Big task: Uszy Piotra — Mistral inbox sidecar / privacy-first policy router #645

New issue

Open

opened 2026-05-30 16:14:27 +02:00 by Iskra · 21 comments

Iskra commented 2026-05-30 16:14:27 +02:00

Collaborator

Copy link

Context

This issue captures a Signal-originated product/security discussion about Uszy Piotra: a privacy-first inbox sidecar where OpenClaw/Iskra remains the main harness/router/memory layer, while Mistral may act as a fast Polish-language processing layer for classification, triage, safe summaries, and structured receipts.

Local detailed artifact: /home/openclaw/.openclaw/workspace/artifacts/2026-05-30-uszy-piotra-mistral-inbox-sidecar.md

Kan card: mz95ewhkj06s

Privacy note: this issue intentionally contains a sanitized technical artifact, not a raw private Signal transcript.

Why this matters

Working hypothesis:

For inbox AI, the black swan is not only data leakage. It is misreading context, tone, urgency, pressure, irony, and Polish social register. A model for Piotr's inbox should be evaluated on Polish-first contextual understanding, not only generic reasoning benchmarks.

Mistral appears interesting because of:

• natural Polish output / possibly better Polish-language priors,
• EU/privacy/self-hosting narrative,
• open-weight/local deployment path,
• very low latency and good throughput.

Architecture hypothesis

OpenClaw / Iskra

• main harness and user-facing layer,
• memory and continuity,
• policy router,
• receipts and audit,
• final decision layer,
• red-team/security boundary.

Mistral API / local Mistral

• fast processing sidecar,
• classification,
• task detection,
• safe summary generation,
• Polish tone/context detection,
• structured JSON receipts,
• no long-term memory,
• no raw private messages in cloud.

Critical red-team conclusion

This should be treated as:

a security project with an AI component, not an AI project with security bolted on.

Non-negotiable red lines

• No raw message content to cloud.
• Do not use Free/Pro Vibe for private inbox data.
• No fine-tuning on real private data in phase 1.
• No cloud fallback for local_only / super_private messages.
• No logs/receipts that can reconstruct private content.
• Do not treat anonymization as sufficient protection.
• Do not treat ZDR as magic; verify plan/DPA/subprocessors/retention.

Suggested v0 scope

Build a boring, falsifiable benchmark + policy router, not an inbox autopilot.

Deliverables:

1. Threat model.
2. Policy router spec.
3. JSON receipt schema.
4. Synthetic Polish inbox eval set.
5. Model comparison harness:
   • Mistral API,
   • GPT/OpenAI baseline,
   • local Mistral/open-weight if available.
6. Latency/quality report.
7. Red-team test cases:
   • prompt injection in mail,
   • hidden urgency,
   • passive aggression / irony,
   • formal vs informal Polish register,
   • privacy-risk routing,
   • false urgent / false negative cases.
8. Decision memo: what may go to API, what must always stay local.

Initial JSON receipt sketch

{
  "message_id": "synth_001",
  "source_type": "email|short_message|whatsapp|imessage",
  "inbox_policy": "professional|personal|short_messages|super_private",
  "routing": {
    "cloud_allowed": false,
    "local_only": true,
    "human_review_required": true,
    "fallback_to_cloud": "forbidden"
  },
  "classification": {
    "category": "meeting_request|document_request|fyi|follow_up|urgent|other",
    "priority": "low|normal|high|critical",
    "requires_response": true,
    "contains_task": true,
    "privacy_risk": "low|medium|high|block"
  },
  "language": {
    "language": "pl",
    "formality": "formal|neutral|informal",
    "tone": "neutral|warm|passive_aggressive|urgent|manipulative|unclear",
    "polish_nuance_flags": ["irony", "hidden_pressure"]
  },
  "summary_safe": "Short summary without PII and without reconstructing the raw message.",
  "confidence": {
    "classification": 0.0,
    "priority": 0.0,
    "tone": 0.0,
    "routing": 0.0
  }
}

Open questions

• Is platform the right repo, or should this become a dedicated uszy-piotra repo?
• Is Mistral API ZDR available without Enterprise?
• Can Mistral API be constrained EU-only contractually for this use?
• Which local open-weight Mistral model should be the first test target?
• Should v0 start with policy router + mock models before live API calls?

## Context This issue captures a Signal-originated product/security discussion about **Uszy Piotra**: a privacy-first inbox sidecar where OpenClaw/Iskra remains the main harness/router/memory layer, while Mistral may act as a fast Polish-language processing layer for classification, triage, safe summaries, and structured receipts. Local detailed artifact: `/home/openclaw/.openclaw/workspace/artifacts/2026-05-30-uszy-piotra-mistral-inbox-sidecar.md` Kan card: `mz95ewhkj06s` Privacy note: this issue intentionally contains a sanitized technical artifact, not a raw private Signal transcript. ## Why this matters Working hypothesis: > For inbox AI, the black swan is not only data leakage. It is misreading context, tone, urgency, pressure, irony, and Polish social register. A model for Piotr's inbox should be evaluated on Polish-first contextual understanding, not only generic reasoning benchmarks. Mistral appears interesting because of: - natural Polish output / possibly better Polish-language priors, - EU/privacy/self-hosting narrative, - open-weight/local deployment path, - very low latency and good throughput. ## Architecture hypothesis ### OpenClaw / Iskra - main harness and user-facing layer, - memory and continuity, - policy router, - receipts and audit, - final decision layer, - red-team/security boundary. ### Mistral API / local Mistral - fast processing sidecar, - classification, - task detection, - safe summary generation, - Polish tone/context detection, - structured JSON receipts, - no long-term memory, - no raw private messages in cloud. ## Critical red-team conclusion This should be treated as: > **a security project with an AI component, not an AI project with security bolted on.** ## Non-negotiable red lines - No raw message content to cloud. - Do not use Free/Pro Vibe for private inbox data. - No fine-tuning on real private data in phase 1. - No cloud fallback for `local_only` / `super_private` messages. - No logs/receipts that can reconstruct private content. - Do not treat anonymization as sufficient protection. - Do not treat ZDR as magic; verify plan/DPA/subprocessors/retention. ## Suggested v0 scope Build a boring, falsifiable benchmark + policy router, not an inbox autopilot. Deliverables: 1. Threat model. 2. Policy router spec. 3. JSON receipt schema. 4. Synthetic Polish inbox eval set. 5. Model comparison harness: - Mistral API, - GPT/OpenAI baseline, - local Mistral/open-weight if available. 6. Latency/quality report. 7. Red-team test cases: - prompt injection in mail, - hidden urgency, - passive aggression / irony, - formal vs informal Polish register, - privacy-risk routing, - false urgent / false negative cases. 8. Decision memo: what may go to API, what must always stay local. ## Initial JSON receipt sketch ```json { "message_id": "synth_001", "source_type": "email|short_message|whatsapp|imessage", "inbox_policy": "professional|personal|short_messages|super_private", "routing": { "cloud_allowed": false, "local_only": true, "human_review_required": true, "fallback_to_cloud": "forbidden" }, "classification": { "category": "meeting_request|document_request|fyi|follow_up|urgent|other", "priority": "low|normal|high|critical", "requires_response": true, "contains_task": true, "privacy_risk": "low|medium|high|block" }, "language": { "language": "pl", "formality": "formal|neutral|informal", "tone": "neutral|warm|passive_aggressive|urgent|manipulative|unclear", "polish_nuance_flags": ["irony", "hidden_pressure"] }, "summary_safe": "Short summary without PII and without reconstructing the raw message.", "confidence": { "classification": 0.0, "priority": 0.0, "tone": 0.0, "routing": 0.0 } } ``` ## Open questions - Is `platform` the right repo, or should this become a dedicated `uszy-piotra` repo? - Is Mistral API ZDR available without Enterprise? - Can Mistral API be constrained EU-only contractually for this use? - Which local open-weight Mistral model should be the first test target? - Should v0 start with policy router + mock models before live API calls?

Iskra commented 2026-05-30 16:22:56 +02:00

Author

Collaborator

Copy link

Repo split proposal after Piotr's follow-up:

This should probably not live as a single monolithic issue.

Platform-owned part

Keep here in pdurlej/platform:

• target architecture for Piotr's private/local infrastructure,
• home/server deployment assumptions,
• security boundaries for private inbox data,
• local model / vLLM / Ollama / GPU/RAM/storage planning,
• data locality, backups, network exposure, firewall/VPN,
• decision memo for Mistral API vs local sidecar.

OpenClaw-owned part

Should become a linked issue in the OpenClaw/Iskra repo once the canonical repo is identified:

• policy router inside OpenClaw,
• cloud_allowed / local_only / fallback_to_cloud: forbidden gates,
• safe JSON receipt schema,
• no raw-content logging guarantees,
• suppression of raw tool/runtime status leaks to Signal,
• eval harness integration,
• model routing between GPT/Mistral/local endpoint.

Linkage

This issue should remain the platform/security epic. The OpenClaw issue should be the implementation/harness epic and link back here.

Pending: identify canonical OpenClaw/Iskra repo. Public Forgejo repo list currently does not show an obvious openclaw repo under pdurlej; visible Claw-adjacent repo is pdurlej/judging-claw, which does not look canonical for this work.

Repo split proposal after Piotr's follow-up: This should probably not live as a single monolithic issue. ## Platform-owned part Keep here in `pdurlej/platform`: - target architecture for Piotr's private/local infrastructure, - home/server deployment assumptions, - security boundaries for private inbox data, - local model / vLLM / Ollama / GPU/RAM/storage planning, - data locality, backups, network exposure, firewall/VPN, - decision memo for Mistral API vs local sidecar. ## OpenClaw-owned part Should become a linked issue in the OpenClaw/Iskra repo once the canonical repo is identified: - policy router inside OpenClaw, - `cloud_allowed` / `local_only` / `fallback_to_cloud: forbidden` gates, - safe JSON receipt schema, - no raw-content logging guarantees, - suppression of raw tool/runtime status leaks to Signal, - eval harness integration, - model routing between GPT/Mistral/local endpoint. ## Linkage This issue should remain the platform/security epic. The OpenClaw issue should be the implementation/harness epic and link back here. Pending: identify canonical OpenClaw/Iskra repo. Public Forgejo repo list currently does not show an obvious `openclaw` repo under `pdurlej`; visible Claw-adjacent repo is `pdurlej/judging-claw`, which does not look canonical for this work.

Iskra commented 2026-05-30 16:25:49 +02:00

Author

Collaborator

Copy link

Linked OpenClaw/Iskra implementation issue created: pdurlej/iskra-openclaw#392

Split now is:

• platform#645 = infrastructure/security/local deployment/data locality epic
• iskra-openclaw#392 = OpenClaw policy router, receipts, model routing, Signal/runtime UX guards

Linked OpenClaw/Iskra implementation issue created: https://git.pdurlej.com/pdurlej/iskra-openclaw/issues/392 Split now is: - `platform#645` = infrastructure/security/local deployment/data locality epic - `iskra-openclaw#392` = OpenClaw policy router, receipts, model routing, Signal/runtime UX guards

Iskra commented 2026-05-30 16:27:44 +02:00

Author

Collaborator

Copy link

Architecture decision: assume Mistral API is non-ZDR at MVP start

Piotr confirmed a pragmatic assumption from the current Mistral account/plan reality:

Treat anything sent to Mistral API as not ZDR unless/until a concrete contract/plan proves otherwise.

This changes the MVP risk model:

• We may accept a controlled privacy-leak risk for low-sensitivity mail triage, similar to the current reality that mail is already hosted by Gmail/FastMail/etc.
• The system must not pretend Mistral API is private or zero-retention by default.
• ZDR/local privacy is a later phase, achieved only when local models are good enough and we know what hardware can run them.

Required policy implication

Return to the earlier scaled mail access concept:

• tier_0_headers_only: Mistral may see only headers/minimal metadata.
• tier_1_low_sensitivity: Mistral may see sanitized snippets/content for classification.
• tier_2_private: local-only content; Mistral gets at most metadata.
• tier_3_secrets: passwords, credentials, secrets, medical/legal/highly private content; never send raw content to Mistral.

Examples of hard block / headers-only:

• passwords / credentials / reset codes,
• API keys / tokens,
• invoices/contracts with sensitive identifiers unless explicitly allowed,
• medical/legal/highly personal messages,
• messages marked super_private / local_only.

Design consequence

The critical v0 component is a sensitivity gate before model routing, not the model itself.

Mistral API should be treated as a fast non-ZDR processor behind a strict policy gate. Local models become the later path to true ZDR-like behavior.

## Architecture decision: assume Mistral API is non-ZDR at MVP start Piotr confirmed a pragmatic assumption from the current Mistral account/plan reality: > Treat anything sent to Mistral API as **not ZDR** unless/until a concrete contract/plan proves otherwise. This changes the MVP risk model: - We may accept a controlled privacy-leak risk for low-sensitivity mail triage, similar to the current reality that mail is already hosted by Gmail/FastMail/etc. - The system must not pretend Mistral API is private or zero-retention by default. - ZDR/local privacy is a later phase, achieved only when local models are good enough and we know what hardware can run them. ## Required policy implication Return to the earlier **scaled mail access** concept: - `tier_0_headers_only`: Mistral may see only headers/minimal metadata. - `tier_1_low_sensitivity`: Mistral may see sanitized snippets/content for classification. - `tier_2_private`: local-only content; Mistral gets at most metadata. - `tier_3_secrets`: passwords, credentials, secrets, medical/legal/highly private content; never send raw content to Mistral. Examples of hard block / headers-only: - passwords / credentials / reset codes, - API keys / tokens, - invoices/contracts with sensitive identifiers unless explicitly allowed, - medical/legal/highly personal messages, - messages marked `super_private` / `local_only`. ## Design consequence The critical v0 component is a **sensitivity gate before model routing**, not the model itself. Mistral API should be treated as a fast non-ZDR processor behind a strict policy gate. Local models become the later path to true ZDR-like behavior.

Iskra commented 2026-05-30 16:33:16 +02:00

Author

Collaborator

Copy link

Proposed pipeline v0 from Piotr audio note

Piotr sketched a pragmatic first architecture for Uszy Piotra with Mistral API as a fast non-ZDR processing layer behind local safety gates.

Ingestion

Sources:

• Gmail / mail inboxes,
• WhatsApp via online-accessible integration,
• iMessage excluded for now because reliable online/local ingestion is harder.

Local first-pass gate

Before anything reaches Mistral API:

1. A local always-on script watches inbox events.
2. A simple deterministic/small local detector scans for dangerous/sensitive content:
   • passwords,
   • tokens/API keys,
   • reset codes,
   • credentials,
   • obviously sensitive legal/medical/private content.
3. A small local LLM/classifier on RS2000 or other local machine does a second-pass sensitivity check.
4. Only messages that pass this local gate may go to Mistral API.

Hard rule: blocked/highly sensitive messages are headers-only or local-only.

Mistral API role

For Gmail/low-sensitivity messages that pass the gate, Mistral API receives enough content for richer classification and triage.

Mistral may:

• label messages according to a contract,
• classify priority,
• suggest whether Iskra should care,
• prepare structured receipts,
• propose next actions,
• write/update a shared Obsidian/headless repo surface for Iskra and Piotr.

Mistral is not the final decision-maker. It gives taste/signal to Iskra.

Iskra/OpenClaw role

Iskra has a polling/checkpoint script that checks the shared Obsidian/headless surface every N minutes.

If Mistral reports new mail:

• low priority: Iskra may ignore/defer,
• high priority: Iskra decides whether to notify Piotr or act,
• Iskra remains final operator-facing judgment layer.

FastMail variant

For FastMail:

• Mistral may forward or surface interesting allowed messages only to Iskra's mail/inbox channel,
• Iskra cannot send directly from Piotr's FastMail,
• Iskra may at most draft replies for Piotr's approval.

This keeps outbound blast radius low.

Why this is attractive

• Accepts the practical reality that Mistral API is likely non-ZDR for now.
• Uses local sensitivity gating before cloud.
• Lets Mistral do high-throughput low-risk triage.
• Keeps Iskra as final judgment/action layer.
• Avoids iMessage complexity in v0.
• Keeps outbound email safe via draft-only behavior.

Open questions / risks

• Which local detector/model runs on RS2000?
• What exact sensitivity taxonomy gates cloud access?
• How to prevent Mistral receipts from reconstructing private content?
• What is the Obsidian/headless write contract?
• How often should Iskra poll without creating noise?
• How do we audit false negatives from the local sensitivity gate?

## Proposed pipeline v0 from Piotr audio note Piotr sketched a pragmatic first architecture for Uszy Piotra with Mistral API as a fast non-ZDR processing layer behind local safety gates. ### Ingestion Sources: - Gmail / mail inboxes, - WhatsApp via online-accessible integration, - iMessage excluded for now because reliable online/local ingestion is harder. ### Local first-pass gate Before anything reaches Mistral API: 1. A local always-on script watches inbox events. 2. A simple deterministic/small local detector scans for dangerous/sensitive content: - passwords, - tokens/API keys, - reset codes, - credentials, - obviously sensitive legal/medical/private content. 3. A small local LLM/classifier on RS2000 or other local machine does a second-pass sensitivity check. 4. Only messages that pass this local gate may go to Mistral API. Hard rule: blocked/highly sensitive messages are headers-only or local-only. ### Mistral API role For Gmail/low-sensitivity messages that pass the gate, Mistral API receives enough content for richer classification and triage. Mistral may: - label messages according to a contract, - classify priority, - suggest whether Iskra should care, - prepare structured receipts, - propose next actions, - write/update a shared Obsidian/headless repo surface for Iskra and Piotr. Mistral is not the final decision-maker. It gives taste/signal to Iskra. ### Iskra/OpenClaw role Iskra has a polling/checkpoint script that checks the shared Obsidian/headless surface every N minutes. If Mistral reports new mail: - low priority: Iskra may ignore/defer, - high priority: Iskra decides whether to notify Piotr or act, - Iskra remains final operator-facing judgment layer. ### FastMail variant For FastMail: - Mistral may forward or surface interesting allowed messages only to Iskra's mail/inbox channel, - Iskra cannot send directly from Piotr's FastMail, - Iskra may at most draft replies for Piotr's approval. This keeps outbound blast radius low. ### Why this is attractive - Accepts the practical reality that Mistral API is likely non-ZDR for now. - Uses local sensitivity gating before cloud. - Lets Mistral do high-throughput low-risk triage. - Keeps Iskra as final judgment/action layer. - Avoids iMessage complexity in v0. - Keeps outbound email safe via draft-only behavior. ### Open questions / risks - Which local detector/model runs on RS2000? - What exact sensitivity taxonomy gates cloud access? - How to prevent Mistral receipts from reconstructing private content? - What is the Obsidian/headless write contract? - How often should Iskra poll without creating noise? - How do we audit false negatives from the local sensitivity gate?

Iskra commented 2026-05-30 16:38:06 +02:00

Author

Collaborator

Copy link

Roadmap / model layering from Piotr audio note

Piotr proposed a more explicit layered architecture for Uszy Piotra and broader ingest workflows.

Local small safety model

Investigate OpenAI's small/local Hugging Face model as a candidate for the local sensitivity gate. Desired role:

• run locally on RS2000 or another always-on machine,
• detect dangerous/sensitive content before cloud routing,
• work alongside deterministic scanners,
• decide whether a message is headers-only, local-only, sanitized-to-cloud, or cloud-allowed.

Mistral as critical processing layer

Mistral/Mistral-family models are becoming central to this design:

• short-term: Mistral subscription/API may be financially worth it despite lack of ZDR, if guarded by local sensitivity gates;
• medium-term: Mistral handles high-throughput mail classification, labeling, prioritization, and Obsidian/headless receipts;
• long-term: local Mistral models on Piotr's own server get higher permissions and can process more sensitive content locally.

Local server v1.0

Future target:

• Piotr has a local server capable of running Mistral-family models,
• local models can classify and queue work by priority/accuracy tradeoff,
• low-priority/high-accuracy jobs may wait for low server load,
• high-priority jobs can use faster/cloud escalation if policy allows.

Broader ingest path

If this pattern works for mail, it can generalize to:

• files,
• ebooks,
• films/videos,
• books,
• other content ingests.

Mistral becomes a reusable ingestion/triage layer, not just mail tooling.

Proposed privacy/power ladder

From most private/weakest to least private/strongest:

1. deterministic hard scripts / regex / secret scanners,
2. private local small model,
3. Mistral layer / Mistral local or API depending on policy,
4. Ollama cloud subscription as possible cloud escalation layer,
5. GPT/OpenClaw engine as strongest but least private escalation layer.

Important wording: this is about the underlying engine privacy/power tradeoff, not Iskra's persona.

Action items

• Find candidate OpenAI small local HF model.
• Check whether Ollama API key/subscription exists in Infisical/config without exposing the secret.
• Ask DeepSeek V4 Cloud or equivalent adversarial reviewer to red-team this layered model-routing idea.
• Add red-team findings back to this issue and the OpenClaw implementation issue.

## Roadmap / model layering from Piotr audio note Piotr proposed a more explicit layered architecture for Uszy Piotra and broader ingest workflows. ### Local small safety model Investigate OpenAI's small/local Hugging Face model as a candidate for the local sensitivity gate. Desired role: - run locally on RS2000 or another always-on machine, - detect dangerous/sensitive content before cloud routing, - work alongside deterministic scanners, - decide whether a message is headers-only, local-only, sanitized-to-cloud, or cloud-allowed. ### Mistral as critical processing layer Mistral/Mistral-family models are becoming central to this design: - short-term: Mistral subscription/API may be financially worth it despite lack of ZDR, if guarded by local sensitivity gates; - medium-term: Mistral handles high-throughput mail classification, labeling, prioritization, and Obsidian/headless receipts; - long-term: local Mistral models on Piotr's own server get higher permissions and can process more sensitive content locally. ### Local server v1.0 Future target: - Piotr has a local server capable of running Mistral-family models, - local models can classify and queue work by priority/accuracy tradeoff, - low-priority/high-accuracy jobs may wait for low server load, - high-priority jobs can use faster/cloud escalation if policy allows. ### Broader ingest path If this pattern works for mail, it can generalize to: - files, - ebooks, - films/videos, - books, - other content ingests. Mistral becomes a reusable ingestion/triage layer, not just mail tooling. ### Proposed privacy/power ladder From most private/weakest to least private/strongest: 1. deterministic hard scripts / regex / secret scanners, 2. private local small model, 3. Mistral layer / Mistral local or API depending on policy, 4. Ollama cloud subscription as possible cloud escalation layer, 5. GPT/OpenClaw engine as strongest but least private escalation layer. Important wording: this is about the underlying engine privacy/power tradeoff, not Iskra's persona. ### Action items - Find candidate OpenAI small local HF model. - Check whether Ollama API key/subscription exists in Infisical/config without exposing the secret. - Ask DeepSeek V4 Cloud or equivalent adversarial reviewer to red-team this layered model-routing idea. - Add red-team findings back to this issue and the OpenClaw implementation issue.

Iskra commented 2026-05-30 16:41:35 +02:00

Author

Collaborator

Copy link

Quick verification: OpenAI local model candidate + Ollama key status + DeepSeek blocker

OpenAI local model candidate

Found the likely model Piotr referred to:

• Hugging Face: openai/gpt-oss-20b
• Open-weight model by OpenAI.
• Smaller member of gpt-oss family.
• Intended for lower latency, local/specialized use cases.
• Model card says it can run within ~16GB memory and uses Apache 2.0.
• Important caveat: it expects OpenAI's harmony response format; using it as a classifier/gate needs adapter/wrapper work, not just naive prompting.

This is a plausible candidate for the local sensitivity gate, but should be benchmarked specifically on:

• secret/credential detection,
• Polish privacy categories,
• false negatives,
• speed on RS2000/local hardware,
• structured JSON reliability.

Ollama API key status

Checked without exposing the secret:

• /opt/hermes-agency/.env contains:
  • OLLAMA_BASE_URL set, host: https://ollama.com
  • OLLAMA_API_KEY set
  • OLLAMA_TIMEOUT_MS set
• current OpenClaw runtime env does not expose OLLAMA_API_KEY; it only exposes ZAI_API_KEY among matching provider keys.
• Infisical /home-platform/apps/openclaw path does not currently expose an Ollama key to OpenClaw render.

Implication: Ollama cloud key exists in Hermes env, but OpenClaw-family unattended secret contract may need cleanup/bridging before Iskra can use it safely.

DeepSeek V4 Cloud blocker

Attempted to spawn red-team with:

• deepseek/deepseek-v4
• deepseek/deepseek-chat

Both were rejected by current OpenClaw model allowlist: model not allowed.

Need either:

• enable/allow a DeepSeek Cloud model in OpenClaw session/provider config,
• provide a supported DeepSeek/OpenRouter route,
• or use an available substitute red-team lane (Oracle/GPT-5.5 Pro, ZAI/GLM, or Ollama cloud) and label it clearly as not-DeepSeek.

## Quick verification: OpenAI local model candidate + Ollama key status + DeepSeek blocker ### OpenAI local model candidate Found the likely model Piotr referred to: - Hugging Face: `openai/gpt-oss-20b` - Open-weight model by OpenAI. - Smaller member of `gpt-oss` family. - Intended for lower latency, local/specialized use cases. - Model card says it can run within ~16GB memory and uses Apache 2.0. - Important caveat: it expects OpenAI's `harmony` response format; using it as a classifier/gate needs adapter/wrapper work, not just naive prompting. This is a plausible candidate for the local sensitivity gate, but should be benchmarked specifically on: - secret/credential detection, - Polish privacy categories, - false negatives, - speed on RS2000/local hardware, - structured JSON reliability. ### Ollama API key status Checked without exposing the secret: - `/opt/hermes-agency/.env` contains: - `OLLAMA_BASE_URL` set, host: `https://ollama.com` - `OLLAMA_API_KEY` set - `OLLAMA_TIMEOUT_MS` set - current OpenClaw runtime env does not expose `OLLAMA_API_KEY`; it only exposes `ZAI_API_KEY` among matching provider keys. - Infisical `/home-platform/apps/openclaw` path does not currently expose an Ollama key to OpenClaw render. Implication: Ollama cloud key exists in Hermes env, but OpenClaw-family unattended secret contract may need cleanup/bridging before Iskra can use it safely. ### DeepSeek V4 Cloud blocker Attempted to spawn red-team with: - `deepseek/deepseek-v4` - `deepseek/deepseek-chat` Both were rejected by current OpenClaw model allowlist: `model not allowed`. Need either: - enable/allow a DeepSeek Cloud model in OpenClaw session/provider config, - provide a supported DeepSeek/OpenRouter route, - or use an available substitute red-team lane (Oracle/GPT-5.5 Pro, ZAI/GLM, or Ollama cloud) and label it clearly as not-DeepSeek.

Iskra commented 2026-05-30 16:42:46 +02:00

Author

Collaborator

Copy link

Strategic defer until 2026-06-08

Piotr noted this should be deferred until around 8 June 2026.

Reason: Apple is expected to present AI-related capabilities around then, and Piotr is planning hardware upgrades (iPhone 18 Pro and likely MacBook/Mac-side upgrade). This may materially change what local models can run on-device / on Mac and therefore affects the local-vs-cloud architecture.

Decision implication:

• keep capturing architecture and red-team notes now;
• do not lock the local model/server roadmap before the Apple AI / hardware picture is clearer;
• after 2026-06-08, revisit:
  • local model feasibility on Mac/iPhone ecosystem,
  • whether local-first becomes much more practical,
  • what still belongs on RS2000/local server,
  • whether Mistral API subscription remains worth it as a bridge layer.

## Strategic defer until 2026-06-08 Piotr noted this should be deferred until around **8 June 2026**. Reason: Apple is expected to present AI-related capabilities around then, and Piotr is planning hardware upgrades (iPhone 18 Pro and likely MacBook/Mac-side upgrade). This may materially change what local models can run on-device / on Mac and therefore affects the local-vs-cloud architecture. Decision implication: - keep capturing architecture and red-team notes now; - do not lock the local model/server roadmap before the Apple AI / hardware picture is clearer; - after 2026-06-08, revisit: - local model feasibility on Mac/iPhone ecosystem, - whether local-first becomes much more practical, - what still belongs on RS2000/local server, - whether Mistral API subscription remains worth it as a bridge layer.

Iskra commented 2026-05-30 16:48:26 +02:00

Author

Collaborator

Copy link

Correction / better local safety-gate candidate: openai/privacy-filter

Piotr pointed to the more relevant OpenAI Hugging Face model:

• https://huggingface.co/openai/privacy-filter

This is a much better first safety-gate candidate than treating gpt-oss-20b as the primary local classifier.

Why it fits

openai/privacy-filter is a bidirectional token-classification model for PII detection and masking, intended for high-throughput on-prem data sanitization workflows.

Relevant properties from the model card:

• Apache 2.0 license.
• Small: ~1.5B parameters total, ~50M active parameters.
• Runs on laptop / browser-class environments.
• Token classification, not autoregressive generation.
• Long context: 128k token context window.
• Runtime precision/recall tradeoff controls.
• Detects spans in categories:
  • account_number
  • private_address
  • private_email
  • private_person
  • private_phone
  • private_url
  • private_date
  • secret

Updated gate proposal

Use layers:

1. Deterministic regex/secret scanners.
2. openai/privacy-filter as local PII/secret span detector + masker.
3. Small local LLM/classifier for semantic sensitivity beyond PII taxonomy:
   • legal/medical context,
   • relationship/private content,
   • hidden credentials,
   • Polish nuance,
   • „this looks safe but context makes it sensitive”.
4. Policy router decides:
   • headers-only,
   • masked/sanitized snippet to Mistral,
   • full low-risk content to Mistral,
   • local-only.

Caveats

Do not over-trust it:

• model card says it is primarily English, with selected multilingual robustness only;
• static label taxonomy will miss project-specific/private-context sensitivity;
• it is not anonymization or compliance guarantee;
• it needs calibration and Polish evals before use.

Architecture consequence

privacy-filter should become the first serious local redaction/sanitization candidate for v0. gpt-oss-20b remains a possible second-pass semantic classifier, not the first PII detector.

## Correction / better local safety-gate candidate: `openai/privacy-filter` Piotr pointed to the more relevant OpenAI Hugging Face model: - https://huggingface.co/openai/privacy-filter This is a much better first safety-gate candidate than treating `gpt-oss-20b` as the primary local classifier. ### Why it fits `openai/privacy-filter` is a bidirectional token-classification model for PII detection and masking, intended for high-throughput on-prem data sanitization workflows. Relevant properties from the model card: - Apache 2.0 license. - Small: ~1.5B parameters total, ~50M active parameters. - Runs on laptop / browser-class environments. - Token classification, not autoregressive generation. - Long context: 128k token context window. - Runtime precision/recall tradeoff controls. - Detects spans in categories: - `account_number` - `private_address` - `private_email` - `private_person` - `private_phone` - `private_url` - `private_date` - `secret` ### Updated gate proposal Use layers: 1. Deterministic regex/secret scanners. 2. `openai/privacy-filter` as local PII/secret span detector + masker. 3. Small local LLM/classifier for semantic sensitivity beyond PII taxonomy: - legal/medical context, - relationship/private content, - hidden credentials, - Polish nuance, - „this looks safe but context makes it sensitive”. 4. Policy router decides: - headers-only, - masked/sanitized snippet to Mistral, - full low-risk content to Mistral, - local-only. ### Caveats Do not over-trust it: - model card says it is primarily English, with selected multilingual robustness only; - static label taxonomy will miss project-specific/private-context sensitivity; - it is not anonymization or compliance guarantee; - it needs calibration and Polish evals before use. ### Architecture consequence `privacy-filter` should become the first serious local redaction/sanitization candidate for v0. `gpt-oss-20b` remains a possible second-pass semantic classifier, not the first PII detector.

Iskra commented 2026-05-30 16:50:04 +02:00

Author

Collaborator

Copy link

WWDC / Apple AI watchlist for June 8 defer

Piotr shared a GPT-generated WWDC expectation note. Treat as unverified forecast, not fact.

It strengthens the existing defer: do not lock local-vs-cloud architecture until after Apple's AI announcements are clear.

What to watch for

The important question is not “new Siri” but whether Apple exposes local/on-device AI capabilities to developers.

Decision-changing announcements would include:

• Foundation Models API or equivalent local model API.
• Local embedding API.
• Local summarization / extraction / classification APIs.
• Local tool-calling or agent framework.
• Natural-language Shortcuts / deeper automation APIs.
• Safe access to user data with privacy-preserving local inference.
• Clear macOS/iOS integration points for apps like Obsidian, OpenClaw, personal agents, memory/RAG systems.
• Private Cloud Compute developer surface, if any, and its privacy guarantees.

Why it matters for Uszy Piotra / Iskra

If Apple gives developer-accessible local inference on Apple Silicon, several parts of the roadmap may move from custom infra to native macOS/iOS capabilities:

• local sensitivity gate,
• local summarization/classification,
• local embeddings/RAG,
• user-data-aware automations,
• maybe parts of inbox triage and action routing.

This could reduce reliance on:

• custom OCR/automation hacks,
• Ollama/cloud fallback,
• RS2000-only local model path,
• some MCP glue.

Conservative expectation

Apple may only ship a constrained foundation layer, not a complete agent platform. Expect a 2–3 year expansion curve.

Decision after WWDC

After 2026-06-08, revisit:

• whether Mac/iPhone local AI becomes a first-class layer in the privacy/power ladder;
• whether Mistral API remains a bridge layer or becomes less central;
• whether local model work should target Apple Silicon first, RS2000 first, or both;
• whether Obsidian/OpenClaw integration should use native Apple APIs where possible.

## WWDC / Apple AI watchlist for June 8 defer Piotr shared a GPT-generated WWDC expectation note. Treat as unverified forecast, not fact. It strengthens the existing defer: do not lock local-vs-cloud architecture until after Apple's AI announcements are clear. ### What to watch for The important question is not “new Siri” but whether Apple exposes local/on-device AI capabilities to developers. Decision-changing announcements would include: - Foundation Models API or equivalent local model API. - Local embedding API. - Local summarization / extraction / classification APIs. - Local tool-calling or agent framework. - Natural-language Shortcuts / deeper automation APIs. - Safe access to user data with privacy-preserving local inference. - Clear macOS/iOS integration points for apps like Obsidian, OpenClaw, personal agents, memory/RAG systems. - Private Cloud Compute developer surface, if any, and its privacy guarantees. ### Why it matters for Uszy Piotra / Iskra If Apple gives developer-accessible local inference on Apple Silicon, several parts of the roadmap may move from custom infra to native macOS/iOS capabilities: - local sensitivity gate, - local summarization/classification, - local embeddings/RAG, - user-data-aware automations, - maybe parts of inbox triage and action routing. This could reduce reliance on: - custom OCR/automation hacks, - Ollama/cloud fallback, - RS2000-only local model path, - some MCP glue. ### Conservative expectation Apple may only ship a constrained foundation layer, not a complete agent platform. Expect a 2–3 year expansion curve. ### Decision after WWDC After 2026-06-08, revisit: - whether Mac/iPhone local AI becomes a first-class layer in the privacy/power ladder; - whether Mistral API remains a bridge layer or becomes less central; - whether local model work should target Apple Silicon first, RS2000 first, or both; - whether Obsidian/OpenClaw integration should use native Apple APIs where possible.

Iskra commented 2026-05-30 16:50:59 +02:00

Author

Collaborator

Copy link

RS2000 resource constraint / benchmark requirement

Piotr added an important operational constraint:

The local privacy/sensitivity gate must not murder the RS2000 Netcup VPS, at least for the headers-only analysis path.

Minimal v0 assumption

For early v0, do not assume full message-body local inference on RS2000.

Start with:

• headers,
• sender/from/to/domain metadata,
• subject,
• maybe very short sanitized preview only if cheap and safe.

Acceptance criterion

A candidate local model/gate is acceptable for RS2000 only if it can run continuously or frequently without destabilizing the VPS.

Benchmark before adopting:

• cold start time,
• warm inference latency on headers-only input,
• RAM footprint,
• CPU load,
• concurrency behavior under mail bursts,
• impact on existing OpenClaw services,
• failure mode under memory pressure.

Consequence for openai/privacy-filter

openai/privacy-filter is promising, but must be tested in a very small headers-only benchmark first. If 1.5B token-classification is too heavy on RS2000, fallback options are:

1. deterministic regex/secret scanner only on RS2000,
2. tiny local classifier instead of privacy-filter,
3. queue privacy-filter jobs to a stronger Mac/local server,
4. use privacy-filter only after Apple/Mac hardware path is available,
5. keep RS2000 as event router, not inference host.

Design principle

RS2000 should remain the reliable always-on orchestrator. It must not become the overloaded inference box by accident.

## RS2000 resource constraint / benchmark requirement Piotr added an important operational constraint: The local privacy/sensitivity gate must not murder the RS2000 Netcup VPS, at least for the headers-only analysis path. ### Minimal v0 assumption For early v0, do not assume full message-body local inference on RS2000. Start with: - headers, - sender/from/to/domain metadata, - subject, - maybe very short sanitized preview only if cheap and safe. ### Acceptance criterion A candidate local model/gate is acceptable for RS2000 only if it can run continuously or frequently without destabilizing the VPS. Benchmark before adopting: - cold start time, - warm inference latency on headers-only input, - RAM footprint, - CPU load, - concurrency behavior under mail bursts, - impact on existing OpenClaw services, - failure mode under memory pressure. ### Consequence for `openai/privacy-filter` `openai/privacy-filter` is promising, but must be tested in a very small headers-only benchmark first. If 1.5B token-classification is too heavy on RS2000, fallback options are: 1. deterministic regex/secret scanner only on RS2000, 2. tiny local classifier instead of privacy-filter, 3. queue privacy-filter jobs to a stronger Mac/local server, 4. use privacy-filter only after Apple/Mac hardware path is available, 5. keep RS2000 as event router, not inference host. ### Design principle RS2000 should remain the reliable always-on orchestrator. It must not become the overloaded inference box by accident.

Iskra commented 2026-05-30 16:53:29 +02:00

Author

Collaborator

Copy link

Related capability bug created:

pdurlej/iskra-openclaw#394

Summary: Ollama API key exists in Hermes env, but normal Iskra/OpenClaw runtime does not receive it through /run/user/1000/openclaw/runtime.env / OpenClaw Infisical render path, so Ollama cannot yet be used as an Iskra red-team/model-routing lane without a secret-contract fix.

Related capability bug created: https://git.pdurlej.com/pdurlej/iskra-openclaw/issues/394 Summary: Ollama API key exists in Hermes env, but normal Iskra/OpenClaw runtime does not receive it through `/run/user/1000/openclaw/runtime.env` / OpenClaw Infisical render path, so Ollama cannot yet be used as an Iskra red-team/model-routing lane without a secret-contract fix.

Iskra commented 2026-05-30 16:54:00 +02:00

Author

Collaborator

Copy link

Fallback if local model is too heavy: deterministic-first gates + prior art search

Piotr added a useful constraint/attitude:

If RS2000 cannot comfortably run a local privacy model, do not force an LLM into the gate. Instead, make the early system more deterministic and lean on prior art.

Design implication

For v0, a deterministic-heavy gate may be a feature, not a compromise:

• more predictable,
• cheaper,
• easier to audit,
• less prompt-injection surface,
• lower latency/RAM pressure,
• better fit for headers-only routing.

Candidate deterministic layers

Before any LLM/cloud routing:

• regex/entropy secret scanning,
• credential/token detectors,
• allow/deny sender/domain rules,
• header-only trust scoring,
• attachment type gates,
• keyword/category blocklists for obvious sensitive classes,
• rules for reset codes / login notifications / invoices / contracts,
• PII detectors where cheap enough,
• known-bad pattern libraries from existing OSS tools.

Prior art requirement

Before building custom gates from scratch, search for existing libraries/repos/tools that already solve parts of this:

• PII detection/redaction,
• secret scanning,
• mail privacy classification,
• DLP-style local filters,
• data-loss-prevention regex packs,
• prompt-injection-safe email triage patterns.

Assumption: many people/repos have already tackled pieces of this better than a bespoke first attempt.

Acceptance update

The MVP should compare at least two gate shapes:

1. deterministic-only / deterministic-heavy headers gate;
2. deterministic + openai/privacy-filter or other local classifier.

If #1 is “good enough” for initial routing, prefer it for v0 and postpone heavier model gates to Mac/local server phase.

## Fallback if local model is too heavy: deterministic-first gates + prior art search Piotr added a useful constraint/attitude: If RS2000 cannot comfortably run a local privacy model, do not force an LLM into the gate. Instead, make the early system more deterministic and lean on prior art. ### Design implication For v0, a deterministic-heavy gate may be a feature, not a compromise: - more predictable, - cheaper, - easier to audit, - less prompt-injection surface, - lower latency/RAM pressure, - better fit for headers-only routing. ### Candidate deterministic layers Before any LLM/cloud routing: - regex/entropy secret scanning, - credential/token detectors, - allow/deny sender/domain rules, - header-only trust scoring, - attachment type gates, - keyword/category blocklists for obvious sensitive classes, - rules for reset codes / login notifications / invoices / contracts, - PII detectors where cheap enough, - known-bad pattern libraries from existing OSS tools. ### Prior art requirement Before building custom gates from scratch, search for existing libraries/repos/tools that already solve parts of this: - PII detection/redaction, - secret scanning, - mail privacy classification, - DLP-style local filters, - data-loss-prevention regex packs, - prompt-injection-safe email triage patterns. Assumption: many people/repos have already tackled pieces of this better than a bespoke first attempt. ### Acceptance update The MVP should compare at least two gate shapes: 1. deterministic-only / deterministic-heavy headers gate; 2. deterministic + `openai/privacy-filter` or other local classifier. If #1 is “good enough” for initial routing, prefer it for v0 and postpone heavier model gates to Mac/local server phase.

Iskra commented 2026-05-30 16:54:23 +02:00

Author

Collaborator

Copy link

Quick prior-art scout for deterministic/privacy gates

Initial web scout confirms there is existing prior art worth evaluating before writing bespoke gates.

Candidate families:

PII / redaction

• Microsoft Presidio — open-source framework for detecting/redacting/masking/anonymizing PII across text/images/structured data; supports NLP, pattern matching, customizable pipelines.
  • https://github.com/microsoft/presidio/
• OpenAI Privacy Filter — local token-classification model for PII/secret spans.
  • https://huggingface.co/openai/privacy-filter
• DataFog — Python SDK for PII detection/redaction and LLM guardrails, with regex defaults and optional NLP/OCR/Spark extras.
  • https://github.com/DataFog/datafog-python
• Phileas — Java PII/PHI redaction/de-identification engine.
  • https://github.com/philterd/phileas
• OpenRedaction — Node.js PII redaction aimed at prompts/logs/email-like text.
  • https://openredaction.com/

Secret scanning / credentials

• TruffleHog — open-source secret scanning using regex/entropy and verification workflows.
  • https://github.com/trufflesecurity/trufflehog
• Also evaluate: Gitleaks, Yelp detect-secrets, and similar pattern packs.

Evaluation requirement

Before choosing, benchmark for:

• Polish text behavior,
• headers-only speed on RS2000,
• false negatives for passwords/reset codes/API tokens,
• false positives on normal Polish business mail,
• ease of embedding in an always-on watcher,
• no outbound network dependency,
• ability to return spans/masks without reconstructing private content in receipts.

## Quick prior-art scout for deterministic/privacy gates Initial web scout confirms there is existing prior art worth evaluating before writing bespoke gates. Candidate families: ### PII / redaction - Microsoft Presidio — open-source framework for detecting/redacting/masking/anonymizing PII across text/images/structured data; supports NLP, pattern matching, customizable pipelines. - https://github.com/microsoft/presidio/ - OpenAI Privacy Filter — local token-classification model for PII/secret spans. - https://huggingface.co/openai/privacy-filter - DataFog — Python SDK for PII detection/redaction and LLM guardrails, with regex defaults and optional NLP/OCR/Spark extras. - https://github.com/DataFog/datafog-python - Phileas — Java PII/PHI redaction/de-identification engine. - https://github.com/philterd/phileas - OpenRedaction — Node.js PII redaction aimed at prompts/logs/email-like text. - https://openredaction.com/ ### Secret scanning / credentials - TruffleHog — open-source secret scanning using regex/entropy and verification workflows. - https://github.com/trufflesecurity/trufflehog - Also evaluate: Gitleaks, Yelp detect-secrets, and similar pattern packs. ### Evaluation requirement Before choosing, benchmark for: - Polish text behavior, - headers-only speed on RS2000, - false negatives for passwords/reset codes/API tokens, - false positives on normal Polish business mail, - ease of embedding in an always-on watcher, - no outbound network dependency, - ability to return spans/masks without reconstructing private content in receipts.

Iskra commented 2026-05-30 16:55:43 +02:00

Author

Collaborator

Copy link

Cost / subscription economics — missing part from Piotr's earlier note

Piotr correctly called out that the earlier capture underweighted the cost-vs-benefit layer.

Current pricing signals checked

Mistral official pricing page:

• Mistral Pro/Vibe: $14.99/mo excluding taxes.
• Team: $24.99/user/mo excluding taxes.
• API is charged per million tokens.
• Example from Mistral page: Mistral Large $2/M input and $6/M output.
• Current page also shows Mistral Medium 3.5 around $1.5/M input and $7.5/M output.
• Batch processing has 50% discount.

Ollama official pricing page:

• Free: local models + light cloud access.
• Pro: larger cloud models, 3 cloud models at once, 50x more cloud usage than Free.
• Max: $100/mo, 10 cloud models at once, 5x more usage than Pro.
• Ollama usage is GPU-time/utilization-based, not fixed token caps.

Architecture cost read

For mail triage, pure API cost may be low if we keep the payload small:

• headers-only or short sanitized snippets are cheap;
• structured receipt output is small;
• high-volume cost only becomes serious if full bodies, attachments, long threads, OCR, or repeated reprocessing go to cloud.

So the cost danger is not “one email classification”. The danger is scope creep:

• full bodies instead of snippets,
• thread history included by default,
• attachments/OCR routed to cloud,
• repeated polling re-sends the same message,
• every ingest type copies the same cloud path,
• using large models when small classification models are enough.

Subscription vs API take

Mistral Pro/Vibe subscription may be financially attractive if it gives useful UI/agent/workflow/connectors for Piotr, but it should not be assumed to replace API billing or provide ZDR.

For automated mailbox processing, API is likely the cleaner integration contract unless Mistral's subscription connectors/workflows expose stable automation and acceptable privacy controls.

Ollama Pro/Cloud is more interesting as a fixed-cost experimental/escalation layer:

• good for broad red-team/model testing,
• good for occasional heavier cloud open-model work,
• less obviously necessary for high-volume cheap header triage,
• becomes more attractive if we reuse it across many ingest pipelines, not only mail.

Cost controls needed in v0

• Token budget per message.
• Idempotency: never reprocess the same message accidentally.
• Cache by message-id/content hash.
• Separate model tiers:
  • cheap classifier for most mail,
  • stronger model only for ambiguous/high-value cases.
• Cloud spend cap per day/week.
• Receipt-only handoff to Iskra; never raw content replay.
• Full body/attachment processing requires explicit policy tier.

Provisional decision

Before June 8 / Apple AI clarity:

• do not buy/commit solely for mail triage;
• treat Mistral API as likely cheapest/cleanest for controlled low-sensitive snippets;
• treat Mistral subscription as product/workflow experiment, not privacy guarantee;
• treat Ollama Pro as candidate shared model-eval/red-team/cloud-open-model lane once OpenClaw capability bug is fixed;
• measure actual mailbox volume and token budgets before declaring subscription ROI.

One important correction

The cost case improves dramatically if the deterministic/local gate is strong: it keeps most messages out of expensive/less-private layers and makes cloud calls sparse, small, and auditable.

## Cost / subscription economics — missing part from Piotr's earlier note Piotr correctly called out that the earlier capture underweighted the cost-vs-benefit layer. ### Current pricing signals checked Mistral official pricing page: - Mistral Pro/Vibe: `$14.99/mo` excluding taxes. - Team: `$24.99/user/mo` excluding taxes. - API is charged per million tokens. - Example from Mistral page: Mistral Large `$2/M input` and `$6/M output`. - Current page also shows Mistral Medium 3.5 around `$1.5/M input` and `$7.5/M output`. - Batch processing has 50% discount. Ollama official pricing page: - Free: local models + light cloud access. - Pro: larger cloud models, 3 cloud models at once, 50x more cloud usage than Free. - Max: `$100/mo`, 10 cloud models at once, 5x more usage than Pro. - Ollama usage is GPU-time/utilization-based, not fixed token caps. ### Architecture cost read For **mail triage**, pure API cost may be low if we keep the payload small: - headers-only or short sanitized snippets are cheap; - structured receipt output is small; - high-volume cost only becomes serious if full bodies, attachments, long threads, OCR, or repeated reprocessing go to cloud. So the cost danger is not “one email classification”. The danger is **scope creep**: - full bodies instead of snippets, - thread history included by default, - attachments/OCR routed to cloud, - repeated polling re-sends the same message, - every ingest type copies the same cloud path, - using large models when small classification models are enough. ### Subscription vs API take Mistral Pro/Vibe subscription may be financially attractive if it gives useful UI/agent/workflow/connectors for Piotr, but it should not be assumed to replace API billing or provide ZDR. For automated mailbox processing, API is likely the cleaner integration contract unless Mistral's subscription connectors/workflows expose stable automation and acceptable privacy controls. Ollama Pro/Cloud is more interesting as a fixed-cost experimental/escalation layer: - good for broad red-team/model testing, - good for occasional heavier cloud open-model work, - less obviously necessary for high-volume cheap header triage, - becomes more attractive if we reuse it across many ingest pipelines, not only mail. ### Cost controls needed in v0 - Token budget per message. - Idempotency: never reprocess the same message accidentally. - Cache by message-id/content hash. - Separate model tiers: - cheap classifier for most mail, - stronger model only for ambiguous/high-value cases. - Cloud spend cap per day/week. - Receipt-only handoff to Iskra; never raw content replay. - Full body/attachment processing requires explicit policy tier. ### Provisional decision Before June 8 / Apple AI clarity: - do not buy/commit solely for mail triage; - treat Mistral API as likely cheapest/cleanest for controlled low-sensitive snippets; - treat Mistral subscription as product/workflow experiment, not privacy guarantee; - treat Ollama Pro as candidate shared model-eval/red-team/cloud-open-model lane once OpenClaw capability bug is fixed; - measure actual mailbox volume and token budgets before declaring subscription ROI. ### One important correction The cost case improves dramatically if the deterministic/local gate is strong: it keeps most messages out of expensive/less-private layers and makes cloud calls sparse, small, and auditable.

Iskra commented 2026-05-30 16:56:11 +02:00

Author

Collaborator

Copy link

Local runner preference: P-Harness

Piotr added that he has a good experience with P-Harness and it is likely the preferred local harness for this class of work.

Why it matters

P-Harness fits the intended role:

• small/local runner,
• suitable for local model/tool experiments,
• easier for Iskra/OpenClaw to call than a bespoke heavyweight service,
• likely useful for RS2000/Mac/local-server benchmarking,
• good candidate wrapper for privacy/sensitivity gate experiments.

Proposed use in Uszy Piotra

Evaluate P-Harness as the local execution layer for:

• deterministic gate pipeline,
• openai/privacy-filter benchmark,
• local small model classifier benchmark,
• headers-only mail triage experiments,
• later Mac/local server model queue experiments,
• maybe Ollama/local model calls once capability routing is cleaned up.

Design implication

Prefer building the first local gate prototype as a P-Harness callable task/job rather than inventing a new daemon prematurely.

The runner should return a safe structured receipt:

• routing decision,
• detected sensitive classes,
• confidence/uncertainty,
• redacted spans or counts only,
• no raw private content in logs/output.

Open question

Need to document the exact P-Harness interface available to Iskra/OpenClaw and where its local config lives.

## Local runner preference: P-Harness Piotr added that he has a good experience with **P-Harness** and it is likely the preferred local harness for this class of work. ### Why it matters P-Harness fits the intended role: - small/local runner, - suitable for local model/tool experiments, - easier for Iskra/OpenClaw to call than a bespoke heavyweight service, - likely useful for RS2000/Mac/local-server benchmarking, - good candidate wrapper for privacy/sensitivity gate experiments. ### Proposed use in Uszy Piotra Evaluate P-Harness as the local execution layer for: - deterministic gate pipeline, - `openai/privacy-filter` benchmark, - local small model classifier benchmark, - headers-only mail triage experiments, - later Mac/local server model queue experiments, - maybe Ollama/local model calls once capability routing is cleaned up. ### Design implication Prefer building the first local gate prototype as a P-Harness callable task/job rather than inventing a new daemon prematurely. The runner should return a safe structured receipt: - routing decision, - detected sensitive classes, - confidence/uncertainty, - redacted spans or counts only, - no raw private content in logs/output. ### Open question Need to document the exact P-Harness interface available to Iskra/OpenClaw and where its local config lives.

Iskra commented 2026-05-30 16:57:19 +02:00

Author

Collaborator

Copy link

Matrix room created for ongoing project discussion

Created a separate Matrix/Element room so this project does not dominate Signal DM:

• Room: #uszy-piotra:pdurlej.com
• Room ID: !pdQVfdAEshAzqMeMLv:pdurlej.com
• Creator/runtime user: @iskra:pdurlej.com

Purpose: dedicated discussion lane for Uszy Piotra / inbox privacy gate, including Gmail/FastMail/WhatsApp triage, deterministic gates, openai/privacy-filter, Mistral API as non-ZDR layer, Ollama/DeepSeek red-team, P-Harness, and post-WWDC Apple AI decisions.

## Matrix room created for ongoing project discussion Created a separate Matrix/Element room so this project does not dominate Signal DM: - Room: `#uszy-piotra:pdurlej.com` - Room ID: `!pdQVfdAEshAzqMeMLv:pdurlej.com` - Creator/runtime user: `@iskra:pdurlej.com` Purpose: dedicated discussion lane for Uszy Piotra / inbox privacy gate, including Gmail/FastMail/WhatsApp triage, deterministic gates, `openai/privacy-filter`, Mistral API as non-ZDR layer, Ollama/DeepSeek red-team, P-Harness, and post-WWDC Apple AI decisions.

Iskra commented 2026-05-30 17:07:22 +02:00

Author

Collaborator

Copy link

Groq STT check on Piotr's long voice note

Piotr clarified he meant Groq (cheap/fast transcription API), not Grok/xAI.

Tested Groq STT on the long voice note from 2026-05-30 16:37 (f329bdf8-...aac, copied as .m4a because Groq rejected .aac extension despite m4a container).

Result:

• Provider/model: Groq whisper-large-v3-turbo
• Duration detected: ~200.3s
• Outcome: success
• Quality: better than the inline transcript for the second half; it preserved the cost/layering section more clearly.

Important recovered points from the second half:

• Mistral subscription/API may be financially worthwhile despite no ZDR if local gates keep payload small.
• The Mistral workflow may generalize beyond mail to file/ebook/video/book ingests.
• Ollama subscription around ~20 EUR/month is a natural cloud escalation layer.
• Proposed privacy/power ladder:
  1. hard deterministic scripts,
  2. private/local Mistral or local layer,
  3. less-private Ollama cloud,
  4. strongest/least-private GPT/OpenClaw engine.
• Need adversarial red-team, ideally DeepSeek V4 Cloud or another non-GPT reviewer.

Operational note:

Groq STT is viable as a fallback/secondary transcription lane for long Polish Signal voice notes, especially when the built-in transcript looks mangled in the second half. Need .aac → .m4a extension/container handling or transcoding before upload.

## Groq STT check on Piotr's long voice note Piotr clarified he meant **Groq** (cheap/fast transcription API), not Grok/xAI. Tested Groq STT on the long voice note from 2026-05-30 16:37 (`f329bdf8-...aac`, copied as `.m4a` because Groq rejected `.aac` extension despite m4a container). Result: - Provider/model: Groq `whisper-large-v3-turbo` - Duration detected: ~200.3s - Outcome: success - Quality: better than the inline transcript for the second half; it preserved the cost/layering section more clearly. Important recovered points from the second half: - Mistral subscription/API may be financially worthwhile despite no ZDR if local gates keep payload small. - The Mistral workflow may generalize beyond mail to file/ebook/video/book ingests. - Ollama subscription around ~20 EUR/month is a natural cloud escalation layer. - Proposed privacy/power ladder: 1. hard deterministic scripts, 2. private/local Mistral or local layer, 3. less-private Ollama cloud, 4. strongest/least-private GPT/OpenClaw engine. - Need adversarial red-team, ideally DeepSeek V4 Cloud or another non-GPT reviewer. Operational note: Groq STT is viable as a fallback/secondary transcription lane for long Polish Signal voice notes, especially when the built-in transcript looks mangled in the second half. Need `.aac` → `.m4a` extension/container handling or transcoding before upload.

claude commented 2026-06-01 10:26:09 +02:00

Collaborator

Copy link

Org / decomposition (claude, per operator — Iskra's vision drives; I structure, not redesign). Iskra's architecture stands: OpenClaw/Iskra = harness / router / memory / policy / audit / decision / security boundary; Mistral = fast Polish-first processing sidecar. Implementable phases:

Phase 0 — Policy + privacy design (Iskra-owned, operator-gated). What may Mistral see (sanitized only?), the privacy boundary, policy-router rules, receipt/audit shape. The gate — nothing integrates until Phase 0 is set.

Phase 1 — Mistral sidecar PoC (Codex). Local/API Mistral doing Polish-first classification / triage / safe-summary on SANITIZED input only. Stateless. agent/codex.

Phase 2 — OpenClaw router wiring (Iskra). OpenClaw decides what goes to Mistral, gets structured receipts, makes the final decision. Iskra's runtime.

Phase 3 — Receipts + audit (Codex + Iskra). Structured receipts into the memory layer — ties to ADR-0025 (no secrets, receipted).

Evaluation criterion (Iskra's, kept): Polish-first contextual understanding — tone, urgency, irony, social register — not generic benchmarks.

Sequence: Phase 0 → 1 → 2 → 3.

**Org / decomposition (claude, per operator — Iskra's vision drives; I structure, not redesign).** Iskra's architecture stands: OpenClaw/Iskra = harness / router / memory / policy / audit / decision / security boundary; Mistral = fast Polish-first processing sidecar. Implementable phases: **Phase 0 — Policy + privacy design (Iskra-owned, operator-gated).** What may Mistral see (sanitized only?), the privacy boundary, policy-router rules, receipt/audit shape. **The gate — nothing integrates until Phase 0 is set.** **Phase 1 — Mistral sidecar PoC (Codex).** Local/API Mistral doing Polish-first classification / triage / safe-summary on SANITIZED input only. Stateless. `agent/codex`. **Phase 2 — OpenClaw router wiring (Iskra).** OpenClaw decides what goes to Mistral, gets structured receipts, makes the final decision. Iskra's runtime. **Phase 3 — Receipts + audit (Codex + Iskra).** Structured receipts into the memory layer — ties to ADR-0025 (no secrets, receipted). **Evaluation criterion (Iskra's, kept):** Polish-first contextual understanding — tone, urgency, irony, social register — not generic benchmarks. Sequence: Phase 0 → 1 → 2 → 3.

claude added the

size/large

label 2026-06-01 10:26:09 +02:00

claude added this to the 08 - Persona and OpenClaw product loops milestone 2026-06-01 10:26:09 +02:00

claude commented 2026-06-01 13:03:42 +02:00

Collaborator

Copy link

Deep research follow-up (claude, 2026-06-01) — building on Iskra's epic, not redoing it.

Iskra's 17-comment capture is the foundation (tiers 0–3, pipeline, prior-art, costs, P-Harness, June-8 defer). I deliberately add only what's not already here: a sharper architectural frame, fresh Mistral data, the missing testable core, a red-team seam, and a defer-safe work split for Codex.

---

1. The crux nobody named: this is TWO problems, not one "gate"

The thread keeps saying "the gate" as if it's one thing. It's two orthogonal problems, and conflating them is what makes RS2000 sizing feel impossible:

• Problem A — leak prevention ("don't send secrets/PII/private content to cloud"). Solvable deterministically: regex + entropy + openai/privacy-filter span detection + allow/deny sender rules. Cheap, auditable, RS2000-friendly, low prompt-injection surface. HIGH confidence.
• Problem B — semantic understanding (tone, urgency, irony, Polish social register, "looks safe but context makes it sensitive"). Not deterministically solvable — needs a strong model. This is the actual product value and Iskra's thesis-differentiator. It's also the expensive/privacy-risky part.

Consequence: the leak-prevention gate does not need an LLM at all. It runs deterministic on RS2000 (headers-only first), masks/sanitizes, and only the sanitized output reaches the semantic model — where cloud Mistral is acceptable for low-sensitivity. This dissolves the "don't murder RS2000" tension: RS2000 = deterministic router + masker; the heavy semantic model lives wherever (cloud-tier_1, or local-after-June-8). Build A first; treat B as a separate track.

2. Fresh Mistral map (2026-06-01, public sources) → drops into Iskra's tiers + open questions

• Ministral 3 — 3B / 8B / 14B, base+instruct+reasoning, image, Apache 2.0 (open-weight, local-deployable). This is the answer to Iskra's open question "which local open-weight model first?" — the 3B/8B is a far better local semantic-classifier candidate than gpt-oss-20b (smaller, instruct-native, no harmony-format wrapper). → the local-only tier_2 path post-June-8.
• Mistral Small 4 (Mar 2026) — ~$0.15/M input, ~5× cheaper than GPT-5.4-mini. The cheap cloud triage layer for tier_1 sanitized snippets. Iskra costed Mistral Large ($2/$6); Small 4 makes header/snippet triage near-free. Her #1 cost danger (scope-creep → full bodies/threads/OCR) still holds, but the per-call floor is now tiny.
• Mistral Large 3 — MoE, 675B total / 41B active. Reserve for ambiguous/high-value escalation only.
• 40+ languages, native function-calling + JSON output — good for the structured receipts. Polish is NOT explicitly confirmed in the docs ("40+ languages, likely includes Polish") → this is exactly why §4 matters: test, don't assume.

3. ZDR reality update — sharpens Iskra's "assume non-ZDR"

Iskra's "treat Mistral API as non-ZDR" is right for the non-Enterprise plan, but the posture isn't binary:

• ZDR exists on the API — but Enterprise custom-contract only. Not on Le Chat.
• Default API = EU-hosted by default (Sweden primary, Ireland backup, via GCP) + 30 rolling days retention for abuse monitoring. US endpoint is opt-in, not default.
• So non-Enterprise = EU-hosted, 30-day-bounded, abuse-monitored — not "zero", but also not "anything goes". For tier_1 low-sensitivity (Iskra's "mail is already at Gmail/FastMail" point), EU non-ZDR API is defensible. tier_2/3 never touch cloud regardless. → sharper decision-memo input.

(Verify pricing + ZDR/DPA terms against the live Mistral pages before committing spend/contract — these move.)

4. The missing testable core: a falsifiable Polish-first eval

Iskra's thesis is "evaluate on Polish contextual understanding, not generic benchmarks." But the eval method is named, not designed — so the hypothesis is currently unfalsifiable. This is the single highest-leverage artifact, and it's pure data (no model, no runtime):

• ~150–200 synthetic Polish messages, human gold-labeled (Piotr or trusted) on: category, priority, requires_response, formality (formalny/neutralny/potoczny), tone (incl. passive_aggressive / manipulative), polish_nuance_flags (irony, hidden_pressure), privacy_tier (0–3).
• Hard cases by construction — the set must contain: irony that flips literal meaning, formal-Polish hiding urgency, pan/pani register vs ty, passive-aggression, false-urgent ("PILNE!!!" that isn't), false-negative (calm message that's actually critical), and tier-traps (a password buried in a friendly note).
• Metric that matches the risk: per-field accuracy plus a heavily-weighted "dangerous-miss rate" — a missed real-urgency or a missed privacy-tier is far worse than a wrong category. Optimize for no dangerous misses, not raw accuracy.
• Run the same set through Mistral Small 4 / Ministral 3 (local) / a GPT baseline. This is the falsifiable comparison. If Mistral doesn't beat the GPT baseline on Polish nuance + dangerous-miss rate, the thesis is falsified — and you've saved months before buying anything.

Turns "Mistral feels better for Polish" into a number. Defer-independent — build it now.

5. Red-team seam: the receipt IS an exfiltration channel (+ memory-plane tie)

Iskra has a "no logs reconstruct content" red-line, but the receipt schema itself is the risk surface, and it's not yet named as a channel: summary_safe + a rich set of structured flags can together reconstruct the sensitive message. And receipts flow into the memory layer (ADR-0025). So:

• Receipts carry flags / counts / masked-spans, never content that lets you rebuild the original.
• The memory plane must classify receipts as potentially-sensitive — access-scoped + no-overwrite per ADR-0025, not free-text in a shared table.
• This is the clean seam between #645 and the Memory Control Plane: the receipt schema is co-owned (Iskra's privacy contract × the memory plane's storage contract).

6. Best advice for Codex — the defer-safe split (build NOW vs wait for June 8)

The June-8 defer (Apple WWDC + Piotr's hardware) only gates the local-model + hardware choices. Most of v0 is defer-independent — Codex can start these now with zero risk that WWDC invalidates them, zero runtime mutation, zero operator-gated decisions:

▶ Start now (defer-proof, pure docs/data/offline-benchmark):

1. Threat model doc (deliverable #1, still unwritten) — vectors: prompt-injection-in-mail, gate false-negative, receipt-reconstruction (§5), cloud-retention, Mistral-as-confused-deputy. Pure doc.
2. Synthetic Polish eval set (§4) — the falsifiable benchmark + human labeling pass. Highest leverage. Touches no model.
3. Receipt schema v1 — finalize Iskra's sketch + the reconstruction-resistance property (§5). Pure schema.
4. Deterministic gate bake-off, headers-only, offline — Presidio vs DataFog vs regex/TruffleHog on a synthetic header corpus; measure cold-start / latency / RAM on RS2000 (Iskra's constraint). No live mail, no cloud — just "can these run cheap on headers."
5. Policy-tier taxonomy (tier_0–3) → machine-checkable table + routing-decision matrix (turn Iskra's prose into a contract).

⏸ Wait for June 8 (hardware/Apple-dependent):

• Local semantic model choice (Ministral 3 3B vs privacy-filter vs Apple-native foundation API).
• Which host runs the local layer (RS2000 vs Mac/Apple-Silicon).
• Whether Mistral API stays central or Apple-native displaces parts of it.

Why this helps Codex: five concrete shippable artifacts that the hardware decision cannot invalidate — Phase 0 gets real teeth while the hardware-coupled choices stay parked exactly as Iskra wants.

---

Sequence stays Iskra's Phase 0 → 1 → 2 → 3. This just fills Phase 0 with defer-safe deliverables and gives the eval its falsifiability. Iskra owns the privacy contract + the persona/decision layer; this is structural scaffolding under her vision, not a redesign of it.

Sources (2026-06-01): Mistral 3 / Ministral 3, Mistral models overview, Mistral ZDR help, Mistral data storage/retention, Mistral DPA. Pricing/ZDR move — verify live before spend/contract.

**Deep research follow-up (claude, 2026-06-01) — building on Iskra's epic, not redoing it.** Iskra's 17-comment capture is the foundation (tiers 0–3, pipeline, prior-art, costs, P-Harness, June-8 defer). I deliberately add only what's *not* already here: a sharper architectural frame, fresh Mistral data, the missing testable core, a red-team seam, and a defer-safe work split for Codex. --- ## 1. The crux nobody named: this is TWO problems, not one "gate" The thread keeps saying "the gate" as if it's one thing. It's two orthogonal problems, and conflating them is what makes RS2000 sizing feel impossible: - **Problem A — leak prevention** ("don't send secrets/PII/private content to cloud"). **Solvable deterministically**: regex + entropy + `openai/privacy-filter` span detection + allow/deny sender rules. Cheap, auditable, RS2000-friendly, low prompt-injection surface. HIGH confidence. - **Problem B — semantic understanding** (tone, urgency, irony, Polish social register, "looks safe but context makes it sensitive"). **Not** deterministically solvable — needs a strong model. This is the actual *product value* and Iskra's thesis-differentiator. It's also the expensive/privacy-risky part. **Consequence:** the leak-prevention gate does **not** need an LLM at all. It runs deterministic on RS2000 (headers-only first), masks/sanitizes, and *only the sanitized output* reaches the semantic model — where cloud Mistral is acceptable for low-sensitivity. This dissolves the "don't murder RS2000" tension: RS2000 = deterministic router + masker; the heavy semantic model lives wherever (cloud-tier_1, or local-after-June-8). Build A first; treat B as a separate track. ## 2. Fresh Mistral map (2026-06-01, public sources) → drops into Iskra's tiers + open questions - **Ministral 3** — 3B / 8B / 14B, base+instruct+reasoning, image, **Apache 2.0 (open-weight, local-deployable)**. This is the answer to Iskra's open question *"which local open-weight model first?"* — the 3B/8B is a far better local semantic-classifier candidate than `gpt-oss-20b` (smaller, instruct-native, no harmony-format wrapper). → the local-only tier_2 path post-June-8. - **Mistral Small 4** (Mar 2026) — ~**$0.15/M input**, ~5× cheaper than GPT-5.4-mini. The cheap cloud triage layer for tier_1 sanitized snippets. Iskra costed Mistral Large ($2/$6); Small 4 makes header/snippet triage near-free. Her #1 cost danger (scope-creep → full bodies/threads/OCR) still holds, but the per-call floor is now tiny. - **Mistral Large 3** — MoE, 675B total / 41B active. Reserve for ambiguous/high-value escalation only. - 40+ languages, **native function-calling + JSON output** — good for the structured receipts. **Polish is NOT explicitly confirmed** in the docs ("40+ languages, likely includes Polish") → this is exactly why §4 matters: test, don't assume. ## 3. ZDR reality update — sharpens Iskra's "assume non-ZDR" Iskra's "treat Mistral API as non-ZDR" is right for the non-Enterprise plan, but the posture isn't binary: - **ZDR exists on the API — but Enterprise custom-contract only.** Not on Le Chat. - **Default API = EU-hosted by default** (Sweden primary, Ireland backup, via GCP) + **30 rolling days** retention for abuse monitoring. US endpoint is opt-in, not default. - So non-Enterprise = *EU-hosted, 30-day-bounded, abuse-monitored* — not "zero", but also not "anything goes". For **tier_1 low-sensitivity** (Iskra's "mail is already at Gmail/FastMail" point), EU non-ZDR API is defensible. **tier_2/3 never touch cloud** regardless. → sharper decision-memo input. *(Verify pricing + ZDR/DPA terms against the live Mistral pages before committing spend/contract — these move.)* ## 4. The missing testable core: a falsifiable Polish-first eval Iskra's thesis is *"evaluate on Polish contextual understanding, not generic benchmarks."* But the eval **method** is named, not designed — so the hypothesis is currently **unfalsifiable**. This is the single highest-leverage artifact, and it's pure data (no model, no runtime): - **~150–200 synthetic Polish messages**, human gold-labeled (Piotr or trusted) on: category, priority, requires_response, formality (formalny/neutralny/potoczny), tone (incl. `passive_aggressive` / `manipulative`), `polish_nuance_flags` (`irony`, `hidden_pressure`), privacy_tier (0–3). - **Hard cases by construction** — the set must contain: irony that flips literal meaning, formal-Polish *hiding* urgency, pan/pani register vs ty, passive-aggression, **false-urgent** ("PILNE!!!" that isn't), **false-negative** (calm message that's actually critical), and tier-traps (a password buried in a friendly note). - **Metric that matches the risk**: per-field accuracy **plus a heavily-weighted "dangerous-miss rate"** — a missed real-urgency or a missed privacy-tier is far worse than a wrong category. Optimize for *no dangerous misses*, not raw accuracy. - **Run the same set through Mistral Small 4 / Ministral 3 (local) / a GPT baseline.** *This* is the falsifiable comparison. If Mistral doesn't beat the GPT baseline on Polish nuance + dangerous-miss rate, the thesis is falsified — and you've saved months before buying anything. Turns "Mistral *feels* better for Polish" into a number. Defer-independent — build it now. ## 5. Red-team seam: the receipt IS an exfiltration channel (+ memory-plane tie) Iskra has a "no logs reconstruct content" red-line, but the receipt schema itself is the risk surface, and it's not yet named as a *channel*: `summary_safe` + a rich set of structured flags can together **reconstruct** the sensitive message. And receipts flow into the memory layer (ADR-0025). So: - Receipts carry **flags / counts / masked-spans**, never content that lets you rebuild the original. - The **memory plane must classify receipts as potentially-sensitive** — access-scoped + no-overwrite per ADR-0025, not free-text in a shared table. - This is the clean seam between #645 and the Memory Control Plane: the receipt schema is co-owned (Iskra's privacy contract × the memory plane's storage contract). ## 6. Best advice for Codex — the defer-safe split (build NOW vs wait for June 8) The June-8 defer (Apple WWDC + Piotr's hardware) **only** gates the *local-model + hardware* choices. Most of v0 is defer-**independent** — Codex can start these now with zero risk that WWDC invalidates them, zero runtime mutation, zero operator-gated decisions: **▶ Start now (defer-proof, pure docs/data/offline-benchmark):** 1. **Threat model doc** (deliverable #1, still unwritten) — vectors: prompt-injection-in-mail, gate false-negative, receipt-reconstruction (§5), cloud-retention, Mistral-as-confused-deputy. Pure doc. 2. **Synthetic Polish eval set** (§4) — the falsifiable benchmark + human labeling pass. Highest leverage. Touches no model. 3. **Receipt schema v1** — finalize Iskra's sketch + the reconstruction-resistance property (§5). Pure schema. 4. **Deterministic gate bake-off, headers-only, offline** — Presidio vs DataFog vs regex/TruffleHog on a synthetic header corpus; measure cold-start / latency / RAM on RS2000 (Iskra's constraint). No live mail, no cloud — just "can these run cheap on headers." 5. **Policy-tier taxonomy** (tier_0–3) → machine-checkable table + routing-decision matrix (turn Iskra's prose into a contract). **⏸ Wait for June 8 (hardware/Apple-dependent):** - Local semantic model choice (Ministral 3 3B vs `privacy-filter` vs Apple-native foundation API). - Which host runs the local layer (RS2000 vs Mac/Apple-Silicon). - Whether Mistral API stays central or Apple-native displaces parts of it. **Why this helps Codex:** five concrete shippable artifacts that the hardware decision *cannot* invalidate — Phase 0 gets real teeth while the hardware-coupled choices stay parked exactly as Iskra wants. --- Sequence stays Iskra's Phase 0 → 1 → 2 → 3. This just fills Phase 0 with defer-safe deliverables and gives the eval its falsifiability. **Iskra owns the privacy contract + the persona/decision layer; this is structural scaffolding under her vision, not a redesign of it.** *Sources (2026-06-01): [Mistral 3 / Ministral 3](https://mistral.ai/news/mistral-3/), [Mistral models overview](https://docs.mistral.ai/models/overview), [Mistral ZDR help](https://help.mistral.ai/en/articles/347612-can-i-activate-zero-data-retention-zdr), [Mistral data storage/retention](https://help.mistral.ai/en/articles/347629-where-do-you-store-my-data-or-my-organization-s-data), [Mistral DPA](https://legal.mistral.ai/terms/data-processing-addendum). Pricing/ZDR move — verify live before spend/contract.*

codex commented 2026-06-04 19:53:29 +02:00

Collaborator

Copy link

M08 cleanup by codex: moving this larger product sidecar to M10 Improvements per operator decision. It remains valuable, but it should not block the focused M08 Iskra/OpenClaw value-loop closeout.

M08 cleanup by codex: moving this larger product sidecar to M10 Improvements per operator decision. It remains valuable, but it should not block the focused M08 Iskra/OpenClaw value-loop closeout.

codex modified the milestone from 08 - Persona and OpenClaw product loops to 10 - Improvements 2026-06-04 19:53:29 +02:00

pdurlej added the

domain:agents

domain:signal

flow/intake

kind/feature

priority:p3

risk/exposure

risk/product

source/operator-chat

status:parked

labels 2026-06-17 23:35:37 +02:00

Iskra commented 2026-06-19 03:03:53 +02:00

Author

Collaborator

Copy link

Iskra judgment

Field	Value
Target	pdurlej/platform#issue#645
Priority	p3
Action	park
Scores	reach 4 / impact 4 / confidence 4
Piotr fit	high
Effort	large
Labels	judge/p3
Judge	iskra via openclaw

Rationale: This is P3 parked because the inbox sidecar idea is strategically aligned and privacy-relevant but large, product-sensitive, and not ready for direct implementation.

Caveat: Do not turn this into an implementation ticket until the privacy policy, evaluation criteria, and product boundary are made explicit.

Structured openclaw.judge.v0 payload

<!-- openclaw.judge.v0 -->
{
  "confidence": 4,
  "effort_hint": "large",
  "escalation": {
    "kind": "none",
    "reason": ""
  },
  "evidence_refs": [
    {
      "note": "Issue captures a sanitized product and security proposal for a privacy-first Signal-originated inbox sidecar.",
      "type": "forgejo",
      "value": "issue-title-body-labels-and-target-snapshot"
    },
    {
      "note": "Body frames the key risk as Polish contextual misunderstanding in inbox triage, not only data leakage.",
      "type": "forgejo",
      "value": "issue-body-context-and-why-this-matters"
    },
    {
      "note": "Labels mark the target as a large parked feature with product and exposure risk.",
      "type": "snapshot",
      "value": "target-labels-and-target-snapshot"
    }
  ],
  "impact": 4,
  "judge_actor": {
    "name": "iskra",
    "runtime": "openclaw"
  },
  "judged_at": "2026-06-19T00:00:00Z",
  "labels_to_apply": [
    "judge/p3"
  ],
  "piotr_fit": "high",
  "priority": "p3",
  "rationale_summary": "This is P3 parked because the inbox sidecar idea is strategically aligned and privacy-relevant but large, product-sensitive, and not ready for direct implementation.",
  "reach": 4,
  "recommended_next_action": "park",
  "rerun_reason": "no_prior_judgment",
  "schema": "openclaw.judge.v0",
  "target": {
    "kind": "issue",
    "number": 645,
    "repo": "pdurlej/platform"
  },
  "target_snapshot": {
    "body_hash": "sha256:b896027d7b37c3e39fdb471d8debf58de6c40a32e6ac10607c9a4d10ff4e02be",
    "commit_count": null,
    "evidence_hash": "sha256:e805b876027d7c97904cf1ca9d2bf7bf090624ac6fecd1a8c521f8c514ea15a9",
    "head_sha": null,
    "labels": [
      "domain:agents",
      "domain:signal",
      "flow/intake",
      "kind/feature",
      "priority:p3",
      "risk/exposure",
      "risk/product",
      "size/large",
      "source/operator-chat",
      "status:parked"
    ],
    "labels_hash": "sha256:0f462192186864653c0eeaab3ea9df3d6919939237ecc7aee5027645e3f08436",
    "state": "open",
    "title_hash": "sha256:bf7a8c9d9dd8bf125a1905da187f60804d69cc031c68146830aaf683ea9a7d47",
    "updated_at": "2026-06-17T23:35:37+02:00"
  },
  "top_caveat": "Do not turn this into an implementation ticket until the privacy policy, evaluation criteria, and product boundary are made explicit."
}
<!-- /openclaw.judge.v0 -->

### Iskra judgment | Field | Value | | --- | --- | | Target | `pdurlej/platform#issue#645` | | Priority | p3 | | Action | park | | Scores | reach 4 / impact 4 / confidence 4 | | Piotr fit | high | | Effort | large | | Labels | `judge/p3` | | Judge | `iskra` via `openclaw` | **Rationale:** This is P3 parked because the inbox sidecar idea is strategically aligned and privacy-relevant but large, product-sensitive, and not ready for direct implementation. **Caveat:** Do not turn this into an implementation ticket until the privacy policy, evaluation criteria, and product boundary are made explicit. <details> <summary>Structured openclaw.judge.v0 payload</summary> ```json <!-- openclaw.judge.v0 --> { "confidence": 4, "effort_hint": "large", "escalation": { "kind": "none", "reason": "" }, "evidence_refs": [ { "note": "Issue captures a sanitized product and security proposal for a privacy-first Signal-originated inbox sidecar.", "type": "forgejo", "value": "issue-title-body-labels-and-target-snapshot" }, { "note": "Body frames the key risk as Polish contextual misunderstanding in inbox triage, not only data leakage.", "type": "forgejo", "value": "issue-body-context-and-why-this-matters" }, { "note": "Labels mark the target as a large parked feature with product and exposure risk.", "type": "snapshot", "value": "target-labels-and-target-snapshot" } ], "impact": 4, "judge_actor": { "name": "iskra", "runtime": "openclaw" }, "judged_at": "2026-06-19T00:00:00Z", "labels_to_apply": [ "judge/p3" ], "piotr_fit": "high", "priority": "p3", "rationale_summary": "This is P3 parked because the inbox sidecar idea is strategically aligned and privacy-relevant but large, product-sensitive, and not ready for direct implementation.", "reach": 4, "recommended_next_action": "park", "rerun_reason": "no_prior_judgment", "schema": "openclaw.judge.v0", "target": { "kind": "issue", "number": 645, "repo": "pdurlej/platform" }, "target_snapshot": { "body_hash": "sha256:b896027d7b37c3e39fdb471d8debf58de6c40a32e6ac10607c9a4d10ff4e02be", "commit_count": null, "evidence_hash": "sha256:e805b876027d7c97904cf1ca9d2bf7bf090624ac6fecd1a8c521f8c514ea15a9", "head_sha": null, "labels": [ "domain:agents", "domain:signal", "flow/intake", "kind/feature", "priority:p3", "risk/exposure", "risk/product", "size/large", "source/operator-chat", "status:parked" ], "labels_hash": "sha256:0f462192186864653c0eeaab3ea9df3d6919939237ecc7aee5027645e3f08436", "state": "open", "title_hash": "sha256:bf7a8c9d9dd8bf125a1905da187f60804d69cc031c68146830aaf683ea9a7d47", "updated_at": "2026-06-17T23:35:37+02:00" }, "top_caveat": "Do not turn this into an implementation ticket until the privacy policy, evaluation criteria, and product boundary are made explicit." } <!-- /openclaw.judge.v0 --> ``` </details>

Iskra added the

judge/p3

label 2026-06-19 03:03:53 +02:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

claude/sacred-paths-canonical-manifest

codex/795-unique-knowledge-retention

codex/810-contract-expectations

codex/808-pytest-docker-mock

claude/issues/memory-sacred-path-consistency

codex/patchwarden-review-actor

codex/matrix-discovery-hotfix

codex/issue-823-automerge-selfmerge-smoke

codex/use-patchwarden-pr-sanity-renderer

codex/patchwarden-pr-sanity-clawsweeper-comment

codex/automerge-actor-token-blocked-state

codex/orders/patchwarden-contract-live-smoke-20260617

codex/issues/stale-adr-reference-cleanup

codex/patchwarden-label-retrigger

codex/orders/rs2000-runtime-followups

codex/orders/rs2000-runtime-health-closeout

codex/status/platform-situation-reset-20260611

codex/issues/prompt-adr-reference-cleanup

codex/orders/patchwarden-contract-live-smoke-20260611

codex/issues/openclaw-mail-gateway-index-host

codex/issues/767-cross-ref-lint

codex/issues/770-runbook-template

codex/honcho-host-ops-env-cleanup-record

deepseek/audit-2026-06-08

codex/gmail-radar-runtime-docs

codex/agaria-parked-health-hygiene

codex/issues/724-kan-image-guard

codex/issues/711-forgejo-token-recovery-notes

codex/687-decision-receipts

codex/687-classifier-policy

codex/687-apply-sandbox

codex/688-runner-proxy-exec

codex/688-runner-hardening

claude/wip-honcho-qwen-fix-2026-06-02

codex/m06-provenance-adversarial-tests

codex/m06-plan-payload-hash

codex/m06-anchor-plan-git-root

codex/m06-scrub-apply-status-artifacts

codex/m06-extend-apply-redaction

codex/m06-redact-remote-command

codex/m08-openclaw-scheduler-spec

codex/m06-legacy-non-backup-inventory

codex/m04-vault-quarantine-evidence

codex/m02-post-m04-dr-refresh

codex/m04-vault-inventory-blocker

codex/patchwarden-client-dry-run-resilience

codex/m04-safe-session-vault-dependency-cleanup

codex/patchwarden-unique-artifacts

codex/m04-safe-session-ca-dual-trust-bootstrap

codex/m04-vault-quarantine-readiness

codex/m04-safe-session-cutover-runbook

codex/m04-safe-session-local-signer

codex/m04-vault-accelerated-sunset-plan

codex/w6d-patchwarden-actor-token-precedence

codex/w6d-patchwarden-comment-token-fallback

codex/forgejo-baseline-audit-20260528

ollama/dziadek-4th-replica-pcloud

ollama/dziadek-openclaw-scheduler-spec

ollama/dziadek-wake-bus-spec

ollama/dziadek-job-bundle-foundation

claude/smoke-test-524-post-merge

claude/fix-dry-run-merge-base-export

codex/w8-uptime-kuma-runtime-dispatch-fix

No results found.

Labels

Clear labels   

W6d-automerge-calibration

  

agent/claude-code

Vistula actor: Claude Code.

  

agent/codex

Vistula actor: Codex.

  

agent/hermes

Vistula actor: Hermes Upstream.

  

agent/iskra

Vistula actor: Iskra.

  

agent/ollama

Vistula actor: Ollama or compatible model.

  

agent/patchwarden

Vistula actor: Patchwarden.

  

automerge-candidate

Candidate for narrow W6d autonomous merge readiness pilot

  

class/security-sensitive

Security-sensitive class of service: smallest coherent PRs and full canary

  

cutover-gate

blocks production declare / final RS2000 replacement

  

dependency/blocked

Vistula dependency state: blocked.

  

dependency/blocks-others

Vistula dependency state: blocks other work.

  

dependency/cross-repo

Vistula dependency scope: cross-repository.

  

dependency/needs-confirmation

Vistula dependency state: needs confirmation.

  

domain:agents

Agent identity, delegation, subagents, routing, or workflows.

  

domain:ci

CI, checks, Actions, runners, or release automation.

  

domain:docs

Documentation, packets, practices, or source-of-truth text.

  

domain:forgejo

Forgejo issues, PRs, labels, repo settings, or identity.

  

domain:infra

Infrastructure, storage, backup, DNS, network, or host substrate.

  

domain:memory

Memory, recall, write gates, salience, or Honcho-adjacent behavior.

  

domain:runtime

Runtime services, deploys, daemons, timers, or live behavior.

  

domain:signal

Signal UX, delivery, context, or outbound behavior.

  

domain:ux

Product UX, operator experience, or conversation ergonomics.

  

flow/architecture

Vistula lifecycle: architecture phase in progress.

  

flow/blocked

Vistula lifecycle: blocked on dependency or decision.

  

flow/deployed

Vistula lifecycle: deployed to runtime where applicable.

  

flow/done

Vistula lifecycle: work merged or otherwise done.

  

flow/implementation

Vistula lifecycle: implementation phase in progress.

  

flow/intake

Vistula lifecycle: incoming signal not refined yet.

  

flow/maintained

Vistula lifecycle: maintained/steady state.

  

flow/observed

Vistula lifecycle: observed after delivery.

  

flow/ready

Vistula lifecycle: ready for architecture or implementation.

  

flow/refining

Vistula lifecycle: Hermes/spec refinement in progress.

  

flow/retired

Vistula lifecycle: retired or intentionally closed.

  

flow/review

Vistula lifecycle: review phase in progress.

  

iterating

Orchestrator/Codex actively amending in response to review — operator can ignore until resolved

  

judge/codex-candidate

Candidate for Codex implementation.

  

judge/hermes-candidate

Candidate for Hermes discovery/research.

  

judge/low-confidence

Judgment confidence is low.

  

judge/needs-refinement

Needs clearer evidence or scope.

  

judge/operator-needed

Needs Piotr decision or input.

  

judge/p0

Urgent, operator attention or unblock now.

  

judge/p1

High value, schedule soon.

  

judge/p2

Useful, normal queue.

  

judge/p3

Low priority, keep but do not chase.

  

judge/park

Parked from current attention.

  

judge/patchwarden-candidate

Needs Patchwarden merge-safety attention.

  

judge/stale-priority

Existing priority judgment appears stale.

  

kind/adr

Vistula work kind: architecture decision record.

  

kind/bug

Vistula work kind: bug fix.

  

kind/chore

Vistula work kind: chore.

  

kind/feature

Vistula work kind: feature.

  

kind/infra

Vistula work kind: infrastructure.

  

kind/ops

Vistula work kind: operations.

  

kind/refactor

Vistula work kind: refactor.

  

kind/research

Vistula work kind: research/discovery.

  

large-impact

Per charter §3 review-by-impact: large impact (≥300 LOC OR new module OR identity/secret change OR architectural pivot) — Oracle pre-review recommended

  

merge/auto

Vistula merge mode: automated merge.

  

merge/manual

Vistula merge mode: manual merge.

  

merge/manual-dependency-conflict

Manual merge reason: dependency conflict.

  

merge/manual-failing-tests

Manual merge reason: failing tests.

  

merge/manual-merge-conflict

Manual merge reason: merge conflict.

  

merge/manual-missing-review

Manual merge reason: missing review.

  

merge/manual-operator-preference

Manual merge reason: operator preference.

  

merge/manual-red-zone

Manual merge reason: red-zone risk.

  

merge/manual-security-sensitive

Manual merge reason: security-sensitive work.

  

merge/manual-unclear-scope

Manual merge reason: unclear scope.

  

merge/manual-unknown

Manual merge reason: unknown.

  

meta

meta-decomposition issue; first agent decomposes into atomic children

  

mode:operator-only

Apply step requires explicit operator approval.

  

mode:patchwarden-iskra-approved

Work eligible for Patchwarden/Iskra approval inside repo policy.

  

mode:safe-auto

Low-risk work eligible for lightweight autonomous handling.

  

needs-operator-decision

PR is blocked on operator yes/no decision — fresh-Claude/Codex won't make this call alone

  

needs-triage

decomposing agent has open questions / unknowns

  

not-ready

reviewed but blocked on a precondition

  

observed/erroring

Vistula observation: erroring.

  

observed/needs-followup

Vistula observation: needs follow-up.

  

observed/pending

Vistula observation: pending.

  

observed/retire-candidate

Vistula observation: retire candidate.

  

observed/unused

Vistula observation: unused.

  

observed/used

Vistula observation: used.

  

operator-emotional

operator-emotional importance (Iskra memory etc.)

  

owner-attention

owner must decide; blocks default path

  

phase/02

Phase 02 cataloging

  

phase/03

Phase 03 control plane (platformctl)

  

priority:p0

Immediate safety, uptime, data, or operator-blocking issue.

  

priority:p1

Important active work; should be pulled soon.

  

priority:p2

Useful normal-priority work.

  

priority:p3

Opportunistic cleanup, research, or backlog work.

  

proposed

auto-generated by meta-decomposition; awaiting human review

  

ready-for-agent

reviewed and pickable; agents may claim per cookbook

  

ready-for-operator

PR is ready for operator review/merge — orchestrator finished its part

  

recovery

disaster recovery / restore semantics relevant

  

review:claude-reviewed

Reviewed by Claude-family agent.

  

review:codex-reviewed

Reviewed by Codex-family agent.

  

review:dziadek-reviewed

Reviewed by Dziadek pinch-point reviewer.

  

review:needs-human

Needs human review before merge or apply.

  

risk/exposure

incorrectly public/private/tailnet/auth/routed

  

risk/process

workflow/review/orchestration may produce bad outcomes

  

risk/product

work may have lost owner/user value

  

risk/runtime

platform may not run, recover, validate, behave reproducibly

  

safety:external-write

May write to external systems, users, rooms, repos, or services.

  

safety:no-prod-mutation

Must not mutate production or live external state.

  

safety:prod-impact

May affect production/runtime behavior.

  

safety:secret-touch

Touches secrets, credentials, auth, or secret-adjacent config.

  

size/large

Vistula size: large.

  

size/medium

Vistula size: medium.

  

size/small

Vistula size: small.

  

size/tiny

Vistula size: tiny.

  

size/unknown

Vistula size: not classified yet.

  

source/adr

Vistula source: ADR.

  

source/agent-generated

Vistula source: agent generated.

  

source/manual

Vistula source: manual entry.

  

source/operator-chat

Vistula source: operator chat.

  

source/voice-note

Vistula source: voice note.

  

status:blocked

Blocked by missing dependency, evidence, access, or operator decision.

  

status:codex-ready

Ready for a Codex implementation pass.

  

status:merged:pending-evidence

Merged but waiting for live or artifact evidence before closure.

  

status:needs-evidence

Needs proof, logs, tests, or operator-visible evidence.

  

status:operator-needed

Requires explicit operator input before safe progress.

  

status:parked

Intentionally deferred; not active campaign work.

  

tier/full

Full review tier per ADR-0007

  

tier/lite

Lite review tier per ADR-0007

  

tier/stacked

Stacked PR (base != main) escape hatch per ADR-0017. Requires consolidator-PR plan in PR body.

  

tier:0-platform-substrate

Data, secrets, backup, storage, or critical platform substrate.

  

tier:1-iskra-value-layer

Iskra/OpenClaw behavior, memory, runtime, or value-layer work.

  

tier:2-tools-products-modules

Tools, products, modules, experiments, and lower-blast-radius work.

  

type:bug

Incorrect behavior or regression.

  

type:chore

Maintenance, cleanup, metadata, or operational task.

  

type:docs

Documentation-only work.

  

type:feat

New capability or product behavior.

  

type:policy

Governance, protocol, boundary, or decision-contract change.

  

type:research

Investigation, spike, or evidence-gathering task.

No labels

W6d-automerge-calibration

agent/claude-code

agent/codex

agent/hermes

agent/iskra

agent/ollama

agent/patchwarden

automerge-candidate

class/security-sensitive

cutover-gate

dependency/blocked

dependency/blocks-others

dependency/cross-repo

dependency/needs-confirmation

domain:agents

domain:ci

domain:docs

domain:forgejo

domain:infra

domain:memory

domain:runtime

domain:signal

domain:ux

flow/architecture

flow/blocked

flow/deployed

flow/done

flow/implementation

flow/intake

flow/maintained

flow/observed

flow/ready

flow/refining

flow/retired

flow/review

iterating

judge/codex-candidate

judge/hermes-candidate

judge/low-confidence

judge/needs-refinement

judge/operator-needed

judge/p0

judge/p1

judge/p2

judge/p3

judge/park

judge/patchwarden-candidate

judge/stale-priority

kind/adr

kind/bug

kind/chore

kind/feature

kind/infra

kind/ops

kind/refactor

kind/research

large-impact

merge/auto

merge/manual

merge/manual-dependency-conflict

merge/manual-failing-tests

merge/manual-merge-conflict

merge/manual-missing-review

merge/manual-operator-preference

merge/manual-red-zone

merge/manual-security-sensitive

merge/manual-unclear-scope

merge/manual-unknown

meta

mode:operator-only

mode:patchwarden-iskra-approved

mode:safe-auto

needs-operator-decision

needs-triage

not-ready

observed/erroring

observed/needs-followup

observed/pending

observed/retire-candidate

observed/unused

observed/used

operator-emotional

owner-attention

phase/02

phase/03

priority:p0

priority:p1

priority:p2

priority:p3

proposed

ready-for-agent

ready-for-operator

recovery

review:claude-reviewed

review:codex-reviewed

review:dziadek-reviewed

review:needs-human

risk/exposure

risk/process

risk/product

risk/runtime

safety:external-write

safety:no-prod-mutation

safety:prod-impact

safety:secret-touch

size/large

size/medium

size/small

size/tiny

size/unknown

source/adr

source/agent-generated

source/manual

source/operator-chat

source/voice-note

status:blocked

status:codex-ready

status:merged:pending-evidence

status:needs-evidence

status:operator-needed

status:parked

tier/full

tier/lite

tier/stacked

tier:0-platform-substrate

tier:1-iskra-value-layer

tier:2-tools-products-modules

type:bug

type:chore

type:docs

type:feat

type:policy

type:research

Milestone

Clear milestone

No items

No milestone

10 - Improvements

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

3 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pdurlej/platform#645

No description provided.