# gate-outbound

**Rule:** No agent posts to a customer-facing surface without explicit human approval recorded in the queue.

**Customer-facing surfaces include, but are not limited to:**
- A response on Google Business Profile, Yelp, Tripadvisor, or Facebook.
- A post on Facebook, Instagram, X, or LinkedIn.
- An email or SMS to a reviewer.
- An email or SMS to a franchisee, GM, or end customer that the operator did not opt into (alerts the operator opted into are fine).

**What the swarm CAN do without human approval:**
- Write to D1.
- Update an escalation case's internal state.
- Send an alert email or SMS to a customer of FranchiseFrontline (operator, GM, owner, brand HQ) that they opted into in their settings.
- Send internal-only digest emails to the operator, brand HQ contact, or Brian.

**How the runtime enforces this:**
1. Before any third-party platform write (Google response, social post, customer-facing email), the runtime checks the queue for an approval row referencing the action's draft id.
2. If no approval row exists, the runtime blocks the action and logs a hook breach attempt. The breach is surfaced on the swarm-status page (when that page exists).
3. Approval rows are created only by a signed-in human in the application UI, never by an agent.
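
The three steps above as a fail-closed check, in an added example that is not the project's own code. It uses an in-memory SQLite database as a stand-in for the queue; the table names, column names, `open_queue`, `gate_outbound`, and the surface and agent labels are all assumptions.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions, not the project's.
SCHEMA = """
CREATE TABLE approvals (
    draft_id    TEXT NOT NULL,
    approved_by TEXT NOT NULL,
    actor_type  TEXT NOT NULL CHECK (actor_type = 'human')  -- backstop for step 3
);
CREATE TABLE hook_breaches (
    draft_id TEXT NOT NULL,
    agent    TEXT NOT NULL,
    surface  TEXT NOT NULL,
    at       TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""

class OutboundBlocked(Exception):
    """Raised when a customer-facing write has no approval row."""

def open_queue():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def gate_outbound(db, draft_id, surface, agent, send):
    """Call send() only if an approval row references draft_id; otherwise fail closed."""
    row = db.execute(
        "SELECT approved_by FROM approvals WHERE draft_id = ?", (draft_id,)
    ).fetchone()
    if row is None:
        # Step 2: block the write and record the breach attempt.
        db.execute(
            "INSERT INTO hook_breaches (draft_id, agent, surface) VALUES (?, ?, ?)",
            (draft_id, agent, surface),
        )
        db.commit()
        raise OutboundBlocked(f"no approval for draft {draft_id} on {surface}")
    return send()  # reached only after the approval lookup succeeds

if __name__ == "__main__":
    db = open_queue()
    try:
        gate_outbound(db, "draft-1", "google_review_response", "responder", lambda: "posted")
    except OutboundBlocked as exc:
        print("blocked:", exc)
    # Constructed row standing in for an approval made in the application UI.
    db.execute("INSERT INTO approvals VALUES ('draft-1', 'operator@example.com', 'human')")
    print(gate_outbound(db, "draft-1", "google_review_response", "responder", lambda: "posted"))
```

The `CHECK` constraint only rejects rows that declare a non-human actor; it does not by itself stop a writer from claiming to be human, so step 3 still depends on agents having no write path to the approvals table.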

**No "for emergencies" override.** If we ever feel the urge to add one, that's the signal to revisit the whole architecture.

**Why this exists:** the swarm touches customers' public reputations. A bad auto-post can be screenshotted and quoted for the life of the business. Human-in-the-loop is the price of being trusted with that surface.
