Privacy + safety model

• No SERP scraping. The agent only calls the official Google Search Console API.
• No invented data. Volume, difficulty, and SERP positions beyond GSC’s average position are never produced.
• No guaranteed rankings. Recommendations are advisory.
• No automatic publishing. Output is a prompt, checklist, or markdown brief.
• No auto-deploy. The agent does not push code, open PRs, or modify your live site.
• No DNS or billing changes. The agent has no integration that could alter those.
• No background MCP write tools. The MCP bridge is read-only.

Every keyword in the workspace carries a dataSource label:

• Verified — the row is populated from a recent GSC fetch. Clicks, impressions, CTR, and average position come straight from the official Search Console API.
• Manual — the operator typed the keyword themselves. The agent surfaces the operator-typed currentPosition with a “(manual)” suffix so it’s never blended with verified GSC averages.

Every workflow follows Analyze → Prepare → Review → Approve → Execute. The agent’s execute function rejects any workflow that isn’t in the approved state. Workflow outputs are limited to prompts, checklists, and markdown briefs the operator copies into a tool of their choice.

• Google OAuth refresh tokens are encrypted server-side (the M17 vault) and never returned to the browser.
• MCP tokens are stored as SHA-256 hashes. The plaintext is shown once at issuance and never echoed again.
• Workflow plans + results carry only operator-readable scalars and the safe Claude prompt. Raw API responses, OAuth payloads, billing secrets, and database URLs are never written.

• The agent only reads from the workspace’s own Search Console properties.
• The agent does not pull from competitors, third-party trackers, or any unofficial source.
• Workspace data is RLS-gated server-side; cross-workspace ids are silently invisible.