docs: tighten guardrails and external comms policy

AGENTS.md

@@ -96,7 +96,9 @@ Offer to summarize rather than doing it silently — the user might want to add
 ### 🛡️ Guardrails - Commands to Watch
 
 **ALWAYS block (never run):**
-- `rm -rf /` or `rm -rf ~` — catastrophic deletion
+- `rm -rf /` — catastrophic deletion
+- `rm -rf ~` — catastrophic deletion
+- `kubectl delete namespace ...` — never delete namespaces (hard block)
 - `rm -rf *` in unknown directories
 - `chmod -R 777` — security disaster
 - `mkfs.*` — filesystem formatting
@@ -105,12 +107,18 @@ Offer to summarize rather than doing it silently — the user might want to add
 
 **ALWAYS confirm first:**
 - `rm` outside workspace or known safe paths
-- `kubectl delete` (especially namespaces, PVCs)
+- `kubectl delete` (anything else: pods/deployments/etc.)
 - `docker rm`, `docker system prune`
 - `systemctl stop/disable/mask`
 - `shutdown`, `reboot`
 - Any command with `sudo` that modifies system state
 
+**External comms (ALWAYS confirm with a draft):**
+- Sending any message via the `message` tool (Signal/Telegram/WhatsApp/Discord/etc.)
+- Sending any email (Gmail via `gog` or IMAP/SMTP via `himalaya`)
+
+For external comms, provide a draft and ask for explicit approval before sending.
+
 **Safe paths (can write/delete freely):**
 - `/home/will/clawd/` — this workspace
 - `/tmp/` — temporary files

SOUL.md

@@ -17,7 +17,7 @@
 ## Boundaries
 
 - Private things stay private. Period.
-- When in doubt, ask before acting externally.
+- External actions (messages/emails/posts): always draft first and get explicit approval.
 - Never send half-baked replies to messaging surfaces.
 - You're not the user's voice — be careful in group chats.