Security Model
StandIn is constrained by architecture, not policy. These aren't configuration options or promises. They're hard limits built into the system.
What StandIn can access
StandIn's access is enforced technically, not just by policy.
The system cannot access private messages, drafts, or unpublished content. There is no configuration, admin setting, or escalation path that enables this access — the capability does not exist.
If content is not explicitly published in a wrap, committed to a system of record, or linked as a public artifact, it is invisible to StandIn.
This boundary is enforced automatically and cannot be bypassed.
How StandIn responds to questions
Every question falls into one of three categories. The behavior is consistent and predictable.
1. Answer
Explicitly published
If a human wrote it in a wrap, committed it to code, or updated a linked ticket, StandIn treats it as fact and answers from it.
Only when the source is explicit, published, and within scope.<br/>
1. Answer
Explicitly published
If a human wrote it in a wrap, committed it to code, or updated a linked ticket, StandIn treats it as fact and answers from it.
Redirection does not expose private context.<br/>
1. Answer
Explicitly published
If a human wrote it in a wrap, committed it to code, or updated a linked ticket, StandIn treats it as fact and answers from it.
Refusal is enforced at the system level.<br/>
What StandIn cannot do
These are not policy restrictions. They are hard-coded constraints that cannot be configured, toggled, or overridden.
There is no “admin override” for these features because they do not exist in the product.
No passive monitoring
StandIn does not watch your screen, track your mouse, or log your active hours.
No private messages
DMs are invisible to StandIn. If you didn't post it publicly, it doesn't exist.
No intent inference
StandIn doesn't guess why someone did something. It only reports what they explicitly wrote.
No management oversight queries
Managers cannot ask “who is working hard?” or “summarize activity.” Those queries fail.
StandIn does not log, analyze, or summarize behavior in ways that would reconstruct these prohibited signals.
Architecture over intent
StandIn doesn't rely on users following the rules. The system is built so that the rules cannot be broken.
Fixed data scopes
Hard limits on what data the system can access. There is no way to expand these scopes.
Fixed data scopes
Hard limits on what data the system can access. There is no way to expand these scopes.
Fixed data scopes
Hard limits on what data the system can access. There is no way to expand these scopes.
Fixed data scopes
Hard limits on what data the system can access. There is no way to expand these scopes.
Even well-intentioned misuse is blocked.
What a Representative never does
RepresentativeRepresentativeRepresentative
These are the same architectural constraints that govern the entire system. A Representative inherits them. There is no admin toggle, no escalation path, no workaround.