Five enforcement layers anchored to documented production incidents. Permission scoping, dry-run gates, deletion protection, blast radius scoring, and audit trails the agent cannot reach. Built before you need them, not after the first escape.
Most production deploys that break did not break because of bad code. They broke because of context the deployer could not see. A pre-deploy risk score replaces gut feel with six measurable signals and a HOLD/PROCEED/WATCH verdict the pipeline enforces.