# AI Security Rules

## Read-Only Execution

The assistant may only perform read operations through Prisma delegates. Raw SQL execution is blocked by design and by AST validation.

## Validation

Every query plan must pass validation before execution:

* table must exist in Prisma metadata
* field references must exist on the selected model
* operation must be read-only
* aggregate columns must be numeric or date-compatible for the aggregate
* filters must target real scalar fields
* limit must be bounded

## RBAC

The assistant checks the active auth session before running. Admin and super admin users have read access. Other users need reporting, dashboard, or module read permissions.

## Branch Scope

Models with a `branchId` field are automatically scoped to an authorized branch. Users without all-branch access cannot remove or bypass this branch filter.

## Audit Logging

Every assistant query records:

* user question
* generated AST
* tables used
* execution time
* returned record count
* response preview
* validation errors, when applicable

Logs are stored in the existing `AuditLog` table with entity `AIQuery`.

## Sensitive Tables

Auth/security fields such as password hashes, token hashes, secrets, and vault data are excluded from assistant output.