Safe automation
Use the public API and CLI in ways that preserve workspace isolation and billing clarity.
Workspace isolation
API keys and app sessions determine the workspace. Tools should not accept user-supplied workspace ids unless the product explicitly supports switching workspaces.
Credit-spending actions
Generation and analysis creation can spend credits. Agent tools should make those actions explicit and keep read-only operations separate.
Logging
Safe logs include:
- request ids,
- job ids when needed,
- high-level status,
- sanitized media metadata.
Unsafe logs include:
- API keys,
- signed URLs,
- raw private media URLs,
- excessive user content or transcripts.