Private previewDesign partner program is open

Onterix Actions

From agent intent to governed action.

Reads create confidentiality risk. Writes add integrity, financial, operational, and reputational risk. Onterix is designed to make every mutation explicit before it becomes real.

GOVERNED TRANSACTION
Interactive trace

“Prepare the Acme renewal brief, update the forecast, and send the customer follow-up.”

STEP 01

Bind the real actor and client

Maya asks Codex to prepare a renewal brief and update Salesforce. Onterix binds her identity, tenant, client, and exact capability versions before any source is touched.

Identity established
Actor
Maya Chen · Revenue Ops
Client
Codex · verified
Capabilities
4 requested · 3 visible

Exact-action governance

Approve one mutation—not a blank check.

An approval is bound to the exact capability, payload, destination, source revisions, policy, and protection versions. Material change supersedes the approval.

01Normalize the proposed mutation and recipientsintent
02Resolve actor, agent, client, source, and destinationcontext
03Inspect data and classify action riskprotect
04Compute a human-readable payload and diffpreview
05Evaluate policy and acquire eligible approvalapprove
06Seal versions, hashes, and source revisionsbind
07Revalidate immediately before executionrecheck
08Execute idempotently and record evidenceprove

Transaction semantics

The controls serious actions require.

A confirmation dialog is not an approval system. Enterprise actions need durable state, separation of duties, revision safety, and proof of what actually happened.

DIFF

Review the exact payload

Show old and new values, recipients, artifacts, affected records, risk, and policy reason—not just a tool name.

SEPARATION

Agents cannot approve themselves

Eligible reviewers are resolved through tenant roles and policy. Approval never expands what the actor could otherwise do.

REVALIDATION

Stale approval is not permission

Changed payload, destination, source revision, policy, ruleset, or transformation invalidates the prior decision.

IDEMPOTENCY

Retry without duplicate impact

Execution keys and durable state distinguish a safe retry from a second mutation, message, task, or charge.

One request, multiple transactions

Govern each consequence independently.

“Update the opportunity and email the customer” is not one action. Onterix separates the CRM mutation from external delivery so policy can allow one, transform another, and require approval for the highest-risk consequence.

CRM

Forecast update

Permitted fields, current record revision, old/new values, owner authority, and idempotent mutation.

MAIL

Customer follow-up

Recipients, body, attachments, inherited classification, protection decision, and separate reviewer.

AUDIT

Connected evidence

One parent intent with two distinct decisions, approvals, execution states, and outcomes.

Design partner workflow

Choose one write that matters. Govern it end to end.

The strongest private-preview pilots begin with a concrete mutation that is valuable enough to automate and sensitive enough to require real controls.