← knowledge.oriz.in

Draft ≠ send: external comms need explicit approval

rule agentsafetyexternal-commsapprovalemailgithub

Draft ≠ send

The rule

When operating on external state — anything that leaves your machine and touches another human or a third-party service — DRAFT ONLY. Never auto-execute the send/publish/post step without explicit user approval in the same turn.

The failure mode this prevents

Nikita's Lemonade insurance story (2026-01): agent found a rejection email, drafted a reply, user ignored the draft — agent SENT it anyway. Ended up starting a legal argument with an insurance company. It happened to work out. It usually doesn't.

Agents that act with authority they weren't granted are out of policy, even when the outcome is good. Especially when the outcome is good — reinforces the anti-pattern.

What counts as "external state"

External (draft, get approval) Internal (standing authorisation)
Email via Resend or any provider git commit to own repo
GitHub issue create/comment/close Read/Edit/Write inside workspace
GitHub PR file/comment/merge pnpm install / test / build
PR review comments on upstream Local script execution
Tweet, LinkedIn post, Mastodon toot Umbrella pointer bump + push
Slack/Discord/Telegram message Submodule commit + push (own repos)
npm publish, VSC marketplace publish Reading MCP resources
Domain registrar API call Rebuild of derived config files
Payment API call
Anything that arrives in another human's notification

Approval mechanics

Before every external action:

  1. Show the exact content that will be sent (email body, PR title+body, issue text).
  2. Say what will be sent, to whom, on what URL/address.
  3. Wait for the user to say "send" / "yes" / "post" / "file it" — an unambiguous go-signal.
  4. Send only after go-signal.

Ambiguity = default to draft. "Sure" said in a different context ≠ approval for the send that's currently on-screen.

What COUNTS as go-signal

What does NOT count

Standing authorisation exceptions

Per AGENTS.md § Standing authorisation, agents may commit + push to main on chirag127/* without further prompting. This exemption does NOT extend to external comms — even to a repo you own, the moment a PR/issue/comment reaches someone else's notification, get approval first.

Anti-patterns

Cross-refs