# Tenant Isolation & Redaction Manifest (FL5)

**Purpose:** Document how Findings Ledger enforces tenant boundaries and which fields are redacted in deterministic exports.

## Isolation controls

- Storage: all ledger, projection, history, and merkle tables are **LIST-partitioned by `tenant_id`** (PostgreSQL). Cross-tenant queries are disallowed at the repository level.
- Queueing: Merkle batches and projector pipelines are keyed by `(tenant_id, chain_id)`; no mixing.
- Exports: `/ledger/export/*` requires `X-Stella-Tenant`; the service rejects multi-tenant requests.
- Hashing: event/projection hashes include `tenant_id` as part of the canonical envelope, preventing replay across tenants.

## Redaction policy

- User-generated content (comments, attachment metadata) is excluded from compact exports and masked in canonical exports per the manifest.
- Actor identifiers are truncated to their realm (`user:`); emails/PII are never emitted.
- Evidence bundle references are retained, but inline evidence payloads are not stored in the ledger.

## Manifest

- Path: `docs/modules/findings-ledger/redaction-manifest.yaml` (JSON twin: `redaction-manifest.json` for offline tooling).
- Content: declarative list of fields redacted or truncated for each export shape.
- The manifest's checksum is pinned in `docs/modules/findings-ledger/golden-checksums.json`; the sha256 must match before release.

### Applying the manifest

- Canonical exports apply `redact: mask` rules only to PII (`actorId`, `comment`); compact exports drop (`drop: true`) the same fields plus verbose rationale arrays.
- Log pipelines ensure `event_body` is never written to logs; only metadata/hashes appear (see `observability.md`).

## Validation steps

1. `sha256sum docs/modules/findings-ledger/redaction-manifest.yaml` matches `golden-checksums.json`.
2. Run `python tools/LedgerReplayHarness/scripts/verify_export.py --input fixtures/golden/findings-canonical.ndjson --schema export.v1.canonical --manifest docs/modules/findings-ledger/redaction-manifest.json` (the script enforces mask/drop rules offline).
3. Confirm export responses in staging omit masked fields for the requesting tenant.
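The mask/drop semantics above and the offline check in step 2, as an added example that is not the project's `verify_export.py`: it assumes a simplified manifest layout (one rule list per export shape, each rule carrying `field` plus `redact: mask` or `drop: true`) and a constructed sample record, and shows both applying the rules and detecting an export that violates them.

```python
# Added example (not project code): apply manifest-style mask/drop rules to an
# NDJSON export record and verify an export against them offline.
import copy
import json
# Constructed manifest, one rule list per export shape (assumed layout, not the
# real redaction-manifest.json).
MANIFEST = {
    "export.v1.canonical": [{"field": "actorId", "redact": "mask"},
                            {"field": "comment", "redact": "mask"}],
    "export.v1.compact": [{"field": "actorId", "drop": True},
                          {"field": "comment", "drop": True},
                          {"field": "rationale", "drop": True}],
}
# Constructed sample record; tenantId and hash must survive redaction.
RAW = {"eventId": "evt-1", "tenantId": "t-acme", "hash": "sha256:constructed",
       "actorId": "user:alice@example.com", "comment": "looks exploitable",
       "rationale": ["rule A matched", "rule B matched"]}

def mask_value(field, value):
    # Actor ids keep only the realm prefix ("user:"); other PII is blanked.
    # Masking is idempotent, so mask_value(f, v) == v means v is already masked.
    if field == "actorId":
        realm, sep, _ = str(value).partition(":")
        return realm + sep if sep else "***"
    return "[redacted]"

def apply_manifest(record, manifest, shape):
    """Return a redacted copy of record for the given export shape."""
    out = copy.deepcopy(record)
    for rule in [r for r in manifest[shape] if r["field"] in out]:
        if rule.get("drop"):
            del out[rule["field"]]
        elif rule.get("redact") == "mask":
            out[rule["field"]] = mask_value(rule["field"], out[rule["field"]])
    return out

def to_ndjson(records):
    return [json.dumps(r, sort_keys=True) for r in records]

def verify_export(ndjson_lines, manifest, shape):
    """List (line_no, field) violations: dropped field present or mask not applied."""
    bad = []
    for n, line in enumerate(ndjson_lines, 1):
        rec = json.loads(line)
        for rule in [r for r in manifest[shape] if r["field"] in rec]:
            f = rule["field"]
            if rule.get("drop") or mask_value(f, rec[f]) != rec[f]:
                bad.append((n, f))
    return bad
```

Running `verify_export` over a canonical fixture with the canonical rule set should return an empty list; any non-empty result names the line and field that leaked.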