Mission treats operational context, credentials, connectors, external actions, and agent autonomy as security-sensitive surfaces.
Mission is designed for controlled local operation, explicit connectors, approval-gated external actions, and evidence-backed recommendations. Sensitive actions should remain human-approved unless trust has been deliberately graduated.
API keys, OAuth tokens, webhooks, and service credentials should be stored using the workspace's configured secret mechanism, not pasted into public documents or committed into source control. Connector setup should be limited to the scopes needed for the workflow.
Agents should receive the smallest useful context, clear action classes, and explicit approval constraints. Public claims, spending, account changes, legal commitments, pricing, apologies, and irreversible actions stay gated.
Important actions should leave receipts: what was prepared, what was approved, what was sent or changed, what evidence was used, and what outcome followed.
Send security concerns to founders@phenomenalabs.com with the affected workspace, connector, or workflow and steps to reproduce if available.