Trust and controlled execution
These are the mechanisms Jithox actually ships — and, just as important, what they do not prove.
Mechanisms
- Human approval
- A side-effecting action runs only after an explicit human yes — or a valid, scoped delegation. Approval binds to the exact content: workspace, approver, document snapshot, recipient, subject, body and attachment identity.
- Immutable snapshots
- What you approved is what executes. Documents and e-mail packages are hashed; any edit after approval produces a new identity, the stale approval is withdrawn, and dispatch refuses drifted content before any network call.
- Exactly-once execution
- Dispatch claims an idempotency key before the provider is called. A double click, a retry, a lost response or a second tab can never produce a second send.
- OAuth and scopes
- The public MCP authenticates every call with OAuth 2.1 and scopes; its five tools are read-only. A token without the right scope is refused.
- Signed receipts
- Confirmed executions and verified delivery events produce append-only, signed receipts with commitments instead of raw personal data.
- Truthful provider states
- Provider acceptance is never shown as delivery. Delivery appears only after a verified provider event; ambiguous outcomes stay ambiguous and are never retried blindly.
- Revoke and recovery
- Suppressed recipients (hard bounce, complaint) are blocked before a new proposal is even created. A corrected address requires a fresh approval. Access and pilot grants are revocable.
Honest limits
- Internal testing is not an independent penetration test. An independent security assessment is planned before broad activation; it has not happened yet.
- Not all systems are independently certified. We do not claim SOC 2, ISO 27001 or similar certifications.
- A signed receipt proves what Jithox executed and observed — it does not automatically prove legal or fiscal correctness of a document.
- Delivery means the receiving mail server accepted the message. It does not prove a human read it, agreed with it, or will pay it.
- An “unavailable” answer from a registry or provider is an availability fact — never a negative business fact about you or a counterparty.
Security contact
Found a vulnerability or an incident? Mail info.jithox@gmail.com — a human reads every report. Please do not include exploit details of live customer data in the first message.