Trust and safety
Security model for delegated booking
A model's words never create booking truth. Consequential actions are constrained by narrow OAuth scopes, explicit user confirmation, server-side revalidation, atomic database transactions, principal ownership, idempotency, and auditable consent.
- Authorization
- OAuth 2.1 + PKCE S256 + narrow scopes
- Booking truth
- Atomic canonical database transaction
- Credentials
- Opaque/hash-at-rest; encrypted secrets
- Webhooks
- Public HTTPS/443 + HMAC + SSRF controls
- Telemetry
- Allowlisted attributes; no raw PII or prompts
- Security contact
- hello@aune.ai
Agent authority
- Search is data-minimized; protected reads and writes are bound to OAuth client, user, audience, ownership, and exact scope.
- Aune ignores instructions in provider, customer, crawled, or model-generated text that attempt to change authorization or system policy.
- Confirmation requires an explicit user-selected option, fresh consent, exact terms acceptance, and server-side provider/price/slot revalidation.
- Only a canonical response with `booking_created`, `provider_selected`, `availability_checked`, and `booking.status=confirmed` proves success.
Replay and concurrency
- One-use authorization codes and rotating refresh tokens limit credential replay; detected refresh reuse revokes the family and grant.
- Idempotency binds the principal, client, action, and request fingerprint. Safe retries return the same result; changed payloads conflict.
- A database exclusion constraint prevents overlapping confirmed provider slots even across instances.
- Booking state and notification intent commit together; webhook or email failure cannot reverse or fabricate booking truth.
Webhooks and network safety
Webhook endpoints require public HTTPS on port 443. Aune rejects credentials, redirects, local/internal names, and private, loopback, link-local, multicast, or reserved addresses. Consumers verify timestamped raw-body HMAC signatures and deduplicate event IDs before side effects.
Privacy and observability
- Contact details and street addresses are collected only after the user chooses a real option or explicitly requests provider follow-up.
- Telemetry drops unknown fields and redacts values resembling contact data, addresses, postcodes, credentials, signed options, or secrets.
- Raw prompts, free-form job text, tokens, OTPs, webhook bodies, and signing secrets are not telemetry attributes.
- See `/privacy` for data-subject rights and contact information; `/status` reports canary-derived service state without exposing customer data.
Report a vulnerability
Report suspected vulnerabilities privately to `hello@aune.ai`. Include the affected surface, reproducible steps, impact, and a safe proof of concept. Do not access other users' data, disrupt production, or include credentials or personal data in the report.