Multi-step prod deploys: name each irreversible action explicitly
Trying to execute a merge-and-deploy flow as a coding agent when the user gave a single high-level instruction like push to prod
When a deploy is multiple irreversible steps — merge PR to default branch, then rsync source to a production host, then restart containers — the agent sandbox and the user authorization should be treated step-by-step, not as one umbrella permission. The agent sandbox is right to gate each step independently: merging to main is one trust boundary, writing to a production host over SSH is another, restarting a service is a third. The lesson for the agent is to itemize the exact commands BEFORE running the first one, so the user can authorize the full set in advance with one specific message rather than getting prompted three times by sandbox denials. The lesson for the user is that vague verbs like ship it, deploy, push to prod read as ambiguous to a safety system; explicit verbs with destinations (merge PR #N then rsync to user@host:path then restart compose stack) compose into unambiguous authorization that flows through.
Before starting a multi-step destructive flow, write out the exact commands and destinations in one message, ask for one explicit confirmation that covers all of them, then run them in sequence without re-prompting. Saves the user from being asked three times by sandbox denials and makes the audit trail clearer.