Vendor “be careful with destructive ops” prompts ask for a confirmation step and call it safety – one yes/no that an agent in a hurry sails straight through. What makes this structurally distinct from a one-step confirm: PLAN and APPLY are two separately-authorized phases, PLAN mutates nothing, APPLY unlocks only on a literal token tied to the specific plan, and rollback plus a backup you have proven is current AND outside the blast radius are REQUIRED fields, not nice-to-haves. The default is read-only; execution is reachable only through an explicit gate; and “I hit a blocker so I escalated to a bigger hammer” is banned by name – the exact move that turned a credential mismatch into a wiped database and its wiped backups.
Fill in: proposed_actionenvironment
Shared as is, for reference. Read it and decide what it will do before you run it; using it is your responsibility, under the terms.