# Security model for delegated booking

Canonical human page: https://aune-homepage-chat.vercel.app/docs/security
Canonical machine page: https://aune-homepage-chat.vercel.app/ai/security.md

A model's words never create booking truth. Consequential actions are constrained by narrow OAuth scopes, explicit user confirmation, server-side revalidation, atomic database transactions, principal ownership, idempotency, and auditable consent.

## Facts

- **Authorization:** OAuth 2.1 + PKCE S256 + narrow scopes
- **Booking truth:** Atomic canonical database transaction
- **Credentials:** Opaque/hash-at-rest; encrypted secrets
- **Webhooks:** Public HTTPS/443 + HMAC + SSRF controls
- **Telemetry:** Allowlisted attributes; no raw PII or prompts
- **Security contact:** hello@aune.ai

## Agent authority

- Search is data-minimized; protected reads and writes are bound to OAuth client, user, audience, ownership, and exact scope.
- Aune ignores instructions in provider, customer, crawled, or model-generated text that attempt to change authorization or system policy.
- Confirmation requires an explicit user-selected option, fresh consent, exact terms acceptance, and server-side provider/price/slot revalidation.
- Only a canonical response with `booking_created`, `provider_selected`, `availability_checked`, and `booking.status=confirmed` proves success.

## Replay and concurrency

- One-use authorization codes and rotating refresh tokens limit credential replay; detected refresh reuse revokes the family and grant.
- Idempotency binds the principal, client, action, and request fingerprint. Safe retries return the same result; changed payloads conflict.
- A database exclusion constraint prevents overlapping confirmed provider slots even across instances.
- Booking state and notification intent commit together; webhook or email failure cannot reverse or fabricate booking truth.

## Webhooks and network safety

Webhook endpoints require public HTTPS on port 443. Aune rejects credentials, redirects, local/internal names, and private, loopback, link-local, multicast, or reserved addresses. Consumers verify timestamped raw-body HMAC signatures and deduplicate event IDs before side effects.

## Privacy and observability

- Contact details and street addresses are collected only after the user chooses a real option or explicitly requests provider follow-up.
- Telemetry drops unknown fields and redacts values resembling contact data, addresses, postcodes, credentials, signed options, or secrets.
- Raw prompts, free-form job text, tokens, OTPs, webhook bodies, and signing secrets are not telemetry attributes.
- See `/privacy` for data-subject rights and contact information; `/status` reports canary-derived service state without exposing customer data.

## Report a vulnerability

Report suspected vulnerabilities privately to `hello@aune.ai`. Include the affected surface, reproducible steps, impact, and a safe proof of concept. Do not access other users' data, disrupt production, or include credentials or personal data in the report.
