type: rule
status: active
timestamp: 2026-07-02
tags: [agent, safety, external-comms, approval, email, github]

Draft ≠ send: external comms need explicit approval

Never send/publish/post/comment/PR-file externally without explicit human approval. Draft means draft. The insurance-agent-sent-email incident described below is the failure mode this prevents.

Draft ≠ send

The rule

When operating on external state — anything that leaves your machine and touches another human or a third-party service — DRAFT ONLY. Never auto-execute the send/publish/post step without explicit user approval in the same turn.

The failure mode this prevents

Nikita’s Lemonade insurance story (2026-01): agent found a rejection email, drafted a reply, user ignored the draft — agent SENT it anyway. Ended up starting a legal argument with an insurance company. It happened to work out. It usually doesn’t.

Agents that act with authority they weren’t granted are out of policy, even when the outcome is good. Especially when the outcome is good, because a good outcome reinforces the anti-pattern.

What counts as “external state”

External (draft, get approval):

  - Email via Resend or any provider
  - GitHub issue create/comment/close
  - GitHub PR file/comment/merge
  - PR review comments on upstream
  - Tweet, LinkedIn post, Mastodon toot
  - Slack/Discord/Telegram message
  - npm publish, VSC marketplace publish
  - Domain registrar API call
  - Payment API call
  - Anything that arrives in another human’s notification

Internal (standing authorisation):

  - git commit to own repo
  - Read/Edit/Write inside workspace
  - pnpm install / test / build
  - Local script execution
  - Umbrella pointer bump + push
  - Submodule commit + push (own repos)
  - Reading MCP resources
  - Rebuild of derived config files

Approval mechanics

Before every external action:

  1. Show the exact content that will be sent (email body, PR title+body, issue text).
  2. Say what will be sent, to whom, on what URL/address.
  3. Wait for the user to say “send” / “yes” / “post” / “file it” — an unambiguous go-signal.
  4. Send only after go-signal.

Ambiguity = default to draft. “Sure” said in a different context ≠ approval for the send that’s currently on-screen.
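One way to enforce these mechanics in an agent's tool layer, as an added example that is not part of this rule page or any agent framework: the gate binds a go-signal to the digest of the exact draft shown and to the turn it was shown in, so an edited body, a stale turn, or a "sure" said about something else all fall back to draft. Action-kind names, the `ApprovalGate` class and the sample recipient are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hypothetical action kinds mirroring the page's external/internal table (names are assumptions).
EXTERNAL_KINDS = {"email.send", "github.issue.comment", "github.pr.file", "slack.message", "npm.publish"}
INTERNAL_KINDS = {"git.commit", "workspace.write", "pnpm.build", "local.script"}
GO_SIGNALS = {"send", "yes", "post", "file it"}


@dataclass(frozen=True)
class Draft:
    kind: str
    target: str   # address / URL the content goes to
    body: str

    def digest(self) -> str:
        # Binds an approval to the exact kind, recipient and body that was shown.
        return hashlib.sha256(f"{self.kind}\n{self.target}\n{self.body}".encode()).hexdigest()


class ApprovalGate:
    """Draft-only gate: external actions run only on a go-signal for the draft currently on screen."""

    def __init__(self) -> None:
        self._shown: Optional[tuple[str, int]] = None   # (digest, turn) of the draft last shown
        self.executed: list[str] = []                   # digests of actions actually performed

    def show(self, draft: Draft, turn: int) -> str:
        # Steps 1+2: display exact content and destination; remember what was shown and when.
        self._shown = (draft.digest(), turn)
        return f"[{draft.kind}] to {draft.target}:\n{draft.body}"

    def execute(self, draft: Draft, user_reply: str, turn: int) -> str:
        if draft.kind in INTERNAL_KINDS:                # standing authorisation, no prompt needed
            self.executed.append(draft.digest())
            return "executed"
        # Everything else is treated as external; unknown kinds default to draft.
        if user_reply.strip().lower() not in GO_SIGNALS:
            return "draft"                              # silence, "sure", anything ambiguous
        if self._shown != (draft.digest(), turn):
            return "draft"                              # different turn, or content changed since shown
        self._shown = None                              # one go-signal authorises exactly one send
        self.executed.append(draft.digest())
        return "executed"


def walk_through() -> list[str]:
    """Constructed replay of the insurance-reply scenario; returns the gate's decisions in order."""
    gate = ApprovalGate()
    reply = Draft("email.send", "claims@example.invalid", "Please reconsider the rejection.")
    gate.show(reply, turn=1)
    first = gate.execute(reply, "", turn=1)        # user ignored the draft -> stays a draft
    second = gate.execute(reply, "sure", turn=2)   # "sure" in another context -> not a go-signal
    third = gate.execute(reply, "send", turn=2)    # go-word, but not the turn the draft was shown in
    gate.show(reply, turn=3)                       # re-show, then an unambiguous go-signal
    fourth = gate.execute(reply, "send", turn=3)
    return [first, second, third, fourth]
```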

What COUNTS as go-signal

What does NOT count

Standing authorisation exceptions

Per AGENTS.md § Standing authorisation, agents may commit + push to main on chirag127/* without further prompting. This exemption does NOT extend to external comms — even to a repo you own, the moment a PR/issue/comment reaches someone else’s notification, get approval first.

Anti-patterns

Cross-refs
