Safety
Approval, risk levels, hard denies — and why you still must review plans.
Safety features reduce risk; they do not make kprompt safe for unattended production use. The product is experimental. Always review the plan. Skip --approve until you understand the proposed actions.
Every mutating plan is risk-evaluated before apply. On a TTY, kprompt asks y/N unless you pass --approve. Read-only intents (get, list, explain, logs, describe) do not require approval.
Hard denies
- Cluster or namespace wipe language
- Delete-everything style prompts
- Deleting a whole namespace
- Anything that is not a named Pod, Deployment, or Service delete
Risk levels
Plans surface low / medium / high / denied. Denied plans never apply. Medium/high mutations still need explicit approval.
Diffs
When a live object exists, plans include a before→after diff so you can review the change, not only the intent summary.
Example deny
kprompt "delete all pods in production"
# Risk: denied — named resources only