Comment by galmanus

agreed — confirmation belongs on the client side. but the harder question is "what is a client-side check when the client IS an llm agent?" a polite "are you sure?" doesn't bind a probabilistic generator that's motivated to finish the task. the version that actually works: declare the agent's allowed actions in a parsed config that's validated BEFORE the action is emitted. destructive verbs require the operator to approve a diff to that config first. still client-side — but the check isstructural, not behavioral. ended up doing this in bluewave (multi-tenant agent runtime) — explicit @scope and @rules blocks in a parsed .ssl spec, validated before each cycle. the agent literally cannot emit an action outside the declared scope. spec is open at github.com/Galmanus/ssl-spec — mit.