Safety primitives
The controls underneath autonomy. On by default.
The trust ladder decides how much autonomy an agent has. Safety primitives are the controls underneath it that keep that autonomy safe. They aren't a setting you opt into or a feature you bolt on. Every team runs on the same layer, on every Space, from the first task.
Four controls, always on
APPROVALS
Risky actions wait for you
Low-stakes work moves fast; high-stakes work pauses until a human signs off. The trust ladder decides what counts as risky, so an Observer reading a dashboard never interrupts you and an Operator about to touch billing does. Approval requests land in your Inbox.
SCOPED PERMISSIONS
Minimum access, by design
Set per agent, per Space, per integration. They're declarative — you state what's allowed, not how to enforce it. A scope reads like a sentence: this agent, in this Space, may touch this tool — and nothing past it.
BUDGETS
Spend can't run away
Set per agent, per Space, per month. Hit the cap and the system stops on its own — no overruns, no late-night billing alerts. Work in progress isn't lost; it waits for the next cycle or a raised cap. See Pricing and budgets.
AUDIT LOG
Nothing happens off the record
Every read, write, decision, approval, and demotion is recorded. The log is replayable — step through events in order — exportable so you can pull the data out anytime, and searchable by agent, time, or type.
Approvals follow the ladder
You never write a separate rulebook for what needs sign-off. The rung an agent stands on already says it: an Observer acts on nothing, a Drafter proposes, an Operator acts within scope and asks before crossing a line. Risk isn't guessed action by action — it falls out of the role you gave the agent and the latitude the Space allows.
Each Space sets its own threshold. A staging Space can let an Operator run wide. A billing Space can demand approval on every write. Same ladder, your thresholds.
Permissions you can read
A scoped permission reads like a sentence, not a config file. You state what an agent may reach — this repo, that Slack channel, the renewals database — and the system enforces it. Nothing is granted by inheritance or convenience. An agent in one Space can't see another Space's tools, and what you didn't lend, it can't touch.
Because permissions are declarative, you read them back at a glance and know exactly what an agent can do before it does anything. There's no hidden surface area to audit later.
The log is the proof
Trust is easy to claim and hard to verify. The audit log makes the claim checkable. Every action an agent takes — and every decision you make about it — is recorded with provenance, in order, for keeps.
That's what keeps the trust ladder honest. Promotions and demotions are logged events too, so the record of how much you trusted an agent — and why that changed — sits right alongside the work.
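A sketch of how the four controls could compose into one decision path, added here as an illustration and not the product's own code or API. It covers the ladder and threshold rules from "Approvals follow the ladder" and the deny-by-default scopes from "Permissions you can read". The rung names come from the page; `Scope`, `Space`, `Guard`, the outcome strings, and the sample agents and tools are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical model: only the rung names and the four controls come from the page.
@dataclass(frozen=True)
class Scope:
    agent: str
    space: str
    tool: str

@dataclass
class Space:
    name: str
    approve_writes: bool   # per-Space threshold: True means every write needs sign-off
    monthly_cap: float     # budget per agent, per Space, per month
    spent: dict = field(default_factory=dict)

@dataclass
class Guard:
    scopes: set            # declarative grants; anything not listed is denied
    rungs: dict            # agent -> "observer" | "drafter" | "operator"
    log: list = field(default_factory=list)   # append-only audit trail

    def decide(self, agent, space, tool, kind, cost=0.0):
        outcome = self._check(agent, space, tool, kind, cost)
        if outcome == "allow":
            space.spent[agent] = space.spent.get(agent, 0.0) + cost
        # Every decision is recorded in order, including denials and pauses.
        self.log.append({"seq": len(self.log), "agent": agent, "space": space.name,
                         "tool": tool, "kind": kind, "outcome": outcome})
        return outcome

    def _check(self, agent, space, tool, kind, cost):
        if Scope(agent, space.name, tool) not in self.scopes:
            return "deny"              # nothing is inherited across Spaces or tools
        if space.spent.get(agent, 0.0) + cost > space.monthly_cap:
            return "paused"            # would exceed the cap: work waits, it is not dropped
        if kind == "read":
            return "allow"
        rung = self.rungs.get(agent, "observer")   # unknown agents get the lowest rung
        if rung == "observer":
            return "deny"              # an Observer acts on nothing
        if rung == "drafter" or space.approve_writes:
            return "needs_approval"    # proposals and gated writes wait for a human
        return "allow"                 # Operator, in scope, under the Space threshold

if __name__ == "__main__":
    billing = Space("billing", approve_writes=True, monthly_cap=10.0)  # constructed sample
    g = Guard({Scope("ops-bot", "billing", "invoices")}, {"ops-bot": "operator"})
    print(g.decide("ops-bot", billing, "invoices", "write", 2.0))
    print(g.decide("ops-bot", billing, "repo", "read"))
```

The scope check runs before anything else, so an out-of-scope request is denied and logged without ever reaching the rung or budget logic.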
- Four controls run on every Space by default: approvals, scoped permissions, budgets, and an audit log.
- Approvals fall out of the trust ladder and each Space's threshold — you set latitude, never a separate rulebook.
- Everything is tightened by default and recorded with provenance, so autonomy stays something you can verify.

