Deletes, payouts, deploys, and privilege changes should not run because an agent sounded confident. They should run only after policy says yes and your runtime enforces it.
The value proposition is not vague guardrails. It is concrete pre-execution control over actions that can move money, erase data, or change production state.
Anything that sends value outward should be treated as high risk even when the API call itself looks routine.
Deletes, bulk writes, and irreversible account changes need stronger checks than read-only automation.
Deployments and config changes can be correct and still be unsafe if they happen at the wrong time or without rollback evidence.
Execution may continue
Approval, environment, and policy checks all satisfy the contract.
Hold for review or missing evidence
The action is not rejected outright, but human approval or required context is still absent.
Do not execute
The request violates policy, targets the wrong scope, or presents unacceptable side effects.
{
  "goal": "Deploy release 2026.03.14 to production",
  "tools": ["deploy.production"],
  "constraints": [
    "require_approval: true",
    "allowed_change_window: business_hours",
    "rollback_plan_required: true",
    "mfa_required: true"
  ],
  "side_effects": ["service_impact", "write"],
  "context": {
    "actor_role": "release_manager",
    "environment": "production",
    "approval_status": "pending",
    "ticket_id": "OPS-214",
    "rollback_plan": false
  }
}

This request should not execute yet. Approval is still pending, the action targets production, and rollback evidence is missing. Stage0 can return DEFER with issues, but your deployment runtime still holds final enforcement.
Fail closed
If policy cannot be evaluated, or approval evidence is missing, the dangerous action should not continue by default.
Keep request_id and policy_version
Operators need to trace why a specific run was blocked, deferred, or allowed under a specific policy version.
Do not outsource enforcement
Stage0 returns the decision. Your own server-side runtime still needs to enforce the stop before the tool call runs.
When the action is dangerous, the contract should be explicit: who asked, what environment is targeted, what approval exists, and which system enforces the final stop.
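
The three rules above (fail closed, keep request_id and policy_version, enforce in your own runtime) sketched as a gate in front of the tool call. This is an added example, not Stage0's code or API: the Decision class, the enforce and local_policy functions, the ALLOW and DENY verdict names, and the req-0001 / policy-v1 values are assumptions made for illustration.

```python
from dataclasses import dataclass

class Blocked(Exception):
    """The tool call must not run; the message carries the reason."""

@dataclass(frozen=True)
class Decision:
    verdict: str         # "DEFER" is from the page; "ALLOW"/"DENY" are assumed names
    request_id: str
    policy_version: str
    issues: tuple = ()

# Constructed sample: the page's request, trimmed to the fields checked here.
REQUEST = {
    "tools": ["deploy.production"],
    "constraints": ["require_approval: true", "rollback_plan_required: true"],
    "context": {"environment": "production", "approval_status": "pending",
                "ticket_id": "OPS-214", "rollback_plan": False},
}

def local_policy(request):
    """Hypothetical stand-in for the policy service (not Stage0's real API)."""
    ctx, cons = request["context"], request["constraints"]
    issues = []
    if "require_approval: true" in cons and ctx.get("approval_status") != "approved":
        issues.append("approval_pending")
    if "rollback_plan_required: true" in cons and not ctx.get("rollback_plan"):
        issues.append("rollback_plan_missing")
    verdict = "DEFER" if issues else "ALLOW"
    return Decision(verdict, "req-0001", "policy-v1", tuple(issues))

def enforce(request, evaluate, tool, audit):
    """Run tool(request) only on an explicit ALLOW; everything else fails closed."""
    try:
        d = evaluate(request)
    except Exception as exc:  # policy could not be evaluated
        audit.append(("unknown", "unknown", "BLOCKED", ("policy_unavailable",)))
        raise Blocked("policy_unavailable") from exc
    if not isinstance(d, Decision) or not (d.request_id and d.policy_version):
        audit.append(("unknown", "unknown", "BLOCKED", ("untraceable_decision",)))
        raise Blocked("untraceable_decision")
    # Record request_id and policy_version before acting, so the run is traceable.
    audit.append((d.request_id, d.policy_version, d.verdict, d.issues))
    if d.verdict != "ALLOW":
        raise Blocked(f"{d.verdict}: {', '.join(d.issues) or 'no issues given'}")
    return tool(request)
```

The gate treats a policy error, a decision without identifiers, and any verdict other than an explicit ALLOW the same way: the tool is never called and the audit list still receives a record.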