Product specification What Aside does — and why it does it

Audience

Six categories Aside is designed for

Every capability and action below is tagged with one or more of these categories. The tags answer the question “why is this in the product?” — never as decoration.

Voice & conversation

How Aside listens and replies

The shell of every interaction. These primitives compose into “hands-free, eyes-free, no apps” — the load-bearing premise.

Core capabilities

Standing features available on every turn

Persistent surfaces — always available, no command needed.

Action surface

Curated, audited Android Intent wrappers

Every action is a small Kotlin function around a known-safe Android Intent or system call — never a generic “agent that can do anything.” Each one is a deliberate, reviewable change. Step-by-step guides for every action live in the How-to guides.

Navigation: open_maps · navigate_to

Communication (drafts only — never auto-sends): dial · compose_email · compose_sms · share_text · add_note

Time, calendar & reminders: set_timer · set_alarm · reminder_at · create_calendar_event · open_calendar_today

App launch & system navigation: open_app · open_settings · open_url · open_web_search · go_home / go_back

Media & capture: youtube_search · spotify_search · open_camera · take_selfie · record_voice_memo · copy_to_clipboard

System controls & safety: flashlight · set_volume · set_ringer · find_my_phone

Memory ops (server-side & on-device): remember · forget

Memory architecture (v2)

Ambient, on-device, never logged

Memory is the single most defensible pillar for an assistant — and the highest-risk feature for trust collapse if done badly. Privacy posture is load-bearing: memories live on the user’s phone, period.

• On-device storage (Room v1 schema). Bi-temporal schema: memory(id, category, content, observed_at, valid_from, valid_to, source_turn_id, source_quote, confidence, status, format_version). AES-GCM at rest via Android Keystore. Categories: semantic (facts), procedural (preferences), episodic (events), vault (verbatim items), sensitive (health / finance / legal — explicit-only).
• Per-turn extraction (/v1/memory/extract). Async after the done event, client posts the last N user turns + running summary; server runs a Haiku-class meta-prompt with a four-op vocabulary (ADD / UPDATE / DELETE / NONE); returns ops with provenance quotes; client commits to Room as status=candidate. Server retains nothing.
• Tainted-source guard. Only the user’s spoken or typed turns are eligible to write memory. External content (web fetches, NotificationListenerService, email bodies, calendar invite descriptions, document bodies) is flagged and excluded from extraction input. Blocks the indirect-prompt-injection class.
• Sensitive-tier guard. Health, finance, sexual, legal, precise-location categories are explicit-only; auto-extraction is blocked.
• Memory tab UI. Direct on-device queries — instant, offline-capable. Per-row Forget; candidate-only Keep; top-bar “Forget all.” How to use the Memory tab.
• “Memory updated” canary. Audible chime + visible toast on every memory write. Trust + a poisoning canary — the absence of the chime when memory was written would be the attack vector.
• Decay & consolidation. Decay worker runs at 3am local, daily. TTL: episodic 60d, candidates 14d unprompted; semantic / procedural / vault / sensitive durable.
• Backup & export. Android Auto Backup with E2E encryption (device passcode is the unlock key). Explicit Export / Import pair → AES-GCM .aside-memory file the user saves where they choose.

Per-turn injection: full semantic + procedural + vault + top-k episodic. Sensitive tier never injected unless the query semantically requires it. Wire field is memory_block on POST /v1/turn, capped at ~3.5 KB; server logs record only the memory_block_hash + size, never contents.

Accessibility-first UI primitives

UI v3 — calm warm paper, brand-locked tokens

None of this is “a11y settings” bolted onto a finished design — it’s the design.

• Bundled fonts. Plus Jakarta Sans (display + body) + JetBrains Mono (eyebrow / metadata / status). Bundled as Android assets — runtime never hits Google Fonts. Zero third-party font fetches.
• Live text-size slider on the Accessibility settings page with a real-time preview card. How to enlarge the text.
• High-contrast toggle for partial-vision users + bright outdoor lighting. How to turn it on.
• Reduce-motion toggle that folds system pref OR user pref. Orb breathe + status-dot pulse become static when active. How to turn motion off.
• ≥ 56dp hit targets, ≥ 18sp body type. Above the WCAG 2.5.5 AAA threshold (44×44px). A user with a tremor or arthritis can still hit the right thing.
• 5-screen plain-language onboarding. Welcome → Permissions in plain language → Teach me about you → Voice setup with live waveform → Ready. Walk through onboarding.
• Empty home state — just the orb + the prompt “Tell me everything.” No tutorials, no buttons, no menus. Removes every decision before the user can start.
• Mic-denied banner — if microphone permission is denied, an inline banner deep-links to the Application info screen. How to recover.
• Offline banner via Android’s connectivity callback. Users get explicit feedback that the assistant won’t work right now — never a silent failure.
• Memory taxonomy in plain language. In-sheet groupings: About you / People / Routines / Sensitive. The underlying schema is preserved; only the labels are user-facing.

Privacy & trust posture

What the architecture promises the user, by construction

Every commitment below is enforced at the code or operational layer — not as policy text.

• Your model on your server. Aside speaks to OpenAI’s API directly from the operator’s VPS. Prompts and replies are never proxied through a third-party “AI assistant” product surface.
• No tools at the model. The server calls OpenAI’s chat completions endpoint with no tools or functions defined — the model has no filesystem, no shell, and no outbound network access. Even a successful prompt-injection attack cannot escape the API boundary.
• Curated, auditable action surface. Each action is a small Kotlin function around a known-safe Android Intent. The set of actions is enumerable.
• Defense in depth. Tools off at the model. Concurrency cap = 1. Body size cap. URL scheme allowlist. One action per turn. None of the actions sends, calls, or spends money silently.
• Per-bearer auth, rate-limited. Bearer token in /etc/aside/token (file-mode 600). 30 req/min per token. Concurrency cap of 1 per token.
• No memory contents in logs. Server log writes record memory_block_hash + size, never the contents. log_redact_memory: true at every layer.
• No bootloader unlock, no root. Runs on a stock device with a permanently-locked bootloader. No Magisk, no Shizuku, no custom ROMs. Anyone who depends on their phone can install Aside without operator-level work.

Distribution & onboarding

From a website visit to a working app, fully automated

Two channels, no manual onboarding work. A user signs up and is in the app, regardless of their familiarity with Play.

• Self-serve waitlist form on g3nr8.ai. Replaces the prior mailto: CTAs that required manual onboarding for every tester.
• Auto-onboarding pipeline. Every signup triggers three parallel actions: a Postgres write, a Gmail SMTP send (with the Play opt-in URL + sideload fallback), and a Workspace Group members.insert via the Admin SDK Directory API.
• Play tester-source wiring attaches the Workspace Group directly to the Closed Testing alpha track via the Play Developer API.
• Play arm readiness gate. A “Aside is ready” email is gated by a server-side sentinel that’s set only after a real install via the Play Closed Testing alpha roster has been verified end-to-end.

Build & operational discipline

The discipline that lets a solo founder ship a high-trust accessibility product

Each rule below exists because of a specific past incident or a specific class of mistake we can’t afford with this user base.

• Single sanctioned release path. One script is the only way an APK or AAB reaches a tester. Refuses to run on a dirty git tree.
• Branding sanity check on the built artifact. Aborts unless package, label, and absence of legacy strings all check out. Born of an incident where a renamed-but-not-rebuilt artifact reached a tester.
• Build identity stamping. Every build carries the 12-char short commit SHA + UTC timestamp, rendered on the main screen. A tester screenshot is enough to identify the exact commit.
• Signing key custody. PKCS12 release keystore + 40-char password live in a credential vault, never in git.
• 3-region HA, automatic failover. Two app + DB regions plus a witness region. Cloudflare Tunnel auto-routes around dead origins; Postgres auto-promotes the secondary in <30s on primary unreachable.
• Nightly encrypted backups + weekly automated restore drill. Off-region storage, validated end-to-end without operator presence.
• Observability. Metrics + logs into Grafana Cloud; backend + frontend exceptions into Sentry. User-impacting issues are detected before the user reports them.

Non-goals

What Aside is deliberately not

Each non-goal is load-bearing: ruling these out is what lets the things above be true.

• Not a full agent OS. Every action is a deliberate addition. There is no “general tool execution.” The action surface is enumerable.
• Not a third-party-vendor product surface. The user’s prompts are never proxied through a vendor’s “AI assistant” product. We use OpenAI’s API for inference (gpt-5-mini) and nothing else leaves the operator’s VPS.
• Not permission-greedy. No permission is requested “just in case.” Each new permission has to be justified by an action that needs it.
• Not a rooted-phone product. No bootloader unlock, no Magisk, no Shizuku, no custom ROMs. Runs on a stock device a disabled user cannot afford to brick.