Draft v0.4 — Ready For Build
LIFE Company Knowledge Base
A focused, secure knowledge base for LIFE — built so humans and AI agents can read, write, and review company knowledge with strong access controls and minimal complexity.
Executive Summary
What we're building, in one paragraph
A small web service that becomes the single way LIFE employees and AI tools (Claude Code, Codex, Cowork) read, search, write, review, and publish company knowledge. Content stays in markdown — readable, portable, AI-friendly. Access is gated by Google Workspace login and group membership. Confidential and restricted material requires human review before it becomes canonical.
4–8 wks
Estimated build with AI agents
~$35/mo
Indicative infrastructure cost
3
Sensitivity classifications
5
Components in the system
In one sentence
The Knowledge Base is a controlled door in front of LIFE's company knowledge: every read and write goes through one service that checks who you are, what your AI tool is allowed to see, and whether the content needs human review before publication.
Why Build This
The problem we're solving
LIFE has knowledge scattered across Notion, Google Docs, Slack threads, and people's heads. AI assistants (Claude Code, Codex) can be enormously useful — but only if they can safely read the right material. Existing tools weren't built for this.
What's broken today
- Knowledge is fragmented. Decisions, processes, and context live in different tools. New hires can't find things; AI assistants can't either.
- AI access is all-or-nothing. If we point Claude Code at our Notion, it sees everything an admin sees. There's no per-document gate, no audit, no way to keep HR or finance material out of certain workflows.
- We don't know who read what. Notion's audit is limited. We can't prove that confidential material wasn't accessed by an AI tool we didn't intend.
- No review on AI-generated content. If an agent writes a doc and saves it, there's no checkpoint. For decision records or sensitive material, that's a problem.
Why not just use Notion / Confluence / Slack search?
We considered it. None of them give us per-document AI-client gating, the audit trail we want, or the ability to require human review before AI-drafted content becomes canonical. Building a small, focused service of our own is cheaper and faster than retrofitting any of those — and it sits naturally alongside the LIFE app's existing infrastructure.
System at a Glance
Five components, one canonical store
The architecture is deliberately small. There's one service, one database, one place where authorization decisions are made.
KB Web UI
Where humans read, write, and review
Local AI Clients
Claude Code, Codex, Cowork
↓
KB Service
Authentication, authorization, validation, publish, search, audit — the only path in or out for protected content
↓
Postgres
Canonical store: documents, versions, ACLs, audit, search
Cloudflare R2
Quarantined raw files (PDFs, images, originals)
pg_boss (Postgres)
Imports, conversions, search indexing
What this gets us
Every protected read and write passes through one place. That makes access control testable, audit trustworthy, and the system small enough for AI coding agents to build correctly.
Key Decisions & Why
The six decisions that shape v1
Each of these was a fork in the road. We picked the simpler, safer option in every case — and the spec went through two independent expert reviews before landing.
1
Postgres is the canonical store, not GitHub
Decision
All KB content (markdown bodies, metadata, access rules, history, search index, audit) lives in Postgres. GitHub is not used at all in v1.
Why
The first draft used GitHub as the canonical store — markdown files in protected repos. That created a parallel security perimeter we'd have to maintain (rebase logic, branch protection, force-push purge runbooks, GitHub App-only writers, secret scanning before every commit). Putting everything in Postgres deletes ~30% of the spec's complexity and removes a whole class of "what if Git history leaks a secret" problems. We still keep markdown — bodies are stored as text in a Postgres column, and exports are .md files.
Tradeoff
We lose native GitHub diff/history UI and the option for engineers to clone the repo and read locally. With our "KB service is the only access path" rule, neither was usable for protected content anyway.
2
One service is the only door
Decision
All reads, searches, and publishes go through the KB service. No direct database access for users, no GitHub access for users, no signed download links to raw files. The KB service checks access on every request.
Why
Defense in depth backfires when you have multiple paths to the same content. If a confidential doc can be read via the web UI or a GitHub clone or a direct database query, every access rule has to be enforced in three places. With one door, the rule lives in one place and is testable.
Tradeoff
Engineers can't grep a local clone; if the KB service is down, nobody reads anything. We accept that — and back it with daily encrypted Postgres backups and a 4-hour recovery target.
3
Three sensitivity levels, not four
Decision
Internal (any LIFE employee), Confidential (specific team — leadership, finance, etc.), Restricted (highly sensitive, narrow audience — HR investigations, legal matters).
Why
Earlier drafts had a "public" level for content that's safe to publish externally. We have no such content today, and reviewers warned the term would confuse readers ("does public mean external or just company-wide?"). Removing it eliminates ambiguity. If we ever need an external-facing doc category, we'll add a clearly-named "external public" level.
Tradeoff
None meaningful. We can add the level later in 30 minutes of policy work.
4
AI agents can directly publish "internal", but everything else requires human review
Decision
Claude Code or Codex can publish company-wide notes, articles, and process docs without review. Confidential or restricted material always goes to a human reviewer first. So do all decision records, classification changes, and imported (Notion / Drive) content.
Why
Speed for the 80% case (general company knowledge, captured by AI from chat or work sessions), strong gating for the 20% that matters most. Aligns "trust but verify" with the actual risk level of each content class.
Tradeoff
Slightly slower flow for confidential material. We think this is correct — these are exactly the cases where AI mistakes are expensive.
5
Imports start in quarantine
Decision
Anything uploaded to Drive or imported from Notion lands in an "unclassified" staging area. It's treated as the most sensitive category until a human assigns a classification, audience, and owner.
Why
Before classification, we don't know what's in the file. Treating it as "internal" by default risks leaking HR or legal content into general visibility before anyone reads it. Quarantine treats unknowns as restricted: no external AI processing, not searchable, only the uploader and reviewers can see it. This is also where the Notion bootstrap lands.
Tradeoff
Slower onboarding of legacy content — the Notion migration becomes a series of reviewed batches rather than a one-click import. We see this as a feature.
6
Slack and Jira are not in v1
Decision
v1 does not ingest Slack messages, fetch external links from Slack, generate Slack summaries, or read/write Jira. KB documents may include manual links to Slack threads or Jira tickets.
Why
Both integrations were tempting but expensive. Slack ingestion brings deletion-propagation, link-fetch security, channel-permission mapping, and synthesis quality issues. Jira writes bring delegated identity, workflow side effects, and project-permission complexity. Both become much safer to add once the core KB is proven and groups are populated. Both expert reviewers recommended cutting them; we agreed.
Tradeoff
We don't get automatic capture of decisions made in Slack threads. We accept this for v1 and revisit in v1.1.
Security Posture
How protected content stays protected
The system is built around five hard rules that hold even when individual components misbehave.
The five non-negotiables
- Authentication is Google Workspace. No KB-specific passwords. MFA is enforced through Google. If your Google account is disabled, your KB access ends within 5 minutes.
- Group membership is the access boundary. Confidential content is gated by Google groups — leadership, finance, people, legal, security. Group resolution failure denies access; we never default-allow.
- AI clients are pre-registered with a maximum sensitivity. Claude Code can be approved for confidential; Codex for internal only. The KB service decides what to send each client based on its registration, not what the client claims about itself.
- Approval binds to an exact version hash. If a reviewer approves "version A" and someone tries to publish "version B", the approval doesn't carry. This stops a class of "switch the document after review" attacks.
- Every protected access leaves an audit trail. Reads, denials, searches, publishes, approvals, AI-tool runs — all recorded in append-only logs. The logs never contain document body text.
What "fail closed" means here
If the KB service can't reach Google to verify your group membership, it denies access. If the access policy file fails to load on startup, the service refuses all reads and writes and pages an operator. If a database row has missing or invalid metadata, it's treated as inaccessible. We never default to "allow" when something is unclear. This is a cheap rule that prevents most accidental data leaks.
What we still need to be careful about
The biggest residual risk is operational: backups, key management, and the "break-glass" procedure when a security admin needs to investigate something. These are documented as runbooks (with two-admin approval for sensitive reads) rather than automated UI, because automating rare emergency procedures is itself a risk.
Scope Discipline
What's in v1 — and what we deliberately deferred
v1 went through aggressive scope cuts to hit a 4–8 week build window. The cuts aren't permanent; most are clean v1.1 additions once the core is proven.
In v1
- Google Workspace SSO with MFA enforced
- KB web UI for reading, searching, writing, reviewing
- Three local AI clients: Claude Code, Codex, Cowork
- Postgres canonical store with version history
- Cloudflare R2 for raw uploaded files (quarantined)
- Drive ingestion for markdown, Google Docs, docx, PDF text
- Notion bootstrap as quarantined import + reviewed publish
- Postgres full-text search with access filtering
- Human review for confidential/restricted content
- Audit logging for all access decisions
- Backup & recovery with 4-hour recovery target
- Markdown export for portability
Deferred to v1.1+
- Slack ingestion (per-thread records, summaries)
- Slack link fetching (article extraction)
- Jira (read, search, and writes — all deferred)
- External web fetching
- Semantic / vector search
- OCR for images
- Audio transcription
- Spreadsheet / slides conversion
- Bulk export of confidential or restricted content
- GitHub mirror for portability (admin export bundle replaces it)
- Persistent local cache for restricted content
- AI-driven content repair in publish flow
Why the cuts are aggressive
Each deferred item has its own security model to design (Slack permissions, Jira workflows, web-fetch sandboxing). Trying to ship them all in v1 was the original spec's biggest risk. By cutting them, we get a working KB in roughly half the time, and we get to design each integration on top of a proven base.
How We Build
AI agents writing the code, with explicit guardrails
The implementation is being driven by AI coding agents (Claude, Codex). The spec is structured to make that safe.
What the agents can and can't do
- Build to spec. Schemas, authorization functions, search queries, validation rules are all explicitly defined.
- Run tests. Every authorization rule has a corresponding test in the spec's "Definition of Done." Agents can't merge code that fails an authorization-matrix or search-leakage test.
- Cannot invent access rules. The spec explicitly forbids agents from adding new sensitivity levels, new policy modes, or new local-cache behavior without human approval.
- Cannot bypass the single authorization function. Search must call the same gate as reads. The spec calls this out as a tested invariant.
- Cannot see production secrets or restricted content during development. They build against a synthetic dataset.
Why this is workable
The system is small enough — five components, one access control function, one search query — that a coding agent can hold the whole shape in context. The two independent expert reviews specifically tested whether the spec could be safely built by AI agents; both said yes after the v0.4 fixes.
Indicative Costs
What this costs to run
Monthly infrastructure cost at LIFE's current size. The stack is chosen to keep cost low without compromising the access controls, backup posture, or the architecture in this spec.
Monthly infrastructure
Postgres (Supabase Pro — PITR, daily encrypted backups, 8 GB)~$25
KB service hosting (Cloud Run — scales to zero, free tier covers small-team usage)~$0–10
Object storage (Cloudflare R2 — zero egress fees)~$1–3
Worker queue (pg_boss running inside Postgres — no extra service)$0
Logs & monitoring (Axiom or Cloud Logging free tier)$0
GitHub plan (already paid; KB content not stored here)$0
Google Workspace (already paid; SSO and groups)$0
Estimated monthly~$30–40
Why this stack
Supabase Pro provides managed Postgres with the PITR + encrypted backup story v1 needs at a fraction of the cost of Cloud SQL. Cloudflare R2 is S3-compatible with the same security primitives as GCS, but charges nothing for egress — meaningful since every artifact read goes through the KB service. Running the worker queue inside Postgres (pg_boss) eliminates an entire service. Cloud Run's free tier comfortably covers a small-team internal KB.
Nothing in this stack ties us to a vendor. Postgres is portable; R2 is S3-compatible; Cloud Run is just a container — the same image runs on Fly.io, Railway, or any container host. Migration cost is low if any of these prices change.
AI provider costs (separate)
Anthropic Enterprise zero-retention is already paid for the LIFE app; KB usage adds a small overhead (classification proposals, draft generation) — likely under $30/month additional. Other providers are optional. Restricted content uses local-only models (no per-request cost).
Risks & Mitigations
What could go wrong, and what we've done about it
The biggest residual risks after the v0.4 spec, and how each is handled.
Risk
Confidential content leaks via the AI tool channel — an agent reads a doc it shouldn't, or sends it to an external model.
Mitigation
Each AI client is pre-registered with a maximum sensitivity. Confidential content goes only to clients approved for it, with declared retention/deployment metadata. Restricted content is local-only.
Residual
Once a client receives confidential content, what happens in their session memory or local logs is partially their concern. Rule applies the same restrictions to those local artifacts.
Risk
Postgres is the only canonical store — if it's lost, the KB is lost.
Mitigation
Point-in-time recovery enabled. Daily encrypted backups. Restore drill tested in staging before launch. RPO 15 min, RTO 4 hr.
Residual
A catastrophic Postgres failure could lose up to 15 minutes of writes. Acceptable for a small-team KB.
Risk
Imported content (Notion, Drive) leaks before classification — an HR doc lands in the wrong searchable bucket.
Mitigation
All imports start as "unclassified" in quarantine. Treated as restricted (no AI, not searchable, only uploader+reviewers see it) until a human assigns a classification.
Residual
If a reviewer mis-classifies, content can land in the wrong audience. Reviewers must be in the right groups; access changes are audited.
Risk
Coding agents introduce subtle authorization bugs — search query leaks, ACL drift, missing checks.
Mitigation
One canonical authorization function used by every read path. Single canonical search query. Definition-of-Done test suite covers every (actor, client, classification, action) combination as table-driven tests. Agents can't ship code that fails them.
Residual
Tests cover what we've thought of. New attack patterns over time will need new tests; we plan periodic security reviews.
What We Need From You
Decisions and prerequisites for v1 launch
A short list of things only the CEO/CFO can sign off on, plus a few one-time prerequisites.
Decision Needed
Sign-off on the v1 scope cuts
Slack ingestion, Jira, OCR, audio, semantic search, and bulk export of confidential content are deferred to v1.1+. We are confident this is the right call, but it means v1 doesn't replace any current tool — it sits alongside them.
Decision Needed
Hosting choice
Recommended stack: Supabase Pro (Postgres) + Cloud Run (KB service) + Cloudflare R2 (artifacts). Total ~$30–40/month, no vendor lock-in. Alternative all-GCP stack (Cloud SQL + Cloud Run + GCS) costs ~4× more without meaningful capability gain. Confirm the recommended stack or override.
Prerequisite
Google Workspace groups need to be created
v1 launch needs these groups created in Google Workspace and populated: company@, leadership@, finance@, people@, legal@, security@, plus reviewer groups (kb-reviewers@, leadership-leads@, policy-admins@) and console-role groups. None of these exist today; we'd ask the CEO/CFO to confirm membership for at least the leadership and finance groups.
Prerequisite
Backup & recovery target confirmation
Default targets: lose at most 15 minutes of writes if disaster strikes; back online within 4 hours. These are standard for managed Postgres and are baked into the ~$80/mo database cost. Tighter targets (5 min / 1 hr) would add ~$200–400/mo and aren't recommended unless KB downtime would block daily work.
Decision Needed
Approved AI providers for confidential content
Default: Anthropic Enterprise zero-retention is the only approved provider for confidential content. OpenAI Enterprise zero-retention is approved for internal. Restricted content is local-only (no external SaaS). Confirm or let us know if other providers should be approved.
Indicative Timeline
From sign-off to v1 launch
A rough sequence assuming groups are created and hosting is chosen at week 0.
| Week |
Milestone |
Status |
| 0 | CEO/CFO sign-off on scope; Google groups created; hosting chosen | Awaiting |
| 1–2 | Postgres schema, KB service skeleton, Google SSO, authorization function, audit log | Planned |
| 2–3 | Publish flow, review queue, version history, search | Planned |
| 3–4 | KB web UI for read, write, review | Planned |
| 4–5 | Local AI client integration (Claude Code, Codex, Cowork) | Planned |
| 5–6 | Drive intake, conversion sandbox, Notion bootstrap pipeline | Planned |
| 6–7 | Hardening, test suite, backup/restore drill, security review | Planned |
| 7–8 | Notion content reviewed and migrated; soft launch to LIFE team | Planned |
Bottom Line
Why this is the right thing to build now
LIFE is at the size where company knowledge is starting to fragment, and where AI tools (Claude Code, Codex) are becoming a real part of how work gets done. Without a controlled door in front of company knowledge, we either give AI tools too much access or we keep them isolated from the context they need.
The v1 we're proposing is small, focused, and reversible. It uses tools we already pay for (Google Workspace, Postgres). It ships in 4–8 weeks. It establishes the access patterns that Slack, Jira, and richer integrations will plug into later — and it does so with a security posture that survived two independent expert reviews.
The alternative — keep using Notion for everything, give AI tools blanket access, hope nothing leaks — is cheaper in the short term and worse in every other way.