Gating an Always-On Agent's Write/Send Actions: Pattern Survey and Fit for a Single-Operator COO Agent
The question
What are the established patterns for gating an always-on agent's write/send actions (human-in-the-loop, supervisor-agent, capability tokens, dual-control), and which fit a single-operator COO agent?
What we already know (from the vault)
- RDCO already has a v0 design for the exact build: a fourth
/verify-*sibling (/verify-write-action, aka the "Seymour Cash" supervisor) that judges an intended action against policy + economics + L5 authority, layered on top ofverify-action's mechanical hook. APPROVE is defined as necessary-not-sufficient (clears the critique, never authorizes the fire); supervisor fails CLOSED on Tier-A actions ([[2026-06-04-supervisor-agent-write-path-pattern-design-v0]]). - The verification chassis is already standardized: fresh-eyes mandatory (the actor cannot self-supervise), read-source-of-truth-fresh, structured verdict, no-auto-execute, depth=1 recursion stop, max-2-iterate-then-escalate, two-gate PASS / FAIL→{ITERATE|SCRAP} verdict shape ([[2026-05-19-verification-as-independent-worker-pattern]], [[2026-05-20-verify-stack-two-gate-pass-fail-architecture]]).
- The motivating failure for the pre-send gate is fabricated-evidence / batched-result-declaration: Ray has declared results not tied to a real current-turn tool call. The gate's job is provenance, not just quality ([[2026-06-03-every-opus-4-8-gets-in-your-way]], [[feedback_no_batched_result_declaration]]).
- The pattern lineage is Project Vend Phase 2: single-agent Claudius failed from helpfulness bias (over-refunding, over-discounting), and the fix was organizational oversight (a CEO forcing verification before commitment), not a better prompt ([[2026-05-01-vending-bench-research-brief]]). The supervisor operationalizes two Miura-Ko L5 markers: acts within delegated authority, escalates when consequence exceeds it ([[2026-05-01-ann-miura-ko-six-levels-ai-pilled-organizations]]).
- Existing class gates already exist and the supervisor sits in front of them, never replacing them: external email is founder-gated ([[feedback_no_autonomous_external_email]]), and the auto-mode classifier hard-gates deploy/production writes ([[feedback_automode_classifier_hard_gate]]).
What the web says
- Human-in-the-loop interrupt/approval is the dominant framework pattern. LangGraph/LangChain pause execution with
interrupt()before a side-effecting tool runs, persist state via a checkpointer, and resume after a human decision. The human can approve / edit (modify args) / reject (with feedback) / respond, and the canonical maturity ladder is three levels: no gate for read-only, review-after (async) for medium-risk, approve-before (sync) for high-risk (LangChain HITL docs). - Gate on the action class and arguments, not the tool blanketly. A
whenpredicate inspects the tool-call request and returns interrupt/auto-approve, so you can pass non-SELECT SQL or out-of-workspace writes while letting reads through. Read-only operations are explicitly ungated to avoid latency (LangChain HITL docs). - OpenAI splits the problem into automatic guardrails vs. human review. Guardrails (input / output / tool) validate automatically; tool guardrails "check arguments or results around a function tool call" at the moment of action; human review pauses the run so a person can approve/reject. OpenAI explicitly recommends approvals for "side effects like cancellations, edits, shell commands, or sensitive MCP actions," and treats approval as resumable run state (OpenAI guardrails & approvals). Anthropic similarly argues "any output that can cause a side effect needs a validator between the agent and the real world" (Anthropic, Building Effective Agents).
- Dual-control reframed for agents = Meta's "Agents Rule of Two": within one session an agent should hold no more than two of {[A] processes untrusted input, [B] accesses sensitive data, [C] can change state or communicate externally}. If all three are needed, it must not run autonomously and requires human-in-the-loop approval; concrete example: a booking agent must get "human confirmation of any action, like making a reservation or paying a deposit" (Meta, Agents Rule of Two).
- Capability-based security is the identity/infra-layer pattern. Model each agent's authority as unforgeable, signed, single-tool capability tokens scoped to read/write/execute with a short TTL (recommended 60-300s); the runtime verifies the capability before any tool fires. Every tool call maps to a structured permission check (subject, action, resource) with contextual constraints like spend thresholds and rate limits (Token Security, SuperTokens, auth for AI agents).
- Supervisor/critic agent = a validator that carries judgment mechanical checks can't. This is the only pattern that catches "you're about to refuse a $100 offer on a $15 item." It is the structural answer to helpfulness/agreement bias, but it puts an LLM in the verification layer, so guidance is to pair it with a deterministic tier and fail safely (MIT Tech Review's governance framing; OpenAI layering guardrails under human review).
Convergences and contradictions
Convergences. Every source agrees on the same skeleton: (1) read-only is ungated; (2) side-effecting actions need a validator between the agent and the world; (3) gate on action class + actual arguments, not tool identity; (4) approval is a resumable state, not a blocking spin; (5) the deterministic/mechanical check and the judgment/human check are different layers that compose. RDCO's v0 two-layer stack (mechanical verify-action hook + LLM verify-write-action supervisor) is a faithful instance of this consensus, and its Tier-A/Tier-B action taxonomy is exactly the "gate the classes that move money / cross the boundary / are hard to reverse" rule everyone lands on.
Contradictions / tensions for the always-on single-operator case. (1) Sync approve-before is the industry gold standard but is incompatible with an always-on loop and a single human who sleeps the no-blocking-modal rule ([[feedback_no_blocking_modal_in_monitoring]]) forbids it. (2) The "two-person rule" literally cannot apply there is only one operator; a second human approver does not exist. (3) Capability tokens assume multi-agent / multi-tenant identity governance and signing infrastructure that's heavy overkill for a single local harness and is not where the actual RDCO failure mode lives. (4) Putting an LLM in the verification layer risks confabulation contaminating the gate itself ([[2026-04-19-kingsbury-future-of-everything-is-lies]]), which is why the deterministic tier must remain underneath and own provenance.
Synthesis for RDCO
The four named patterns are not alternatives to pick among; they are four layers of one stack, and the single-operator always-on shape determines how each is adapted rather than whether it is used. Capability-based security contributes a principle, not its infrastructure: the useful idea is per-action scoping with contextual constraints (spend thresholds, rate limits, class-specific TTL-like freshness), which RDCO already approximates via the Tier-A taxonomy, per-class dollar thresholds, and the classifier hard-gate. Dual-control contributes Meta's Rule of Two as a framing lens: the channels surface routinely combines [A] untrusted input (incoming messages, pasted content) with [C] external communication, so the correct invariant is "never let the third property join unsupervised" and the missing "second control" is supplied not by a second human but by the fresh-eyes supervisor plus the mechanical gate. The two-person rule becomes a two-control rule. Human-in-the-loop is retained only in its async form: for the rare irreversible Tier-A class (external email, money, outbound call), the founder is the approver, but via park-with-a-deadline escalation, never a blocking sync interrupt exactly as v0 §6 already specifies.
The supervisor-agent pattern is the right spine for the judgment layer, and v0 is well-aligned with the external literature; I would not redesign it. But the brief's stated #1 build is narrower and more important than "judge the wisdom of an action": it is provenance "can't send a channel message or write durable state that isn't tied to a verified current-turn tool result." That is a deterministic property, and it belongs in Layer 1 (verify-action), not the LLM supervisor, because (a) it must be cheap and run on every outbound message and durable write (Tier-B included, where the supervisor deliberately does not fire), and (b) a confabulating LLM is the wrong thing to ask "is this claim real?" The concrete recommendation: add a provenance/grounding rule to the verify-action mechanical hook that, for any outbound message or durable write, requires every cited id / path / result / "done" claim to reference a tool observation in the current turn's transcript, blocking otherwise. This is the capability-token idea inverted onto data instead of tools the "capability" being spent is a fresh, current-turn observation, and a write without one is unauthorized. It directly closes the [[feedback_no_batched_result_declaration]] failure that motivated the build.
So the recommended pre-send/pre-write gate is the v0 two-layer stack with one addition and one ordering clarification. Layer 1 (deterministic, every write): verify-action hook = existing format/voice checks plus the new provenance/grounding check; fails open on crash for low-stakes mechanics but the provenance rule should fail closed for any claim asserting a result. Layer 2 (judgment, Tier-A only): the /verify-write-action fresh-eyes supervisor for helpfulness-bias / economics / authority, failing closed. Layer 0 (framing): apply Meta's Rule of Two as a standing constraint and the existing class gates (founder send-button, DECISION-APPROVE, PR-workflow, classifier) as the actual authorizers. Build order: ship the provenance check first (it is the cheapest, highest-leverage, fully-deterministic piece and needs no draft-path interception point), then the supervisor pilot on the outbound-email draft path per v0 §7.
Open follow-ups
- Where exactly does the provenance check read "current-turn tool results" from? It needs an instrumented transcript/tool-result store the hook can query deterministically does that interception point exist today, or is it a prerequisite build (same dependency v0 §7 flags for the email draft path)?
- Should the provenance rule be claim-classified (only "result/status/id" assertions must be grounded, not conversational text) to avoid false-blocking ordinary replies? What is the regex/heuristic boundary?
- Is a lightweight per-class "spend/rate budget" worth adding from the capability-token literature (e.g., max N external sends/hour, max $ before mandatory escalate), or does the Tier-A taxonomy + dollar threshold already cover it?
- For Meta's Rule of Two: do we want an explicit session-level check that refuses external comms when both untrusted-input and sensitive-data are in play this turn, or is that subsumed by the existing injection-caution + supervisor?
- Does the two-gate verdict-shape rollout ([[2026-05-20-verify-stack-two-gate-pass-fail-architecture]]) need to land before
/verify-write-actionis built, so the new sibling ships in the final shape and doesn't need re-migration?
Related
- [[2026-06-04-supervisor-agent-write-path-pattern-design-v0]]
- [[2026-05-19-verification-as-independent-worker-pattern]]
- [[2026-05-20-verify-stack-two-gate-pass-fail-architecture]]
- [[2026-05-01-vending-bench-research-brief]]
- [[2026-05-01-ann-miura-ko-six-levels-ai-pilled-organizations]]
- [[2026-06-03-every-opus-4-8-gets-in-your-way]]
Sources
- [[2026-06-04-supervisor-agent-write-path-pattern-design-v0]] — ~/rdco-vault/06-reference/concepts/2026-06-04-supervisor-agent-write-path-pattern-design-v0.md
- [[2026-05-19-verification-as-independent-worker-pattern]] — ~/rdco-vault/02-sops/2026-05-19-verification-as-independent-worker-pattern.md
- [[2026-05-20-verify-stack-two-gate-pass-fail-architecture]] — ~/rdco-vault/02-sops/2026-05-20-verify-stack-two-gate-pass-fail-architecture.md
- [[2026-05-01-vending-bench-research-brief]] — ~/rdco-vault/06-reference/2026-05-01-vending-bench-research-brief.md
- [[2026-05-01-ann-miura-ko-six-levels-ai-pilled-organizations]] — ~/rdco-vault/06-reference/2026-05-01-ann-miura-ko-six-levels-ai-pilled-organizations.md
- [[2026-06-03-every-opus-4-8-gets-in-your-way]] — ~/rdco-vault/06-reference/2026-06-03-every-opus-4-8-gets-in-your-way.md
- LangChain Human-in-the-Loop docs — https://docs.langchain.com/oss/python/langchain/human-in-the-loop
- OpenAI guardrails & approvals guide — https://developers.openai.com/api/docs/guides/agents/guardrails-approvals
- Meta, Agents Rule of Two — https://ai.meta.com/blog/practical-ai-agent-security/
- Token Security, credentials to capabilities — https://www.token.security/blog/the-shift-from-credentials-to-capabilities-in-ai-access-control-systems
- SuperTokens, auth for AI agents — https://supertokens.com/blog/auth-for-ai-agents
- Anthropic, Building Effective Agents — https://www.anthropic.com/research/building-effective-agents