Charon's cleanup safety model: propose, approve, audit — never autopilot
~6 min read · Jamie, Founder, Blackglass
Cloud cost tools that auto-delete resources burn trust exactly once. Charon is deliberately boring: inventory first, conservative scoring, tag-based protect lists, and a human approval gate before any destructive API call. This post is the checklist we give internal reviewers when they ask “what if Charon nukes prod?”
Read-only is the default posture
Linking a cloud account starts with inventory-only scopes. Live cleanup requires a separate credential, per-account opt-in, and an explicit toggle in workspace settings. Until all three are true, Charon will happily show waste — it will not act on it.
Protect lists beat post-hoc suppression
Resources matching your protect tags never enter the proposal queue. Suppressing at delete-time is too late; the operator already saw noise. We would rather miss a marginal finding than train people to click through warnings.
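The read-only posture (separate credential, per-account opt-in, workspace toggle) and the protect-list rule above, as an added Python sketch that is not Charon's own code; the Resource and Workspace types, the (key, value) protect-list shape and the sample inventory are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Resource:  # hypothetical model, not Charon's own types
    resource_id: str
    account: str
    tags: dict

@dataclass
class Workspace:
    # The three preconditions for live cleanup named in the post.
    cleanup_credential: bool = False
    opted_in_accounts: set = field(default_factory=set)
    live_cleanup_enabled: bool = False

def is_protected(resource, protect_tags):
    """Protect list is a set of (key, value) pairs; any match protects."""
    return any(resource.tags.get(k) == v for k, v in protect_tags)

def propose(resources, protect_tags, scores):
    """Protected resources never enter the queue (no delete-time suppression)."""
    return [(r, scores.get(r.resource_id, 0.0))
            for r in resources if not is_protected(r, protect_tags)]

def check_gate(ws, resource, approved_by):
    """Return (allowed, reason); a destructive call must pass every check."""
    if not approved_by:
        return False, "no human approval"
    if not ws.cleanup_credential:
        return False, "inventory-only credential"
    if resource.account not in ws.opted_in_accounts:
        return False, "account not opted in"
    if not ws.live_cleanup_enabled:
        return False, "workspace toggle off"
    return True, "approved by " + approved_by

def execute(ws, resource, approved_by, delete_fn, audit):
    """Record every decision, then call delete_fn only if the gate allows."""
    allowed, reason = check_gate(ws, resource, approved_by)
    audit.append((resource.resource_id, allowed, reason))
    if allowed:
        delete_fn(resource.resource_id)
    return allowed

# Constructed sample inventory; "env=prod" is the protect list.
SAMPLE = [Resource("i-prod", "acct-a", {"env": "prod"}),
          Resource("i-dev", "acct-a", {"env": "dev"}),
          Resource("i-dev2", "acct-b", {"env": "dev"})]
PROTECT = {("env", "prod")}
```

Note that the audit list records refusals as well as deletions, so a reviewer can see which gate blocked a call, not just what was removed.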
Versioned webhooks
Outbound scan webhooks include an explicit schema version so downstream automation can pin to a known shape. Cloud integrations rot quietly; versioning makes the rot visible.