Zone 2

Session Manager

Session isolation, per-session encryption keys, and workspace context binding. Sessions cannot access data outside their scope.

Overview

The Session Manager enforces logical isolation for teams and projects through workspace context boundaries. Every active session is bound to a specific workspace with its own encryption keys, access policies, and data scope. Cross-workspace sharing is controlled by explicit policies — no implicit access is ever granted. This zone ensures that even within the same organization, teams only see what they are authorized to see.

Key capabilities

Workspace Isolation

Logical isolation for teams and projects with per-workspace context boundaries and encryption.

Per-Session Encryption

Derived encryption keys unique to each session ensure data isolation even if a token is compromised.

Context Binding

Sessions are bound to workspace context — users cannot access resources outside their assigned scope.

Cross-Workspace Sharing

Explicit sharing controls allow controlled data exchange between workspaces with full audit logging.

Session Lifecycle

Automatic session expiry, idle timeout, and key destruction when sessions end.

Concurrent Session Management

Configurable limits on concurrent sessions per user with policy-based session priority.

Security implications

How Zone 2 enforces bRRAIn's zero-trust security model:

  • Per-session encryption keys ensure compromised tokens cannot access other sessions
  • Workspace isolation prevents cross-team data leakage
  • Session keys are destroyed when sessions end — no residual access
  • Cross-workspace sharing requires explicit policy approval and is fully audited
  • Idle sessions are automatically terminated after configurable timeout periods

Every zone enforces its own security boundary. No zone trusts another implicitly.
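A sketch of the per-session key, workspace binding, idle timeout and key destruction properties listed above, as an added example that is not bRRAIn's code. It assumes HKDF-SHA256 (RFC 5869) over a master key; the `SessionManager` class, its method names and the `info` layout are hypothetical.

```python
import hashlib, hmac, os, time

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract-then-expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class SessionManager:
    """Hypothetical model: one derived key per session, bound to one workspace."""
    def __init__(self, master_key, idle_timeout=900.0):
        self._master = master_key
        self._idle = idle_timeout
        self._sessions = {}  # session id -> [workspace, key (bytearray), last_seen]

    def open(self, user, workspace, now=None):
        now = time.monotonic() if now is None else now
        sid = os.urandom(16).hex()
        # Random session id as salt: two sessions never share a key, even for the same user.
        info = b"\x00".join([b"session-key", workspace.encode(), user.encode()])
        key = bytearray(hkdf_sha256(self._master, bytes.fromhex(sid), info))
        self._sessions[sid] = [workspace, key, now]
        return sid

    def key_for(self, sid, workspace, now=None):
        now = time.monotonic() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            raise PermissionError("unknown or ended session")
        if now - entry[2] > self._idle:
            self.close(sid)  # idle timeout: destroy the key before refusing
            raise PermissionError("session expired")
        if entry[0] != workspace:
            raise PermissionError("session is not bound to this workspace")
        entry[2] = now
        return bytes(entry[1])

    def close(self, sid):
        entry = self._sessions.pop(sid, None)
        if entry is not None:
            # Best-effort zeroization of the key buffer before it is dropped.
            entry[1][:] = bytes(len(entry[1]))
```

Zeroizing a `bytearray` is best effort in Python, because `key_for` returns an immutable copy that the caller must also discard.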

How it connects

Zone 2 binds session context and encryption keys before passing operations to Zone 3 for memory storage and retrieval.

Zone 1 — API Router | Zone 2 Session Manager | Zone 3 — Memory Engine

Zone 7 — Security Policy Engine inspects all zone transitions
