Security & trust
Private by default. Isolated by tenant. Audited end to end.
The whole product is a trust argument. These are the guarantees the architecture enforces — not policies we promise, but mechanisms the system can’t bypass.
Private by default
Nothing is shared until you explicitly grant it. An external agent sees only the nodes you've released — never the raw store.
Tenant isolation (RLS)
Every row is scoped to a workspace and enforced at the database with row-level security. There is no query path that returns another tenant's data.
Append-only audit log
Every access and action records who, what, the decision (allow / deny / propose), the outcome, and why. The log only grows — it's a moat, not a courtesy.
Credentials in a vault
Per-workspace connector keys live in an encrypted vault, reachable only by background workers — never shipped to the browser.
No autonomous action
The system can propose a real-world action, but executing it always requires human approval. Propose-not-commit is enforced by hooks, not by convention.
No unsourced facts
A fact or decision without provenance is blocked before it's returned. If U.md can't show the source, it doesn't assert it.
The one non-negotiable test
Cross-tenant isolation is proven on every change.
A blocking test seeds two separate workspaces and asserts — through the same client every user hits — that neither can read or write a single row belonging to the other. If any table could leak, the change can’t ship. It’s the most important test in the codebase.
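The row-level-security scoping and the two-workspace test described above, shown as an added example that is not U.md's own code or schema. It assumes PostgreSQL; the `notes` table, the `app_user` role and the `app.workspace_id` setting are hypothetical names, and the UUIDs are constructed.

```sql
-- Added example, PostgreSQL assumed; notes, app_user and app.workspace_id are hypothetical.
-- Run as a superuser in a scratch database; the final ROLLBACK leaves nothing behind.
BEGIN;
CREATE ROLE app_user NOLOGIN;                -- non-superuser role that requests run as
CREATE TABLE notes (workspace_id uuid NOT NULL, body text NOT NULL);
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO app_user;

ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;  -- the table owner is bound by the policy too

-- USING filters rows that can be read, updated or deleted; WITH CHECK rejects written rows.
-- An unset app.workspace_id yields NULL, so the comparison matches nothing (fails closed).
CREATE POLICY workspace_isolation ON notes
    USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
    WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);

-- Isolation test: seed two workspaces (constructed UUIDs), then act as B against A's row.
SET LOCAL ROLE app_user;
SELECT set_config('app.workspace_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO notes VALUES ('11111111-1111-1111-1111-111111111111', 'A private');
SELECT set_config('app.workspace_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO notes VALUES ('22222222-2222-2222-2222-222222222222', 'B private');

DO $$
DECLARE
    a CONSTANT uuid := '11111111-1111-1111-1111-111111111111';
    n bigint;
BEGIN
    SELECT count(*) INTO n FROM notes;       -- B must still see exactly its own row
    IF n <> 1 THEN RAISE EXCEPTION 'expected 1 visible row, got %', n; END IF;

    SELECT count(*) INTO n FROM notes WHERE workspace_id = a;
    IF n <> 0 THEN RAISE EXCEPTION 'read leak: % rows of A visible to B', n; END IF;

    UPDATE notes SET body = 'tampered' WHERE workspace_id = a;
    GET DIAGNOSTICS n = ROW_COUNT;
    IF n <> 0 THEN RAISE EXCEPTION 'write leak: B updated % rows of A', n; END IF;

    BEGIN
        INSERT INTO notes VALUES (a, 'planted by B');
        RAISE EXCEPTION 'write leak: B inserted a row into A';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;                                -- WITH CHECK rejected the row, as required
    END;
END $$;
ROLLBACK;
```

Run it with `psql -v ON_ERROR_STOP=1` so any raised exception fails the pipeline. The own-row count check guards against a policy that passes the leak assertions only because it hides every row.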