Keep principals explicit
Humans, agents, services, and system jobs have distinct ownership, grants, authentication strength, and evidence.
For security and governance
Onterix is being designed to turn agent intent into an inspectable, versioned transaction: who is acting, under whose authority, on which data, toward which destination, with which protection and policy decisions, and with what evidence.
Authority model
The target runtime resolves distinct principals and narrows authority across the human subject, actor, agent, client, credential, source system, capability, and tenant policy.
Humans, agents, services, and system jobs have distinct ownership, grants, authentication strength, and evidence.
On-behalf-of access is the intersection of subject, actor, client, credential, source, capability, and tenant policy—never their union.
When a source expresses ACLs, roles, ownership, scopes, fields, or revisions, the runtime is not intended to grant broader authority.
Agents, model providers, and client hosts should receive capability results—not downstream connector or customer database credentials.
Approval integrity
The target approval is sealed to the normalized payload and destination, along with source revisions and the applicable capability, policy, provider, ruleset, and transformation versions. It authorizes neither a broader tool nor a later variant.
Data boundary
Source authorization alone does not decide whether content may enter an agent context, leave for a model, become a tool argument, appear in an artifact, or reach an external recipient.
Evaluate source-to-agent, agent-to-model, capability-input, write-payload, artifact, download, and delivery boundaries independently.
Combine baseline checks with enterprise DLP, classifiers, tokenization, sanitization, model-routing, or customer-local typed modules.
Target decisions include minimization, masking, tokenization, safe derivatives, forced routes, approval, metadata-only handling, quarantine, and denial.
Strict target deployment modes
In customer-data-plane and fully self-hosted target modes, content-bearing execution and its sensitive operational state are intended to stay with the assigned customer runtime.
Connector secrets, customer database credentials, source content, indexes, chunks, embeddings, and protected artifacts remain in the active data plane.
Findings, token vaults, quarantines, workflow payloads, approval evidence, and execution-local state remain with the sensitive path.
The target central service coordinates tenant metadata, signed configuration, deployment registry, and narrow operational control—not raw customer payloads.
These controls and deployment boundaries are target commitments under active private-preview development. Onterix does not claim completed production verification, compliance certifications, customer-hosted availability, production service levels, or exhaustive connector coverage.
Security and governance review
Bring the identity model, data classes, source permissions, destinations, reviewers, providers, residency constraints, and evidence requirements behind a real blocked workflow.