Understanding Semantic Readiness: L0 Through L4 Explained
When you connect a vector database to Gateco, it starts at L0 (Not Ready). Your goal is to progressively move up through the readiness levels as you configure policies and metadata. Each level represents a real capability milestone, not a score.
L0 (Not Ready) means the connector is created but not reachable — credentials may be invalid or the database is down. L1 (Connection Ready) means Gateco can authenticate and reach your vector database. This is confirmed when the test connection endpoint returns a successful health check with latency.
L2 (Search Ready) means search and retrieval operations are functional. Your search configuration is set (dimensions, metric, index), and Gateco can execute queries against your vector database. At this level, coarse connector-level controls are possible.
L3 (Resource Policy) is where real security begins. This requires active policies AND resource-level metadata resolution — meaning Gateco can determine the classification, sensitivity, and ownership of individual resources and enforce policies against them. You reach L3 by binding metadata to your resources (via sidecar registry, inline payload, or SQL view) and activating at least one policy.
L4 (Chunk Policy) is the highest granularity. It requires chunk-level policy metadata — each individual vector has its own classification and sensitivity metadata that flows through policy evaluation. This is achievable with inline metadata mode (where each vector payload contains its own metadata) or SQL view mode (when the view returns per-vector-id metadata). Sidecar mode alone cannot reach L4 in the current architecture because sidecar metadata lives on GatedResource records, not individual chunks.
Readiness is separate from coverage. Coverage is an operational metric (e.g., "85% of resources have metadata bound"). Readiness is a capability metric (e.g., "this connector CAN enforce chunk-level policies"). You can have L4 readiness with 10% coverage — the capability exists, you just haven't classified all your data yet.
Related reading
- Why Metadata Filters Aren't Enough for RAG Security7 min read
- Authorization Approaches for RAG Systems: A Comparison8 min read
- Building Custom RAG Authorization vs. Using Gateco7 min read
- Gateco DocumentationFull reference
← Previous
Three Ways to Resolve Metadata: Sidecar, Inline, and SQL Views
Next →
Introducing Gateco: Permission-Aware Retrieval for AI Systems
Ready to secure your AI retrieval?
Start with the free tier — 100 retrievals/month, no credit card required.