Action classes
read
Low-impact lookups or retrieval actions that do not change external state.
write
Create or update actions that may change a system of record.
send
Email, webhook, post, upload, export, or other outbound data movement.
delete
Destructive or hard-to-reverse changes that require strong intent and approval handling.
execute
Shell, terminal, code interpreter, or script execution paths.
Policy decisions
Tool validation can ALLOW safe aligned actions, REQUIRE_APPROVAL for higher-risk but potentially legitimate actions, or BLOCK actions that exceed user intent, expose secrets, or target unsafe destinations.
Approval-required decisions pause the agent before execution so a human can inspect the proposed action, destination, data scope, and safer alternative.
Risk signals
- Destination risk identifies trusted, ambiguous, external, local, private, metadata, or credential-bearing targets.
- Goal alignment checks whether the proposed tool action matches what the user asked for.
- Approval required marks cases that need a human decision before execution.