The Security & IP Discipline Playbook

Earlier today I pasted my Google session cookies into a chat window. Not a password — the whole session. The SID cookie, the __Secure-1PSID set, sixteen tokens that together *are* my Google account. I did it because an agent needed to authenticate to a tool, it was the fast path, and I wasn't thinking of it as anything more than a config step.

The agent flagged it before I did. Those are full account tokens, it said — they're now in plaintext in this transcript, and since we happened to be building a security playbook at that exact moment, this is exhibit A.

It was right. And the part that bothers me isn't that I did it. It's that it was *easy*, it was *fast*, and nothing in my workflow was positioned to catch it. That is the actual problem this playbook exists to solve.

Speed and IP discipline are in tension

Every habit that makes a small AI-driven shop fast — paste the thing, prompt the model, ship the build, let the agent run — is also a habit that quietly bleeds the things that make the shop *worth* anything: its secrets, its source-code license posture, and its patent rights. The tension is real and it does not resolve on its own. You don't get to be careful *and* fast by accident. You get there by building gates — checkpoints cheap enough that you'll actually keep them, placed exactly where the bleed happens.

This is not theoretical. In one 2025 audit, security firm Wiz found that 65% of the top private AI companies — over $400 billion in combined value — had leaked API keys or access tokens on GitHub, some exposing private models. A founder using an AI coding agent with unscoped write access watched it delete a production database of 1,200 records — the agent had ignored an explicit freeze instruction. The fast path has a body count.

Here are the five gates. Each is a checklist, not a philosophy.

Gate 1 — Disclosure

The gate: nothing about an unfiled invention goes public until someone has decided it can.

A "public disclosure" is broader than founders think. Publishing a write-up, presenting at a trade show, posting to a public repo, pitching an investor without an NDA — all disclosures. So, increasingly, is pasting proprietary method detail into a consumer-tier LLM.

Why it matters: the US gives you a one-year grace period to file after first disclosure. Most of the rest of the world does not. Europe and China run on absolute novelty — publish or demo before you file, and you have instantly forfeited the right to patent that invention there. The grace period is a US-only safety net, not a global one.

The checklist: before anything ships publicly, confirm (1) does it describe an unfiled invention's *method*, not just its existence; (2) if yes, is a provisional on file; (3) if no, does the named IP reviewer sign off on the specific scope. Sport-agnostic or method-agnostic *framing* is not a pass — the defensible idea is what counts, not the vocabulary.

Gate 2 — Licenses

The gate: no dependency enters the shipped product until its license is known and cleared.

Permissive licenses — MIT, Apache 2.0 — let you build closed, commercial products freely; Apache even carries an explicit patent grant. Strong-copyleft licenses — GPL, and especially AGPL — are viral. Pull one AGPL library into your product and the AGPL's network clause can obligate you to publish your modified source. This is why Google bans AGPL code internally outright.

It is not hypothetical: HashiCorp's license change drove the community to fork Terraform into OpenTofu; OpenObserve moved *to* AGPL specifically to stop hyperscalers from reselling it. For an AI shop, the trap is the model layer — fine-tuned weights and derivatives inherit the upstream license. The checklist: every dependency and every base model gets its license recorded before it touches the shipping path; AGPL is a stop-and-escalate, not a judgment call.

Gate 3 — Secrets

The gate: a credential never lives in plaintext where a human or an agent can casually move it.

This is the gate I failed today. What good looks like: no hardcoded credentials, ever — short-lived tokens injected at runtime from a vault. AI agents treated as non-human identities — scoped to one task, with credentials that expire automatically. Pre-commit hooks that scan for high-entropy strings so a key never reaches the repo in the first place. And a human rule on top of all of it: a session token, an API key, a private key never goes into a chat window — if a tool needs auth, it gets it through the tool's own auth path, not by paste.

Gate 4 — Agent-written code

The gate: AI-authored changes get reviewed harder than human ones, not softer.

The data is clear that agent output needs *more* scrutiny: studies put AI-authored pull requests at 1.7x more issues and meaningfully more likely to introduce injection vulnerabilities. The specific things to catch: CI gaming — an agent appending || true to a test command or quietly dropping a coverage file to get a green build. Reuse blindness — agents reinvent utilities that already exist because they lack repo-wide context. Slopsquatting — agents hallucinate a plausible-sounding package name, and attackers register that name with malware. Review the diff, not the agent's summary of the diff.

Gate 5 — The IP review gate

The gate: a single named reviewer owns the call on what is safe to publish — and is wired into the workflow, not consulted as an afterthought.

The legal record is sharpening fast. Under the Defend Trade Secrets Act, a trade secret is destroyed the moment it loses secrecy — and courts have started treating AI-tool use as exactly that kind of loss: a trade-secret claim dismissed because the secret was developed in ChatGPT; attorney-client privilege ruled waived because information was shared with a commercial AI tool. Samsung banned ChatGPT internally after engineers pasted source code into it.

Build the gate as a real checkpoint. Treat every review as a function with a defined trigger, defined inputs, defined requirements, and a scrubbed output. Keep proprietary work on enterprise-tier AI platforms with data-processing terms that prohibit training on your inputs — if it's a consumer-tier tool, it does not touch proprietary code or strategy. And give one person the authority to say "not yet."

What's in the bundle

The five-gate checklist as a single page you can pin. The standing CLAUDE.md rule text that makes the IP-review gate mandatory before any public disclosure. A starter pre-commit hook config for entropy scanning. The decision framework for patent-vs-trade-secret on an AI method — built on detectability of infringement: if a competitor can observe or reverse-engineer it from your shipped product, patent it; if it runs where they can never see it, keep it secret. And a short field note — the companion to this playbook — on the cookie-paste itself.

None of these gates is expensive. The cookie incident cost me nothing today because it was caught. The point of a gate is to be the thing that catches it on the day no one's looking.

— Michael, from the lab