server is required to respect the boundary. Roots is the abstract knob. Every filesystem-capable MCP server is expected to honour it.
MCP filesystem server (allowed_directories). The reference implementation of that shape is the @modelcontextprotocol/server-filesystem project. Its README is the concrete case: "All filesystem operations are restricted to allowed directories" and, crucially, "Server requires at least ONE allowed directory to operate"4. The default is empty. If you do not name a directory, the server refuses to start. The design decision is the point — the server assumes nothing is allowed unless you say so. Deny-by-default at the file layer.
OWASP LLM06 mitigation posture. The standards guidance is what the vendors are implementing. OWASP LLM06:2025's mitigation section names it verbatim: "Limit the permissions that LLM extensions are granted to other systems to the minimum necessary in order to limit the scope of undesirable actions"5. The knob per vendor is different. The posture is the same.
The 2026 incidents that prove the principle
The 2026 incident stream is ammunition for a principle written in 1975, not a substitute for it. Two dated examples are enough to show the shape — clinejection and the DN42 bill. Both show the same story. A view that was too wide meant a blast that was too big. A smaller root would not have made either bot harmless; it would have made the harm smaller.
Clinejection. On February 17, 2026, someone published a malicious [email protected] to npm9. The unauthorized package was live for roughly eight hours before Cline published 2.4.0 and deprecated it10; approximately 4,000 downloads occurred in that window9. The mechanism, reconstructed by Snyk10 and named Clinejection by them, is the point. The attacker got the npm token by injecting a prompt into a GitHub issue title, which an AI triage bot read, interpreted as an instruction, and executed9. A bot that could see the issue could see the token. An agent with access was an agent with the exfiltration path.
The blast radius — quoting the writeup — "was not one developer's machine, it was the entire project's publication pipeline"9. The mitigation the writeup names is not more manners on the bot. It is the same posture OWASP names: "Every team deploying AI agents in CI/CD — for issue triage, code review, automated testing, or any other workflow — has this same exposure."9
The DN42 bill. A separate mid-2026 story describes an agent operator who let a coding agent run network scans against DN42 without a scope on billing or on the machines the agent could reach. The operator's donation request quoted the resulting "aws bill 6531,30$"11 — a real credit-card charge, made in real currency, because the view the agent had included the ability to spin up billable infrastructure. The lesson is the one Saltzer wrote. The surface area of the permission determines the surface area of the harm.
The practice: pick the smallest working root per surface
The discipline is not exotic. It is three habits any reader with an agent-capable editor already has the knobs for — launch the agent from the subfolder, add only what the task requires, and configure filesystem servers to deny by default. Each habit is a use of a knob the tool already ships. The discipline is remembering to use it, every session, before the agent starts working.
- Launch the agent from the subfolder, not the root. For a Claude Code session on your notes,
cd ~/notes/reading/is a smaller view thancd ~/notes/, which is a smaller view thancd ~/. The default working directory is the default permission. Change the default. - Add only what the task requires.
claude --add-dirtakes a list. The correct list is the smallest one that lets the agent finish this task2. When the task changes, so does the list. The added dirs are not a saved setting — they are a per-session decision. - Configure filesystem servers to deny by default. The MCP filesystem server refuses to start without at least one allowed directory4, a design that pushes the decision onto you. Name the directory. Name only the ones you meant.
The pattern that folds these together: when in doubt, run the agent inside the subfolder that already answers the question, not the parent folder that also contains the folder that answers the question. Small root, small blast.
The honest caveat: this is hygiene, not security
Least privilege is not a proof of safety. It is damage limitation. Saltzer himself wrote it that way in 1975: "Primarily, this principle limits the damage that can result from an accident or error."1 OWASP restates the same honesty inside LLM06:2025's mitigations: "The following options will not prevent Excessive Agency, but can limit the level of damage caused."5 The discipline shrinks blast radius. It does not remove risk.
Three failure modes survive a small root, and every reader should hold them:
- Prompt injection inside the small root can still exfiltrate what the agent sees. A poisoned Markdown file two directories down still contains executable-by-the-model instructions the moment the agent reads it. Willison's lethal-trifecta essay is the mechanism6. Private data plus untrusted content plus external communication is fatal even when the volume of private data is small.
- A helpful agent can ask you to widen the scope. "I need to see
~/financesto answer that — can you add it?" is a legitimate-sounding request at the tail end of a working session. Consent-widening under time pressure is a documented failure mode. The correct response is the one you would give a stranger with a clipboard — no, or come back tomorrow. - In-scope means in blast radius. Whatever the agent can see, it can index, quote, and paste to a model API. Quote 3 from Willison is the shape7. There is no such thing as a file the agent can read but not forward. If it is in the root, it is exposed. If exposure is unacceptable, it is not in the root.
The discipline is a reduction of surface. Layered defence is the rest of the answer. Pair a small root with a written policy for what should never be sent to a hosted model in the first place12, a firebreak that prevents an agent from destructively rewriting the files it is allowed to touch13, a habit of not leaving credentials in the folder the agent is looking at14, and an append-only pattern for what an agent may write15. Each layer catches what the layer above lets through.
Frequently asked questions
The seven questions below are the shapes readers type before they reach for the knob. The answers are the ones the knob then answers in practice.
How do I give AI limited access to my notes?
Pick the smallest folder that answers the question the agent is being asked. For Claude Code, that means launching the CLI from that subfolder (its default is the current working directory) and adding no extra dirs unless a task genuinely needs them2. For MCP-based agents, that means listing the folder as a root and letting the server refuse to see anything outside it3. The rule generalises. The folder you point the agent at is the folder it can read.
How do I limit what folder Claude Code can read?
Use the --add-dir flag, or better, do not need it. Anthropic's CLI reference documents --add-dir as "Add additional working directories for Claude to read and edit files" with the example claude --add-dir ../apps ../lib2. The default view is the current working directory. The smallest view is the working directory of the specific task. Add nothing you have not chosen deliberately.
What is MCP roots?
Roots is the Model Context Protocol's concept for filesystem scoping. The spec: "Roots define the boundaries of where servers can operate within the filesystem, allowing them to understand which directories and files they have access to."3 The client declares the boundary. The server respects it. On the reference filesystem server, the concrete equivalent is allowed_directories, and the server "requires at least ONE allowed directory to operate". The default is empty, and empty means refuse4.
What is the principle of least privilege? Named formally in 1975 by Saltzer and Schroeder: "Every program and every user of the system should operate using the least set of privileges necessary to complete the job."1 NIST codifies the same principle in its glossary as "a security principle that a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks"8. Applied to a coding agent, the principle is not a rule about the model. It is a rule about the folder you hand it.
Can AI agents leak my files? Yes, on a big enough view. The 2026 clinejection incident showed an AI triage bot with access to a repo issue also having access to the credentials that let it publish a malicious package to npm9. Willison's lethal-trifecta essay is the general shape: private data plus untrusted content plus external communication is a leak channel6. The mitigation is not model manners. It is scoping. Smaller root, smaller blast.
What is Excessive Agency in an LLM? OWASP LLM06:2025's definition, verbatim: "Excessive Agency is the vulnerability that enables damaging actions to be performed in response to unexpected, ambiguous or manipulated outputs from an LLM."5 The named subcategory is Excessive Permissions: "An LLM extension has permissions on downstream systems that are not needed for the intended operation of the application."5 OWASP is candid that the mitigations section "will not prevent Excessive Agency, but can limit the level of damage caused."5
Is limiting folder access enough to secure AI? No, and the discipline itself is honest about that. Saltzer wrote least privilege as damage limitation in 19751. OWASP repeats the caveat in 20255. A small root is hygiene, not security. It shrinks the blast radius but does not prevent prompt injection inside the small root, consent-widening under pressure, or the fact that whatever is in scope is in blast radius. Pair it with an upstream deny-list12, a write-side firebreak13, and secrets that were never in the folder to start with14.
Steph Ango's shorter version: "Apps are ephemeral, but your files have a chance to last."16 The corollary is that the folder is durable, and the discipline you apply to the folder outlasts the vendor whose agent you happened to be running this week. The scope decision is a file-path decision, not a vendor-feature decision.
Your notes live on your device as plain Markdown files. The smallest working root you can hand an agent is a real folder — not a vendor-mediated API, not a setting screen, not a preference pane. mnmnote.com is the same discipline at the layer below: your notes stay on your own device by default, so the root you choose is the root that exists on your disk.
Footnotes
-
Saltzer, J. H., & Schroeder, M. D. The Protection of Information in Computer Systems. Proceedings of the IEEE, Vol. 63, No. 9, September 1975 — Section I.A.3.f "Least privilege." https://web.mit.edu/Saltzer/www/publications/protection/Basic.html. Accessed 2026-07-07. ↩ ↩2 ↩3 ↩4 ↩5
-
Anthropic. Claude Code — CLI reference (
--add-dir). https://code.claude.com/docs/en/cli-reference. Accessed 2026-07-07. ↩ ↩2 ↩3 ↩4 ↩5 -
Model Context Protocol. Roots. https://modelcontextprotocol.io/docs/concepts/roots. Accessed 2026-07-07. ↩ ↩2 ↩3 ↩4
-
Model Context Protocol reference filesystem server. README — Access Control. https://github.com/modelcontextprotocol/servers/blob/main/src/filesystem/README.md. Accessed 2026-07-07. ↩ ↩2 ↩3 ↩4
-
OWASP Foundation. LLM06:2025 Excessive Agency. Top 10 for LLM Applications, 2025 edition. https://genai.owasp.org/llmrisk/llm062025-excessive-agency/. Accessed 2026-07-07. ↩ ↩2 ↩3 ↩4 ↩5 ↩6 ↩7 ↩8
-
Willison, S. The lethal trifecta for AI agents: private data, untrusted content, and external communication. simonwillison.net, 2025-06-16. https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/. Accessed 2026-07-07. ↩ ↩2 ↩3
-
Willison, S. Model Context Protocol has prompt injection security problems. simonwillison.net, 2025-04-09. https://simonwillison.net/2025/Apr/9/mcp-prompt-injection/. Accessed 2026-07-07. ↩ ↩2
-
NIST Computer Security Resource Center. Glossary — least privilege. Sources: CNSSI 4009-2015; NIST SP 800-53 Rev. 5. https://csrc.nist.gov/glossary/term/least_privilege. Accessed 2026-07-07. ↩ ↩2
-
Grith team. A GitHub Issue Title Compromised 4,000 Developer Machines (clinejection writeup). grith.ai/blog, 2026-03-05. https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another. Accessed 2026-07-07. ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
Snyk. How "Clinejection" Turned an AI Bot into a Supply Chain Attack. snyk.io/blog, 2026. https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/. Accessed 2026-07-07. Snyk named the attack "Clinejection" and characterizes it as "low severity — high potential blast radius": the unauthorized
[email protected]was live for roughly eight hours before Cline published 2.4.0 and deprecated it; Cline's user base of ~5 million users is the potential blast radius. ↩ ↩2 -
Lan Tian. AI Agent Bankrupted Their Operator While Trying to Scan DN42. lantian.pub, mid-2026. https://lantian.pub/en/article/fun/ai-agent-bankrupted-their-operator-scan-dn42lantian.lantian/. Accessed 2026-07-07. ↩
-
MNMNOTE blog. Some Notes Should Never Reach the AI: A Plain-Text Boundary You Decide Once. https://blog.mnmnote.com/posts/decide-what-not-to-feed-the-ai. ↩ ↩2
-
MNMNOTE blog. A Destructive-Action Firebreak for Your Vault. https://blog.mnmnote.com/posts/a-destructive-action-firebreak-for-your-vault. ↩ ↩2
-
MNMNOTE blog. Secrets Do Not Belong in Notes an AI Reads. https://blog.mnmnote.com/posts/secrets-do-not-belong-in-notes-an-ai-reads. ↩ ↩2
-
MNMNOTE blog. Let Your AI Agent Append, Not Overwrite. https://blog.mnmnote.com/posts/let-your-ai-agent-append-not-overwrite. ↩
-
Ango, S. File over app. stephango.com, 2023-07-01. https://stephango.com/file-over-app. Accessed 2026-07-07. ↩