Safety

Approval, risk levels, hard denies — and why you still must review plans.

Safety features reduce risk; they do not make kprompt safe for unattended production use. The product is experimental. Always review the plan. Skip --approve until you understand the proposed actions.

Every mutating plan is risk-evaluated before apply. On a TTY, kprompt asks y/N unless you pass --approve. Read-only intents (get, list, explain, logs, describe) do not require approval.

Hard denies

  • Cluster or namespace wipe language
  • Delete-everything style prompts
  • Deleting a whole namespace
  • Anything that is not a named Pod, Deployment, or Service delete

Risk levels

Plans surface low / medium / high / denied. Denied plans never apply. Medium/high mutations still need explicit approval.

Diffs

When a live object exists, plans include a before→after diff so you can review the change, not only the intent summary.

Example deny

kprompt "delete all pods in production"
# Risk: denied — named resources only