Last reviewed against v0.9.0
source: infra/terraform/modules/cognito/main.tf
Spaces isolation
Every list query carries WHERE space_id. Cloud-side IAM uses dynamodb:LeadingKeys to enforce per-Space partitions at AWS.
Spaces are enforced at two layers.
Application layer
Every list query carries WHERE space_id = ?. Cross-Space reads need an explicit “include all Spaces” flag (used by global search).
Cloud / IAM layer
Cognito Identity Pool credentials map to a per-tier IAM role with a dynamodb:LeadingKeys condition restricting access to:
- USER#<sub> for personal scope
- SPACE#<id> for Shared Spaces
A member can’t read another Space’s partition even if the desktop is compromised — AWS rejects the request at the IAM layer.
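The two layers above, modelled together in Python as an added example (not the project's code). The `notes` table, the function names, SQLite standing in for the app's store, and `ForAllValues:StringEquals` as the condition operator are assumptions; the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows: (id, space_id, title).
SAMPLE = [(1, "s-red", "roadmap"), (2, "s-red", "budget"), (3, "s-blue", "payroll")]

def open_store():
    """In-memory stand-in for the application's store (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, space_id TEXT NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE)
    return conn

def list_notes(conn, space_id=None, *, include_all_spaces=False):
    """Application layer: scoped by space_id unless the caller opts in explicitly."""
    if include_all_spaces:
        sql, args = "SELECT id, space_id, title FROM notes ORDER BY id", ()
    elif space_id is None:
        # Fail closed: a missing Space never silently widens to every Space.
        raise ValueError("space_id is required unless include_all_spaces=True")
    else:
        # Bound parameter: the Space id is always data, never SQL text.
        sql = "SELECT id, space_id, title FROM notes WHERE space_id = ? ORDER BY id"
        args = (space_id,)
    return conn.execute(sql, args).fetchall()

def permitted_partitions(sub, space_ids):
    """Partition-key values the role's dynamodb:LeadingKeys condition allows."""
    return {f"USER#{sub}"} | {f"SPACE#{s}" for s in space_ids}

def iam_allows(request_keys, permitted):
    """Model of ForAllValues:StringEquals (assumed operator): every partition key
    in the request must be in the permitted set, so one foreign key denies the
    whole call. An empty key set also passes, as ForAllValues does when the
    request carries no keys."""
    return all(key in permitted for key in request_keys)

if __name__ == "__main__":
    conn = open_store()
    print(list_notes(conn, "s-red"))
    mine = permitted_partitions("u-123", ["s-red"])
    # A client that skips list_notes() still hits the partition-key check.
    print(iam_allows(["SPACE#s-red"], mine), iam_allows(["SPACE#s-blue"], mine))
```

`iam_allows` is a local model for reasoning and unit tests only; the real decision is made by AWS when it evaluates the role's policy.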