Private previewDesign partner program is open

For security and governance

Approve the exact action—not a vague tool permission.

Onterix is being designed to turn agent intent into an inspectable, versioned transaction: who is acting, under whose authority, on which data, toward which destination, with which protection and policy decisions, and with what evidence.

WHOActor, subject, agent, service, and client trustbound
WHATCapability, source, resource, payload, and current revisionbound
WHERERuntime, region, model route, recipient, and destinationbound
HOWProtection providers, transforms, policy, and credential classbound
PROOFVersions, hashes, approval, execution state, and outcomebound

Authority model

Agency cannot manufacture access.

The target runtime resolves distinct principals and narrows authority across the human subject, actor, agent, client, credential, source system, capability, and tenant policy.

IDENTITY

Keep principals explicit

Humans, agents, services, and system jobs have distinct ownership, grants, authentication strength, and evidence.

INTERSECTION

Narrow authority at every layer

On-behalf-of access is the intersection of subject, actor, client, credential, source, capability, and tenant policy—never their union.

CEILING

Preserve source-native limits

When a source expresses ACLs, roles, ownership, scopes, fields, or revisions, the runtime is not intended to grant broader authority.

SECRETS

Resolve credentials after decision

Agents, model providers, and client hosts should receive capability results—not downstream connector or customer database credentials.

Approval integrity

Material change requires a new decision.

The target approval is sealed to the normalized payload and destination, along with source revisions and the applicable capability, policy, provider, ruleset, and transformation versions. It authorizes neither a broader tool nor a later variant.

01Compute a human-readable payload and diffpreview
02Resolve an eligible reviewer and separation of dutiesreview
03Seal payload, destination, revisions, and versionsapprove
04Revalidate identity, policy, source, and destinationrecheck
05Supersede stale approval or execute idempotentlyenforce

Data boundary

Access and disclosure are different decisions.

Source authorization alone does not decide whether content may enter an agent context, leave for a model, become a tool argument, appear in an artifact, or reach an external recipient.

CONTEXT

Inspect where meaning changes

Evaluate source-to-agent, agent-to-model, capability-input, write-payload, artifact, download, and delivery boundaries independently.

COMPOSITION

Use approved protection providers

Combine baseline checks with enterprise DLP, classifiers, tokenization, sanitization, model-routing, or customer-local typed modules.

OUTCOME

Choose more than allow or block

Target decisions include minimization, masking, tokenization, safe derivatives, forced routes, approval, metadata-only handling, quarantine, and denial.

Strict target deployment modes

The shared control plane is not a customer-content proxy.

In customer-data-plane and fully self-hosted target modes, content-bearing execution and its sensitive operational state are intended to stay with the assigned customer runtime.

LOCAL

Credentials and source content

Connector secrets, customer database credentials, source content, indexes, chunks, embeddings, and protected artifacts remain in the active data plane.

LOCAL

Protection and workflow state

Findings, token vaults, quarantines, workflow payloads, approval evidence, and execution-local state remain with the sensitive path.

NARROW

Central coordination

The target central service coordinates tenant metadata, signed configuration, deployment registry, and narrow operational control—not raw customer payloads.

STATUS

These controls and deployment boundaries are target commitments under active private-preview development. Onterix does not claim completed production verification, compliance certifications, customer-hosted availability, production service levels, or exhaustive connector coverage.

Security and governance review

Interrogate one transaction before trusting the runtime.

Bring the identity model, data classes, source permissions, destinations, reviewers, providers, residency constraints, and evidence requirements behind a real blocked workflow.