// Technology / MLS Policy

Labels become enforcement.

QHx maps identity groups to classification, compartment, and releasability labels, then uses those labels to constrain resources and flows.

Network isolation Cross-domain →

// Mechanism

The label is the gate.

The QHx admission controller applies and validates MLS labels at resource creation. Users cannot arbitrarily upgrade classification or escape a compartment by changing metadata after the fact.

ClassificationResources receive levels such as unclassified, confidential, secret, or top secret equivalents.
CompartmentSpecial-access or mission compartments constrain which workloads can interact.
ReleasabilityPartner release sets can be bounded by the principal’s authorized groups.
ImmutabilityClassification and compartment labels are protected against unauthorized change.

PRINCIPAL GROUPS

mls:classification:secret

mls:releasability:us,uk,au

mls:compartment:quantum

RESOURCE LABELS

mls.qhx.dev/level: us:s

mls.qhx.dev/releasability: us,uk,au

mls.qhx.dev/compartment: quantum