aaune

Trust and safety

Security model for delegated booking

A model's words never create booking truth. Consequential actions are constrained by narrow OAuth scopes, explicit user confirmation, server-side revalidation, atomic database transactions, principal ownership, idempotency, and auditable consent.

Authorization
OAuth 2.1 + PKCE S256 + narrow scopes
Booking truth
Atomic canonical database transaction
Credentials
Opaque/hash-at-rest; encrypted secrets
Webhooks
Public HTTPS/443 + HMAC + SSRF controls
Telemetry
Allowlisted attributes; no raw PII or prompts
Security contact
hello@aune.ai

Agent authority

  • Search is data-minimized; protected reads and writes are bound to OAuth client, user, audience, ownership, and exact scope.
  • Aune ignores instructions in provider, customer, crawled, or model-generated text that attempt to change authorization or system policy.
  • Confirmation requires an explicit user-selected option, fresh consent, exact terms acceptance, and server-side provider/price/slot revalidation.
  • Only a canonical response with `booking_created`, `provider_selected`, `availability_checked`, and `booking.status=confirmed` proves success.

Replay and concurrency

  • One-use authorization codes and rotating refresh tokens limit credential replay; detected refresh reuse revokes the family and grant.
  • Idempotency binds the principal, client, action, and request fingerprint. Safe retries return the same result; changed payloads conflict.
  • A database exclusion constraint prevents overlapping confirmed provider slots even across instances.
  • Booking state and notification intent commit together; webhook or email failure cannot reverse or fabricate booking truth.

Webhooks and network safety

Webhook endpoints require public HTTPS on port 443. Aune rejects credentials, redirects, local/internal names, and private, loopback, link-local, multicast, or reserved addresses. Consumers verify timestamped raw-body HMAC signatures and deduplicate event IDs before side effects.

Privacy and observability

  • Contact details and street addresses are collected only after the user chooses a real option or explicitly requests provider follow-up.
  • Telemetry drops unknown fields and redacts values resembling contact data, addresses, postcodes, credentials, signed options, or secrets.
  • Raw prompts, free-form job text, tokens, OTPs, webhook bodies, and signing secrets are not telemetry attributes.
  • See `/privacy` for data-subject rights and contact information; `/status` reports canary-derived service state without exposing customer data.

Report a vulnerability

Report suspected vulnerabilities privately to `hello@aune.ai`. Include the affected surface, reproducible steps, impact, and a safe proof of concept. Do not access other users' data, disrupt production, or include credentials or personal data in the report.