Built for operational trust

Opera's safety model starts from a simple premise: the system should be unable to do the things you're afraid of, not merely instructed to avoid them. These are construction constraints, not policies.

The guardrails

• No destructive writes. There is no code path that deletes or overwrites your data — in Sheets or in ad accounts.
• Schema validation before every write. Opera re-reads the report's structure each run and matches it against the stored mapping.
• Schema drift detection. If a column was renamed, a section moved, a row inserted — the run halts and flags the diff. Opera never guesses where data goes.
• Preview before execution. Writes, edits and launches show exactly what will change before it changes.
• Append-only report updates. New rows land at the detected anchor; formula regions are protected and extended, never replaced.
• Duplicate-period checks. A week that already exists in the report cannot be appended again.
• Campaigns created paused by default. Going live is always an explicit human approval.
• Approval workflows. Budget increases, targeting changes and go-lives route through sign-off at thresholds you define.
• Full audit logs. Every pull, write, edit and launch: what changed, when, from which data, on whose instruction.
• Client-level isolation. Credentials, data, definitions, schedules and logs are scoped per client and never cross.

Access: least privilege, easy revocation

Opera asks for the narrowest access that does the job. Mapping a report needs view access; maintaining it needs edit on that file — not your Drive. Ad-platform connections use the platforms' own OAuth with their scoped permissions, and read-only reporting can run without any write scope at all. Every connection is revocable from the source platform in one click, independently of Opera.

What Opera will not do

• Launch a live campaign autonomously — created paused, always
• Delete campaigns, ads, rows, tabs or files
• Exceed budget caps or act outside a client's stored constraints
• Write into a structure it can't verify
• Mix one client's data, rules or credentials with another's

Failure behavior

When something is wrong — a source API down, a drifted schema, an out-of-range anomaly — the run halts, writes nothing, and alerts the channel you chose with the reason. No partial writes, no silent retries that mask a real problem. A system you can trust is mostly a system that fails loudly and conservatively.

You stay in control

Opera proposes and previews; you approve. You decide which actions need sign-off, who can give it, and what each client's constraints are. The operating philosophy is delegation with receipts — which is the only kind that survives contact with production.