Expand sensitive output routing and make inbox references conditional #3
@ -341,13 +341,15 @@ This applies to everything: project rules ("no mocks in tests"), workflow
preferences ("fewer PRs, don't over-split"), corrections, new policies.
Immediate write to the daily file, and to MEMORY.md if it's a standing rule.
### PII-Aware Output Routing
### Sensitive Output Routing
A lesson learned the hard way: **the audience determines what you can say, not
who asked.** If the human asks for a medication status report in a group
channel, the agent can't just dump it there — other people can read it. The
rule: if the output would contain PII and the channel isn't private, redirect to
DM and reply in-channel with "sent privately."
rule: if the output would contain sensitive information (PII, secrets,
credentials, API keys, operational details like flight numbers, locations,
travel plans, medical info, etc.) and the channel isn't private, redirect to DM
and reply in-channel with "sent privately."
This is enforced at multiple levels:
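Review bot: the rewritten rule ("if the output would contain sensitive information ... and the channel isn't private, redirect to DM") still never says what counts as private; the AGENTS.md prompt further down in this patch defines it as "anywhere that isn't a 1:1 DM", so state that same definition here (e.g. "private means a 1:1 DM with the requester") so the two sections cannot drift apart.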
@ -378,7 +380,7 @@ The heartbeat handles:
- Periodic memory maintenance
State tracking in `memory/heartbeat-state.json` prevents redundant checks (e.g.,
don't re-check email if you checked 10 minutes ago).
don't re-check notifications if you checked 10 minutes ago).
The key output rule: heartbeats should either be `HEARTBEAT_OK` (nothing to do)
or a direct alert. Work narration goes to a designated status channel, never to
@ -1390,7 +1392,8 @@ stay quiet.
## Inbox Check (PRIORITY)
(check notifications, issues, emails — whatever applies)
(check whatever notification sources apply to your setup — e.g. Gitea
notifications, emails, issue trackers)
## Flight Prep Blocks (daily)
@ -1424,10 +1427,9 @@ Never send internal thinking or status narration to user's DM. Output should be:
```json
{
"lastChecks": {
"email": 1703275200,
"gitea": 1703280000,
"calendar": 1703260800,
"weather": null,
"gitea": 1703280000
"weather": null
},
"lastWeeklyDocsReview": "2026-02-24"
}
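Review bot: the added `"gitea": 1703280000` line has no trailing comma but is immediately followed by the added `"weather": null` line, so the new `lastChecks` object is not valid JSON (the removed `"gitea"` line it replaces did carry the comma). Change it to `"gitea": 1703280000,` so the example parses; this is a state file the heartbeat reads back to throttle checks, so a copy-pasted invalid example would fail to load.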
@ -1596,21 +1598,24 @@ Never lose a rule or preference your human states:
---
## PII Output Routing — Audience-Aware Responses
## Sensitive Output Routing — Audience-Aware Responses
A critical security pattern: **the audience determines what you can say, not who
asked.** If your human asks for a sitrep (or any PII-containing info) in a group
asked.** If your human asks for a sitrep (or any sensitive info) in a group
channel, you can't just dump it there — other people can read it.
### AGENTS.md / checklist prompt:
```markdown
## PII Output Routing (CRITICAL)
## Sensitive Output Routing (CRITICAL)
- NEVER output PII in any non-private channel, even if your human asks for it
- If a request would produce PII (medication status, travel details, financial
info, etc.) in a shared channel: send the response via DM instead, and reply
in-channel with "sent privately"
- NEVER output sensitive information in any non-private channel, even if your
human asks for it
- This includes: PII, secrets, credentials, API keys, and sensitive operational
information (flight numbers/times/dates, locations, travel plans, medical
info, financial details, etc.)
- If a request would produce any of the above in a shared channel: send the
response via DM instead, and reply in-channel with "sent privately"
- The rule is: the audience determines what you can say, not who asked
- This applies to: group chats, public issue trackers, shared Mattermost
channels, Discord servers — anywhere that isn't a 1:1 DM
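Review bot: the expanded "This includes:" bullet ends in "etc." but this AGENTS.md block gives the agent no default for the unlisted case; the section 5.2 checklist later in this patch adds "When in doubt → send via DM", and that line belongs here too, since this is the prompt the agent follows when it answers in a channel. Without it, anything not enumerated is left to the agent's judgement at the moment it is replying in the shared channel.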
@ -1619,10 +1624,10 @@ channel, you can't just dump it there — other people can read it.
### Why this matters:
This is a real failure mode. If someone asks "sitrep" in a group channel and you
respond with medication names, partner details, travel dates, and hotel names —
you just leaked all of that to everyone in the channel. The human asking is
authorized to see it; the channel audience is not. Always check WHERE you're
responding, not just WHO asked.
respond with medication names, partner details, travel dates, hotel names, or
API credentials — you just leaked all of that to everyone in the channel. The
human asking is authorized to see it; the channel audience is not. Always check
WHERE you're responding, not just WHO asked.
---
@ -273,7 +273,8 @@ poll. Structure it like this:
## Checks (rotate through these, 2-4 times per day)
- Emails — any urgent unread messages?
- Notifications — any unread items? (Gitea notifications, emails, or
whatever inbox sources you've integrated)
- Calendar — upcoming events in next 24-48h?
- Open issues/PRs — anything assigned to me?
- Workspace sync — any uncommitted changes to push?
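Review bot: the new "Notifications — any unread items? (Gitea notifications, emails, or whatever inbox sources you've integrated)" item now overlaps with the unchanged "Open issues/PRs — anything assigned to me?" item, since assignments on a Gitea instance arrive as Gitea notifications; either fold the second into the first or say it is meant for assigned items with no unread notification, so the 2-4 daily rotations do not poll the same source twice.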
@ -336,32 +337,36 @@ Then add a reference to this checklist in the MEMORY.md checklist index.
Reference:
https://git.eeqj.de/sneak/clawpub/raw/branch/main/OPENCLAW_TRICKS.md
(see "PII Output Routing" and "Checklists Over Prose")
(see "Sensitive Output Routing" and "Checklists Over Prose")
```
### 5.2 PII output routing
### 5.2 Sensitive output routing
Prevents leaking private info in shared channels. Paste this to your agent:
Prevents leaking private info, secrets, and operational details in shared
channels. Paste this to your agent:
```
Add the following warning banner near the TOP of AGENTS.md (before the
session startup section):
**⚠️ NEVER output PII in non-private channels.** If asked for
PII-containing info (medical, financial, personal) in a shared channel,
send via DM to your human instead.
**⚠️ NEVER output sensitive information in non-private channels.** This
includes PII, secrets, credentials, API keys, and sensitive operational
information (flight numbers/times/dates, locations, travel plans,
medical info, etc.). If asked for any of this in a shared channel, send
via DM to your human instead.
Also add a PII section to memory/checklist-messaging.md:
Also add a sensitive-info section to memory/checklist-messaging.md:
## PII Check (before every message in shared channels)
## Sensitive Info Check (before every message in shared channels)
1. Contains names, addresses, medical info, financial info? → DM only
2. Contains login credentials or tokens? → NEVER send, period
3. When in doubt → send via DM
1. Contains PII (names, addresses, medical info, financial info)? → DM only
2. Contains secrets, credentials, API keys, or tokens? → NEVER send, period
3. Contains operational details (flight numbers, travel plans, locations)? → DM only
4. When in doubt → send via DM
Reference:
https://git.eeqj.de/sneak/clawpub/raw/branch/main/OPENCLAW_TRICKS.md
(see "PII-Aware Output Routing")
(see "Sensitive Output Routing")
```
### 5.3 Additional checklists
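Review bot: the new banner and the new checklist in this hunk disagree on secrets. The banner lists "secrets, credentials, API keys" and then says "If asked for any of this in a shared channel, send via DM to your human instead", while item 2 of the Sensitive Info Check says "Contains secrets, credentials, API keys, or tokens? → NEVER send, period". Since the banner is what sits at the top of AGENTS.md, carve the secrets case out of its DM-redirect sentence (e.g. "... send via DM instead; never send secrets, credentials or API keys in any channel, DM included") so the stronger checklist rule is not undercut by the banner the agent reads first.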