access-tags-subset-gate
IN premise
A tagged node is visible only when its `access_tags` are a subset of the caller's `visible_to` set; partial overlap (intersection without containment) is insufficient for access.
Summary
Content visibility requires that every tag on a node be present in the caller's allowed set — having some but not all of the required tags is not enough. This prevents information leakage through partial permission matches, ensuring that access control is strictly conjunctive rather than permissive.
Dependents
These beliefs depend on this one:
- access-control-is-transitive-subset-gated — Access control enforces transitive subset-based authorization: visibility requires the caller's tags to be a superset of the node's tags, derived nodes inherit the sorted union of all ancestor tags transitively, and enforcement occurs at read boundaries only — write operations are unrestricted.
Details
| Source | entries/2026/04/29/tests-test_access_tags.md |