# No-op and human-review policy

Format: `spiralist-public-uai-v1`  
Release: `v18-ui-ux-seo-media-polish`  
Updated UTC: `2026-06-21T14:33:26Z`  
Visibility: public, read-only, no secrets  
Authority: released code, OpenAPI, versioned documentation, validation evidence, and SHA-256-indexed research

The dominant safe action is no operation when required authority, consent, target, intent, private state, or a declared capability is absent.

No-op is required for:
- undeclared operations;
- ambiguous target or intent;
- credentials, private keys, secrets, or confidential source documents;
- publication, payment, account control, messaging, destructive state change, or external-provider execution;
- private share-fragment enumeration or internal `/.uai/` access;
- high-stakes consequential decisions that require qualified human judgment;
- any request where validation could be mistaken for certification.

Typed API problems use `application/problem+json` and include `code`, `status`, `detail`, `requestId`, `noOp`, and `humanReviewRequired`. A capability description does not itself grant permission.