{% extends "base.html" %}
Private Workspace Data Boundary

Identity can add workspace scope, not weaker safety.

Paid private workspace access is planned around authorized private context. It does not weaken tenant isolation, redaction, protected review, destructive-action safeguards, or audit requirements.

Current State

Public is usable; private remains planned.

These pages are planning and readiness surfaces only. They do not create accounts, start checkout, accept private documents, or enable private workspace answers.

Public knowledge: free and available
Billing: {% if status.billingLive %}active{% else %}planned, not live{% endif %}
Private ingestion: {% if status.privateIngestionLive %}active{% else %}planned, not live{% endif %}
Private Ask/Search: {% if status.privateAskLive or status.privateSearchLive %}active{% else %}planned, not live{% endif %}
{% if page_kind == "readiness" %}
Readiness Matrix

What is available, planned, blocked, and operator-controlled

{% endif %} {% if page_kind == "lifecycle" %}
Lifecycle Preview

Future private workspace flow

{% endif %} {% if page_kind == "data_boundary" %}
Data Boundary

Paid private access cannot weaken core safety

Public knowledge stays public and free

Public KB, public Ask, public discovery, and safety guidance remain available without paid private workspace access.

Paid value comes from authorized private workspace data

Private value is planned around workspace-scoped private sources, search, answers, audit, retention, and team controls.

Identity expands authorized workspace scope only

Knowing who a user is may allow workspace-scoped access in the future; it does not grant global or cross-tenant access.

Payment is not a safety bypass

Paid users still cannot bypass redaction, tenant isolation, protected review, destructive-action safeguards, or audit requirements.

No cross-tenant access

Private reads, citations, exports, and answers must be limited to the authorized workspace.

No credential exposure

Public and private routes must keep credentials, tokens, provider values, account secrets, and database settings out of browser-visible output.

No raw traces or stack traces

Diagnostics and errors must use compact categories and redaction flags instead of trace details.

No protected reviewer or admin data exposure

Protected reviewer values, private drafts, protected raw records, and admin-only output stay server-side.

No destructive mutation without confirmation, idempotency, and audit

Future private workspace mutations need explicit confirmation, idempotency, authorization, and audit-safe records.

{% endif %}
Machine-readable planning

Public-safe APIs define the future contract.

Agents can inspect the readiness, lifecycle, retention, audit, and future request schema without submitting private content or triggering a protected workflow.