Capability classification
Four boundaries, decided before anything runs.
Every action a system exposes gets one of four boundaries the moment it is connected. That classification is what lets Cuttlefish work fast on the safe things and stay deliberate on the serious ones.
Read-only
Look, don't touch. Cuttlefish can inspect or pull information but cannot change anything. Example: read the status of a deployment or summarize an open support ticket — nothing in the system is altered.
Prepare-only
Draft and stage, but stop short of doing it. Cuttlefish can write a proposed change and lay it out for you, while the real action waits. Example: draft an update to a ticket or plan a configuration change you then review.
Approval-required
Ask first, every time. Before a consequential change, Cuttlefish pauses with a clear card showing exactly what is about to happen — and you allow, deny, adjust the scope, or run a safe dry-run. Example: apply that ticket update or push a setting change.
Blocked
Off-limits, full stop. The action is either shown as unavailable or never exposed at all, and no approval can override it from inside a conversation. Example: deleting a resource your team marked as never-allowed.
The default is "no."
An action that hasn't been described and allowed simply doesn't run. There is no path where an uncertain check quietly becomes a yes — when Cuttlefish isn't sure it's allowed, it does nothing and tells you why. You widen what a system can do on purpose, in one place, whenever you're ready.