"RAG Core Study (25/26) — Security, Permissions, and Re-indexing Operations"

In production RAG, a spectacular answer is still a failure if it came from a document the user should never have seen.

Most RAG study paths spend much more time on embeddings than on permissions. Production systems cannot afford that imbalance. Security, source control, versioning, and re-indexing are not side concerns. They are structural retrieval concerns. Part 25 explains why permissions must be enforced before retrieval, not after it, and why stale indexes are operationally dangerous.

0. Prerequisites

  • Part 7 metadata design
  • Part 19 query routing
  • Parts 23 and 24, where retrieval becomes more structurally complex

1. Learning Objectives

  1. Explain why security must be embedded into retrieval rather than added afterward.
  2. Distinguish RBAC, ABAC, and row-level filtering.
  3. Understand why re-indexing and versioning matter operationally.
  4. Recognise the role of audit logs in production RAG.

2. ํ•ต์‹ฌ ์š”์•ฝ

The core operational rule is filter-first security. The retriever should search only within the set of documents the user is allowed to access. RBAC handles role-based access, ABAC handles attribute-based access, and row-level retrieval filters can enforce document- or chunk-level permissions. At the same time, stale indexes can quietly produce outdated or revoked information, so re-indexing and version tracking are part of the same operational discipline.

3. Intuition — Why Post-filter Security Is Too Late

If an unauthorised document already entered the candidate set, then:

  • it may appear in reranker inputs
  • it may be stored in traces
  • its contents may influence answer generation

That is why permission checks should not be an afterthought. They should shape the searchable space from the start.

4. Definitions — Core Operational Terms

Term Definition
RBAC role-based access control
ABAC attribute-based access control
Row-level Security applying access control at document or chunk level
Re-indexing rebuilding or updating embeddings and indices after source changes
Versioning tracking which document or index version was used
Audit Log trace of who searched what and what evidence was returned

5. Mechanism — Security Belongs Inside the Retrieval Pipeline

The usual order should be:

  1. identify the user and permission scope
  2. restrict allowed collections and namespaces
  3. apply metadata filters
  4. run retrieval and reranking
  5. log the event for auditability

Security is therefore a retrieval design decision, not only an application-layer feature.

6. Walkthrough — Security Filters and Re-index Control

6.1 Permission-aware filters

filters = {
    "security_level": {"$in": user.allowed_levels},
    "department": {"$in": user.allowed_departments},
    "version_status": "active",
}
hits = vector_store.search(query, filter=filters, k=10)

6.2 Re-index trigger

if document.updated_at > index.last_built_at:
    enqueue_reindex(document.id)

6.3 Audit logging

log_event({
    "user_id": user.id,
    "query": query,
    "retrieved_doc_ids": [doc.id for doc in hits],
    "index_version": current_index_version,
})

Self-explanation: Why is pre-retrieval filtering safer than post-retrieval filtering?

7. Variants and Use Cases

7.1 RBAC-driven retrieval

What changes
Collections or filters depend mainly on the user’s role.

Why it matters
It is easy to reason about when organisational boundaries are stable.

What it enables
Fast and understandable permission-aware retrieval.

Limit and next step
Complex organisations often need finer-grained attribute logic.

7.2 ABAC-driven retrieval

Attributes such as region, project code, contract status, or classification level may all influence access.

7.3 Version-aware retrieval

Retrieval may default to active documents while still allowing explicit historical lookup when authorised and requested.

8. Limits and Failure Modes

8.1 Permission tags can be wrong

If metadata is missing or inaccurate, the retrieval filter inherits the same mistake.

8.2 Delayed re-indexing creates stale answers

Updated source documents do not help if the index still reflects older content.

8.3 No audit trail means poor incident recovery

Without query and evidence logs, quality failures and security incidents become difficult to investigate.

8.4 Next step — The final step is to integrate all of these ideas into one project

The series ends not with another isolated concept, but with a small capstone that forces the ideas to work together. That is Part 26.

8.5 Common Pitfalls

# Pitfall Symptom Fast Check
1 post-filter security unauthorised candidates enter the pipeline enforce filter-first policy
2 stale index management outdated answers monitor re-index lag
3 weak metadata quality broken permission filters validate metadata pipelines
4 no audit log poor incident analysis log user, query, and evidence IDs
5 no active/archive distinction old policies outrank new ones track status and version fields

9. Self-check — Answer Before Looking

Q1. What is the first rule of secure RAG retrieval?

Answer Retrieve only from documents the user is authorised to access.
Why Once unauthorised documents enter the pipeline, damage may already be done.

Q2. Why does re-indexing matter for correctness?

Answer Because stale embeddings and stale indices can keep retrieving outdated evidence.
Why Source updates do not automatically propagate into retrieval quality.

Q3. Why are audit logs important?

Answer They let the team trace what was retrieved, for whom, and under which index version.
Why That is critical for both quality debugging and security investigation.

Cheat Sheet — One-page Summary

Definitions - RBAC: role-based access control - ABAC: attribute-based access control - Re-indexing: updating retrieval structures after source change

Minimal code

hits = vector_store.search(query, filter=security_filters, k=10)

When to use what | Situation | Control style | |---|---| | simple organisation | RBAC | | complex entitlement logic | ABAC | | recency-sensitive retrieval | version-aware filtering |

References

Supporting notes

  • User notes, chapter 22 security and operations

Bridge to the Next Part

The last step is to assemble the series into one small, coherent project. Part 26 is the personal-documents RAG capstone and roadmap.

๋Œ“๊ธ€

๋Œ“๊ธ€ ์“ฐ๊ธฐ

์ด ๋ธ”๋กœ๊ทธ์˜ ์ธ๊ธฐ ๊ฒŒ์‹œ๋ฌผ

Agent Memory Engine (2/10) — Building an AI Agent Memory System with SQLite Alone

← 1/10 SQLite Memory Engine f… ๐Ÿ“š Series Index 3/10 memcore Completed → A memory engine that runs without daemons, without dependencies, anywhere ํ•ต์‹ฌ ์š”์•ฝ This post covers how to design an AI agent memory engine (memcore) on a single-file SQLite backend. - Structure: 25 modules, ~6,464 lines, 22 DB tables - Principles: no daemon, single-file portability, no required external dependencies, host-agnostic - Core techniques: 4-layer hybrid search (topic · vector · FTS5 · LIKE), U-tag dialectic-based confidence evolution, ingestion-layer bias rejection rules What This Post Covers One approach to building AI agent memory without a server or cloud vector DB. Specifically: (1) the limitations of text-file-based memory, (2) vector DB alternatives compared and selection criteria, (3) how to layer search tiers, (4) how to evolve confidence scores over time, and (5) how to block biased memory accumulation at the ingestion stage. Design Principles: Why Single-File SQLite Text-file-based ...
Read more »

"ML Foundations (9/9) — PyTorch vs TensorFlow, and the Road to Local LLMs"

์ด๋ฏธ์ง€
← 8/9 Deep Learning Architec… ๐Ÿ“š Series Index (series end) The final part. So far we've focused on models. Now we focus on the tools that actually run them . We'll lay out the philosophical difference between PyTorch and TensorFlow, and trace how Hugging Face transformers , llama.cpp , MLX , and Ollama built the bridge to running large language models on your own machine. By the end you should have the full mental model of "download a pretrained LLM and serve it locally." 0. Learning Objectives Explain the eager-vs-graph difference between PyTorch and TensorFlow. Explain, in graph terms, how autograd automates the backward pass. Use Hugging Face transformers ' AutoModel , AutoTokenizer , and pipeline abstractions. Describe llama.cpp's GGUF quantization, INT4 inference, and CPU-first flow. Describe Apple MLX's use of unified memory and how it differs from PyTorch. Run a local LLM with Ollama and call it through an OpenAI-compatible API. ...
Read more »

"RAG Core Study (14/26) — Evaluation Sets with RAGAS & DeepEval"

์ด๋ฏธ์ง€
Series overview: Series index ๐Ÿ“š Series Index Without an evaluation set, every RAG improvement is a story, not evidence. RAG systems fail in more than one place: retrieval, context selection, answer generation, and grounding. That means "looks better" is not a metric. Part 14 explains how to build a golden dataset , how RAGAS and DeepEval fit into the workflow, and why teams must separate retrieval quality from answer quality if they want tuning decisions to hold up. 0. Prerequisites Part 13 reranking — system quality now depends on multi-stage ranking. Part 1 grounding — a correct-looking answer is not enough. Part 12 Hybrid — multiple retrieval settings need comparison on fixed data. 1. Learning Objectives Build a small but useful golden dataset for RAG. Distinguish retrieval metrics from answer metrics . Use RAGAS and DeepEval in the right roles. Avoid the common traps in judge-model-based evaluation. 2. ํ•ต์‹ฌ ์š”์•ฝ An evaluation set for RAG is ...
Read more »

"ML Foundations (8/9) — Deep Learning Architectures: CNN, RNN, Attention"

์ด๋ฏธ์ง€
← 7/9 Deep Learning Training ๐Ÿ“š Series Index 9/9 PyTorch vs TensorFlow → What did we keep adding on top of an MLP? Vision went CNN, sequences went RNN/LSTM, and eventually both converged on Attention and the Transformer. Each architecture is easier to remember if you read it as what it gave up to gain something else . This part is the one-line summary of the decisive inflection points: LeNet → AlexNet → ResNet → LSTM → Attention → Transformer. 0. Learning Objectives Explain why CNN's convolution, pooling, and weight sharing match images so well. Trace what got unblocked from LeNet → AlexNet → VGG → ResNet as depth grew. State BPTT for RNNs and the vanishing/exploding gradient problem. Write the LSTM gate equations (forget, input, output) with intuition. Write the attention formula in query/key/value form and the scaled dot-product variant. State the precise reasons Transformers replaced RNNs (parallelism + long-range dependencies). 1. ํ•ต์‹ฌ ์š”์•ฝ CNN : weight sharin...
Read more »

"ML Foundations (7/9) — Deep Learning Training: Optimizers, Regularization, Initialization"

← 6/9 Neural Networks ๐Ÿ“š Series Index 8/9 Deep Learning Architec… → Building an MLP, as we did in Part 6, is not the same as getting it to train well . The right optimizer, regularization, initialization, and learning rate — when these line up, deep networks converge. When they don't, the network refuses to learn at all. This part is the catalog of those crafts, with formulas, paper citations, and code in one place. 0. Learning Objectives Compare and write the update rules for SGD, Momentum, Nesterov, and Adam. Explain how Dropout, BatchNorm, and LayerNorm work and where they belong in a model. Derive the variance formulas for Xavier and He initialization and match them to activations. Implement step, cosine, and warmup learning-rate schedules in PyTorch. Explain why gradient clipping is effectively required for RNNs and Transformers. Diagnose the most common training failures (NaN, plateau, overfitting) and apply first-line fixes. 1. ํ•ต์‹ฌ ์š”์•ฝ SGD : \(w \leftarro...
Read more »

OpenClaw to Hermes Migration (2/13) — What to Preserve, Partially Port, or Discard

← 1/13 Current Structure Inve… ๐Ÿ“š Series Index 3/13 What Moves to Hermes → A code review record classifying operational scripts into three tiers: preserve, partial-preserve, and discard. What This Post Covers An asset classification framework (preserve / partial-preserve / discard) for migrating a legacy agent system to a successor A concrete case applying the Strangler Fig + Subset Migration strategy to a memory pipeline Classification results evaluated across LOC, external dependencies, and replaceability axes A method for slimming down a bloated single file (1,310 LOC) using the migration as a natural entry point Problem Definition: Port Everything or Cut Deep? The OpenClaw inventory comprises multiple agents, multiple scheduler/daemon processes, and multiple operational scripts. When moving to the successor system, Hermes, the choice is not binary. A full port carries accumulated technical debt along with it; a minimal port discards hard-won domain logic. Code-revie...
Read more »

AI Agents I Built (5/7) — Building an Automated Blogger API Publishing System

← 4/7 My Life Organizer Agent ๐Ÿ“š Series Index 6/7 Dual → Designing a Markdown-Based Auto-Publish Pipeline with Blogger API v3 + OAuth 2.0 Key Summary Blogger API v3 + OAuth 2.0 enables a pipeline that converts Markdown files into publishable HTML posts blogger_publish.py handles the full flow — frontmatter parsing → body cleanup → HTML conversion → CSS injection → API post — in a single script For bulk publishing, quota management (delay, retry, TOC suppression) is the critical design concern Platform Selection Criteria API access is mandatory for AI agent-driven content publishing. A comparison of platforms: Platform API Cost AdSense Decision WordPress.com REST API Paid plan required Paid only Cost overhead Ghost REST API Self-hosted or paid Manual setup Ops overhead Blogger v3 API Free Native integration Adopted Blogger is free, exposes a REST API, and integrates natively with AdSense. For personal blog automation, this combination i...
Read more »