Zero-Trust Architecture

Per-request nonce CSP + security headers; edge-verified jose JWT sessions injected as identity headers.

PostgreSQL Row-Level Security — a query from one tenant cannot return another tenant’s data.

AES-256-GCM with per-tenant HKDF-derived keys; the platform KEK + per-tenant salt derive the DEK (never stored).

Append-only audit_logs enforced by a database trigger; every sensitive action emits an entry.

Natural-language→SQL runs behind a fail-closed lexical gate, proven by deterministic tests on every build.

Decommission destroys the per-tenant salt — ciphertext, including backups, becomes permanent mathematical noise.