The Autonomy Ladder
blincr's rule: you are as autonomous as you can be, until you can't. blincr.com only enters where local action genuinely cannot go — checking a trail before it reaches another person, or running a watcher while your browser is closed. Everything else stays in your browser by default.
| Rung | What you can do | Where it runs | Account needed? | blincr.com's role |
|---|---|---|---|---|
| L0 — Local | Annotate the web, build trails, create and run blincrs (page watchers) | Your browser only | No | None — nothing leaves your device |
| L1 — Backup | Store a raw trail in the cloud | Cloud, unchecked | Yes | Storage only. Not shareable yet |
| L2 — Share | Send a trail to another person | Cloud, checked | Yes | Safety check: scans every URL in the trail for malicious sites before it can be shared — you connect to another person through blincr, and blincr looks out for both of you |
| L3 — Always-on | Cron watchers, alert webhooks, agent handoff | Cloud | Yes | Managed infrastructure — checks run 24/7, even with your laptop closed |
Why this order
- Privacy by default. Local-only (L0) data never touches our servers — nothing to leak, nothing to hold under GDPR, nothing for us to see. See Privacy for the full data ledger.
- Sharing is the one place blincr must look. The moment a trail is meant
for someone else, blincr checks every page it visits against
Google Web Risk —
malware, phishing, unwanted software — before a share link is created,
via
gpn-webrisk-worker, the fleet's shared gateway to that API. That check is the entire reason blincr.com exists in the flow. A trail you keep to yourself is never scanned. If a page is flagged, sharing is blocked with the specific page named, so you can remove it and try again; if the check itself fails (network, API outage), sharing is blocked too — a safety gate that quietly lets things through on error isn't a gate. - Always-on is opt-in, not default. Running in your own browser is free, private, and sufficient for most watchers. blincr.com's 24/7 cron is there when you need reliability more than privacy — you choose, every time, before a watcher is created.
Where this shows up
- "Blincr this element" (the extension's page-watcher picker) asks "Run where?" on every watcher: "In this browser (private, only while open)" or "On blincr.com (24/7, needs sign-in)" — with the trade-off spelled out underneath, not hidden in a settings page.
- Local blincrs (no account) live in the extension popup's Trails tab. Each one can be paused, deleted, or moved to blincr.com later with one click — nothing is one-way.
- Trails show a sync badge (
local/synced/modified) in the extension's trail library so it's always visible whether a trail has left your browser.
For agent/automation authors
If you're building on top of blincr (MCP client, webhook consumer, Cowork plugin), the ladder tells you what to expect from each surface:
- Local blincrs and unpublished (L0/L1) trails are not visible to the server API or the MCP tools — by design, the server cannot read what it was never given.
get_trail(MCP) andGET /api/user/trails/:id/bundleonly serve plaintext cloud tiers (t3 / t3_self) — seedocs/trail-bundle.md.- The
blincr.alertwebhook (seedocs/trail-bundle.md§ "Recipe: alert → agent handoff") only fires for L3 watchers — a local blincr has no server side to dispatch from.