Glass-box AI: consent before action

The easiest way to ship AI features is to pipe your data to a model and hope you like the result. We don't do that. Across the Twin suite, intelligence features follow one rule: nothing leaves your device without a consent step that shows you the exact payload first.

Local by default

Classification, importance scoring, and entity extraction run on-device. They're fast, they work offline, and they never cross a network boundary. For most of what "AI" does in an inbox, that's enough — and it's the default.

The boundary crossing

Some actions genuinely benefit from a larger model: summarizing a long thread, drafting a reply, answering a question across many messages. Those cross a boundary, so we treat them as a boundary: a consent sheet appears showing the precise content to be sent, you approve it for that one action, and both the request and the response are written to an encrypted audit log. Drafts are pre-fill only — we never auto-send.

Why "glass-box"

A black box asks for trust. A glass box earns it: inputs in, outputs out, both visible, both logged. You can always answer the question "what did this feature just do with my data?" — because the answer is on the screen and in the audit trail.

That's the standard for every product we build. If a feature can't be honest about what it sends, it doesn't ship.