# MailSubsystem Managed Service Boundary

The MailSubsystem Managed Service runs the same agent pipeline as the open-source Core, hosted on Cloudflare. The intelligence is the same code users can read; the service is the operational shell around it: tenancy, identity, audit, billing, and day-to-day operation, so families and small teams do not have to stand up PostgreSQL or a Rust daemon themselves.

## Promise

The managed service exists so the people it was built for - family members, caregivers, and small teams dealing with suspicious email - get the protection of the Core without needing a developer to run it for them.

The public promise remains:

> Your mom and dad shouldn't be scammed.

## Boundary

Core owns the intelligence. The service owns the experience.

| Core (OSS) | Managed Service |
| --- | --- |
| LLM workflows, RAG, classification, filing logic | Tenant records, identity and RBAC, audit infrastructure, billing |
| Single-user developer runtime | Multi-tenant hosted orchestration |
| AGPL open-source base | Private commercial service |

The service does not fork the agent logic; it runs the Core. If a user does not trust how a decision was made, the code that made it is public.

## Tenant Model

- Account boundaries for metadata, authorization, and audit events.
- Deny-by-default RBAC with explicit grants for cross-tenant access.
- Secrets are handled by reference; mailbox credentials never appear in logs or audit events.
- Caregiver access is scoped to risk feeds and review queues rather than full shared inbox access.

## Operations

- Support access is scoped, time-bound, and recorded.
- Destructive actions require dry-run preview and explicit confirmation.
- Incident review uses the same audit log the user sees, with no shadow record.
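The tenant-model and operations rules above, as one added TypeScript example that is not MailSubsystem code: deny-by-default RBAC with a caregiver role scoped to the risk feed and review queue, an explicit time-bound support grant, a dry-run step before a destructive action, and an audit log that records a secret reference rather than the credential. Every identifier here (Authorizer, Grant, SecretStore, the tenant and user ids) and the credential value are constructed for the illustration.

```typescript
// Added example, not MailSubsystem code. All names and sample values are assumptions.

type Action = "read:inbox" | "read:risk_feed" | "read:review_queue" | "delete:message";
type Role = "owner" | "caregiver" | "support";

interface Principal { id: string; tenant: string; role: Role }

// A cross-tenant or support grant. No grant means denied; every grant expires.
interface Grant { principal: string; tenant: string; actions: Action[]; expiresAt: number }

interface AuditEvent {
  at: number; principal: string; tenant: string; action: Action;
  allowed: boolean; reason: string; dryRun?: boolean; secretRef?: string;
}

// Actions a role may take inside its own tenant. Caregivers are limited to the
// risk feed and review queue; support has no implicit access at all.
const ROLE_ACTIONS: Record<Role, readonly Action[]> = {
  owner: ["read:inbox", "read:risk_feed", "read:review_queue", "delete:message"],
  caregiver: ["read:risk_feed", "read:review_queue"],
  support: [],
};

class Authorizer {
  readonly audit: AuditEvent[] = [];
  private readonly grants: Grant[] = [];
  constructor(private readonly now: () => number) {}

  grant(g: Grant): void { this.grants.push(g); }

  // Deny by default: allow only via the principal's own-tenant role or an
  // unexpired explicit grant. Every decision, allowed or denied, is audited.
  decide(p: Principal, tenant: string, action: Action, extra: Partial<AuditEvent> = {}): boolean {
    let allowed = false;
    let reason = "denied: no role or grant";
    if (p.tenant === tenant && ROLE_ACTIONS[p.role].includes(action)) {
      allowed = true; reason = `role ${p.role} in own tenant`;
    } else {
      const g = this.grants.find(x => x.principal === p.id && x.tenant === tenant
        && x.actions.includes(action) && x.expiresAt > this.now());
      if (g) { allowed = true; reason = `explicit grant until ${g.expiresAt}`; }
    }
    this.audit.push({ at: this.now(), principal: p.id, tenant, action, allowed, reason, ...extra });
    return allowed;
  }
}

// Mailbox credentials live behind a reference; audit events carry the ref only.
class SecretStore {
  private readonly secrets = new Map<string, string>();
  put(ref: string, value: string): void { this.secrets.set(ref, value); }
  get(ref: string): string | undefined { return this.secrets.get(ref); }
}

function openMailbox(auth: Authorizer, store: SecretStore, p: Principal, tenant: string, ref: string): boolean {
  if (!auth.decide(p, tenant, "read:inbox", { secretRef: ref })) return false;
  const cred = store.get(ref);  // resolved here, never written to the log
  return cred !== undefined;
}

// Destructive action: with confirm=false it is a dry run that only returns the
// preview; the caller must pass confirm=true to execute. Both steps are audited.
function deleteMessages(auth: Authorizer, p: Principal, tenant: string, ids: string[], confirm: boolean): { preview: string[]; deleted: string[] } {
  if (!auth.decide(p, tenant, "delete:message", { dryRun: !confirm })) return { preview: [], deleted: [] };
  if (!confirm) return { preview: ids, deleted: [] };
  return { preview: ids, deleted: ids };
}

// Constructed scenario: one family tenant, a caregiver, and a support engineer.
function runScenario() {
  let clock = 1000000;  // fake clock so grant expiry is deterministic
  const auth = new Authorizer(() => clock);
  const store = new SecretStore();
  store.put("mailbox-cred:family-a:1", "constructed-imap-password");  // constructed sample
  const parent: Principal = { id: "u-parent", tenant: "family-a", role: "owner" };
  const caregiver: Principal = { id: "u-caregiver", tenant: "family-a", role: "caregiver" };
  const support: Principal = { id: "u-support", tenant: "ops", role: "support" };

  const caregiverInbox = openMailbox(auth, store, caregiver, "family-a", "mailbox-cred:family-a:1");
  const caregiverFeed = auth.decide(caregiver, "family-a", "read:risk_feed");
  const supportBefore = auth.decide(support, "family-a", "read:review_queue");
  auth.grant({ principal: "u-support", tenant: "family-a", actions: ["read:review_queue"], expiresAt: clock + 3600000 });
  const supportDuring = auth.decide(support, "family-a", "read:review_queue");
  clock += 3600001;  // the one-hour support window has lapsed
  const supportAfter = auth.decide(support, "family-a", "read:review_queue");
  const dry = deleteMessages(auth, parent, "family-a", ["m1", "m2"], false);
  const real = deleteMessages(auth, parent, "family-a", ["m1", "m2"], true);
  // The audit log must never contain the credential value itself.
  const leakedSecrets = auth.audit.filter(e => JSON.stringify(e).includes("constructed-imap-password")).length;
  return { caregiverInbox, caregiverFeed, supportBefore, supportDuring, supportAfter,
    dryRun: dry.preview, deleted: real.deleted, leakedSecrets, auditCount: auth.audit.length };
}
```

The shape worth keeping is that `decide` is the only path to an allow, so a new feature cannot quietly bypass the tenant boundary, and the audit entries it writes are the same records a user or an incident reviewer would read.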
