Watch compartmentation work
Don't take our word for it — see the math refuse the wrong team.
What this proves
- We create two teams, each with its own key — exactly like Conduit does.
- A report is sealed to one team (Legal). You'll see the encrypted bytes.
- The other team (Documentation) tries to open it — and fails, because its key cannot.
- Then Legal opens it. The difference isn't a permission toggle — it's the encryption itself.
Uses the Web Crypto API (ECDH P-256 + AES-256-GCM) — the same family of primitives Conduit uses on the server.
1. Set up two teams
2. A reporter seals a message to Legal
Sealed bytes (what the database actually stores):
3. Now watch each team try to open it
Documentation team — not assigned this case
Legal team — the assigned team
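The three steps above, written out with the Web Crypto API as an added example; this is not Conduit's own code. It assumes a fresh ephemeral ECDH key pair per report and an HKDF-SHA-256 step between the ECDH secret and the AES key, neither of which the page specifies, and every function name and the sample report are made up for illustration.

```javascript
// Added example, not Conduit's code. Assumed scheme (not stated on the page):
// ephemeral ECDH P-256 -> HKDF-SHA-256 -> AES-256-GCM. All names are hypothetical.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const ECDH = { name: "ECDH", namedCurve: "P-256" };
const enc = new TextEncoder();
// Each team gets its own key pair; sealing needs only the public half.
const newTeam = () => wc.subtle.generateKey(ECDH, false, ["deriveBits"]);

// Turn an ECDH shared secret into a non-extractable AES-256-GCM key.
async function aesKey(privateKey, publicKey, usage) {
  const secret = await wc.subtle.deriveBits({ name: "ECDH", public: publicKey }, privateKey, 256);
  const ikm = await wc.subtle.importKey("raw", secret, "HKDF", false, ["deriveKey"]);
  const hkdf = { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32), info: enc.encode("team-seal-demo") };
  return wc.subtle.deriveKey(hkdf, ikm, { name: "AES-GCM", length: 256 }, false, [usage]);
}

// Reporter side: a fresh ephemeral key pair per report, discarded after sealing.
async function seal(teamPublicKey, plaintext) {
  const eph = await newTeam();
  const key = await aesKey(eph.privateKey, teamPublicKey, "encrypt");
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  const ephPub = await wc.subtle.exportKey("raw", eph.publicKey);
  return { ephPub, iv, ct }; // the sealed record: nothing in it is secret
}

// Team side: returns the plaintext, or null when the GCM tag does not verify.
async function unseal(teamPrivateKey, sealed) {
  const ephPub = await wc.subtle.importKey("raw", sealed.ephPub, ECDH, false, []);
  const key = await aesKey(teamPrivateKey, ephPub, "decrypt");
  try {
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: sealed.iv }, key, sealed.ct);
    return new TextDecoder().decode(pt);
  } catch {
    return null; // wrong key: decrypt rejects instead of returning garbage
  }
}

async function demo() {
  const legal = await newTeam();
  const documentation = await newTeam();
  const sealed = await seal(legal.publicKey, "Constructed sample report");
  return {
    sealedBytes: sealed.ct.byteLength, // 25 plaintext bytes + 16-byte GCM tag
    documentation: await unseal(documentation.privateKey, sealed),
    legal: await unseal(legal.privateKey, sealed),
  };
}
demo().then((r) => console.log(r));
```

The Documentation key derives a different AES key from the same stored record, so the GCM authentication tag fails and `unseal` returns `null`; no access-control check is involved.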