Per-tenant runtime isolation — make the tenant a process/network/key boundary (not a directory), with a per-tenant vector namespace + server-side tenant binding, so a poisoned/sensitive atom is contained to ONE tenant

task-per-tenant-runtime-isolation-boundary

task | confidence: inferred | status: backlog | 2026-06-19 | owner: platform-engineer
source log-auditor — surfaced recording 0059-untrusted-by-default-ingestion-serve-boundary (research §9f multi-tenant blast-radius table + §2 vector-index reframe). Board globbed before filing — no open task covered per-tenant process/network/key isolation or a per-tenant vector namespace + server-side tenant binding (DEC-0053's task-agency-runtime-topology-spec is done/topology-level; DEC-0011's isolation is file-boundary, not runtime/index-level; this is the security-hardening of that seam).

Per-tenant runtime isolation — process/network/key boundary, not a directory

This task is DEC-0059's blast-radius-containment leg, applied at the runtime substrate. A siloed git repo contains the data but not the injection: containment depends on the runtime substrate, so the tenant has to be a process / network / key boundary, not just a directory.

Four leak channels, four guarantees (from the research)

| Shared resource | Leak | Guarantee |
|---|---|---|
| Vector index | poisoned embedding retrievable cross-tenant if pooled by a client-supplied filter | per-tenant namespace/index; inject the tenant filter server-side from a signed claim |
| MCP server process | in-flight data / session-hijack across tenants | one server instance per tenant (own process + network namespace); session bound server-side to <tenant_id>:<session_id>; token passthrough forbidden (RFC 8693 exchange, per-tenant scoped creds) |
| Extraction-agent context | injection in tenant A's content steers tenant B's run | one tenant per run, fresh context, no shared memory (fresh process — subagents share the parent's process/sandbox) |
| Model/prompt cache | cross-tenant cache disclosure | UNVERIFIED — treat low-likelihood; per-tenant cache scope until confirmed |

A per-tenant key also enables crypto-shred on offboarding — and the vector index is in-scope PII (DEC-0059 (a): embeddings do not anonymize).
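
The vector-index and MCP-server guarantees above, as an added sketch (not code from this project): each tenant gets its own server instance, signing key and index namespace, the tenant scope is taken only from a verified claim bound to `<tenant_id>:<session_id>`, and a tenant selector in the request body is refused. `TenantServer`, the HMAC claim format, the dot-product ranking and all keys and documents are assumptions constructed for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, binding: str) -> str:
    return hmac.new(key, binding.encode(), hashlib.sha256).hexdigest()

class TenantServer:
    """Hypothetical model: one server instance per tenant, own key, own index."""

    def __init__(self, tenant_id: str, key: bytes, namespace: dict):
        self.tenant_id, self._key, self._namespace = tenant_id, key, namespace

    def issue(self, session_id: str) -> str:
        # Claim is the binding "<tenant_id>:<session_id>" plus an HMAC over it.
        binding = f"{self.tenant_id}:{session_id}"
        return f"{binding}.{_mac(self._key, binding)}"

    def _bound_tenant(self, token: str) -> str:
        binding, _, mac = token.rpartition(".")
        if not hmac.compare_digest(mac.encode(), _mac(self._key, binding).encode()):
            raise PermissionError("claim signature invalid for this tenant's key")
        tenant_id = binding.partition(":")[0]
        if tenant_id != self.tenant_id:
            raise PermissionError("claim is bound to a different tenant")
        return tenant_id

    def query(self, token: str, request: dict) -> list:
        self._bound_tenant(token)
        # Tenant scope comes from the verified claim only; a tenant selector in
        # the request body is refused rather than merged into the filter.
        if "tenant" in request or "namespace" in request:
            raise PermissionError("client-supplied tenant filter refused")
        q = request["vector"]
        score = lambda v: sum(x * y for x, y in zip(q, v))
        ranked = sorted(self._namespace, key=lambda d: score(self._namespace[d]), reverse=True)
        return ranked[: request.get("k", 3)]

def build_demo():
    """Constructed sample data: tenant B's index holds a poisoned atom."""
    a = TenantServer("tenant-a", b"constructed-key-a", {"a-doc-1": [1.0, 0.0], "a-doc-2": [0.0, 1.0]})
    b = TenantServer("tenant-b", b"constructed-key-b", {"b-poisoned": [1.0, 0.0]})
    return a, b

if __name__ == "__main__":
    a, b = build_demo()
    print(a.query(a.issue("s1"), {"vector": [1.0, 0.0], "k": 2}))
```

Because tenant A's server never holds tenant B's namespace, the poisoned atom cannot be returned to A even when its embedding is the nearest match to the query.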

Where this sits in the graph

This extends "MCP agentic foundation — tenant-scoped GraphRAG over the OKF KB" (one-server-one-tenant at the file boundary) down to the runtime/process/index level, builds on "Fix git-per-tenant isolation when a tenant root is nested inside another repo" (git-per-tenant), and intersects the "Agentic-agency runtime topology — compile personas from the OKF graph and activate the reserved BoardWorker over the deterministic spine" per-tenant fleet topology. That topology's invariant (4) already names per-tenant serialization and cross-tenant-isolation-by-construction; this task hardens it for the sensitive-data + injection case. The OS-layer process/network boundary mechanism (the substrate that wraps the per-tenant LiveTurnRunner process, deriving its fs boundary from confineToTenant) is specified by DEC-0071 (@anthropic-ai/sandbox-runtime); this task realizes the index/server-side-binding/key half, because the substrate contains the process, not the index.

Why a task, not a fix-in-place

Real runtime + MCP hardening (process model, vector namespacing, server-side binding, token exchange) with a cross-tenant containment demonstration — owner judgment + code. Detail + citations: research/2026-06-18-sensitive-data-and-injection-defense.md §9f and §2. confidence: inferred (agent-filed from DEC-0059).