Command Safety & Limitations
How Command keeps your data and operations safe — confirmations, boundaries, and what to expect
Safety by Design
Command is built with guardrails that protect your account while still being useful. Every action falls into one of two categories:
| Category | Behavior | Examples |
|---|---|---|
| Auto-run | Executes immediately when intent is clear | Content edits, data lookups, uploads, contact updates |
| Confirmation-required | Pauses for your approval before executing | Publishing, sending messages, billing changes, deletes |
Command will never perform a sensitive action without your explicit approval.
The Confirmation Flow
When Command wants to do something sensitive:
Command: "I'm ready to publish the blog post 'Spring Sale' to your website.
This will make it publicly visible. Approve?"
[Approve] [Deny]
| Your Action | What Happens |
|---|---|
| Approve | Command executes the action immediately |
| Deny | Command stops and suggests an alternative |
| Deny with reason | Command notes your preference and adjusts |
You can deny any confirmation without consequence. Command won't retry the same action — it will pivot to a safer alternative or ask how you'd like to proceed.
Confirmation Triggers
Command asks for confirmation when an action involves:
| Trigger | Why It's Protected |
|---|---|
| Publishing or scheduling content | Goes live publicly, visible to your audience |
| Sending SMS or email | Reaches real people — can't be unsent |
| Changing ad spend or budgets | Direct financial impact |
| Refunds, payments, subscription changes | Affects billing |
| Deleting or removing content | Hard to reverse |
| Changing credentials or permissions | Security risk |
| Destructive WordPress operations | Could break your website |
| Scheduling future sends | Time-sensitive, can't easily undo |
Data Access Boundaries
What Command Can See
Command accesses your data through specific resource endpoints. It does not have unrestricted database access.
| Resource | Scope |
|---|---|
| Billing overview | Your invoices, contract, balance |
| Reports | Monthly reports for your account |
| SEO data | Search rankings and performance for your websites |
| Website list | Your websites and their connection status |
| Knowledge Base | Documents your agency or you have created |
| Assets | Files in your asset library |
| WordPress | Content on your connected WordPress sites |
What Command Cannot See
- Other clients' accounts, even within the same agency
- Your agency's internal settings or other clients' billing
- Raw API keys, tokens, or credentials (Command uses them but never displays them)
- Data from disabled portal features (if your agency turned off a section, Command can't access it)
Session Limits
| Limit | Value | What Happens When Reached |
|---|---|---|
| Tool actions per message | 6 | Command stops and asks you to continue if more steps are needed |
| Conversation history per session | 40 events | Older messages are retained but may not be included in the active context |
| Attachment size | 8 MB | Larger files must go through the Asset Library |
| Session history | No hard limit | Sessions persist until you archive them |
If Command hits the 6-action limit, it will stop mid-task and explain what still needs to be done. Just send another message to continue.
Verification After Changes
After making website changes, Command automatically verifies the result:
- Makes the change (e.g., updates WordPress content)
- Checks that the change is live
- If verification shows it's pending, Command waits and retries
- If verification fails, Command investigates and attempts a fix
This means you can trust that when Command says something is done, it's actually live — not just queued.
Privacy & Data Handling
| Question | Answer |
|---|---|
| Are my conversations stored? | Yes — sessions are saved so you can revisit them. Your agency admin can also view sessions. |
| Who can see my Command sessions? | You and your agency's authorized admins |
| Does Command train on my data? | No — your data is not used for model training |
| How long are sessions kept? | Until you archive them. Your agency sets retention policies for archived sessions. |
| Can Command share my data with other clients? | No — strict client isolation. Command is scoped to your account only. |
| What happens if I deny a confirmation? | The action is canceled. No partial changes are made. |
Feature Availability
Your agency controls which portal features are enabled for your account. If a feature is disabled:
- It won't appear in your portal sidebar
- Command cannot access that data or perform actions in that area
- Command will tell you directly: "That feature is not available for your portal"
If you need access to a disabled feature, contact your agency. They can enable it from their admin panel.
Error Handling
If something goes wrong during an operation:
| Scenario | What Command Does |
|---|---|
| A tool call fails | Command reports the error and suggests next steps |
| Too many tool loops | Command stops and explains it needs more input from you |
| Feature is disabled | Command tells you the feature isn't available |
| Data not found | Command asks you to clarify or provide the missing info |
| Network interruption | Your session is preserved — just send another message to resume |
When to Contact Your Agency Instead
Command is powerful, but it's not a replacement for your agency team. Reach out directly for:
- Strategic decisions — marketing direction, campaign planning
- Contract changes — new services, pricing adjustments
- Major website overhauls — redesigns, new site builds
- Billing disputes — charge disputes, payment issues
- Urgent issues — site down, broken functionality
Command will often direct you to your agency when it recognizes a request is outside its operational scope.
