The Proposal System: How AI Agents Ask Permission Before Acting
Walk through Klawty's 6-state proposal lifecycle — from pending to completed with rollback — and the 5-tier autonomy model that decides when agents need approval.
Silent autonomy is dangerous
The agent sees an overdue invoice. It drafts an email to the client. It sends the email. The client receives a passive-aggressive payment reminder that your agent composed without your knowledge. This happened to us. The client was not amused.
Fully autonomous agents are a liability. Fully manual agents are useless. The answer is a governance layer: agents propose actions, the system validates them, and humans approve when the stakes are high enough.
The 5-tier autonomy model
Every tool in Klawty has a risk level. The risk level determines how much autonomy the agent gets:
| Tier | Name | Behavior | Example Tools |
|------|------|----------|---------------|
| 1 | AUTO | Execute immediately, no notification | search, fetch, read, recall |
| 2 | AUTO+ | Execute + notify on Discord/Slack | draft-email, update-tracker, create-task |
| 3 | PROPOSE | Execute with 15-min rollback window | send-email, staging-deploy, publish-content |
| 4 | CONFIRM | Wait for human approval (Discord reaction) | production-deploy, delete-data, change-config |
| 5 | BLOCK | Hardcoded no-op, always returns error | financial-transfer, legal-action, credential-rotation |
Tier 1-2 tools let agents work autonomously on routine tasks. Tier 3-4 tools create proposals. Tier 5 tools never execute — period.
The 6-state lifecycle
When an agent calls a Tier 3 or 4 tool, the system creates a proposal instead of executing the action directly:
pending → sentinel_approved → executing → completed
→ rolled_back
→ rejected (by Sentinel or human)
Pending — Proposal created. Dedup check passes (no identical pending proposal from the same agent). Posted to Discord with details.
Sentinel approved — The safety agent (Sentinel) validates against 9 business rules. Does the email contain prohibited content? Is the deploy target allowed? Does the financial amount exceed thresholds? If all rules pass, the proposal advances.
Executing — For PROPOSE tier: execution begins immediately with a 15-minute rollback window. For CONFIRM tier: execution waits for a human reaction on Discord.
Completed — The rollback window expires without objection, or the human approves. The action is committed. The originating task is marked done.
Rolled back — During the 15-minute window, a human (or Sentinel) flags the action. The system reverses it. Email? Unsent (draft only during window). Deploy? Reverted to previous version.
Rejected — Sentinel fails the proposal on a business rule, or the human reacts with a rejection emoji. The task returns to the backlog with an explanation.
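The lifecycle above written as an explicit transition table with the tier rule enforced at approval time, as an added example (not Klawty's own code). The `Proposal` class, its method names, the caller-supplied `now` timestamps and the choice to measure the rollback window from the start of execution are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ROLLBACK_WINDOW_S = 15 * 60  # rollback window stated in the article

# Legal moves between the six states; anything else is refused.
TRANSITIONS = {
    "pending": {"sentinel_approved", "rejected"},
    "sentinel_approved": {"executing", "rejected"},
    "executing": {"completed", "rolled_back"},
    "completed": set(), "rolled_back": set(), "rejected": set(),
}

@dataclass
class Proposal:  # hypothetical model, not the project's schema
    agent: str
    tool: str
    tier: str                 # "PROPOSE" or "CONFIRM"
    state: str = "pending"
    started_at: float = 0.0   # epoch seconds, set when execution begins
    audit: list = field(default_factory=list)

    def _move(self, new_state, actor):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        self.audit.append((self.state, new_state, actor))  # audit trail entry
        self.state = new_state

    def sentinel_review(self, rules_passed):
        self._move("sentinel_approved" if rules_passed else "rejected", "sentinel")

    def approve(self, actor, is_human, now):
        # CONFIRM tier: an agent (e.g. the orchestrator) may not approve.
        if self.tier == "CONFIRM" and not is_human:
            raise PermissionError("CONFIRM tier requires a human approval")
        self._move("executing", actor)  # only reachable after Sentinel approval
        self.started_at = now

    def reject(self, actor):
        self._move("rejected", actor)

    def rollback(self, actor, now):
        if self.state == "executing" and now - self.started_at > ROLLBACK_WINDOW_S:
            raise TimeoutError("rollback window has expired")
        self._move("rolled_back", actor)

    def complete(self, now):
        if self.tier == "PROPOSE" and now - self.started_at < ROLLBACK_WINDOW_S:
            raise RuntimeError("rollback window still open")
        self._move("completed", "system")
```

Because `executing` is reachable only from `sentinel_approved`, neither an agent nor a human reaction can start execution on a proposal that Sentinel has not reviewed.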
Discord as the approval interface
Proposals post to Discord with a structured embed: agent name, action, details, risk tier, evidence. Two reactions are available:
- Approve — the action executes (or the rollback window starts)
- Reject — the proposal is rejected, task returns to backlog
🔔 PROPOSAL from Leila (PROPOSE tier)
Action: send-email
To: [email protected]
Subject: Invoice #2847 — Payment Terms Update
Evidence: Client requested 30-day terms in email thread #847
⏱️ 15-min rollback window after approval
React: ✅ approve | ❌ reject
For PROPOSE tier, Nour (the orchestrator agent) can auto-approve if the proposal passes Sentinel validation. The human still has 15 minutes to override. For CONFIRM tier, only a human reaction triggers execution.
Why this works
The proposal system adds ~30 seconds of latency for risky actions. In exchange, you get an audit trail of every significant decision, a rollback mechanism for mistakes, and the confidence to let agents run unsupervised at 3 AM.
The 8-agent system processes about 40 proposals per week. Of those, roughly 35 are auto-approved (PROPOSE tier, Sentinel-validated). About 5 require human confirmation. Zero have needed rollback in the last month — because Sentinel catches the problems before execution.