Cross-agent isolation
Effective identity comes from authenticated key or session metadata, not the request body.
Default scope
Private lanes such as working, session, and private_agent are visible only to the same effective agent/app/run. Shared owner facts require promotion to canonical durable state with a clean trust bucket.
Enforcement points
Scope filters run before scoring, after fusion, after graph expansion, after Google Memory Bank merge, after profile assembly, and before prompt formatting. Vectorize metadata filters are coarse; D1 hydration is the final authority.
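A sketch of the final-authority check at hydration, added here as an example and not taken from the project's code. The field names (ownerId, agentId, appId, runId, lane, state, trustBucket), the "shared" lane name, the "canonical" and "clean" encodings, and the reading of agent/app/run as all three having to match are assumptions.

```javascript
// Added example; field names and value encodings are assumptions.
const PRIVATE_LANES = new Set(["working", "session", "private_agent"]);

// Identity is taken only from authenticated session metadata. The request
// body is accepted as a parameter to make explicit that it is never read.
function effectiveIdentity(authSession, _requestBody) {
  const { ownerId, agentId, appId, runId } = authSession || {};
  if (!ownerId || !agentId || !appId || !runId) {
    throw new Error("unauthenticated or incomplete session metadata");
  }
  return Object.freeze({ ownerId, agentId, appId, runId });
}

// Per-row check applied to hydrated records, independent of upstream filters.
function isVisible(id, row) {
  if (row.ownerId !== id.ownerId) return false;
  if (PRIVATE_LANES.has(row.lane)) {
    return row.agentId === id.agentId && row.appId === id.appId && row.runId === id.runId;
  }
  if (row.lane === "shared") {
    return row.state === "canonical" && row.trustBucket === "clean";
  }
  return false; // unknown lane: fail closed
}

// Candidate ids come from a coarse upstream filter; every one is re-checked,
// and ids that do not hydrate to a record are dropped.
function scopeFilter(id, candidateIds, rowsById) {
  return candidateIds
    .map((cid) => rowsById.get(cid))
    .filter((row) => row !== undefined && isVisible(id, row));
}

// Constructed sample rows.
const mine = { ownerId: "o1", agentId: "a1", appId: "p1", runId: "r1" };
const SAMPLE_ROWS = new Map([
  ["m1", { id: "m1", ...mine, lane: "working" }],
  ["m2", { id: "m2", ...mine, agentId: "a2", lane: "private_agent" }],
  ["m3", { id: "m3", ownerId: "o1", lane: "shared", state: "canonical", trustBucket: "clean" }],
  ["m4", { id: "m4", ownerId: "o1", lane: "shared", state: "candidate", trustBucket: "clean" }],
  ["m5", { id: "m5", ownerId: "o1", lane: "shared", state: "canonical", trustBucket: "tainted" }],
  ["m6", { id: "m6", ownerId: "o2", lane: "shared", state: "canonical", trustBucket: "clean" }],
]);
```

Calling scopeFilter again after each later stage (fusion, graph expansion, merge, profile assembly) keeps a record introduced by that stage from bypassing the check.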