Per-tenant runtime isolation — make the tenant a process/network/key boundary (not a directory), with a per-tenant vector namespace + server-side tenant binding, so a poisoned/sensitive atom is contained to ONE tenant
task-per-tenant-runtime-isolation-boundary
Per-tenant runtime isolation — process/network/key boundary, not a directory
This is DEC-0059's blast-radius-containment leg at the runtime substrate. A siloed git repo contains the data but not the injection: containment depends on the runtime substrate that reads the data. So make the tenant a process / network / key boundary, not just a directory.
Four leak channels, four guarantees (from the research)
| Shared resource | Leak | Guarantee |
|---|---|---|
| Vector index | poisoned embedding retrievable cross-tenant when tenants share one pooled index and isolation rests on a client-supplied filter | per-tenant namespace/index; inject the tenant filter server-side from a signed claim |
| MCP server process | in-flight data / session-hijack across tenants | one server instance per tenant (own process + network namespace); session bound server-side to `<tenant_id>:<session_id>`; token passthrough forbidden (RFC 8693 exchange, per-tenant scoped creds) |
| Extraction-agent context | injection in tenant A's content steers tenant B's run | one tenant per run, fresh context, no shared memory (fresh process — subagents share the parent's process/sandbox) |
| Model/prompt cache | cross-tenant cache disclosure | UNVERIFIED — treat low-likelihood; per-tenant cache scope until confirmed |
A per-tenant key also enables crypto-shred on offboarding — and the vector index is in-scope PII (DEC-0059 (a): embeddings do not anonymize).
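As an added illustration of the vector-index row (example code, not code from this task or the OKF project): a pooled index whose tenant scope is a client-supplied filter, beside a per-tenant namespace whose tenant comes only from a signed claim verified server-side. The HMAC claim format, the signing key, the tenant ids, the documents and the vectors are all constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo key: stands in for the auth server's signing key (hypothetical).
SERVER_KEY = b"constructed-demo-signing-key"

def sign_claim(tenant_id: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    """Issue a signed <tenant_id>:<session_id> claim (HMAC-SHA256, demo stand-in for a JWT)."""
    body = json.dumps({"tenant_id": tenant_id, "session_id": session_id}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify_claim(token: str, key: bytes = SERVER_KEY) -> dict:
    """Reject any claim whose signature does not verify; only a verified claim names the tenant."""
    body_b64, tag_b64 = token.split(".")
    body, tag = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(tag_b64)
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("claim signature invalid")
    return json.loads(body)

def dot(a, b): return sum(x * y for x, y in zip(a, b))

class PooledIndex:
    """The leak channel: one shared pool; tenant scope is a metadata filter the client chooses."""
    def __init__(self):
        self.rows = []
    def add(self, tenant, doc, vec):
        self.rows.append((tenant, doc, vec))
    def query(self, vec, filter_tenant=None):
        rows = [r for r in self.rows if filter_tenant is None or r[0] == filter_tenant]
        return [doc for _, doc, _ in sorted(rows, key=lambda r: -dot(r[2], vec))]

class NamespacedIndex:
    """The guarantee: one namespace per tenant; the tenant comes only from the verified claim."""
    def __init__(self):
        self.namespaces = {}
    def add(self, tenant, doc, vec):
        self.namespaces.setdefault(tenant, []).append((doc, vec))
    def query(self, claim_token, vec, **client_filters):
        tenant = verify_claim(claim_token)["tenant_id"]  # server-side binding; client_filters cannot widen scope
        rows = self.namespaces.get(tenant, [])
        return [doc for doc, _ in sorted(rows, key=lambda r: -dot(r[1], vec))]

def demo():
    """Constructed data: tenant A holds a poisoned atom, tenant B queries with a near-identical vector."""
    poisoned, benign = ("A", "POISONED atom from tenant A", [1.0, 0.0]), ("B", "B's own note", [0.9, 0.1])
    pooled, scoped = PooledIndex(), NamespacedIndex()
    for t, d, v in (poisoned, benign):
        pooled.add(t, d, v); scoped.add(t, d, v)
    leaked = pooled.query([1.0, 0.0])                      # client omitted the filter: A's atom tops B's results
    contained = scoped.query(sign_claim("B", "s1"), [1.0, 0.0], filter_tenant="A")  # widening attempt ignored
    return leaked, contained
```

The contained result is the containment demonstration the task asks for: with a forged or tampered claim the namespaced query raises instead of falling back to a pooled search.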
Where this sits in the graph
This extends MCP agentic foundation — tenant-scoped GraphRAG over the OKF KB (one-server-one-tenant at the file boundary) down to the runtime/process/index level. It builds on Fix git-per-tenant isolation when a tenant root is nested inside another repo (git-per-tenant). It intersects the Agentic-agency runtime topology — compile personas from the OKF graph and activate the reserved BoardWorker over the deterministic spine per-tenant fleet topology: that topology's invariant (4) already names per-tenant serialization and cross-tenant-isolation-by-construction, and this task hardens it for the sensitive-data + injection case. The OS-layer process/network boundary mechanism (the substrate that wraps the per-tenant LiveTurnRunner process, deriving its fs boundary from confineToTenant) is specified by DEC-0071 (@anthropic-ai/sandbox-runtime); this task realizes the index / server-side-binding / key half. The substrate contains the process, not the index.
Why a task, not a fix-in-place
This is real runtime + MCP hardening (process model, vector namespacing, server-side binding, token exchange) with a cross-tenant containment demonstration, so it needs owner judgment + code. Detail + citations: research/2026-06-18-sensitive-data-and-injection-defense.md §9f and §2. confidence: inferred (agent-filed from DEC-0059).