Developer · Compliance
Technical safeguards
Nine controls that prevent the platform from being used as a bot network or coordinated inauthentic-behavior tool. Enforced server-side — not by client trust.
- 01
Editorial queue with human approval
Every supporter republish enters a per-client editorial queue. A human operator (the client's communications staff) must approve each item before it goes out. Bandeira itself does not author or auto-approve content.
Enforcement: Application layer · per-client state machine
- 02
Automatic visible attribution
Republished posts carry a visible attribution marker (e.g. "via @origin_account"). Removing the marker is impossible from the UI and would be caught by the audit log if attempted via direct API call.
Enforcement: Publish pipeline · template-enforced
- 03
Daily cap per account
Hard limit of 3 reposts per day per supporter account. Enforced by a PostgreSQL stored function called inside the INSERT path — even a direct psql session bypassing the application would hit the constraint.
Enforcement: Database · stored function + check constraint
- 04
Blackout window (22:00 – 07:00)
No publishing during the local-time blackout window. Two purposes: respect supporter sleep hours (good UX, reduces revocation), and avoid the pattern signature of automated overnight activity that Meta flags as suspicious.
Enforcement: Database · stored function checks supporter timezone
- 05
Time jitter on scheduled publishes
Scheduled publish times are randomized within ±10 minutes per supporter. Defeats fingerprintable patterns (multiple accounts posting at identical seconds), which are the strongest signal Meta uses to detect coordinated inauthentic behavior.
Enforcement: Scheduler · per-publish randomization
- 06
Pre-publish AI content filter
Every queued item is classified by Anthropic Claude before becoming eligible for human approval. Classes flagged: hate speech, calls for violence, electoral disinformation, undisclosed paid promotion. Flagged items require explicit override with logged reason.
Enforcement: Application layer · async classifier · audited override
- 07
Crisis detector on comments
Comment-rate and sentiment anomalies trigger alerts to the client's operations contact (e.g. sudden 10× spike in negative comments on a recent repost). Allows pulling content before a small issue scales.
Enforcement: Stream processor · windowed anomaly detection
- 08
Immutable audit log (5-year retention)
Every relevant event (supporter authorization, repost, revocation, AI override, admin action) writes to an append-only audit_events table. A BEFORE UPDATE OR DELETE trigger raises an exception — even DBA-level access cannot tamper without leaving evidence.
Enforcement: Database · append-only trigger · 5-year retention
- 09
Self-service supporter revocation
Supporters can revoke their OAuth grant at any time from a public link in their own Instagram bio or via direct URL. Revocation is instant: the next scheduled publish for their account is canceled, and the revocation event is logged for audit.
Enforcement: OAuth revocation · idempotent cancel + audit write
Why these are server-side, not in the UI
UI checks are documentation, not defense. Anything a malicious operator could disable in the browser is enforced again in the application layer or in the database — typically both. The audit log records every override, so even legitimate exceptions leave a reviewable trail.