Security & trust
SpendSignoff moves real ad spend, so the safety contract is the product. Here is exactly what the AI can do, what it can never do, and how we prove it.
Default access
Read-only
Every connection starts able to read & draft — nothing more.
Spend authority
You
No tool, scope, or loop can push money live without a human.
Audit log
Append-only
KMS-signed, tamper-evident, exportable end to end.
Token storage
KMS-vaulted
OAuth tokens are encrypted at rest; never returned to the model.
The guarantee
One sentence the whole architecture is built to keep true.
Your AI can read and draft — it can never spend without your approval.
This is not a setting you can turn off. The split between drafting and pushing live is enforced server-side in the policy core: the AI client is only ever issued read and draft scopes, and the act of going live requires a separately authenticated human action. There is no autonomous spend in V1, and the 24-hour envelope is a hard daily ceiling, not a suggestion.
How it’s enforced
AI can draft, never spend
The model proposes a change as a draft. Going live is a separate, server-enforced step that only a signed-in human can take. There is no scope, prompt, or autonomy setting that bypasses it.
Two-step approve & push live
Money-moving changes arm on the first click and confirm on the second — a deliberate alertdialog, not a one-tap toggle. The before→after diff is shown in full before you commit.
KMS-signed append-only audit
Every read, draft, approval, push, and rollback is written to an append-only ledger and signed with a KMS key. Entries cannot be edited or deleted — only appended — so the record is tamper-evident.
OAuth, read-first
You connect each ad account over the platform’s own OAuth. SpendSignoff requests read access first and surfaces exactly what it would change — write access stays dormant until you approve a specific draft.
KMS-vaulted tokens
Platform OAuth tokens are encrypted with envelope encryption and stored in a managed vault. They are decrypted only inside the policy core at the moment of an approved action — never exposed to the AI client.
Reversible by design
Because the prior state is captured in the diff and the ledger, an approved change can be rolled back in one click. Every rollback is itself a signed audit entry.
What the AI client is issued
SpendSignoff maps every MCP capability to an explicit scope. The approve scope is never minted for a model.
mcp.read | Read accounts, campaigns, metrics | Granted on connect
mcp.draft | Propose changes as drafts | Granted on connect
mcp.approve | Push spend live | Never issued to the AI
Want the full picture? The safety model is documented end to end.
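A sketch of the server-side split described above, added here as an illustration and not SpendSignoff's own code: scopes are minted per principal kind, and going live takes an arm step and a confirm step under a daily ceiling. The scope names come from the page; the principal kinds, the session dictionary shape, the same-user rule for confirm, and all class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Scope names are from the page; the principal kinds are assumptions.
SCOPES_BY_KIND = {
    "model": frozenset({"mcp.read", "mcp.draft"}),
    "human": frozenset({"mcp.read", "mcp.draft", "mcp.approve"}),
}

class PolicyError(Exception):
    pass

def mint_scopes(kind, requested):
    """Issue only scopes the principal kind may hold; otherwise refuse the request."""
    denied = set(requested) - SCOPES_BY_KIND.get(kind, frozenset())
    if denied:
        raise PolicyError(f"{kind} may not hold {sorted(denied)}")
    return frozenset(requested)

@dataclass
class Draft:
    draft_id: str
    daily_spend: float
    armed_by: Optional[str] = None
    live: bool = False

@dataclass
class PolicyCore:
    daily_ceiling: float          # the 24-hour envelope
    spent_today: float = 0.0

    def _require_approver(self, session):
        # Re-check the principal kind server-side: a token that merely
        # claims mcp.approve is not enough if it belongs to a model.
        allowed = SCOPES_BY_KIND.get(session["kind"], frozenset())
        if "mcp.approve" not in allowed or "mcp.approve" not in session["scopes"]:
            raise PolicyError("push live requires an authenticated human")

    def arm(self, session, draft):            # first click
        self._require_approver(session)
        draft.armed_by = session["user"]

    def confirm(self, session, draft):        # second click
        self._require_approver(session)
        if draft.armed_by != session["user"]:
            raise PolicyError("confirm must follow arm by the same user")
        if self.spent_today + draft.daily_spend > self.daily_ceiling:
            raise PolicyError("change exceeds the 24-hour envelope")
        self.spent_today += draft.daily_spend
        draft.live = True
```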