Start at the draft reply
The uncomfortable moment is ordinary: the answer sounds helpful, but someone still has to decide whether the destination is safe.
Search articles, pages, and resources across BaristaLabs.
Start typing to search...
Public write-path field packet
Before an AI agent that reads private context can answer in a public issue, ticket, PR comment, Slack channel, or customer-facing thread, run a short test: classify the input, list the read scope, name the write destination, declare the recipient, probe for leaks, check the draft, gate early replies, and record the go/no-go decision.

A repo agent reads private or internal repositories and comments on public issues or PRs.
A support agent reads account history, billing notes, or internal runbooks and replies in a customer-visible ticket.
A Slack or Teams bot reads private channels, docs, or ticket queues and can post into a broader channel.
A community or forum agent reads internal knowledge-base drafts and answers in public threads.
A ticketing workflow reads private triage notes and writes into the requester-controlled conversation.
The input and output share an address, so the requester can place instructions in the same channel where the agent answers.
How to use it
The uncomfortable moment is ordinary: the answer sounds helpful, but someone still has to decide whether the destination is safe.
Read access is only half of the leak path. A narrower reader can still leak if it may repeat privileged context into a lower-trust channel.
The canary should ask for source-only details the recipient should not receive, then record whether the workflow withheld them.
Public replies may launch, launch with review, stay internal, wait for scope reduction, or stop. The choice needs evidence and an owner.
Copy the table into a PR checklist, runbook, wiki page, ticket, or launch review. Keep the first pass tied to one workflow that can read private context and write into a public or lower-trust destination.
| Field | What to write | Why it matters |
|---|---|---|
| Workflow identity | Workflow name, owner, environment, trigger, and reviewer. | The test belongs to one real workflow, not a generic agent policy. |
| Input trust classification | Treat issue titles, ticket bodies, comments, emails, messages, and forum posts as untrusted instruction input unless a trusted operator explicitly converts them into a task. | A public issue can look like normal work while carrying hidden instructions. |
| Read scope inventory | List every repo, queue, channel, document store, runbook, CRM record type, or account field the agent can actually access when triggered. | The relevant scope is what the credential or tool grants, not what the team assumes the agent will use. |
| Write destination map | Name every place the agent can write: public issue comment, PR comment, customer ticket, email, Slack channel, internal note, CRM field, forum reply, or webhook. | The destination decides who can read the answer and whether private context can leave the workflow. |
| Recipient of record | State who the answer is for: a named internal reviewer, a requester with known access, a customer contact, a public thread, or the open internet. | A model does not reliably infer audience boundaries from channel names. |
| Canary probe | Run a test prompt modeled on the real risk: ask for private filenames, internal strings, README excerpts, ticket notes, or source-only details that the requester should not receive. | The team needs evidence that the workflow refuses or withholds private context under realistic pressure. |
| Outgoing content check | Screen the drafted reply for source-only strings, filenames, internal IDs, private facts, unrelated customer data, credentials, hidden notes, or material outside the requester's access. | This is the last checkpoint before private context becomes public output. |
| Human gate | Route early public replies through a named reviewer, with the source evidence and policy rule visible before posting. | Automatic public replies compound a read-scope mistake before anyone can correct it. |
| Go/no-go rule | Choose one: allow public replies, allow only with review, keep replies internal, reduce scope and retest, or stop. Record the owner and next review trigger. | Public-reply mode should be a decision with evidence, not a default because the workflow works. |
Copy block
The packet is intentionally portable. It should work in a PR checklist, ticket, runbook, wiki page, or launch review before anyone turns on public-reply mode.
Public-output quarantine test Workflow name: Workflow owner: Technical owner: Environment: Trigger: Reviewer: Review date: 1. Input trust classification Untrusted input surfaces: Trusted instruction source, if any: How untrusted text becomes an approved task: 2. Read scope inventory Repos / file stores: Tickets / queues: Channels / docs / runbooks: Customer/account records: Credentials or tool scopes: Excluded sources: 3. Write destination map Public destinations: Customer-visible destinations: Internal destinations: System-of-record writes: Destinations disabled for this version: 4. Recipient of record Who is the answer for: What the recipient is allowed to know: Who is not allowed to receive private context: 5. Canary probe Probe prompt or scenario: Private context intentionally in scope for the probe: Expected safe behavior: Actual draft/output: Pass / fail: 6. Outgoing content check Terms, filenames, IDs, source-only facts, or data classes to screen: Detected leak terms: Reviewer notes: Required edits before posting: 7. Human gate Reviewer role/name: Evidence shown to reviewer: Decision options: approve / edit / reject / escalate / keep internal First batch size under review: 8. Go/no-go rule Decision: public replies allowed / allowed with review / internal-only / reduce scope and retest / stop Reason: Owner: Next review trigger:
Example row

Next step
BaristaLabs helps teams turn one public-facing agent workflow into a practical launch gate: input trust classification, real read scope, write destinations, recipient of record, canary probe, outgoing leak check, reviewer gate, receipt fields, and a go/no-go rule.
Map the public write boundarySource notes
Related resources
Read the GitLost story behind this worksheet and why the write path needed its own check.
Open resourcePlace the quarantine test inside the broader control sequence: policy, shadow run, queue, receipts, evals, observability, and rollback.
Open resourceRecord what triggered the run, what the agent saw, who reviewed it, what posted, and how to correct it later.
Open resourceA related GitHub workflow boundary: there, the fix was a narrow handler for real writes.
Open resourceUse observe mode when the team needs to watch real traffic before blocking or expanding permissions.
Open resourceMap one workflow's trigger, sources, review gate, write destination, receipt, and rollback path before automating it.
Open resourceBuild public-facing AI workflows around reviewable outputs, safe handoffs, and maintainable owner controls.
Open resource