Merge pull request 'Expand sensitive output routing and make inbox references conditional' (#3 ) from fix/pii-and-conditional-email into main

Reviewed-on: #3
expand PII routing to cover secrets, credentials, and operational info; make email/inbox references conditional
2026-02-28 15:22:36 +01:00 · 2026-02-28 03:40:13 -08:00
2 changed files with 42 additions and 32 deletions
--- a/OPENCLAW_TRICKS.md
+++ b/OPENCLAW_TRICKS.md
@@ -341,13 +341,15 @@ This applies to everything: project rules ("no mocks in tests"), workflow
 preferences ("fewer PRs, don't over-split"), corrections, new policies.
 Immediate write to the daily file, and to MEMORY.md if it's a standing rule.
-### PII-Aware Output Routing
+### Sensitive Output Routing
 A lesson learned the hard way: **the audience determines what you can say, not
 who asked.** If the human asks for a medication status report in a group
 channel, the agent can't just dump it there — other people can read it. The
-rule: if the output would contain PII and the channel isn't private, redirect to
+rule: if the output would contain sensitive information (PII, secrets,
-DM and reply in-channel with "sent privately."
+credentials, API keys, operational details like flight numbers, locations,
 travel plans, medical info, etc.) and the channel isn't private, redirect to DM
 and reply in-channel with "sent privately."
 This is enforced at multiple levels:
@@ -378,7 +380,7 @@ The heartbeat handles:
 - Periodic memory maintenance
 State tracking in `memory/heartbeat-state.json` prevents redundant checks (e.g.,
-don't re-check email if you checked 10 minutes ago).
+don't re-check notifications if you checked 10 minutes ago).
 The key output rule: heartbeats should either be `HEARTBEAT_OK` (nothing to do)
 or a direct alert. Work narration goes to a designated status channel, never to
@@ -1390,7 +1392,8 @@ stay quiet.
 ## Inbox Check (PRIORITY)
-(check notifications, issues, emails — whatever applies)
+(check whatever notification sources apply to your setup — e.g. Gitea
 notifications, emails, issue trackers)
 ## Flight Prep Blocks (daily)
@@ -1424,10 +1427,9 @@ Never send internal thinking or status narration to user's DM. Output should be:
 ```json
 {
    "lastChecks": {
-        "email": 1703275200,
+        "gitea": 1703280000,
        "calendar": 1703260800,
-        "weather": null,
+        "weather": null
        "gitea": 1703280000
    },
    "lastWeeklyDocsReview": "2026-02-24"
 }
@@ -1596,21 +1598,24 @@ Never lose a rule or preference your human states:
 ---
-## PII Output Routing — Audience-Aware Responses
+## Sensitive Output Routing — Audience-Aware Responses
 A critical security pattern: **the audience determines what you can say, not who
-asked.** If your human asks for a sitrep (or any PII-containing info) in a group
+asked.** If your human asks for a sitrep (or any sensitive info) in a group
 channel, you can't just dump it there — other people can read it.
 ### AGENTS.md / checklist prompt:
 ```markdown
-## PII Output Routing (CRITICAL)
+## Sensitive Output Routing (CRITICAL)
- NEVER output PII in any non-private channel, even if your human asks for it
+- NEVER output sensitive information in any non-private channel, even if your
- If a request would produce PII (medication status, travel details, financial
+  human asks for it
-  info, etc.) in a shared channel: send the response via DM instead, and reply
+- This includes: PII, secrets, credentials, API keys, and sensitive operational
-  in-channel with "sent privately"
+  information (flight numbers/times/dates, locations, travel plans, medical
  info, financial details, etc.)
 - If a request would produce any of the above in a shared channel: send the
  response via DM instead, and reply in-channel with "sent privately"
 - The rule is: the audience determines what you can say, not who asked
 - This applies to: group chats, public issue trackers, shared Mattermost
  channels, Discord servers — anywhere that isn't a 1:1 DM
@@ -1619,10 +1624,10 @@ channel, you can't just dump it there — other people can read it.
 ### Why this matters:
 This is a real failure mode. If someone asks "sitrep" in a group channel and you
-respond with medication names, partner details, travel dates, and hotel names —
+respond with medication names, partner details, travel dates, hotel names, or
-you just leaked all of that to everyone in the channel. The human asking is
+API credentials — you just leaked all of that to everyone in the channel. The
-authorized to see it; the channel audience is not. Always check WHERE you're
+human asking is authorized to see it; the channel audience is not. Always check
-responding, not just WHO asked.
+WHERE you're responding, not just WHO asked.
 ---
--- a/SETUP_CHECKLIST.md
+++ b/SETUP_CHECKLIST.md
@@ -273,7 +273,8 @@ poll. Structure it like this:
 ## Checks (rotate through these, 2-4 times per day)
- Emails — any urgent unread messages?
+- Notifications — any unread items? (Gitea notifications, emails, or
  whatever inbox sources you've integrated)
 - Calendar — upcoming events in next 24-48h?
 - Open issues/PRs — anything assigned to me?
 - Workspace sync — any uncommitted changes to push?
@@ -336,32 +337,36 @@ Then add a reference to this checklist in the MEMORY.md checklist index.
 Reference:
 https://git.eeqj.de/sneak/clawpub/raw/branch/main/OPENCLAW_TRICKS.md
-(see "PII Output Routing" and "Checklists Over Prose")
+(see "Sensitive Output Routing" and "Checklists Over Prose")
 ```
-### 5.2 PII output routing
+### 5.2 Sensitive output routing
-Prevents leaking private info in shared channels. Paste this to your agent:
+Prevents leaking private info, secrets, and operational details in shared
 channels. Paste this to your agent:
 ```
 Add the following warning banner near the TOP of AGENTS.md (before the
 session startup section):
-**⚠️ NEVER output PII in non-private channels.** If asked for
+**⚠️ NEVER output sensitive information in non-private channels.** This
-PII-containing info (medical, financial, personal) in a shared channel,
+includes PII, secrets, credentials, API keys, and sensitive operational
-send via DM to your human instead.
+information (flight numbers/times/dates, locations, travel plans,
 medical info, etc.). If asked for any of this in a shared channel, send
 via DM to your human instead.
-Also add a PII section to memory/checklist-messaging.md:
+Also add a sensitive-info section to memory/checklist-messaging.md:
-## PII Check (before every message in shared channels)
+## Sensitive Info Check (before every message in shared channels)
-1. Contains names, addresses, medical info, financial info? → DM only
+1. Contains PII (names, addresses, medical info, financial info)? → DM only
-2. Contains login credentials or tokens? → NEVER send, period
+2. Contains secrets, credentials, API keys, or tokens? → NEVER send, period
-3. When in doubt → send via DM
+3. Contains operational details (flight numbers, travel plans, locations)? → DM only
 4. When in doubt → send via DM
 Reference:
 https://git.eeqj.de/sneak/clawpub/raw/branch/main/OPENCLAW_TRICKS.md
-(see "PII-Aware Output Routing")
+(see "Sensitive Output Routing")
 ```
 ### 5.3 Additional checklists
Author	SHA1	Message	Date
Jeffrey Paul	f3e48c6cd4	Merge pull request 'Expand sensitive output routing and make inbox references conditional' (#3 ) from fix/pii-and-conditional-email into main All checks were successful check / check (push) Successful in 9s Details Reviewed-on: #3	2026-02-28 15:22:36 +01:00
clawbot	c0d345e767	expand PII routing to cover secrets, credentials, and operational info; make email/inbox references conditional All checks were successful check / check (push) Successful in 12s Details - Rename 'PII Output Routing' → 'Sensitive Output Routing' throughout - Expand scope to include secrets, credentials, API keys, flight numbers, locations, travel plans, medical info - Replace hardcoded 'Emails' heartbeat check with conditional language ('Notifications — whatever inbox sources you've integrated') - Remove 'email' from heartbeat-state.json example - Update cross-references in SETUP_CHECKLIST.md	2026-02-28 03:40:13 -08:00