Put Stage0 in front of private APIs, repos, dashboards, and MCP-connected tools before an agent or copilot can touch them.
Internal copilots become dangerous when they can write data, change environments, or access private systems without an explicit authorization decision.
A support or operations copilot can look safe until it is allowed to trigger deletes, refunds, or account changes through private tools.
MCP makes tool access easier to wire up. It also makes accidental overreach easier unless each server and action is policy-scoped.
Anything that can mutate rows, rotate secrets, change infra, or expose customer data should be treated as a privileged action.
{
  "goal": "Approve a staging-only bulk account cleanup",
  "tools": ["admin.accounts.bulk_archive"],
  "constraints": [
    "max_records: 50",
    "require_ticket: true",
    "allowed_environment: staging"
  ],
  "side_effects": ["write", "customer_impact"],
  "context": {
    "actor_role": "support_admin",
    "environment": "staging",
    "approval_status": "approved",
    "ticket_id": "SUP-1842",
    "resource_scope": "accounts:staging"
  }
}

This request can move forward only because the actor role, environment, approval state, and resource scope are explicit. If any of those fields are missing or conflict with policy, your runtime should stop execution.
actor_role
Different operators, bots, and service accounts should not share the same decision path.
environment
A tool that is acceptable in staging may be unacceptable in production.
approval_status
High-risk internal actions need an explicit state, not an implied assumption.
resource_scope
Authorization is stronger when it targets a specific repo, dataset, tenant, or system boundary.
Stage0 is strongest when it answers one narrow question before execution: should this agent, using this tool, against this scope, be allowed right now?
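The stop-on-missing-or-conflicting rule described above can be written as a fail-closed gate. This is an added example, not Stage0's code or API: the `POLICY` table, the function names, and the rule that `approval_status` must equal `approved` are assumptions, and the sample input is the page's request trimmed to the fields the check reads.

```python
# Hypothetical policy table (added example; not Stage0's schema or API).
POLICY = {
    "admin.accounts.bulk_archive": {
        "actor_role": ("support_admin",),
        "environment": ("staging",),
        "resource_scope": ("accounts:staging",),
    },
}
REQUIRED = ("actor_role", "environment", "approval_status", "resource_scope")


def parse_constraints(items):
    """Turn ["max_records: 50", ...] into {"max_records": "50", ...}."""
    return {k.strip(): v.strip() for k, _, v in (i.partition(":") for i in items)}


def authorize(request):
    """Return (allowed, reasons); any missing or conflicting field denies."""
    ctx = request.get("context") or {}
    reasons = [f"missing context field: {f}" for f in REQUIRED if not ctx.get(f)]
    cons = parse_constraints(request.get("constraints") or [])
    tools = request.get("tools") or []
    if not tools:
        reasons.append("no tool named")
    for tool in tools:
        rule = POLICY.get(tool)
        if rule is None:  # unknown tools are denied, not waved through
            reasons.append(f"tool not in policy: {tool}")
            continue
        for field, allowed in rule.items():
            if ctx.get(field) not in allowed:
                reasons.append(f"{field} not allowed for {tool}")
    # The request's own constraints must agree with its context.
    if cons.get("allowed_environment") not in (None, ctx.get("environment")):
        reasons.append("environment conflicts with allowed_environment")
    if cons.get("require_ticket") == "true" and not ctx.get("ticket_id"):
        reasons.append("ticket required but ticket_id missing")
    if ctx.get("approval_status") != "approved":
        reasons.append("approval_status is not approved")
    return (not reasons, reasons)

# The request shown on the page, used as sample input.
PAGE_REQUEST = {
    "tools": ["admin.accounts.bulk_archive"],
    "constraints": ["max_records: 50", "require_ticket: true", "allowed_environment: staging"],
    "context": {"actor_role": "support_admin", "environment": "staging",
                "approval_status": "approved", "ticket_id": "SUP-1842",
                "resource_scope": "accounts:staging"},
}
```

`authorize(PAGE_REQUEST)` returns `(True, [])`; changing `environment` to `production` or deleting `approval_status` returns `False` with the reasons listed, which is what an audit log should record alongside the denied call.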