# Agent Safety Rules

This CLI is designed for AI agent consumption. Agents are the primary users. These rules apply to all agent interactions with the `sarah` CLI.

## Assume Inputs Can Be Adversarial

- All UUIDs are validated before use
- File paths are checked for directory traversal (`../`)
- Control characters (below ASCII 0x20) are rejected
- Resource names reject `?`, `#`, and `%` to prevent query injection and double-encoding
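The checks above as runnable code, added here as an illustration; this is not the `sarah` CLI's own validation code. The function names, the `base_dir` sandbox for paths, and the `check` helper are assumptions made for the example, and the sample inputs in the test are constructed.

```python
# Added illustration of the input checks listed above. This is not the
# sarah CLI's own code; function names and the "base_dir" sandbox for
# file paths are assumptions made for the example.
import os
import uuid


def validate_uuid(value: str) -> str:
    """Return the canonical lower-case form of a UUID, or raise ValueError."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError) as exc:
        raise ValueError(f"invalid UUID: {value!r}") from exc
    return str(parsed)


def reject_control_chars(value: str) -> str:
    """Reject any character below ASCII 0x20 (NUL, newline, escape, ...)."""
    for ch in value:
        if ord(ch) < 0x20:
            raise ValueError(f"control character 0x{ord(ch):02x} in input")
    return value


def validate_resource_name(name: str) -> str:
    """Resource names must not carry '?', '#' or '%'.

    '?' and '#' would start a query string or fragment when the name is
    interpolated into a URL; '%' would allow double-encoding tricks.
    """
    reject_control_chars(name)
    if not name:
        raise ValueError("empty resource name")
    bad = set(name) & {"?", "#", "%"}
    if bad:
        raise ValueError(f"forbidden characters in resource name: {sorted(bad)}")
    return name


def validate_path(user_path: str, base_dir: str) -> str:
    """Resolve user_path under base_dir and refuse anything that escapes it.

    Rejects a literal '..' segment and also checks the normalised result,
    so 'a/../../x', absolute paths and symlink tricks are caught too.
    """
    reject_control_chars(user_path)
    if ".." in user_path.replace("\\", "/").split("/"):
        raise ValueError("directory traversal segment in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the allowed base directory")
    return target


def check(fn, *args) -> bool:
    """True if fn(*args) accepts the input, False if it raises ValueError."""
    try:
        fn(*args)
        return True
    except ValueError:
        return False
```

`validate_path` deliberately does both checks: the segment test gives a clear error for the obvious `../` case, and the `realpath` comparison catches the cases a string check misses, such as an absolute path or a symlink inside `base_dir` that points outside it.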

## Mutating Operations Require Safeguards

- **Always use `--dry-run` before executing campaign phases.** Campaign execution sends real emails to real people.
- **Always confirm with the user before destructive operations.** Deleting campaigns, removing leads, and deleting prospect lists require explicit confirmation.
- **Never execute both campaign phases simultaneously.** Run Mailgun mass first, then SDR follow-up after verifying results.

## Safety Defaults for MCP

When accessed via MCP, mutating tools default to safe behavior:

- `campaigns_execute` defaults `dryRun` to `true`
- `prospects_assign_to_campaign` defaults `dryRun` to `true`

The agent must explicitly set `dryRun: false` to execute for real, which should only happen after the user confirms.
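An added example of how these defaults and the phase-ordering rule from the previous section can be enforced on the MCP side. This is not the `sarah` MCP server's code: the `confirmed` argument, the `ToolContext` session record, and the phase identifiers `mailgun-mass` and `sdr-follow-up` are assumptions made for the illustration.

```python
# Added example of MCP-side safety defaults. Not the sarah server's code;
# the `confirmed` argument, ToolContext and the phase names are assumed.
from dataclasses import dataclass, field

PHASE_ORDER = ("mailgun-mass", "sdr-follow-up")  # assumed phase identifiers


@dataclass
class ToolContext:
    """Per-session state (constructed for the example)."""
    # campaignId -> phases that were executed for real
    completed: dict = field(default_factory=dict)
    # campaignId -> phases whose results the user has reviewed
    verified: dict = field(default_factory=dict)


def apply_safe_defaults(args: dict) -> dict:
    """Anything short of an explicit `dryRun: false` is treated as a dry run."""
    out = dict(args)
    if out.get("dryRun") is not False:
        out["dryRun"] = True
    return out


def campaigns_execute(args: dict, ctx: ToolContext) -> dict:
    args = apply_safe_defaults(args)
    campaign_id, phase = args["campaignId"], args["phase"]
    if phase not in PHASE_ORDER:
        return {"ok": False, "error": f"unknown phase {phase!r}"}
    if args["dryRun"]:
        return {"ok": True, "dryRun": True, "campaignId": campaign_id, "phase": phase}
    # Real execution needs the user's confirmation, relayed by the agent.
    if args.get("confirmed") is not True:
        return {"ok": False, "error": "dryRun=false requires explicit user confirmation"}
    # Never run both phases at once: SDR follow-up only after the Mailgun
    # mass phase has run and its results have been verified.
    if phase == "sdr-follow-up":
        if "mailgun-mass" not in ctx.verified.get(campaign_id, set()):
            return {"ok": False, "error": "run mailgun-mass and verify its results first"}
    # ... the real send would happen here ...
    ctx.completed.setdefault(campaign_id, set()).add(phase)
    return {"ok": True, "dryRun": False, "campaignId": campaign_id, "phase": phase}


def confirm_phase_verified(ctx: ToolContext, campaign_id: str, phase: str) -> bool:
    """Record that the user reviewed a completed phase; False if it never ran."""
    if phase not in ctx.completed.get(campaign_id, set()):
        return False
    ctx.verified.setdefault(campaign_id, set()).add(phase)
    return True


def prospects_assign_to_campaign(args: dict, ctx: ToolContext) -> dict:
    args = apply_safe_defaults(args)
    if args["dryRun"]:
        return {"ok": True, "dryRun": True, "assigned": 0}
    if args.get("confirmed") is not True:
        return {"ok": False, "error": "dryRun=false requires explicit user confirmation"}
    # ... the real assignment would happen here ...
    return {"ok": True, "dryRun": False, "assigned": len(args.get("prospectIds", []))}
```

Note that `apply_safe_defaults` only honours the JSON boolean `false`; a string `"false"` or a missing key still yields a dry run, so a malformed tool call can never send email by accident.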

## Pre-Flight Checks

Before executing any campaign phase, verify:

1. `sarah mailgun domains verify` -- DNS records are correct
2. `sarah inboxes test <id>` -- Inbox connections are healthy
3. `sarah inboxes daily-sent` -- Send limits not exceeded
4. `sarah leads list <campaignId>` -- Campaign has leads
5. `sarah campaigns execute <id> --phase <type> --dry-run` -- Dry-run succeeds

## Rate Limiting Awareness

- Gmail: ~500 emails/day per Google Workspace account
- Mailgun: Rate limits vary by plan; check the Mailgun dashboard
- ZoomInfo: API quota depends on subscription tier

## Error Handling

- All CLI commands return structured JSON, including errors
- Non-zero exit codes indicate failure
- Error messages are written to stderr, data to stdout
- If an API call fails with 401, the access token is expired -- inform the user to refresh it
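An added example that drives the pre-flight sequence from the earlier section through a wrapper honouring the error-handling conventions above (JSON on stdout, structured errors on stderr, non-zero exit on failure, 401 surfaced as an expired token). This is not part of the `sarah` CLI: the `runner` callable stands in for spawning the real binary, the JSON field names the checks inspect (`records`, `healthy`, `sent`, `limit`, `leads`, `ok`, `status`) are assumptions, and the sample responses are constructed.

```python
# Added example: pre-flight checks over a thin wrapper around the CLI.
# Not part of the sarah CLI; JSON field names and phase name are assumed.
import json
import subprocess
from typing import Callable, Optional

# A runner receives the argv after "sarah" and returns (exit_code, stdout, stderr).
Runner = Callable[[list], tuple]


def subprocess_runner(argv: list) -> tuple:
    """Default runner: spawn the real CLI (requires `sarah` on PATH)."""
    proc = subprocess.run(["sarah", *argv], capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


class SarahError(Exception):
    def __init__(self, message: str, payload: Optional[dict] = None, token_expired: bool = False):
        super().__init__(message)
        self.payload = payload or {}
        self.token_expired = token_expired


def run_sarah(argv: list, runner: Runner = subprocess_runner) -> dict:
    """Run one command and return its parsed JSON data from stdout.

    Non-zero exit means failure and the structured error is read from
    stderr. A 401 (assumed to arrive as a "status" field) is flagged as
    token_expired so the agent asks the user to refresh rather than retry.
    """
    code, out, err = runner(argv)
    if code != 0:
        try:
            payload = json.loads(err) if err.strip() else {}
        except json.JSONDecodeError:
            payload = {"raw": err}
        raise SarahError(payload.get("error", f"exit code {code}"), payload,
                         token_expired=(payload.get("status") == 401))
    return json.loads(out) if out.strip() else {}


def preflight(campaign_id: str, inbox_id: str, phase: str,
              runner: Runner = subprocess_runner) -> list:
    """Run the five checks in order, stopping at the first failure.

    Returns the labels of the checks that passed; raises SarahError otherwise.
    """
    steps = [  # (label, argv, predicate over the parsed JSON; shapes assumed)
        ("dns records correct", ["mailgun", "domains", "verify"],
         lambda d: bool(d.get("records")) and all(r.get("valid") for r in d["records"])),
        ("inbox connection healthy", ["inboxes", "test", inbox_id],
         lambda d: d.get("healthy") is True),
        ("send limits not exceeded", ["inboxes", "daily-sent"],
         lambda d: all(i.get("sent", 0) < i.get("limit", 0) for i in d.get("inboxes", []))),
        ("campaign has leads", ["leads", "list", campaign_id],
         lambda d: len(d.get("leads", [])) > 0),
        ("dry run succeeded", ["campaigns", "execute", campaign_id, "--phase", phase, "--dry-run"],
         lambda d: d.get("ok") is True),
    ]
    passed = []
    for label, argv, ok in steps:
        data = run_sarah(argv, runner)
        if not ok(data):
            raise SarahError(f"pre-flight check failed: {label}", data)
        passed.append(label)
    return passed


def fake_runner(responses: dict) -> Runner:
    """Build a runner that answers from a constructed table keyed by the command."""
    def run(argv: list) -> tuple:
        key = " ".join(argv)
        code, payload = responses.get(key, (1, {"error": f"unknown command: {key}"}))
        text = json.dumps(payload)
        return (code, text, "") if code == 0 else (code, "", text)  # errors go to stderr
    return run


# Constructed sample responses: a healthy setup ...
HEALTHY = {
    "mailgun domains verify": (0, {"records": [{"type": "TXT", "valid": True}]}),
    "inboxes test ib-1": (0, {"healthy": True}),
    "inboxes daily-sent": (0, {"inboxes": [{"id": "ib-1", "sent": 120, "limit": 500}]}),
    "leads list c-1": (0, {"leads": [{"email": "lead@example.com"}]}),
    "campaigns execute c-1 --phase mailgun-mass --dry-run": (0, {"ok": True}),
}
# ... and the same setup after the access token has expired.
EXPIRED = dict(HEALTHY, **{"inboxes test ib-1": (1, {"error": "unauthorized", "status": 401})})


def try_preflight(responses: dict) -> dict:
    """Run preflight against a response table and report the outcome as data."""
    try:
        passed = preflight("c-1", "ib-1", "mailgun-mass", fake_runner(responses))
        return {"ok": True, "passed": passed, "error": None, "token_expired": False}
    except SarahError as exc:
        return {"ok": False, "passed": [], "error": str(exc), "token_expired": exc.token_expired}
```

Stopping at the first failed check matters: a dry run against a campaign whose DNS or inbox checks already failed tells the agent nothing useful, and an expired token should end the sequence with a request to the user rather than four more 401s.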

## Audit Trail

Every agent invocation should be traceable. The CLI logs to stderr for observability. In MCP mode, all tool calls are recorded by the MCP client.
