Permission ProtocolBack to site →

BEAT 2 · DECISION

A real person makes the call. Always.

Permission Protocol does not decide. It routes the decision to a human signer with the authority to approve. This is what Rod Carvalho, the CTO and signer of record, sees when his agent tries to ship a destructive change.

PENDING AUTHORITY DECISION · AWAITING SIGNER

REQUEST · 2026-05-14 13:47 UTC · req_a8f3d2c1

Approve destructive write on prod-db-1?

Your agent agent-sql-runner is requesting authority to execute 2 destructive SQL statements against production. Decide within 10 minutes or the request expires automatically.

DESTRUCTIVE WRITEPCI SCOPE47,238 ROWS AFFECTED

SIGNER

Rod Carvalho · CTO · Verified via Okta SSO

POLICY

prod-write-requires-signer (v3)

REQUESTED

agent-sql-runner · instance prod-runner-7

TARGET

prod-db-1.us-east-2

SQL PAYLOAD · 2 STATEMENTSDESTRUCTIVE

DELETE FROM users WHERE created_at < '2024-01-01';

ALTER TABLE payments DROP COLUMN cvv;

IF YOU APPROVE

  1. 2 SQL statements execute on prod-db-1
  2. 47,238 user rows deleted; payments.cvv column dropped
  3. Signed receipt issued under your identity (Rod Carvalho)
  4. Receipt exportable as JSON, PDF, or shareable link
  5. GitHub PR #184 commit check transitions to passing
  6. Audit log entry written to your org's Permission Protocol ledger

IF YOU REJECT

  1. Agent execution halted; no data changes occur
  2. Signed receipt issued documenting the rejection
  3. Agent receives denial code and reason
  4. Agent can re-request with a revised, narrower plan
  5. GitHub PR #184 stays blocked
REQUEST EXPIRES IN 09:42 · ed25519 SIGNATURE REQUIREDPERMISSION PROTOCOL REVIEW · v3.2.1
INTERCEPTION
·DECISION
·RECEIPT

Demo. No real systems were changed.