Read-only
Observe and retrieve. Cannot change state anywhere.
The agent can read data and call read-only tools, but holds no credential that can write, deploy, spend, or send.
- Earn it
- Output handling and input provenance — a read-only agent over untrusted content is still an exfiltration surface.
- Fail
- Treating “it can’t write” as “it’s safe,” and pointing it at untrusted inputs with no output controls.