Human approvals
engineer9 never runs a destructive or sensitive command on its own. When it wants to, it asks the right person in Slack and waits. Nothing runs until a human approves it.
The flow
Section titled “The flow”When engineer9 needs to run something that isn’t in the safe set, it raises an Approval request:
- It posts the request in the relevant thread, routed to the owner responsible for that area.
- It blocks, so the command does not run while the request is pending.
- The approver responds, and the request resolves to one of three outcomes.
Three outcomes
Section titled “Three outcomes”| Outcome | What happens |
|---|---|
| Approve | The command runs, and engineer9 continues with the result. |
| Deny | The command does not run. engineer9 acknowledges and moves on. |
| Expire | If no one responds within the time-to-live, the request lapses. The command does not run, and engineer9 does not re-ping. |
You approve or deny right on the request in Slack. There’s no need to leave the thread.
The Expire outcome is deliberate: engineer9 won’t badger anyone. A request that goes unanswered lapses, so approvals never turn into a stream of repeated pings.
What needs approval
Section titled “What needs approval”Approval is decided by command class rather than a list of individual commands:
- Read-safe actions such as reading files, searching memory, and fetching status run without prompting.
- Destructive actions such as writes, deletes, external mutations, and anything with real consequences (for example, a cluster command like
kubectl delete ...) always prompt.
Who gets asked
Section titled “Who gets asked”engineer9 routes the request to the owner of the relevant area, using the Roster it has built. When there’s no clear owner, it routes to a workspace admin and the requester, and either can approve or deny.
When a command fails
Section titled “When a command fails”If an approved command runs but errors, engineer9 reports what happened, why, and what to try next. It posts the actual error in the thread rather than silently swallowing it or saying “something went wrong.”
History and auto-promote
Section titled “History and auto-promote”Your dashboard’s Approvals page shows a read-only history of every decision: what was approved, what was denied, and how often. When you approve the same action enough times, engineer9 auto-promotes it to run without prompting from then on, so routine, trusted actions stop interrupting you. (You approve and deny live requests in Slack; the dashboard is the record.)