Bandeira

Developer · Compliance

Technical safeguards

Nine controls that prevent the platform from being used as a bot network or coordinated inauthentic-behavior tool. Enforced server-side — not by client trust.

  1. 01

    Editorial queue with human approval

    Every supporter republish enters a per-client editorial queue. A human operator (the client's communications staff) must approve each item before it goes out. Bandeira itself does not author or auto-approve content.

    Enforcement: Application layer · per-client state machine

  2. 02

    Automatic visible attribution

    Republished posts carry a visible attribution marker (e.g. "via @origin_account"). Removing the marker is impossible from the UI and would be caught by the audit log if attempted via direct API call.

    Enforcement: Publish pipeline · template-enforced

  3. 03

    Daily cap per account

    Hard limit of 3 reposts per day per supporter account. Enforced by a PostgreSQL stored function called inside the INSERT path — even a direct psql session bypassing the application would hit the constraint.

    Enforcement: Database · stored function + check constraint

  4. 04

    Blackout window (22:00 – 07:00)

    No publishing during the local-time blackout window. Two purposes: respect supporter sleep hours (good UX, reduces revocation), and avoid the pattern signature of automated overnight activity that Meta flags as suspicious.

    Enforcement: Database · stored function checks supporter timezone

  5. 05

    Time jitter on scheduled publishes

    Scheduled publish times are randomized within ±10 minutes per supporter. Defeats fingerprintable patterns (multiple accounts posting at identical seconds), which are the strongest signal Meta uses to detect coordinated inauthentic behavior.

    Enforcement: Scheduler · per-publish randomization

  6. 06

    Pre-publish AI content filter

    Every queued item is classified by Anthropic Claude before becoming eligible for human approval. Classes flagged: hate speech, calls for violence, electoral disinformation, undisclosed paid promotion. Flagged items require explicit override with logged reason.

    Enforcement: Application layer · async classifier · audited override

  7. 07

    Crisis detector on comments

    Comment-rate and sentiment anomalies trigger alerts to the client's operations contact (e.g. sudden 10× spike in negative comments on a recent repost). Allows pulling content before a small issue scales.

    Enforcement: Stream processor · windowed anomaly detection

  8. 08

    Immutable audit log (5-year retention)

    Every relevant event (supporter authorization, repost, revocation, AI override, admin action) writes to an append-only audit_events table. A BEFORE UPDATE OR DELETE trigger raises an exception — even DBA-level access cannot tamper without leaving evidence.

    Enforcement: Database · append-only trigger · 5-year retention

  9. 09

    Self-service supporter revocation

    Supporters can revoke their OAuth grant at any time from a public link in their own Instagram bio or via direct URL. Revocation is instant: the next scheduled publish for their account is canceled, and the revocation event is logged for audit.

    Enforcement: OAuth revocation · idempotent cancel + audit write

Why these are server-side, not in the UI

UI checks are documentation, not defense. Anything a malicious operator could disable in the browser is enforced again in the application layer or in the database — typically both. The audit log records every override, so even legitimate exceptions leave a reviewable trail.

← Back to Developer Documentation