Summary

Add a comprehensive blog post documenting the action authority demo, which shows how Cycles blocks unauthorized agent actions before execution using runtime budget enforcement.

Changes

• New blog post: blog/action-authority-demo-support-agent-walkthrough.md
  • Explains a real-world scenario: a support agent handling a billing dispute with four sequential actions
  • Contrasts unguarded execution (all actions run) vs. guarded execution (email blocked by Cycles)
  • Walks through the code diff showing three @cycles decorators and exception handling
  • Details how toolset-level budget provisioning controls action authorization at runtime
  • Clarifies the distinction between static allowlists and dynamic runtime authority
  • Includes setup instructions to run the demo locally
  • Links to related conceptual posts on action control and runtime authority

Key Content

• Scenario: Support agent (support-bot) processes case #4782 with four steps: read case, log internal note, update CRM, send customer email
• Core mechanism: The @cycles decorator wraps tool functions and reserves budget before execution; missing budget returns 409 BUDGET_EXCEEDED, raising BudgetExceededError and preventing execution
• Operational model: Approving/revoking actions = adding/removing budgets; no code changes or redeployment needed
• Distinction: Explains why runtime authority (per-action decisions) is superior to static allowlists or API key-based access control

Notable Details

• Includes side-by-side comparison of unguarded vs. guarded execution logs
• Shows the exact code diff (3 decorators + 1 exception handler)
• Visualizes the budget hierarchy: tenant → workspace → app → workflow → agent → toolset
• Demonstrates that the tool implementations remain unchanged; control is purely in the decorator and budget provisioning layer

https://claude.ai/code/session_015zc6uasNhYkXQqTeTRFUMv