06 / audience acl

Audience ACL Security

Cross-tenant injection defense is enforced in SQL, Qdrant filters, and hydrate re-checks.

Phase 1 Beta

Cross-tenant injection: blocked at SQL layer · 0 incidents · last red-team test passed May 5, 2026

Cross-tenant requests never reach another workspace's rows. Qdrant payload filters and hydrate checks repeat the same boundary.

Step 1

source chunk

Step 2

audience tag

Step 3

scoped key

Step 4

Qdrant retrieval filter

Step 5

blocked result

Security posture widget

The cross-tenant moat uses Postgres RLS before retrieval, Qdrant payload filters during vector search, Qdrant collection payloads for audience tags, Qdrant result hydration checks, Qdrant cache keys with scope hashes, and Qdrant false-positive evals. Qdrant is never trusted alone: SQL scope, Qdrant scope, and response assembly must all agree before a chunk reaches the model. This cross-tenant path is red-team tested against malicious chunks and malicious prompts.

Cross-tenant denial probe

Workspace boundary

Switch workspace, run the query, and the MSW recall endpoint returns only that tenant's scoped result or a cross-tenant denial.