Isolation that holds across every path
RLS alone is not enough — CDC, backup/restore, replication, TRUNCATE, constraints, and cross-backend paths can bypass tenant isolation unless they’re explicitly closed. UDB closes them, and treats HA, tenant isolation, compliance, and SDK parity as release gates, not marketing claims.
Per-tenant RLS
Row-level security with the tenant context set via SET LOCAL, so it is scoped to the transaction and safe under connection pooling. Where a backend can’t enforce engine RLS, the broker applies tenant predicates on every read and write — and capability reporting never claims RLS it can’t enforce.
Field-level encryption
AES-256-GCM-SIV encryption-at-rest for UDB-owned sensitive state: outbox/CDC payloads, object/native-service state, and auth secrets — with active-version selection, old-version decrypt, and a key rotation / compromise workflow.
mTLS by default
Mutual TLS for internal gRPC — broker-to-broker, the control-plane listener, internal workers, and the WebRTC peer listener. UDB_REQUIRE_SECURE_TRANSPORT hardens client-facing transport; enterprise mode refuses insecure transport unless explicitly configured for development.
Tenant isolation, everywhere data moves
| Path | How UDB closes it |
|---|---|
| Request body tenant | Native handlers validate the decoded request tenant/project against the authenticated principal — a body tenant_id can’t override the bearer scope. |
| CDC streams | Tenant-scoped topics refuse to emit or stream without tenant scope; replay/live events are filtered by tenant/project, and the envelope carries tenant + redaction status. |
| Backup / restore | Unscoped backup/export is rejected; cross-tenant restore is blocked unless an explicit privileged override is present. |
| Replication | Publications require a tenant scope or explicit tenant filter; unknown scope fails closed. |
| RLS-bypass ops | TRUNCATE, FK cascades, unique/PK leakage, and privileged maintenance are guarded. |
| Endpoint security | A descriptor-driven method-security tower layer enforces auth mode, scopes/roles, tenant/project equality, CSRF, internal-only, and credential-type contracts per RPC. |
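The RLS pattern described under Per-tenant RLS, together with the TRUNCATE, FK-cascade and unique/PK guards listed in the table, as an added PostgreSQL example. This is not UDB's own schema or code; the table names, the `app.tenant_id` setting and the `app_role` role are assumptions chosen for illustration.

```sql
-- Added example (not UDB's schema): Postgres RLS keyed on a transaction-local
-- setting, plus guards for the bypass paths named in the table above.
-- Assumed names: app.tenant_id (custom GUC), app_role (the broker's DB role).

CREATE TABLE tenants (
    id uuid PRIMARY KEY
);

CREATE TABLE documents (
    id        uuid NOT NULL,
    -- No ON DELETE CASCADE: referential-integrity actions bypass row policies,
    -- so a cascading delete would remove rows the policy never evaluated.
    tenant_id uuid NOT NULL REFERENCES tenants(id) ON DELETE RESTRICT,
    slug      text NOT NULL,
    body      text,
    PRIMARY KEY (tenant_id, id),
    -- Unique on (tenant_id, slug), not slug alone: a bare UNIQUE (slug) lets a
    -- tenant learn that another tenant's slug exists from the violation error.
    UNIQUE (tenant_id, slug)
);

-- Enable RLS and FORCE it so the table owner is subject to the policy too.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Fail closed: NULLIF(current_setting(..., true), '') is NULL when the setting
-- is absent or reset, and NULL = tenant_id is never true, so a request that
-- forgot to set tenant context sees and writes nothing rather than everything.
CREATE POLICY tenant_isolation ON documents
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- TRUNCATE is not subject to row policies, so the application role must not
-- hold it (the REVOKE is explicit even though it was never granted), and the
-- application role must not own the table.
CREATE ROLE app_role NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_role;
REVOKE TRUNCATE ON documents FROM app_role;

-- Per-request usage from the broker: SET LOCAL lasts only until COMMIT or
-- ROLLBACK, so the tenant context cannot leak into the next pool checkout.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO documents (id, tenant_id, slug, body)
    VALUES (gen_random_uuid(), current_setting('app.tenant_id')::uuid, 'readme', 'hello');
SELECT id, slug FROM documents;   -- only this tenant's rows are visible
COMMIT;
-- After COMMIT the connection goes back to the pool with app.tenant_id cleared.
```

Running the `SELECT` outside a transaction that set `app.tenant_id`, or after a `RESET`, returns zero rows instead of every tenant's rows; that empty result is the fail-closed behaviour the policy is built around, and a broker can assert on it as a startup self-check.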
When something’s wrong, UDB denies
- ✓ Revocation-store errors deny in fail-closed mode; a short-TTL cluster jti denylist accelerates cross-node revocation.
- ✓ Signing-key / JWKS errors fail closed; rotation actually re-signs with the active key, and compromised keys are excluded.
- ✓ Descriptor decode failure aborts startup — a corrupt contract never serves traffic.
- ✓ Audit sink validation rejects invalid or non-redacted events in enterprise mode, before insert.
- ✓ Transactional audit — every multi-op auth mutation commits with its audit/outbox event or rolls back.
- ✓ API-key rate-limit store errors fail closed in production.
One compliance audit envelope
Every lane — authn, authz, API keys, IdP, tenant, notification, storage, asset, WebRTC, policy governance, emergency ops, and CDC delivery — emits the same envelope: actor, auth method, decision id, policy revision, operation, resource, trace/correlation, and redaction status. A production incident can be traced from SDK request → gRPC handler → auth decision → backend op → outbox event → CDC publish → audit export.
SOC 2 Type 2
Hardened config profile, evidence collection, audit-log retention, access review, and incident response workflows.
ISO 27001 / 27017
Named posture requirements enforced by config validation, with a checked-in hardened YAML that passes production validation.
PCI / HIPAA
A deployment posture mapped to real UDB_* settings and proven by tests — a tested posture, not just a document.