Access Control Matrix
Conduit uses role-based access control across four organizational roles. Permissions are enforced at multiple layers: route guards (web app), API guards (server actions), RLS policies (database), and gateway-level checks (proxy).
Roles
MLS Admin — Administrators of an MLS organization. Full control over governance policies, vendor access, audit logs, and revenue dashboards for their MLS.
Vendor — AI vendor organizations with approved access to query MLS data through the governed proxy. Scoped to their own usage, billing, and audit trails.
Developer — Legacy developer organizations using the gateway for non-governed MCP server access. Scoped to their own servers and usage.
Platform Admin — Conduit platform operators with service-role database access. Used for incident response, billing reconciliation, and system maintenance.
Permission matrix
| Resource | MLS Admin | Vendor | Developer | Platform Admin |
|---|---|---|---|---|
| MLS profiles | CRUD (own) | Read | — | CRUD (all) |
| Governance policies | CRUD (own) | — | — | CRUD (all) |
| Policy field rules | CRUD (own) | — | — | CRUD (all) |
| Vendor access grants | CRUD (own) | Read + Request | — | CRUD (all) |
| Audit logs | Read (own MLS) | Read (own) | — | Read (all) |
| Revenue ledger | Read (own) | — | — | Read (all) |
| Vendor profiles | Read | CRUD (own) | — | CRUD (all) |
| API keys | CRUD (own org) | CRUD (own org) | CRUD (own org) | CRUD (all) |
| MCP servers | — | — | CRUD (own org) | CRUD (all) |
| Organizations | Read/Update (own) | Read/Update (own) | Read/Update (own) | CRUD (all) |
| Users | Read (own org) | Read (own org) | Read (own org) | CRUD (all) |
| Stripe transfers | — | — | — | CRUD (all) |
| OAuth tokens | — | — | — | CRUD (all) |
| RESO field registry | Read | Read | Read | CRUD (all) |
CRUD = Create, Read, Update, Delete. "Own" = scoped to the user's organization. "—" = no access.
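The matrix above can be transcribed directly into a data table and evaluated by a single deny-by-default function. The following is an added example, not Conduit's own code: the role, action and resource names, the `isAllowed` function and the `Principal` type are assumptions for illustration, and the "Read + Request" grant for vendors on vendor access grants is assumed to be scoped to the vendor's own organization, as the role description implies.

```typescript
// Added example: the permission matrix as data plus a deny-by-default check.
// Names below are illustrative assumptions, not Conduit's own identifiers.

type Role = "mls_admin" | "vendor" | "developer" | "platform_admin";
type Action = "create" | "read" | "update" | "delete" | "request";
type Scope = "own" | "all" | "none";

// A grant is the set of actions a role may perform on a resource, and whether
// it applies only to rows of the caller's organization ("own") or to all rows.
interface Grant { actions: ReadonlySet<Action>; scope: Scope }

const NONE: Grant = { actions: new Set<Action>(), scope: "none" };
const crud = (scope: Scope): Grant =>
  ({ actions: new Set<Action>(["create", "read", "update", "delete"]), scope });
const read = (scope: Scope): Grant => ({ actions: new Set<Action>(["read"]), scope });
const readUpdate = (scope: Scope): Grant =>
  ({ actions: new Set<Action>(["read", "update"]), scope });

// One entry per resource row of the matrix, one grant per role column.
const MATRIX: Record<string, Record<Role, Grant>> = {
  mls_profiles:         { mls_admin: crud("own"), vendor: read("all"), developer: NONE, platform_admin: crud("all") },
  governance_policies:  { mls_admin: crud("own"), vendor: NONE, developer: NONE, platform_admin: crud("all") },
  policy_field_rules:   { mls_admin: crud("own"), vendor: NONE, developer: NONE, platform_admin: crud("all") },
  vendor_access_grants: { mls_admin: crud("own"),
                          // "Read + Request": assumed scoped to the vendor's own organization
                          vendor: { actions: new Set<Action>(["read", "request"]), scope: "own" },
                          developer: NONE, platform_admin: crud("all") },
  audit_logs:           { mls_admin: read("own"), vendor: read("own"), developer: NONE, platform_admin: read("all") },
  revenue_ledger:       { mls_admin: read("own"), vendor: NONE, developer: NONE, platform_admin: read("all") },
  vendor_profiles:      { mls_admin: read("all"), vendor: crud("own"), developer: NONE, platform_admin: crud("all") },
  api_keys:             { mls_admin: crud("own"), vendor: crud("own"), developer: crud("own"), platform_admin: crud("all") },
  mcp_servers:          { mls_admin: NONE, vendor: NONE, developer: crud("own"), platform_admin: crud("all") },
  organizations:        { mls_admin: readUpdate("own"), vendor: readUpdate("own"), developer: readUpdate("own"), platform_admin: crud("all") },
  users:                { mls_admin: read("own"), vendor: read("own"), developer: read("own"), platform_admin: crud("all") },
  stripe_transfers:     { mls_admin: NONE, vendor: NONE, developer: NONE, platform_admin: crud("all") },
  oauth_tokens:         { mls_admin: NONE, vendor: NONE, developer: NONE, platform_admin: crud("all") },
  reso_field_registry:  { mls_admin: read("all"), vendor: read("all"), developer: read("all"), platform_admin: crud("all") },
};

// The caller, as established server-side (session or API key), never from client input.
interface Principal { role: Role; orgId: string }

// Returns true only when the matrix grants the action AND the scope matches.
// targetOrgId is the organization that owns the row (or, for create, the
// organization the new row would belong to).
function isAllowed(p: Principal, resource: string, action: Action, targetOrgId: string): boolean {
  const row = MATRIX[resource];
  if (!row) return false;                                  // unknown resource: deny
  const grant = row[p.role];
  if (grant.scope === "none" || !grant.actions.has(action)) return false;
  if (grant.scope === "all") return true;                  // platform-wide grant
  return p.orgId === targetOrgId;                          // "own": same organization only
}

// Lists the actions a role may take on a resource, useful for rendering UI affordances
// from the same table the guards use, so the two cannot drift apart.
function permittedActions(role: Role, resource: string): Action[] {
  const grant = MATRIX[resource]?.[role];
  return grant && grant.scope !== "none" ? [...grant.actions] : [];
}
```

Because every route guard, server action and UI menu can consult the same table, a change to the matrix is made in one place; the database RLS policies described below remain the independent second line that catches any application-level mismatch.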
Enforcement mechanisms
Route guards (web app)
Next.js middleware and layout-level checks redirect unauthorized users. Organization type determines dashboard routing: /mls/* for MLS orgs, /vendor/* for vendor orgs, /dashboard/* for developers.
API guards (server actions)
Server actions and API route handlers verify the authenticated user's organization type and ownership before performing mutations. Organization ID is derived from the Supabase auth session, never from client input.
RLS policies (database)
Every table has row-level security enabled. Policies use auth.uid() and get_user_org_id() to enforce organization-scoped access. Even if application-level checks fail, the database refuses unauthorized queries.
Gateway-level checks (proxy)
The Cloudflare Workers proxy validates API key ownership, organization type, and governance context before proxying any request. Vendor requests require an approved mls_vendor_access record with active billing status. Non-vendor requests require server ownership.
Defense in depth