I've mentioned this before, but you want the default to be a dry run and for there to be a --commit, --prod, --for-real, or whatever you want to call it to opt in to the destructive behavior.