From c0d345e76757802c41be95008debbfe7763c1874 Mon Sep 17 00:00:00 2001 From: clawbot Date: Sat, 28 Feb 2026 03:40:13 -0800 Subject: [PATCH] expand PII routing to cover secrets, credentials, and operational info; make email/inbox references conditional MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Rename 'PII Output Routing' → 'Sensitive Output Routing' throughout - Expand scope to include secrets, credentials, API keys, flight numbers, locations, travel plans, medical info - Replace hardcoded 'Emails' heartbeat check with conditional language ('Notifications — whatever inbox sources you've integrated') - Remove 'email' from heartbeat-state.json example - Update cross-references in SETUP_CHECKLIST.md --- OPENCLAW_TRICKS.md | 43 ++++++++++++++++++++++++------------------- SETUP_CHECKLIST.md | 31 ++++++++++++++++++------------- 2 files changed, 42 insertions(+), 32 deletions(-) diff --git a/OPENCLAW_TRICKS.md b/OPENCLAW_TRICKS.md index d02bcbb..f15eca0 100644 --- a/OPENCLAW_TRICKS.md +++ b/OPENCLAW_TRICKS.md 
@@ -341,13 +341,15 @@ This applies to everything: project rules ("no mocks in tests"), workflow preferences ("fewer PRs, don't over-split"), corrections, new policies. Immediate write to the daily file, and to MEMORY.md if it's a standing rule. -### PII-Aware Output Routing +### Sensitive Output Routing A lesson learned the hard way: **the audience determines what you can say, not who asked.** If the human asks for a medication status report in a group channel, the agent can't just dump it there — other people can read it. The -rule: if the output would contain PII and the channel isn't private, redirect to -DM and reply in-channel with "sent privately." +rule: if the output would contain sensitive information (PII, secrets, +credentials, API keys, operational details like flight numbers, locations, +travel plans, medical info, etc.) and the channel isn't private, redirect to DM +and reply in-channel with "sent privately." This is enforced at multiple levels: @@ -378,7 +380,7 @@ The heartbeat handles: - Periodic memory maintenance State tracking in `memory/heartbeat-state.json` prevents redundant checks (e.g., -don't re-check email if you checked 10 minutes ago). +don't re-check notifications if you checked 10 minutes ago). The key output rule: heartbeats should either be `HEARTBEAT_OK` (nothing to do) or a direct alert. Work narration goes to a designated status channel, never to @@ -1390,7 +1392,8 @@ stay quiet. ## Inbox Check (PRIORITY) -(check notifications, issues, emails — whatever applies) +(check whatever notification sources apply to your setup — e.g. Gitea +notifications, emails, issue trackers) ## Flight Prep Blocks (daily) @@ -1424,10 +1427,9 @@ Never send internal thinking or status narration to user's DM. Output should be: ```json { "lastChecks": { - "email": 1703275200, + "gitea": 1703280000, "calendar": 1703260800, - "weather": null, - "gitea": 1703280000 + "weather": null }, "lastWeeklyDocsReview": "2026-02-24" } 
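Review bot: in the @@ -341 hunk, the new parenthetical ends with "etc.", which makes the sensitive category open-ended but gives the agent no default for borderline cases; SETUP_CHECKLIST.md's checklist in this same patch does ("When in doubt → send via DM"). Suggest stating that default here too, e.g. "If you are unsure whether something is sensitive, treat it as sensitive and send it via DM", so the long-form prose and the checklist agree.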
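Review bot: in the @@ -1424 hunk, dropping the `"email"` key from the `heartbeat-state.json` example leaves only `gitea`, `calendar` and `weather`, while the @@ -1390 hunk still lists emails as an example notification source. A reader who has integrated email will not know whether to keep a per-source key. Suggest a one-line note above the example that the `lastChecks` keys mirror whichever notification sources you have integrated, so the example reads as illustrative rather than exhaustive.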
@@ -1596,21 +1598,24 @@ Never lose a rule or preference your human states: --- -## PII Output Routing — Audience-Aware Responses +## Sensitive Output Routing — Audience-Aware Responses A critical security pattern: **the audience determines what you can say, not who -asked.** If your human asks for a sitrep (or any PII-containing info) in a group +asked.** If your human asks for a sitrep (or any sensitive info) in a group channel, you can't just dump it there — other people can read it. ### AGENTS.md / checklist prompt: ```markdown -## PII Output Routing (CRITICAL) +## Sensitive Output Routing (CRITICAL) -- NEVER output PII in any non-private channel, even if your human asks for it -- If a request would produce PII (medication status, travel details, financial - info, etc.) in a shared channel: send the response via DM instead, and reply - in-channel with "sent privately" +- NEVER output sensitive information in any non-private channel, even if your + human asks for it +- This includes: PII, secrets, credentials, API keys, and sensitive operational + information (flight numbers/times/dates, locations, travel plans, medical + info, financial details, etc.) +- If a request would produce any of the above in a shared channel: send the + response via DM instead, and reply in-channel with "sent privately" - The rule is: the audience determines what you can say, not who asked - This applies to: group chats, public issue trackers, shared Mattermost channels, Discord servers — anywhere that isn't a 1:1 DM 
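Review bot: in the @@ -1596 hunk, "send the response via DM instead" does not say to whom, and "anywhere that isn't a 1:1 DM" would treat a 1:1 DM with any user as private. The rule the paragraph states is that the audience must be the authorized person, so the bullet should say "send the response via DM to your human", as the SETUP_CHECKLIST.md banner in this patch already does.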
@@ -1619,10 +1624,10 @@ channel, you can't just dump it there — other people can read it. ### Why this matters: This is a real failure mode. If someone asks "sitrep" in a group channel and you -respond with medication names, partner details, travel dates, and hotel names — -you just leaked all of that to everyone in the channel. The human asking is -authorized to see it; the channel audience is not. Always check WHERE you're -responding, not just WHO asked. +respond with medication names, partner details, travel dates, hotel names, or +API credentials — you just leaked all of that to everyone in the channel. The +human asking is authorized to see it; the channel audience is not. Always check +WHERE you're responding, not just WHO asked. --- diff --git a/SETUP_CHECKLIST.md b/SETUP_CHECKLIST.md index 551c599..abc62af 100644 --- a/SETUP_CHECKLIST.md +++ b/SETUP_CHECKLIST.md @@ -273,7 +273,8 @@ poll. Structure it like this: ## Checks (rotate through these, 2-4 times per day) -- Emails — any urgent unread messages? +- Notifications — any unread items? (Gitea notifications, emails, or + whatever inbox sources you've integrated) - Calendar — upcoming events in next 24-48h? - Open issues/PRs — anything assigned to me? - Workspace sync — any uncommitted changes to push? 
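Review bot: in the @@ -1619 hunk, adding "or API credentials" to the leak example is right, but the paragraph's remedy (check WHERE you're responding) only covers the other items; a credential that has already appeared in a channel is compromised regardless of where the follow-up goes. Suggest one sentence noting that if credentials are ever posted, the next step is to rotate them, not merely to avoid repeating them.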
@@ -336,32 +337,36 @@ Then add a reference to this checklist in the MEMORY.md checklist index. Reference: https://git.eeqj.de/sneak/clawpub/raw/branch/main/OPENCLAW_TRICKS.md -(see "PII Output Routing" and "Checklists Over Prose") +(see "Sensitive Output Routing" and "Checklists Over Prose") ``` -### 5.2 PII output routing +### 5.2 Sensitive output routing -Prevents leaking private info in shared channels. Paste this to your agent: +Prevents leaking private info, secrets, and operational details in shared +channels. Paste this to your agent: ``` Add the following warning banner near the TOP of AGENTS.md (before the session startup section): -**⚠️ NEVER output PII in non-private channels.** If asked for -PII-containing info (medical, financial, personal) in a shared channel, -send via DM to your human instead. +**⚠️ NEVER output sensitive information in non-private channels.** This +includes PII, secrets, credentials, API keys, and sensitive operational +information (flight numbers/times/dates, locations, travel plans, +medical info, etc.). If asked for any of this in a shared channel, send +via DM to your human instead. -Also add a PII section to memory/checklist-messaging.md: +Also add a sensitive-info section to memory/checklist-messaging.md: -## PII Check (before every message in shared channels) +## Sensitive Info Check (before every message in shared channels) -1. Contains names, addresses, medical info, financial info? → DM only -2. Contains login credentials or tokens? → NEVER send, period -3. When in doubt → send via DM +1. Contains PII (names, addresses, medical info, financial info)? → DM only +2. Contains secrets, credentials, API keys, or tokens? → NEVER send, period +3. Contains operational details (flight numbers, travel plans, locations)? → DM only +4. 
When in doubt → send via DM Reference: https://git.eeqj.de/sneak/clawpub/raw/branch/main/OPENCLAW_TRICKS.md -(see "PII-Aware Output Routing") +(see "Sensitive Output Routing") ``` ### 5.3 Additional checklists
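Review bot: in the @@ -336 hunk, the banner and the checklist contradict each other. The banner says "This includes PII, secrets, credentials, API keys ... If asked for any of this in a shared channel, send via DM to your human instead", while checklist item 2 says "Contains secrets, credentials, API keys, or tokens? → NEVER send, period". A DM is still a stored chat transcript, so item 2 is the right rule; suggest the banner carve secrets out of the DM path, e.g. "secrets, credentials and API keys are never sent in any channel, including DM". The checklist heading "before every message in shared channels" also narrows item 2 to shared channels, which is not what item 2 says.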