Answering without exporting: a query model for context-graph privacy

Mynd Labs Trust Group, 2026-03-18

Abstract

The context graph is the most valuable and most dangerous structure we operate: a typed graph of a user's documents, schedule, tasks, and relationships. This note describes its query model, in which downstream consumers never receive subgraphs — only answers. Queries are compiled to scoped traversals with declared output types, traversal scope is checked against the grant ledger before execution, and result payloads are bounded by an export budget measured in fields, not bytes.

Threat model

The realistic adversary is not an intruder; it is our own future product code, under deadline, asking for more context than its task needs. Once a subgraph is exported to a feature process, the graph's guarantees no longer govern it. The design goal is therefore blunt: raw subgraphs never leave the graph service.

Queries as contracts

A consumer does not request nodes; it submits a query with a declared output type and a stated task identity. The planner compiles the query to a traversal, computes the scope the traversal touches, and validates that scope against the user's grant ledger and the task's read budget before a single node is visited. The answer returned is the declared type — a boolean, a date, a ranked list of opaque handles — never the evidence used to derive it.

query next_deadline
  task     morning-brief
  declare  output: {title, due: date}    max 3 fields
  traverse user -> projects -> tasks     scope: work.read
  check    scope ⊆ grants(user)          ✓
  check    fields(output) <= budget(task) ✓
  answer   {title: "Aria brief", due: thu}

Export budgets

Byte limits are the wrong unit; a single embedding can leak a document. Budgets are counted in typed fields per task per day, set so the cheapest correct implementation passes and a scraping implementation cannot. Field counts are recorded to the same audit trail as accesses (see R-004), making over-extraction visible as a budget anomaly rather than a forensic discovery.
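The check order from "Queries as contracts" combined with the per-task, per-day field budget described above, as an added Python example (not Mynd Labs code). The class and function names, the verdict strings, the sample grant, the daily budget of 3 and the evidence record are constructed assumptions.

```python
from dataclasses import dataclass, field

class QueryRejected(Exception):
    """Raised before any node is visited."""

@dataclass(frozen=True)
class Query:
    name: str
    task: str
    output_fields: tuple      # declared output type, e.g. ("title", "due")
    scopes: frozenset         # scopes the compiled traversal would touch

@dataclass
class Planner:
    grants: dict              # user -> granted scopes (stand-in for the grant ledger)
    daily_budget: dict        # task -> typed fields exportable per day
    spent: dict = field(default_factory=dict)   # (task, day) -> fields already exported
    audit: list = field(default_factory=list)   # field counts logged beside the verdict

    def execute(self, user, query, day, traverse):
        """Check scope and budget, then traverse and return only the declared fields."""
        n = len(query.output_fields)
        used = self.spent.get((query.task, day), 0)
        if query.scopes - self.grants.get(user, set()):
            verdict = "deny:scope"       # scope is not a subset of grants(user)
        elif used + n > self.daily_budget.get(query.task, 0):
            verdict = "deny:budget"      # counted in fields, not bytes
        else:
            verdict = "allow"
        self.audit.append((day, user, query.task, query.name, n, verdict))
        if verdict != "allow":
            raise QueryRejected(verdict)
        self.spent[(query.task, day)] = used + n
        evidence = traverse()            # runs only after both checks pass
        return {f: evidence[f] for f in query.output_fields}  # evidence is not exported

def demo():
    # Constructed input: one user, one grant, a 3-field daily budget for the task.
    planner = Planner(grants={"u1": {"work.read"}}, daily_budget={"morning-brief": 3})
    q = Query("next_deadline", "morning-brief", ("title", "due"), frozenset({"work.read"}))
    visits = []
    def traverse():
        visits.append(1)
        return {"title": "Aria brief", "due": "thu", "body": "full document text"}
    first = planner.execute("u1", q, "2026-03-18", traverse)
    try:
        second = planner.execute("u1", q, "2026-03-18", traverse)  # 2 + 2 > 3
    except QueryRejected as e:
        second = str(e)
    return first, second, len(visits), planner.audit
```

The second call in `demo()` is rejected without traversing, and the audit list still records its requested field count, which is what makes repeated over-asking show up as a budget anomaly.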

Limitations are real: aggregate answers still leak bits over many queries, and we do not yet apply formal differential-privacy accounting to budget depletion. That accounting is the active line of work; the architecture was shaped so it can be added without changing a single consumer.

cite as: Mynd Labs Research Note R-002 (2026)