//The problem
To learn a customer's IWMS, an agent has to drive the real UI — open forms, read fields, navigate workflows. But that same UI has Submit, Save, and Delete buttons one misclick away from corrupting live data. Prompting the model to "be careful" is not a safety guarantee.
//Code-enforced, not prompt-based
The guard lives below the agent, in the browser-tool layer. Any click whose target resolves to a mutating control is physically intercepted and refused before it reaches the page — regardless of what the model intended. The model literally cannot submit.
if is_mutating(target): # submit / save / delete raise NeverMutate(target) # blocked before the click lands page.click(target)
//The result
Verified live against a production instance, the agent mapped hundreds of forms into a knowledge graph and never once mutated a record. Safety became a property of the system, not a hope about the model.