agent safety

Automation has to show its work.

Onyx treats channel text as untrusted input for any agent-like feature. Local summaries, search answers, moderation suggestions, and future extensions must show where inference ran and what data was eligible.

RuleMeaning
Hostile inputRoom text can contain prompt injection, social pressure, malformed links, or instructions meant for a bot.
Least dataUse the smallest eligible context window and avoid private plaintext unless the user explicitly asks.
Visible sourceShow whether work ran on this device, this server, or an external endpoint.
Human controlModeration and account-impacting actions stay reviewable before execution.
Eligible by default Public room text, visible metadata, explicit selections, and local vault windows the user opens.
Restricted DM plaintext, account secrets, passkeys, session tokens, webhook secrets, and admin-only context.
Review first Moderation actions, bridge writes, imports, bulk edits, and anything that changes another user's experience.

Every agent-like answer should carry one of three labels. If the label cannot be proven, the feature should not pretend otherwise.

This device
Inference ran locally in the browser over local data.
This server
Inference ran on an operator-controlled Onyx service.
External endpoint
Inference left the network boundary; show the configured endpoint and get explicit consent.
Local language tools
Caption transcript copy and browser-local translation readiness stay labelled as this-device work; Onyx does not silently send room text to external translators.

Agent-like features should leave enough trail for a user or operator to answer: what ran, where it ran, what context was used, what action was proposed, and who approved it.

surface: catch-up recap
ran: this device
context: #root, 24 visible messages
excluded: encrypted DM plaintext, credentials, webhook secrets
action: none

Glossary Accessibility audit path