pattern detail
external-automation-standing
Restricts outbound automations such as webhooks, mass messaging, and third-party workflow execution unless the workflow is already sanctioned.
Pattern analysis
doctrinal basis
Restricted engagement zones and escalation of force, translated into outbound automation controls.
Use the summary here for context, then inspect the YAML or related patterns for the concrete rule path.
What it catches
- Prompt injection that tries to exfiltrate data through a webhook or outbound API call.
- Abuse of CRM or email tooling to send unauthorized bulk communications.
- Agent attempts to stand up a new external automation path without operator review.
policy yaml
```yaml
name: external-automation-standing
version: 1.1.0
doctrinal_basis: Standing ROE / standing rules for use of force map to always-on external automation authority boundaries; proportionality and collateral damage estimation map to target_count blast-radius caps; escalation of force maps to human approval before external automation changes proceed; restricted engagement zones map to credentials, sessions, destructive automation, security controls, audit controls, and bypass or circumvention attempts.
description: Standing external automation guardrails for agent-initiated scheduler, workflow, webhook, integration, and third-party automation actions.
rules:
  - id: deny-automation-credential-access
    applies_to:
      action_class:
        - external_automation.credentials.*
        - external_automation.secret.*
        - external_automation.token.*
        - external_automation.session.*
    decision: deny
    reasoning: Standing external automation ROE denies direct credential, secret, token, or session access; use scoped provider operations instead.
  - id: deny-automation-security-control-change
    applies_to:
      action_class:
        - external_automation.security_control.*
        - external_automation.approval_gate.*
        - external_automation.audit_log.*
        - external_automation.monitoring.*
    decision: deny
    reasoning: Standing external automation ROE denies changes to security controls, approval gates, audit logs, or monitoring controls.
  - id: deny-destructive-automation
    applies_to:
      action_class:
        - external_automation.job.delete
        - external_automation.workflow.delete
        - external_automation.webhook.delete
        - external_automation.integration.delete
        - external_automation.run.cancel_all
        - external_automation.remote_execution.*
    decision: deny
    reasoning: Destructive external automation is outside standing authority and must not be executed by an agent.
  - id: deny-high-target-count-automation
    applies_to:
      action_class:
        - external_automation.job.create
        - external_automation.job.update
        - external_automation.job.run
        - external_automation.workflow.create
        - external_automation.workflow.update
        - external_automation.workflow.enable
        - external_automation.workflow.disable
        - external_automation.workflow.run
        - external_automation.webhook.create
        - external_automation.webhook.update
        - external_automation.integration.sync
        - external_automation.api.write
    conditions:
      - type: blast_radius_max
        parameter: target_count
        threshold: 25
    decision: deny
    reasoning: Requested external automation affects ${target_count} targets, exceeding the standing 25-target hard cap.
  - id: deny-automation-evasion-or-bypass
    applies_to:
      action_class:
        - external_automation.evasion.*
        - external_automation.bypass.*
        - external_automation.circumvention.*
    decision: deny
    reasoning: Standing external automation ROE denies attempts to bypass controls, approval gates, logging, rate limits, or monitoring.
  - id: escalate-automation-state-change
    applies_to:
      action_class:
        - external_automation.job.create
        - external_automation.job.update
        - external_automation.job.run
        - external_automation.workflow.create
        - external_automation.workflow.update
        - external_automation.workflow.enable
        - external_automation.workflow.disable
        - external_automation.workflow.run
        - external_automation.webhook.create
        - external_automation.webhook.update
        - external_automation.integration.sync
        - external_automation.api.write
    decision: escalate
    escalation:
      requires: human_approval
      via: automation-ops
    reasoning: External automation state changes require automation-ops approval under standing ROE before execution.
  - id: allow-automation-readonly
    applies_to:
      action_class:
        - external_automation.read.*
        - external_automation.status.view
        - external_automation.job.list
        - external_automation.workflow.view
        - external_automation.webhook.view
        - external_automation.integration.view
        - external_automation.audit.view
    decision: allow
    reasoning: Read-only external automation lookup is authorized under standing ROE when it does not mutate external systems, schedules, workflows, webhooks, integrations, credentials, or controls.
  - id: allow-automation-dry-run
    applies_to:
      action_class:
        - external_automation.plan.preview
        - external_automation.workflow.dry_run
        - external_automation.job.dry_run
    decision: allow
    reasoning: Non-mutating external automation preview or dry-run is authorized under standing ROE when the adapter guarantees no external state change.
```
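The rule path for a single request, as an added example (not the project's own evaluator), with the rule table transcribed from the policy YAML. It assumes rules are checked top to bottom with the first match winning, that `blast_radius_max` fires only when `target_count` exceeds the threshold, that a missing `target_count` fails closed, and that unmatched actions are denied; the function name `evaluate` and the `default-deny` label are hypothetical.

```python
from fnmatch import fnmatchcase

P = "external_automation."
# State-changing classes shared by the target-count cap and the escalation rule.
STATE_CHANGE = [P + a for a in (
    "job.create", "job.update", "job.run", "workflow.create", "workflow.update",
    "workflow.enable", "workflow.disable", "workflow.run", "webhook.create",
    "webhook.update", "integration.sync", "api.write")]

# (rule id, action_class patterns, decision, blast-radius threshold or None),
# listed in the same order as the policy YAML.
RULES = [
    ("deny-automation-credential-access",
     [P + "credentials.*", P + "secret.*", P + "token.*", P + "session.*"], "deny", None),
    ("deny-automation-security-control-change",
     [P + "security_control.*", P + "approval_gate.*", P + "audit_log.*",
      P + "monitoring.*"], "deny", None),
    ("deny-destructive-automation",
     [P + "job.delete", P + "workflow.delete", P + "webhook.delete",
      P + "integration.delete", P + "run.cancel_all", P + "remote_execution.*"],
     "deny", None),
    ("deny-high-target-count-automation", STATE_CHANGE, "deny", 25),
    ("deny-automation-evasion-or-bypass",
     [P + "evasion.*", P + "bypass.*", P + "circumvention.*"], "deny", None),
    ("escalate-automation-state-change", STATE_CHANGE, "escalate", None),
    ("allow-automation-readonly",
     [P + "read.*", P + "status.view", P + "job.list", P + "workflow.view",
      P + "webhook.view", P + "integration.view", P + "audit.view"], "allow", None),
    ("allow-automation-dry-run",
     [P + "plan.preview", P + "workflow.dry_run", P + "job.dry_run"], "allow", None),
]

def evaluate(action_class, target_count=None):
    """Return (decision, rule_id) for one requested action."""
    for rule_id, patterns, decision, cap in RULES:
        if not any(fnmatchcase(action_class, p) for p in patterns):
            continue
        # Assumed semantics: the cap rule fires only above the threshold;
        # a missing target_count is treated as over the cap (fail closed).
        if cap is not None and target_count is not None and target_count <= cap:
            continue
        return decision, rule_id
    return "deny", "default-deny"  # assumed: unmatched actions are denied
```

Under these assumptions the cap rule must stay above the escalation rule: with the order reversed, a 40-target webhook change would be routed to approval instead of hitting the hard deny.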