safety— signed intents only, no custody, no automation of live trades

Sage does not hold custody of your funds. The custodial wallet feature, when it ships, will run inside a self-contained Phase-5 module with explicit opt-in. Until that ships, no Sage process can move money.

Sage does not execute trades on your behalf. The /trade routes pre-fill a trade ticket and pass you to the venue's own UI. There is no auto-execute path.

Sage does not bypass geofencing. If your IP resolves to a region a venue does not serve, the venue's UI will reject the trade — Sage is not in that loop and does not try to be.

Sage emits signed intents (a Discord-side or webhook-side message describing what a caller suggests). Whether to act on them is entirely on you. The signal record is auditable in /signals and /ops/audit.

Auto-copy, when enabled per-caller per-user, sends you a DM the moment a verified caller fires. The DM does not include a one-click trade link — copy the entry into the venue's UI yourself.

Do not paste secrets (API keys, tokens, wallet seeds) into any Sage surface — neither Discord, the dashboard, nor support channels. Sage staff will never ask for them.

The dashboard stores only your Discord user ID, current tier, and (if you generated one) your custodial wallet address. Audit events are retained for 90 days.