# Multi-tenancy

## Purpose

- Ensure strict tenant isolation across APIs, storage, and observability.

## Tenant lifecycle

- Create tenants with scoped roles and default policies.
- Suspend or retire tenants with audit records.
- Migrations and data retention follow governance policy.

## Isolation model

- Tokens carry tenant identifiers and scopes.
- APIs require tenant headers; cross-tenant actions are explicit.
- Datastores enforce tenant_id and RLS where supported.

## Observability

- Metrics, logs, and traces always include tenant.
- Cross-tenant access attempts emit audit events.

## Offline posture

- Offline bundles are tenant scoped.
- Tenant list in offline mode is limited to snapshot contents.

## Related references

- security/identity-tenancy-and-scopes.md
- security/row-level-security.md
- docs/operations/multi-tenancy.md
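
The isolation and observability rules above, sketched as a request-time check. This is an added example, not this project's code. It assumes the token has already been verified, and the header name `X-Tenant-Id`, the claim keys `tenant_id` and `scopes`, and the scope string `tenant:cross` are hypothetical.

```python
import json
import logging
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed names, not taken from the page: the header, the claim keys
# ("tenant_id", "scopes") and the explicit cross-tenant scope string.
TENANT_HEADER = "x-tenant-id"
CROSS_TENANT_SCOPE = "tenant:cross"
audit_log = logging.getLogger("audit")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tenant: Optional[str]  # tenant the request may act on, None when denied
    reason: str


def authorize_tenant(claims: dict, headers: dict,
                     emit: Optional[Callable[[dict], None]] = None) -> Decision:
    """Match the verified token's tenant against the tenant header; fail closed."""
    emit = emit or (lambda event: audit_log.warning(json.dumps(event)))
    token_tenant = claims.get("tenant_id")
    # HTTP header names are case-insensitive, so normalise before lookup.
    requested = {k.lower(): v for k, v in headers.items()}.get(TENANT_HEADER)

    def decide(allowed: bool, reason: str, audit: bool = True) -> Decision:
        if audit:  # audit events always carry both tenants
            emit({"event": "tenant_access", "token_tenant": token_tenant,
                  "requested_tenant": requested, "allowed": allowed,
                  "reason": reason})
        return Decision(allowed, requested if allowed else None, reason)

    if not token_tenant or not requested:
        return decide(False, "missing_tenant")
    if requested == token_tenant:
        return decide(True, "same_tenant", audit=False)
    # Cross-tenant: allowed only with the explicit scope, audited either way.
    if CROSS_TENANT_SCOPE in claims.get("scopes", ()):
        return decide(True, "explicit_cross_tenant")
    return decide(False, "cross_tenant_denied")


if __name__ == "__main__":
    # Constructed sample: an "acme" token asking for "globex" data.
    logging.basicConfig(level=logging.WARNING)
    claims = {"tenant_id": "acme", "scopes": ["orders:read"]}
    print(authorize_tenant(claims, {"X-Tenant-Id": "globex"}))
```

The returned `tenant` is the only value that should be handed to the datastore layer, so the `tenant_id` filter or RLS setting never comes from an unchecked header.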