Human-in-the-Loop
Where to surface confirmation prompts without breaking flow.
Always require human confirmation for irreversible operations: deploys, deletes, money movement, outbound messages. Use a *permission tool* the model must call — never just trust prose intent.
Real-world example: Trading-desk drafting assistant
A buy-side desk uses an agent to draft FX orders from research notes. The agent does the research, sizes the trade, builds the order ticket — and then stops. It must call a request_trader_approval tool that surfaces the ticket in the trader's UI for a one-click confirm.
```js
tools.request_trader_approval({
  pair: "EURUSD",
  side: "BUY",
  size: 2_500_000,
  rationale: "ECB statement-driven asymmetric upside; SL 1.0820 TP 1.0980",
  expires_in_sec: 60,
});
```

The trader's click is the only way the order leaves the system. Approval lives in code, not in prose.
Why this matters: irreversible, externally visible actions — money movement, outbound email, infrastructure changes — *always* gate behind an explicit permission tool. Never trust the model's word that it should proceed.
- Irreversible actions require explicit confirmation
- Outbound messages always confirm
- Deploys and deletes always confirm
- Use a permission tool, not prose intent
- Read-only actions need not confirm
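
One way to enforce the gate server-side, as an added example that is not code from the original page: the model-facing tool can only queue a ticket, and the execution path refuses anything without a live, single-use human approval. `ApprovalGate`, `approve`, `submitOrder`, the in-memory store and the ticket ids are hypothetical.

```javascript
// Added example; ApprovalGate, approve and submitOrder are hypothetical names.
class ApprovalGate {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.pending = new Map();  // id -> { ticket, expiresAt, approvedBy }
    this.nextId = 1;           // constructed ids; use unguessable ids in practice
    this.sent = [];            // stands in for the real order gateway
  }

  // Model-facing tool: can only queue a ticket for human review.
  requestTraderApproval({ pair, side, size, rationale, expires_in_sec }) {
    const id = `T${this.nextId++}`;
    const ticket = Object.freeze({ pair, side, size, rationale });
    const expiresAt = this.now() + expires_in_sec * 1000;
    this.pending.set(id, { ticket, expiresAt, approvedBy: null });
    return { id, status: "PENDING" };
  }

  // Called from the trader's authenticated UI session, never exposed as a tool.
  approve(id, traderId) {
    const entry = this.pending.get(id);
    if (!entry || this.now() > entry.expiresAt) return false;
    entry.approvedBy = traderId;
    return true;
  }

  // Execution path: sends only the ticket the trader saw, and only once.
  submitOrder(id) {
    const entry = this.pending.get(id);
    if (!entry) return { ok: false, reason: "unknown_ticket" };
    if (this.now() > entry.expiresAt) return { ok: false, reason: "expired" };
    if (!entry.approvedBy) return { ok: false, reason: "not_approved" };
    this.pending.delete(id); // single use: an approved ticket cannot be replayed
    this.sent.push({ ...entry.ticket, approvedBy: entry.approvedBy });
    return { ok: true };
  }
}

// Constructed walk-through: submission is attempted before any trader click.
function demo() {
  const gate = new ApprovalGate();
  const { id } = gate.requestTraderApproval({
    pair: "EURUSD", side: "BUY", size: 2_500_000, rationale: "constructed", expires_in_sec: 60,
  });
  const before = gate.submitOrder(id).reason; // refused: no approval recorded yet
  gate.approve(id, "trader-1");
  return [before, gate.submitOrder(id).ok, gate.submitOrder(id).reason];
}
console.log(demo());
```

Because `submitOrder` takes only the ticket id, the order that leaves the system is the frozen ticket the trader reviewed, not whatever the model supplies afterwards.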
