Safety model

Layer one is OpenAI omni-moderation-latest on the kid input. The wrapper lives in lib/moderation/client.ts. It carries a 10-second timeout and a fail-closed classifier for every error path. A network error or a timeout returns a flagged outcome by default. The review gate forbids the call site from wrapping this in try/catch; the rule is in the file header. What it catches: sexual content directed at minors, explicit self-harm language, credible threats, explicit hate, and the long tail of the OpenAI categories.

Layer two is the Anthropic-side safety prompt. The kid-first voice, refusal patterns, and reading-level rules live in lib/prompts/build-assistant.md. The model declines inside the call rather than after it. What it catches: things the model is better positioned to refuse than a content classifier. A request to write code that impersonates a real person, for example. Or a prompt that is coherent English but morally wrong for an 8-year-old.

Layer three is the Tekku tuning layer over OpenAI Moderation. Kid build-talk is full of phrases a generic moderator flags as violent. "Kill the timer." "Shoot the ball." "Hit the enemy." The tuning layer is an allowlist keyed on phrase plus context (project type, kid age, recent prompts). TODO-003 in TODOS.md is the build-out, blocked on four weeks of real Stage 1 moderation events to tune against. What falls through today: cold-start false positives that send a kid to the redirect flow when they did nothing wrong. This is the biggest live tuning surface.

Layer four is OpenAI moderation on the Claude output. Same wrapper, different direction. What it catches: rare cases where the model emits something a classifier flags, usually an echo of the flagged input that slipped past the redirect. Output-side moderation is a cheap insurance policy.

The COPPA 2026 rule takes effect April 22, 2026. The penalty is $51,744 per violation per day per kid. Enforcement is active: Epic paid $520M, YouTube paid $170M, Disney paid $10M in December 2025, TikTok is in active litigation. The regulator is not patient with retrofit compliance. Every product that launches after the deadline is expected to be compliant from day one. Tekku is built for the new regime.

Stage 1 ships without the full verified-consent stack on the basis that user number one is the founder's 8-year-old son. The parent is verified because he wrote the code. The moment user number two joins, the Stage 2 stack turns on: Persona or Stripe Identity for verified parental consent, a signed consent artifact stored with a dated reference, a no-model-training clause in the privacy policy, a 90-day transcript retention cron, and parent-initiated cascading delete. TODO-001 in TODOS.md is the Stage 2 build-out; it is roughly one week of focused work and is the hard gate for expansion past founding families.

The data-use contracts on the API tier are written to the no-training standard. Anthropic's data-use configuration is set to the no-training tier. OpenAI Moderation is audit-only and does not feed training pipelines. Moderation events are stored for policy review, not for classifier improvement. When we eventually train a concept classifier of our own, it runs on synthetic data and on anonymized aggregate labels, never on raw kid transcripts.

A kid profile carries a nickname, an age, and a parent linkage. No surname, no address, no device-identifying beacon beyond what the auth layer needs. The parent record carries the identity-verification artifact and the signed consent reference. Project files persist until the parent deletes the account. Transcripts and snapshots live in the ai_transcripts and snapshots tables in Supabase and are deleted on a 90-day rolling cron. Retention is short on purpose: the less kid data we hold, the less harm we can cause.

Parent-facing export and delete controls ship with the Stage 2 COPPA stack. One button exports everything about a kid as JSON. A second button deletes everything in a cascading transaction: kid profile, transcripts, snapshots, shipped apps, moderation events. The confirmation email is the legal record. There is no support ticket in between the click and the delete.

What we do not store: raw keystrokes, screen recordings, device gyroscope data, browser fingerprints beyond what auth requires, any identifier that would make a kid re-identifiable across sites. We have no ad pixels. We have no data broker integrations. The analytics stack is opt-in at the parent level and carries no kid-level identifiers to any third party.

Kid inputs, kid code, and kid chat history are not used to train Anthropic, OpenAI, or any Tekku-owned model. The clause is written into the API-tier contracts with Anthropic and OpenAI. It is the first sentence of the Tekku privacy policy. It is the first thing the parent reads during consent. Enforcement runs at three layers: the API provider configuration (set to no-training), the data-use contract signed with the provider, and the Tekku pipeline which never writes kid data to any training bucket.

When we train our own concept classifier (Stage 2, TODO-002), the training set is synthetic data generated from documented concept patterns, plus anonymized aggregate labels. No raw kid transcript, no kid-attributable code sample, no parent-identifiable metadata. The training data schema and the generation script will be published with the classifier release so the no-training claim is auditable.

The moderation event log is audit-only. It is retained so a human reviewer can confirm the tuning layer did the right thing. It is not retained to improve a classifier. TODO(safety): publish the moderation retention schedule on the public transparency page.

A safety incident is any event where a harmful message reached a kid, a kid-identifiable data record left our systems, a moderation false-negative was logged, or a parent reports a concerning interaction. The playbook is four steps: detect, contain, notify, publish.

Detect. The moderation event log feeds a live dashboard. Any flagged-but-allowed output is reviewed inside 24 hours by a named human reviewer during Stage 1. Any false-negative that surfaces later (parent report, manual audit) is logged as an incident with a severity tier. The on-call rotation is documented in the Stage 2 operations runbook. TODO(safety): publish the on-call schedule and escalation tree in the data room once the first operational hire lands.

Contain. The immediate action on a live incident is to suspend the affected kid session, freeze the moderation rule that allowed the event, and open a review thread with the on-call reviewer and counsel. Containment has a 1-hour target. The session freeze is a feature flag flip, not a deploy.

Notify. Parent notification is the next step. For a severe event the notification goes out the same day. For a tuning-layer false-negative with no actual harm, the notification goes out in the weekly parent email with a specific explanation. Regulatory notification follows the rule in force: COPPA has a notification trigger in the modernized rule, and counsel is in the thread from detection onward. TODO(safety): counsel to confirm the COPPA notification trigger language for Tekku's specific data shape.

Publish. The public transparency page publishes every moderation event category monthly, including any confirmed incidents, what was changed, and what the new posture is. The page is live at /safety on the marketing site. Parents read it before they subscribe. It is the strongest possible demonstration that the safety claim is not marketing copy.