- Input trust (from the trigger): trusted (you, in chat) ⇒ the agent may
write
rw. Untrusted (email, web — attacker-controllable, prompt-injectable) ⇒ propose-only (roworkspaces). - Effect reversibility: reversible (a workspace commit) ⇒ auto (git is the undo). Irreversible (send, order) ⇒ gated.
proactive-card.v1 frames on its
Stream: record (a task/note — payload is the file), draft, send (external).
Untrusted agent proposes → human approves → trusted code applies: a record is committed by a trusted
applier; a send is executed by the Integration. There is no
workspace-structure/schema check anywhere — the workspace is just files.