Security

1. Authentication
   - Mock: development only; fixed user and tenant, must never be enabled in production
   - Keycloak: OIDC/OAuth2; the API validates the JWT on every request (signature against Keycloak's JWKS, issuer, audience, expiry)
   - LDAP: via Keycloak LDAP user federation (the application never talks to LDAP directly)

2. Authorization (RBAC)
   - Roles: admin, user, viewer
   - Permissions: create_kb, read_kb, delete_kb, chat, upload, etc.
   - Tenant isolation: users see only their own tenant's data; role and tenant checks are both enforced server-side, never trusted from the client

3. Tenant Isolation
   - tenant_id in all queries, taken from the verified token rather than from the request body
   - Postgres RLS policies per table (note: table owners bypass RLS by default, so use FORCE ROW LEVEL SECURITY or connect as a non-owner application role)
   - Qdrant: separate collection per tenant
   - S3: path prefix per tenant, enforced by the application (a bucket policy can additionally restrict the service role to its prefixes)

4. Secrets
   - Env vars / Kubernetes secrets
   - No secrets in code or logs
   - Rotate credentials periodically

5. Sandbox (Code Interpreter)
   - Isolated process/container
   - No network access by default
   - Resource limits: CPU, memory, timeout
   - Allowlist: pandas, matplotlib, numpy (no os, subprocess, etc.); the import allowlist is a usability filter, the container boundary is the security control
   - Output sanitization

6. Content Filters
   - Input validation, max length
   - PII redaction (optional)
   - Output filtering for harmful content
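As an added example covering the Authentication, Authorization and Tenant Isolation items above (this is illustration, not the project's own code): a permission check driven by claims from an already-verified Keycloak JWT, plus the per-transaction statement that lets a Postgres RLS policy see the caller's tenant. Assumptions not taken from the page: roles are read from Keycloak's default `realm_access.roles` claim, a custom `tenant_id` claim is added by a Keycloak protocol mapper, the per-role permission assignment is illustrative, and the `app.tenant_id` setting and `knowledge_bases` table named in the RLS comment are hypothetical.

```python
"""Permission and tenant check driven by claims from an already-verified JWT.
Added example; not the project's own code. Assumed: Keycloak's default
realm_access.roles claim, a custom tenant_id claim from a protocol mapper,
and an illustrative role -> permission assignment."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Roles and permission names are from the page; which role holds which
# permission is an assumption.
ROLE_PERMISSIONS = {
    "admin":  frozenset({"create_kb", "read_kb", "delete_kb", "chat", "upload"}),
    "user":   frozenset({"create_kb", "read_kb", "chat", "upload"}),
    "viewer": frozenset({"read_kb", "chat"}),
}


class AuthError(Exception):
    """Raised for any authentication or authorization failure (fail closed)."""


@dataclass(frozen=True)
class Principal:
    subject: str
    tenant_id: str
    roles: FrozenSet[str]


def principal_from_claims(claims: dict) -> Principal:
    """Build the caller identity from verified JWT claims.

    Signature, issuer, audience and expiry must already have been checked by
    the JWT library (e.g. PyJWT against Keycloak's JWKS endpoint); this only
    reads claims. A missing tenant_id or role is an error, never a default.
    """
    tenant = claims.get("tenant_id")
    if not isinstance(tenant, str) or not tenant:
        raise AuthError("token has no tenant_id claim")
    roles = frozenset(claims.get("realm_access", {}).get("roles", []))
    known = roles & frozenset(ROLE_PERMISSIONS)
    if not known:
        raise AuthError("token carries no application role")
    return Principal(subject=str(claims.get("sub", "")), tenant_id=tenant, roles=known)


def permissions_for(p: Principal) -> FrozenSet[str]:
    perms = set()
    for role in p.roles:
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def authorize(p: Principal, permission: str, resource_tenant_id: str) -> None:
    """Raise AuthError unless the caller holds `permission` and the resource
    belongs to the caller's tenant. The tenant comes from the token, never
    from a tenant_id in the request body or query string."""
    if permission not in permissions_for(p):
        raise AuthError(f"{p.subject}: missing permission {permission}")
    if resource_tenant_id != p.tenant_id:
        # admin is scoped to its own tenant too; there is no cross-tenant role
        raise AuthError(f"{p.subject}: resource belongs to another tenant")


def is_allowed(p: Principal, permission: str, resource_tenant_id: str) -> bool:
    try:
        authorize(p, permission, resource_tenant_id)
        return True
    except AuthError:
        return False


def rls_session_setup(p: Principal) -> Tuple[str, Tuple[str]]:
    """Parameterised statement to run at the start of each transaction so
    Postgres RLS policies can read the caller's tenant. set_config(..., true)
    scopes the value to the transaction. A matching policy (assumed schema):
      CREATE POLICY tenant_isolation ON knowledge_bases
        USING (tenant_id = current_setting('app.tenant_id'));
    Use ALTER TABLE ... FORCE ROW LEVEL SECURITY or a non-owner app role,
    because table owners bypass RLS by default."""
    return ("SELECT set_config('app.tenant_id', %s, true)", (p.tenant_id,))


# Constructed sample claims: what a verified Keycloak access token decodes to
# under the assumed mapper configuration.
USER_CLAIMS = {
    "sub": "user-123",
    "iss": "https://keycloak.example.internal/realms/app",
    "tenant_id": "tenant-a",
    "realm_access": {"roles": ["user", "offline_access"]},
}
ADMIN_CLAIMS = {
    "sub": "admin-1",
    "tenant_id": "tenant-a",
    "realm_access": {"roles": ["admin"]},
}

if __name__ == "__main__":
    user = principal_from_claims(USER_CLAIMS)
    admin = principal_from_claims(ADMIN_CLAIMS)
    print("user read own kb:", is_allowed(user, "read_kb", "tenant-a"))          # True
    print("user delete own kb:", is_allowed(user, "delete_kb", "tenant-a"))      # False
    print("admin read other tenant:", is_allowed(admin, "read_kb", "tenant-b"))  # False
```

The two checks are deliberately separate: RBAC answers "may this role do this action", the tenant comparison answers "is this the caller's data", and RLS repeats the second check inside the database so a query that forgets its `WHERE tenant_id = ...` still returns nothing from other tenants.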
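As an added example for the Sandbox item above (illustration, not the project's own code): a static allowlist check on submitted interpreter code, followed by execution in a child interpreter under process-level resource limits with truncated output. The module allowlist (pandas, matplotlib, numpy) is from the page; the blocked builtins and dunder attributes, the rlimit values, the `-I` invocation and the 64 KiB output cap are assumptions. The static check is a usability filter, not the security boundary: Python reaches `os` through many indirect paths, so the network-less container with CPU, memory and timeout limits is what actually contains the code.

```python
"""Static import/attribute allowlist for the code-interpreter sandbox, applied
before user code reaches the isolated container. Added example; not the
project's own code. Allowed modules come from the page; blocked names,
blocked attributes and resource-limit values are assumptions."""
import ast
import subprocess
import sys
from typing import List

ALLOWED_MODULES = {"pandas", "matplotlib", "numpy"}
# Builtins that load code or touch the host (assumed list).
BLOCKED_NAMES = {"__import__", "eval", "exec", "compile", "open", "input",
                 "breakpoint", "globals", "locals", "vars", "getattr", "setattr"}
# Dunder attributes used by the usual object-graph escapes (assumed list).
BLOCKED_ATTRS = {"__class__", "__bases__", "__mro__", "__subclasses__", "__globals__",
                 "__builtins__", "__dict__", "__loader__", "__import__", "__code__"}


def check_code(source: str) -> List[str]:
    """Return a list of violations; an empty list means the code passed."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]
    violations = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    violations.append(f"line {node.lineno}: import of '{alias.name}' not allowed")
        elif isinstance(node, ast.ImportFrom):
            top = (node.module or "").split(".")[0]
            # relative imports (level > 0) could reach files in the working directory
            if node.level or top not in ALLOWED_MODULES:
                violations.append(f"line {node.lineno}: from-import of '{node.module}' not allowed")
        elif isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            violations.append(f"line {node.lineno}: use of builtin '{node.id}' not allowed")
        elif isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            violations.append(f"line {node.lineno}: attribute '{node.attr}' not allowed")
    return violations


def _apply_limits():
    """preexec hook: rlimits for the child process (Unix only; values assumed)."""
    import resource
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))                        # 5 s CPU
    resource.setrlimit(resource.RLIMIT_AS, (512 * 2**20, 512 * 2**20))     # 512 MiB
    resource.setrlimit(resource.RLIMIT_FSIZE, (10 * 2**20, 10 * 2**20))    # 10 MiB files
    resource.setrlimit(resource.RLIMIT_NPROC, (1, 1))                      # no fork bombs


def run_sandboxed(source: str, timeout: float = 10.0, max_output: int = 64 * 1024) -> dict:
    """Run code in a child interpreter after the static check. In production the
    child lives in a container with no network; the rlimits here are the
    process-level part of "CPU, memory, timeout". Output is truncated as a
    crude form of output sanitization so a runaway print cannot blow up the
    response."""
    violations = check_code(source)
    if violations:
        return {"ok": False, "violations": violations, "stdout": "", "stderr": ""}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],  # -I: isolated mode, no user site or env hooks
            capture_output=True, timeout=timeout,
            preexec_fn=_apply_limits if sys.platform != "win32" else None,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "violations": ["timeout"], "stdout": "", "stderr": ""}
    return {"ok": proc.returncode == 0, "violations": [],
            "stdout": proc.stdout[:max_output].decode("utf-8", "replace"),
            "stderr": proc.stderr[:max_output].decode("utf-8", "replace")}


# Constructed sample submissions.
GOOD = "import numpy as np\nprint(np.arange(3).sum())\n"
ESCAPE = "().__class__.__bases__[0].__subclasses__()\n"

if __name__ == "__main__":
    print(check_code(GOOD))                                # []
    print(check_code(ESCAPE))                              # three attribute violations
    print(check_code("import os\nos.system('id')\n"))      # one import violation
```

The `ESCAPE` sample is the classic object-graph walk that reaches `os` without ever writing `import os`; it is why the attribute list exists and also why the list can never be complete, which is the reason the container, not this filter, carries the security guarantee.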