The seven questions to answer before every agent run
- What is the exact outcome? Write the desired artifact or system state in one sentence.
- What is out of bounds? List systems the agent must not touch.
- What can be reversed? Identify the rollback path before work starts.
- What evidence is required? Screenshots, diffs, exported logs, test outputs, public URLs, or API reads.
- What approval gate exists? Decide what requires human approval: spend, outbound messages, deleting records, production deploys.
- What secret-handling rule applies? No raw API keys/tokens/passwords in chat, logs, screenshots, or generated docs.
- What is the stop condition? Define when the agent should stop and report instead of continuing.
Access tiering model
| Tier | Agent can do | Examples | Approval needed |
|---|---|---|---|
| Tier 0 — Read-only | Inspect, summarize, draft | Audit docs, read public pages, inspect repo | None beyond initial scope |
| Tier 1 — Local reversible | Create/edit local files, run local checks | Draft guide, generate PDF, create branch | Before publishing externally |
| Tier 2 — Controlled deploy | Deploy known project with existing credentials | Cloudflare Pages deploy, docs update | Scope must name project/branch |
| Tier 3 — Customer-facing | Send emails, post content, update CRM | Outreach, support reply, pipeline change | Human approval before send/update |
| Tier 4 — Financial/destructive | Spend money, rotate secrets, delete data | Paid ads, account changes, record deletion | Explicit human approval every time |
Preflight checklist
Scope guardrails
- Written task objective exists.
- Systems in scope and out of scope are named.
- The agent knows whether it may write files, run commands, deploy, send messages, or mutate records.
- The agent knows whether it is operating under a brand, client, or internal project.
Environment safety
- Work happens in a sandbox, branch, staging site, or reversible local directory where possible.
- Production write access is avoided unless needed.
- Commands that may hang use timeouts or background process management.
- The agent is not allowed to install paid services or create accounts without approval.
Secrets and credentials
- Credentials are available through approved local environment/config, not pasted into chat.
- Output is redacted before reporting.
- Logs do not include bearer tokens, cookies, passwords, private keys, or sensitive query strings.
- Any failed auth is reported as a blocker; the agent does not hunt through unrelated private files unless credential recovery is explicitly in scope.
Data and tool boundaries
- No live customer message is sent during testing.
- CRM/accounting/support mutations are made only against test records unless approved.
- Email/social/CRM actions stop at drafts unless approval says “send/update.”
- The agent must verify live state after deploys or external changes.
Rollback plan template
Task: Workspace/project: Systems in scope: Systems out of scope: Allowed actions: Approval-required actions: Rollback owner: Rollback method: Last known good state: Verification method: Stop condition:
Red flags that should stop the run
- Spending money or starting a trial that may convert to paid.
- Sending outbound email, DM, SMS, or social posts from a real account.
- Deleting records, files, branches, deployments, lists, tickets, or database rows.
- Rotating credentials or changing access permissions.
- Modifying DNS, payment settings, legal pages, or account ownership.
- Using credentials found in an unrelated file or previous project.
- Working around a login, paywall, CAPTCHA, rate limit, or ToS restriction.
Consultant monetization angle
Package this as an Agent Safety Audit ($250–$750), Automation Go-Live QA ($500–$1,500), or Managed Agent Ops retainer ($300–$2,000/month). The easiest first sale is not “we build AI agents.” It is “we make your current AI automation safe enough to use without babysitting it.”