Eight trust boundaries
ADR 0004 names the eight boundaries tb-1 through tb-8 — browser, web plane, agent kernel, compute plane, storage, external providers, share/export, and the admin plane. Cross-boundary calls are signed and schema-validated.
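An added example (not the project's code) of what "signed and schema-validated" can look like for one cross-boundary call. The boundary ids tb-1 through tb-8 are from the page; the envelope shape, the field schema, the HMAC-SHA256 construction and the per-boundary key lookup are assumptions made for illustration.

```python
# Added example, not the project's code: a signed, schema-validated envelope for a
# cross-boundary call. The envelope fields, the schema and the key lookup are
# assumptions; tb-1..tb-8 are the boundary ids named in ADR 0004.
import hashlib
import hmac
import json

BOUNDARIES = {f"tb-{i}" for i in range(1, 9)}

# Hypothetical minimal schema: field name -> required Python type.
CALL_SCHEMA = {"src": str, "dst": str, "op": str, "tenant_id": str, "nonce": str}

# Constructed per-boundary shared keys. A real deployment would fetch these from
# the secrets service rather than embed literals.
_KEYS = {"tb-2": b"constructed-web-plane-key", "tb-3": b"constructed-kernel-key"}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so sender and receiver sign identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes) -> str:
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def validate_schema(payload: dict) -> list[str]:
    """Return the list of problems; an empty list means the payload matches CALL_SCHEMA."""
    problems = []
    for field, typ in CALL_SCHEMA.items():
        if field not in payload:
            problems.append(f"missing {field}")
        elif not isinstance(payload[field], typ):
            problems.append(f"{field} must be {typ.__name__}")
    for field in payload:
        if field not in CALL_SCHEMA:
            problems.append(f"unexpected field {field}")
    for side in ("src", "dst"):
        if isinstance(payload.get(side), str) and payload[side] not in BOUNDARIES:
            problems.append(f"{side} is not a known boundary")
    return problems


def accept_call(envelope: dict, receiver: str) -> tuple[bool, str]:
    """Receiver-side check: verify the signature first, then the schema, then addressing."""
    payload, sig = envelope.get("payload"), envelope.get("sig")
    if not isinstance(payload, dict) or not isinstance(sig, str):
        return False, "malformed envelope"
    src = payload.get("src")
    key = _KEYS.get(src) if isinstance(src, str) else None
    if key is None:
        return False, "no key for sender"
    # Constant-time comparison; the signature is checked before any field is trusted.
    if not hmac.compare_digest(sign(payload, key), sig):
        return False, "bad signature"
    problems = validate_schema(payload)
    if problems:
        return False, "; ".join(problems)
    if payload["dst"] != receiver:
        return False, "envelope not addressed to this boundary"
    return True, "ok"


def make_envelope(payload: dict) -> dict:
    """Sender side: sign the canonical payload with the sender boundary's key."""
    return {"payload": payload, "sig": sign(payload, _KEYS[payload["src"]])}


if __name__ == "__main__":
    call = {"src": "tb-2", "dst": "tb-3", "op": "run", "tenant_id": "t-1", "nonce": "n-1"}
    print(accept_call(make_envelope(call), "tb-3"))
```

The order matters: the receiver rejects on signature before it looks at any field, so schema errors are never reported for unauthenticated input, and a payload that verifies but is addressed to another boundary is still refused.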
Four classifications
Every record is one of: public, org-internal, tenant-restricted, or secret. Routes, declassifiers, and telemetry redaction all reason about this label — there is no implicit "this is fine to share."
Deny-by-default egress
ADR 0005 routes all outbound traffic through a proxy with frozen rate-limit guards. Edge functions cannot ad-hoc fetch external hosts; knowledge fetchers go through signed providers.
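An added example (not the project's code) of a deny-by-default egress decision with a frozen per-provider rate-limit guard, as the page describes for ADR 0005. The provider name, the allowed host and the limit are constructed; "signed providers" is modelled here simply as a registered provider name, with the cryptographic check left out.

```python
# Added example, not the project's code: deny-by-default egress with frozen
# rate-limit guards. Provider names, hosts and limits are constructed.
from dataclasses import dataclass
from types import MappingProxyType
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProviderRule:
    hosts: frozenset[str]      # exact hostnames this provider may reach
    max_per_minute: int        # fixed-window limit per provider


# MappingProxyType plus frozen dataclasses: an edge function holding a reference
# to POLICY cannot add a host or raise a limit at runtime.
POLICY = MappingProxyType({
    "docs-provider": ProviderRule(frozenset({"docs.example.com"}), 60),
})


class EgressGuard:
    def __init__(self, policy=POLICY):
        self._policy = policy
        self._windows: dict[str, list[int]] = {}  # provider -> [window_start_ms, count]

    def decide(self, provider, url: str, now_ms: int) -> tuple[bool, str]:
        """Return (allowed, reason). Anything not explicitly permitted is denied."""
        if not provider:
            return False, "ad-hoc fetch without a provider is denied"
        rule = self._policy.get(provider)
        if rule is None:
            return False, f"unknown provider {provider}"
        # Parse the URL and compare the hostname exactly; substring matching on
        # the raw string would let userinfo or path tricks slip through.
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False, "only https is allowed"
        host = parts.hostname
        if host not in rule.hosts:
            return False, f"host {host} is not in the allowlist for {provider}"
        window = self._windows.get(provider)
        if window is None or now_ms - window[0] >= 60_000:
            self._windows[provider] = [now_ms, 1]
            return True, "allowed"
        if window[1] >= rule.max_per_minute:
            return False, f"rate limit {rule.max_per_minute}/min exceeded for {provider}"
        window[1] += 1
        return True, "allowed"


if __name__ == "__main__":
    guard = EgressGuard()
    print(guard.decide("docs-provider", "https://docs.example.com/index", 0))
    print(guard.decide(None, "https://docs.example.com/index", 0))
```

Every branch that is not the final allow returns a reason string, which is what the proxy would log; the telemetry then shows which guard refused a request rather than only that something failed.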
Declassifier projection
ADR 0006 freezes a typed declassifier that share, fork, export, and notify routes pass through. A tenant-restricted field never silently becomes public — the declassifier records what was stripped, with byte counts and reasons.
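An added example (not the project's code) that covers both the four classifications above and the declassifier projection described for ADR 0006: each field carries one of the four labels, the projection keeps only what the audience may see, and every stripped field is recorded with its byte count and a reason. The label ordering, the audience parameter, the field and record shapes, and the sample record are assumptions; the four label names are the page's.

```python
# Added example, not the project's code: a typed declassifier projection over
# labelled fields. Labels are the page's four classifications; rank order,
# audience parameter, field/record shapes and the sample record are assumptions.
import json
from dataclasses import dataclass
from typing import Any

LABELS = ("public", "org-internal", "tenant-restricted", "secret")
RANK = {label: i for i, label in enumerate(LABELS)}


@dataclass(frozen=True)
class LabeledField:
    value: Any
    label: str


@dataclass(frozen=True)
class StrippedField:
    field: str
    label: str
    bytes: int      # size of the value that was withheld
    reason: str


def _byte_count(value: Any) -> int:
    return len(json.dumps(value, sort_keys=True, default=str).encode("utf-8"))


def declassify(record: dict[str, LabeledField], audience: str) -> tuple[dict, list[StrippedField]]:
    """Project `record` for `audience`; return (projected values, stripped-field log)."""
    if audience not in RANK:
        raise ValueError(f"unknown audience {audience!r}")
    projected: dict[str, Any] = {}
    stripped: list[StrippedField] = []
    for name, field in record.items():
        size = _byte_count(field.value)
        if field.label not in RANK:
            # An unlabelled or mislabelled field is never projected: treat it as secret.
            stripped.append(StrippedField(name, field.label, size, "unknown label is treated as secret"))
        elif field.label == "secret":
            stripped.append(StrippedField(name, field.label, size, "secret fields are never projected"))
        elif RANK[field.label] > RANK[audience]:
            stripped.append(StrippedField(name, field.label, size, f"{field.label} exceeds audience {audience}"))
        else:
            projected[name] = field.value
    return projected, stripped


# Constructed sample record with one field per classification.
SAMPLE = {
    "title": LabeledField("Q3 roadmap", "public"),
    "owner_email": LabeledField("alice@example.org", "org-internal"),
    "tenant_notes": LabeledField("pricing exception for tenant 42", "tenant-restricted"),
    "api_token": LabeledField("tok_placeholder", "secret"),
}


if __name__ == "__main__":
    projected, stripped = declassify(SAMPLE, "public")
    print(projected)
    for s in stripped:
        print(f"stripped {s.field} ({s.label}, {s.bytes} bytes): {s.reason}")
```

Two points the code makes explicit: a secret field is withheld even from the highest audience, so no route can "opt in" to it, and a field whose label is outside the four known values is withheld rather than passed through, which is the deny-by-default counterpart to the page's "no implicit this is fine to share".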
Secrets baseline
ADR 0008: zero long-lived keys. Encrypted storage for secrets. AWS workload identity. No source-controlled credentials. Tenant-managed secrets via the secrets service.
Incident response
The docs/runbooks/security-incident.md runbook covers severity ladders (info / warning / risky), on-call routing per trust boundary, and freeze/response procedures.