topic · advanced

Capability Gating

Tier the destructive actions the agent can take — default: least privilege.

2 hours · 1 prerequisite

A least-privilege agent assigns each tool one of three tiers:

  1. Read-only — fetches info, doesn't change the world. Default-allowed.
  2. Write (reversible) — drafts, prepares emails, creates files. User approval required (Claude Desktop pattern).
  3. Destructive (irreversible) — deletes files, sends emails, makes payments. Mandatory HITL + double confirmation.

Implementation: give each tool a capability_tier enum value and enforce it in middleware. For tier 2 and tier 3 actions, show the user a structured "approve/deny" prompt.

Anthropic Computer Use and Claude Desktop apply this: a modal popup appears when a destructive tool is called.
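A sketch of the tier enum plus middleware described above, as an added example (not code from this page or from any Anthropic product). The names `CapabilityTier`, `Tool`, `Gate`, `Denied` and the `approver` callback are hypothetical. Denying unregistered tools and treating a failed prompt as a denial are assumptions added here.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Any, Callable

class CapabilityTier(IntEnum):
    READ_ONLY = 1    # fetches info only: default-allowed
    WRITE = 2        # reversible change: one user approval
    DESTRUCTIVE = 3  # irreversible: human in the loop, confirmed twice

APPROVALS = {CapabilityTier.READ_ONLY: 0, CapabilityTier.WRITE: 1, CapabilityTier.DESTRUCTIVE: 2}

@dataclass(frozen=True)
class Tool:
    name: str
    tier: CapabilityTier
    fn: Callable[..., Any]

class Denied(Exception):
    """Raised when a call is blocked; the tool function never ran."""

class Gate:
    """Middleware between the agent and its tools (hypothetical names)."""
    def __init__(self, tools, approver):
        self._tools = {t.name: t for t in tools}
        self._approver = approver  # UI callback: structured prompt dict -> bool
        self.audit = []            # (tool name, decision) for later review

    def _approved(self, tool, args, step, total):
        prompt = {"tool": tool.name, "tier": tool.tier.name, "args": dict(args),
                  "confirmation": f"{step}/{total}", "choices": ["approve", "deny"]}
        try:
            return self._approver(prompt) is True  # anything but True is a deny
        except Exception:
            return False                           # prompt failure fails closed

    def call(self, name, **args):
        tool = self._tools.get(name)
        if tool is None:                           # no declared tier, no execution
            raise Denied(f"unregistered tool: {name}")
        total = APPROVALS[tool.tier]
        for step in range(1, total + 1):
            if not self._approved(tool, args, step, total):
                self.audit.append((name, "denied"))
                raise Denied(f"{name}: denied at confirmation {step}/{total}")
        self.audit.append((name, "allowed"))
        return tool.fn(**args)

if __name__ == "__main__":  # constructed demo: the approver denies every prompt
    tools = [Tool("read_file", CapabilityTier.READ_ONLY, lambda path: f"<{path}>")]
    print(Gate(tools, lambda prompt: False).call("read_file", path="notes.txt"))
```

The tier is a property of the tool registration, so the model cannot lower it through its arguments; the second tier 3 confirmation is a separate prompt, and a denial at either step stops the call.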

Prerequisites