diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index edf828e8638..d0e54ca0be7 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -505,6 +505,7 @@ Treat the snippet above as **secure DM mode**: - Default: `session.dmScope: "main"` (all DMs share one session for continuity). - Local CLI onboarding default: writes `session.dmScope: "per-channel-peer"` when unset (keeps existing explicit values). - Secure DM mode: `session.dmScope: "per-channel-peer"` (each channel+sender pair gets an isolated DM context). +- Cross-channel peer isolation: `session.dmScope: "per-peer"` (each sender gets one session across all channels of the same type). If you run multiple accounts on the same channel, use `per-account-channel-peer` instead. If the same person contacts you on multiple channels, use `session.identityLinks` to collapse those DM sessions into one canonical identity. See [Session Management](/concepts/session) and [Configuration](/gateway/configuration). 
@@ -919,22 +920,20 @@ Details: [Logging](/gateway/logging) In group chats, only respond when explicitly mentioned. -### 3. Separate Numbers +### 3) Separate numbers (WhatsApp, Signal, Telegram) -Consider running your AI on a separate phone number from your personal one: +For phone-number-based channels, consider running your AI on a separate phone number from your personal one: - Personal number: Your conversations stay private - Bot number: AI handles these, with appropriate boundaries -### 4. Read-Only Mode (Today, via sandbox + tools) +### 4) Read-only mode (via sandbox + tools) -You can already build a read-only profile by combining: +You can build a read-only profile by combining: - `agents.defaults.sandbox.workspaceAccess: "ro"` (or `"none"` for no workspace access) - tool allow/deny lists that block `write`, `edit`, `apply_patch`, `exec`, `process`, etc. -We may add a single `readOnlyMode` flag later to simplify this configuration. - Additional hardening options: - `tools.exec.applyPatch.workspaceOnly: true` (default): ensures `apply_patch` cannot write/delete outside the workspace directory even when sandboxing is off. Set to `false` only if you intentionally want `apply_patch` to touch files outside the workspace.
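Review bot: In the first hunk (`@@ -505,6 +505,7 @@`), the added `per-peer` bullet is labelled "Cross-channel peer isolation" but what it describes is sharing: one session per sender "across all channels of the same type". That is a wider scope than the `per-channel-peer` bullet just above it, which this section calls secure DM mode. State in the bullet whether `per-peer` is a weaker setting than secure DM mode, and define "channels of the same type". The context line that follows already sends readers to `session.identityLinks` for the same person on multiple channels, so the two options now read as overlapping without saying when to pick which.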
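Review bot: In the second hunk (`@@ -919,22 +920,20 @@`), the renamed headings `### 3) Separate numbers (WhatsApp, Signal, Telegram)` and `### 4) Read-only mode (via sandbox + tools)` change the heading text, so any anchor links generated from the old titles will stop resolving. Check for inbound links to the old anchors before merging, and confirm that the sibling headings outside this hunk use the same `N)` numbering and sentence case. Dropping the "We may add a single `readOnlyMode` flag later" sentence is fine, but the bullet ending in "etc." still leaves the set of tools to deny open-ended; for a read-only profile it would be safer to list the write-capable tools in full or to recommend an allow list.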