04 · Trust

Kept by the organization. Shared only by you.

The organization stores and protects the session record, the way it stores code. Reading it is a separate matter: a raw session opens only to its author, and reaches a team only when the author shares it — under safeguards everyone can see.

The starting point

“My chats feel private.”

It's the right instinct, and the design starts from it.

A session with an agent reads like a chat, and every other chat in a person's life is private. So HX treats that instinct as a requirement: by default, the only person who can read a raw session is the person who wrote it.

At the same time, the record itself is work product, and the organization keeps it — stored, backed up, protected — so it survives lost laptops and tool changes. Keeping a record and reading it are different things. The organization does the first. The author decides the second.

What follows is how a faithful implementation handles the moment sharing does happen — because on a good team it does, and it should.

Sharing safeguards

Four conditions, checked every time

HX CARE calls for tight safeguards on when a session can be shared with a team. A faithful implementation checks at least these four conditions — all of them — before a session is visible to anyone but its author.

[Diagram: a session passes four gates before it reaches the team's shared view: 1. a work repository (a repo used for company work); 2. a connected project (wired into the workspace); 3. an explicit team (a named roster, granted access); 4. a personal yes (approved by the author).]

1. A work repository. The session happened in a folder wired to a git repository used for company work. Personal projects, personal machines, personal agents are out of scope.
2. A connected project. That same repository is explicitly connected to a project in the organization's workspace. No connection, no collection.
3. An explicit team. A named team — with a member list anyone on it can read — has been granted that exact project.
4. The author's yes. The author receives a share request and approves it, scoped to that team. The approval can be withdrawn, and both the request and the approval are recorded.

And the conditions hold from every direction: a colleague with full access to the project — but on a different team — sees nothing. An administrator who can configure the workspace sees nothing. If any one condition is missing, nothing is shared.

Why share at all

What sharing is for

A session shared with the six people who work the same code is how craft spreads: “look at this disaster,” “here's how I finally got it to work,” “watch what happens when I ask it this way.”

Offices used to carry that trade by osmosis; distributed work quietly lost it. The safeguards exist to make sharing feel this comfortable.

All the time

What the charter guarantees

Sharing is one moment. These hold all the time — written down in the charter the organization signs and displays where the measurement happens.

The record

Kept by the organization — preserved, backed up, never lost to a laptop or network failure.

Reading

A raw session opens to its author. Sharing it further is the author's decision.

Team views

Numbers above the individual describe teams. The only person who sees a number about you is you.

Answers

Raise a problem and something visible comes back — a change, a decision, or a clear no with the reason.

The full text is the CARE Charter — seven articles in plain language, free to adopt.

For implementers

What to check in any implementation

Six checks that separate an implementation from a brochure. Your people will run them whether or not they say them out loud.

  • Sharing consent is scoped to a named team with a readable member list — never to “the organization.”
  • Collection follows the repository connection, not the device.
  • A share request is explicit, revocable, and recorded.
  • Views above the individual describe groups, never a person.
  • Anyone can see who accessed data that includes them.
  • The charter is displayed in the product — versioned, signed, changes announced first.
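
The four sharing conditions and the implementer checks above can be expressed as a deny-by-default read check. This is an added example, not code from HX or from any implementation; the data model, function names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:
    id: str
    author: str
    repo: str

@dataclass
class Workspace:  # hypothetical data model, not a real product schema
    work_repos: set    # condition 1: repositories used for company work
    connections: dict  # condition 2: repo -> connected project
    grants: dict       # condition 3: team -> projects granted to that team
    members: dict      # condition 3: team -> readable member list
    approvals: dict    # condition 4: (session id, team) -> True; False once withdrawn
    audit: list = field(default_factory=list)  # every decision is recorded

def _decide(ws, session, reader, allowed, reason):
    ws.audit.append((reader, session.id, allowed, reason))
    return allowed

def can_read(ws: Workspace, session: Session, reader: str) -> bool:
    """Deny by default; there is no role check, so administrators get no bypass."""
    if reader == session.author:
        return _decide(ws, session, reader, True, "author")
    if session.repo not in ws.work_repos:
        return _decide(ws, session, reader, False, "not a work repository")
    project = ws.connections.get(session.repo)
    if project is None:
        return _decide(ws, session, reader, False, "repository not connected")
    for team, roster in ws.members.items():
        if (reader in roster and project in ws.grants.get(team, set())
                and ws.approvals.get((session.id, team)) is True):
            return _decide(ws, session, reader, True, f"shared with {team}")
    return _decide(ws, session, reader, False, "no approved share for reader's team")

def accesses_involving(ws: Workspace, session: Session) -> list:
    # Lets the author see who tried to read the session and what was decided.
    return [entry for entry in ws.audit if entry[1] == session.id]

# Constructed sample data: two teams are granted the same project,
# but the author approved sharing with only one of them.
repo = "git@example.test:acme/payments.git"
ws = Workspace(work_repos={repo}, connections={repo: "payments"},
               grants={"payments-core": {"payments"}, "platform": {"payments"}},
               members={"payments-core": {"ana", "bo"}, "platform": {"cy"}},
               approvals={("s1", "payments-core"): True})
s1 = Session("s1", "ana", repo)
```

Approval is keyed on the pair of session and team, so a grant to the project alone never opens a session, and withdrawing the approval takes effect on the next read.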