pattern detail
outbound-communications-standing
Allows agents to read, draft, and preview communications while requiring human approval before email, chat, ticket, recruiter, social, or webhook messages leave the system.
Pattern analysis
doctrinal basis
Positive identification, proportionality, collateral damage estimation, and escalation of force for reputation-bearing external messages.
Use the summary here for context, then inspect the YAML or related patterns for the concrete rule path.
What it catches
- Prompt injection that turns “draft a reply” into “send it to the customer now.”
- Unauthorized social, chat, recruiter, or support replies that would be externally visible.
- Mass-send, impersonation, credential access, approval bypass, and private-thread export attempts.
policy yaml
name: outbound-communications-standing
version: 1.1.0
doctrinal_basis: Standing ROE / standing rules for use of force map to always-on external communication authority boundaries; positive identification maps to recipient confirmation before outbound messages; proportionality and collateral damage estimation map to recipient_count, channel_count, and audience_size blast-radius caps; escalation of force maps to human approval before sending, publishing, notifying, or replying externally; restricted engagement zones map to impersonation, credentials, approval bypass, deletion, private-thread export, spam, harassment, and commitment-making action spaces.
description: Standing outbound communications guardrails for agent-initiated email, chat, support ticket, customer, recruiter, social, webhook, and other third-party-facing message actions.
rules:
  - id: deny-communications-credential-access
    applies_to:
      action_class:
        - communications.credentials.*
        - communications.secret.*
        - communications.token.*
        - communications.session.*
    decision: deny
    reasoning: Standing outbound communications ROE denies direct credential, secret, token, or session access; use scoped communication-provider operations instead.
  - id: deny-communications-impersonation
    applies_to:
      action_class:
        - communications.impersonation.*
        - communications.identity.spoof
        - communications.sender.forge
    decision: deny
    reasoning: Standing outbound communications ROE denies impersonation, forged sender identity, or false identity claims.
  - id: deny-communications-approval-bypass
    applies_to:
      action_class:
        - communications.bypass_approval.*
        - communications.approval_gate.*
        - communications.audit_log.*
    decision: deny
    reasoning: Standing outbound communications ROE denies attempts to bypass approval, weaken approval gates, or alter communication audit logs.
  - id: deny-communications-history-or-private-export
    applies_to:
      action_class:
        - communications.delete_history
        - communications.history.delete
        - communications.export_private_threads
        - communications.private_threads.export
    decision: deny
    reasoning: Standing outbound communications ROE denies message-history deletion and broad export of private communication threads.
  - id: deny-communications-abuse-or-commitment
    applies_to:
      action_class:
        - communications.spam.*
        - communications.harassment.*
        - communications.legal_commitment.*
        - communications.financial_commitment.*
    decision: deny
    reasoning: Standing outbound communications ROE denies spam, harassment, and legal or financial commitments under standing authority.
  - id: deny-communications-mass-send
    applies_to:
      action_class:
        - communications.mass_send
        - communications.broadcast.bulk
        - communications.email.send
        - communications.chat.send
        - communications.ticket.reply
        - communications.customer.reply
        - communications.recruiter.reply
        - communications.social.post
        - communications.webhook.notify
        - communications.broadcast.small
    conditions:
      - type: blast_radius_max
        parameter: recipient_count
        threshold: 25
    decision: deny
    reasoning: Requested outbound communication affects ${recipient_count} recipients, exceeding the standing 25-recipient hard cap.
  - id: deny-communications-high-channel-count
    applies_to:
      action_class:
        - communications.mass_send
        - communications.broadcast.bulk
        - communications.chat.send
        - communications.social.post
        - communications.webhook.notify
        - communications.broadcast.small
    conditions:
      - type: blast_radius_max
        parameter: channel_count
        threshold: 5
    decision: deny
    reasoning: Requested outbound communication affects ${channel_count} channels, exceeding the standing 5-channel hard cap.
  - id: deny-communications-high-audience-size
    applies_to:
      action_class:
        - communications.mass_send
        - communications.broadcast.bulk
        - communications.social.post
        - communications.webhook.notify
        - communications.broadcast.small
    conditions:
      - type: blast_radius_max
        parameter: audience_size
        threshold: 100
    decision: deny
    reasoning: Requested outbound communication reaches an estimated ${audience_size} people, exceeding the standing 100-person audience hard cap.
  - id: escalate-communications-outbound
    applies_to:
      action_class:
        - communications.email.send
        - communications.chat.send
        - communications.ticket.reply
        - communications.customer.reply
        - communications.recruiter.reply
        - communications.social.post
        - communications.webhook.notify
        - communications.broadcast.small
    decision: escalate
    escalation:
      requires: human_approval
      via: communications-ops
    reasoning: Outbound communication requires communications-ops approval under standing ROE before external send, publish, notify, or reply.
  - id: allow-communications-readonly
    applies_to:
      action_class:
        - communications.read.*
        - communications.search.*
        - communications.thread.view
        - communications.classify
        - communications.summarize
    decision: allow
    reasoning: Read-only communication inspection, classification, and summarization are authorized under standing ROE when they do not send, publish, notify, delete, export, expose private threads, or access credentials.
  - id: allow-communications-drafting
    applies_to:
      action_class:
        - communications.draft.create
        - communications.draft.update
        - communications.preview
    decision: allow
    reasoning: Non-sending communication drafting and preview are authorized under standing ROE when the adapter guarantees no external message is delivered.
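
The rule order in the policy (hard denies, then blast-radius caps, then escalation, then read and draft allows) can be exercised with a small evaluator. This is an added example, not the project's own engine: it assumes first-match-wins evaluation, that blast_radius_max fires only when the value is above the threshold, and a default deny for unmatched actions; `evaluate`, `RULES`, `SENDS` and the sample action `communications.token.read` are constructed for illustration.

```python
from fnmatch import fnmatchcase

SENDS = ["communications.email.send", "communications.chat.send",
         "communications.ticket.reply", "communications.customer.reply",
         "communications.recruiter.reply", "communications.social.post",
         "communications.webhook.notify", "communications.broadcast.small"]

# Constructed subset of the policy above, kept in the same order.
RULES = [
    {"id": "deny-communications-credential-access", "decision": "deny",
     "classes": ["communications.credentials.*", "communications.secret.*",
                 "communications.token.*", "communications.session.*"]},
    {"id": "deny-communications-mass-send", "decision": "deny",
     "classes": ["communications.mass_send", "communications.broadcast.bulk"] + SENDS,
     "cap": ("recipient_count", 25)},
    {"id": "escalate-communications-outbound", "decision": "escalate",
     "classes": SENDS},
    {"id": "allow-communications-drafting", "decision": "allow",
     "classes": ["communications.draft.create", "communications.draft.update",
                 "communications.preview"]},
]


def evaluate(action_class, params=None):
    """Return (decision, rule_id) for one requested action.

    Assumptions: first matching rule wins, blast_radius_max fires when the
    value is strictly above the threshold, a missing parameter leaves the cap
    unfired, and an action matching no rule is denied.
    """
    params = params or {}
    for rule in RULES:
        if not any(fnmatchcase(action_class, pat) for pat in rule["classes"]):
            continue
        if "cap" in rule:
            name, threshold = rule["cap"]
            if params.get(name, 0) <= threshold:
                continue  # under the cap: keep looking, usually ends in escalate
        return rule["decision"], rule["id"]
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed requests: the first is the injected "send it now" case.
    for req in [("communications.customer.reply", {"recipient_count": 1}),
                ("communications.email.send", {"recipient_count": 40}),
                ("communications.draft.create", {}),
                ("communications.token.read", {})]:
        print(req[0], "->", evaluate(*req))
```

Under these assumptions a `communications.mass_send` request below the cap matches no later rule and is denied by default, because that action class appears in no escalate or allow list.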