Abstract
In a multi-domain application monolith, data is partitioned one database schema per business domain. Strong isolation is normally pushed into the database (GRANT/REVOKE, per-schema connection roles, row-level security). When all domains share one connection pool, an application-layer contract is needed that (a) denies accidental or malicious cross-schema access on the general read/write path, while (b) still permitting deliberate, controlled cross-domain reads. This publication discloses a dual-channel contract: a deny-direct channel that statically analyzes every facade-emitted SQL string and hard-denies foreign-schema references, and an allow-through-a-constrained-compiler channel that re-admits cross-domain reads only via a read-only, mutation-free pipe-query language whose compiler resolves relation names through an indirection table, caps rows, parameterizes literals, and unconditionally injects the authenticated-tenant predicate into every emitted query. The two channels form one coherent isolation policy without relying solely on database RLS. The disclosure includes architecture and data-flow diagrams, the indirection/data model, a worked example, a STRIDE-style threat table, framework mappings, an evaluation methodology, and an enumerated list of inventive aspects.
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Assuncao, gustavo matthew, "Dual-Channel Domain Data-Isolation", Technical Disclosure Commons, ()
https://www.tdcommons.org/dpubs_series/10864