Safety & limits

Books AI is a junior with a clipboard, not an autopilot. This page is the design contract — the explicit list of what it can and can't reach, so you know what you're agreeing to when you turn it on.

Confirmation is non-negotiable

Every mutation — every entry posted, every entry deleted — goes through a card in the chat with an explicit button. The card calls the same API endpoints as the manual UI, which means:

• Period locks still apply. If the date falls in a locked window, the Post fails the same way the form would.
• Account validation still applies. Archived accounts are rejected.
• The audit trail records the resulting CREATE or DELETE exactly as if you had clicked through the form. There is no separate "AI did this" path.

If you click Cancel, nothing was sent. If you close the chat panel without clicking, nothing was sent.

Org scope

The AI sees only your active organization — the one shown in the org switcher. It cannot read or write to other orgs you're a member of. Switching the active org reroutes the AI in the same request.

It uses the same permission checks as the rest of the app: you have to be a member of the org, and your role decides what's allowed. If you don't have rights to post or delete a transaction manually, the AI can't do it for you either.

Rate limit

Each user is allowed 100 messages per day. The counter:

• Increments on every message you send.
• Resets at UTC midnight, not local midnight.
• Is shared across all your sessions and devices.

The remaining count is shown in the chat panel's header ("83 left today"). Read-only tool calls the AI makes (like searchAccounts) don't burn a message — only your own sends do.

When you hit zero, sends fail with a clear error and the panel keeps the conversation intact. Wait until UTC midnight and you're back.

What the AI cannot reach

• Files & folders. The AI cannot list, read, upload, attach, or delete files. The Files product is a separate surface.
• API keys. It cannot create, list, or revoke org API keys.
• Settings & members. Cannot rename the org, change currency, invite or remove members, or alter roles.
• Period locks. Cannot set or clear them.
• Other orgs. As above — strict active-org scope.
• The audit trail. It can't read the audit log of an entry, and there's no way for it to remove or alter audit rows. They're append-only at the database level.

Data and providers

The chat is served by an external LLM provider over an authenticated proxy from our server. The prompt the model receives includes the system instructions plus your conversation history, plus the results of any read tools it ran in this turn (account hits, transaction hits, today's date). It does not include your full ledger, your file contents, or anything from other orgs.

We don't fine-tune on your books, and we don't retain message bodies beyond the rate-limit counter (which is just an integer per user per day in Redis).

Things to remember

• Read the proposal card. The card is your safety net — line amounts, account names, date, total. The AI can make mistakes; posting is on you.
• Push back when it's wrong. "Use 6010 Lease, not 6000 Rent" or "the amount should be $1,234.56, not $1,234.50" — the AI will redo the proposal.
• Use Reset between unrelated tasks. Long conversations let stale context bleed into new questions. When you switch from "book this rent" to "what were our biggest expenses last month?", consider starting fresh.
• For period-end work, prefer the manual flow. Closing books, posting accruals, anything where the cost of a wrong click is high — do those by hand and let the AI assist with the boring middle.

That's the contract. Use it like a sharp tool, keep the cards honest, and it pays for itself.