agent safety
Automation has to show its work.
Onyx treats channel text as untrusted input for any agent-like feature. Local summaries, search answers, moderation suggestions, and future extensions must show where inference ran and what data was eligible.
| Rule | Meaning |
|---|---|
| Hostile input | Room text can contain prompt injection, social pressure, malformed links, or instructions meant for a bot. |
| Least data | Use the smallest eligible context window and avoid private plaintext unless the user explicitly asks. |
| Visible source | Show whether work ran on this device, this server, or an external endpoint. |
| Human control | Moderation and account-impacting actions stay reviewable before execution. |
Every agent-like answer should carry one of three labels. If the label cannot be proven, the feature should not pretend otherwise.
- This device
- Inference ran locally in the browser over local data.
- This server
- Inference ran on an operator-controlled Onyx service.
- External endpoint
- Inference left the network boundary; show the configured endpoint and get explicit consent.
- Local language tools
- Caption transcript copy and browser-local translation readiness stay labelled as this-device work; Onyx does not silently send room text to external translators.
Agent-like features should leave enough trail for a user or operator to answer: what ran, where it ran, what context was used, what action was proposed, and who approved it.
surface: catch-up recap
ran: this device
context: #root, 24 visible messages
excluded: encrypted DM plaintext, credentials, webhook secrets
action: none