
Tenants

Principal-bound isolation, proven. Policy 07 permits an action only when the principal's tenant matches the resource's tenant. A tenant-A call against tenant-B data is denied with the reason chain shown.

Same tenant

PERMIT
  principal: tenant = tenant-A
  action:    getAccount
  resource:  ACC-1 · tenant = tenant-A

The agent acts as a tenant-A principal on a tenant-A account. The read is permitted (policy 03, with PII redaction applied).

Allowed: User::"agent" Action::"getAccount" on Account::"ACC-1" - policy 03-hubspot-pii-redacted (ASI04 Data Exfiltration - HubSpot account and contact reads are permitted only when agent-shield will apply PII redaction to the response. Mitigates leakage of PII into LLM context or downstream tool calls.).

  • [PERMIT] 03-hubspot-pii-redacted: ASI04 Data Exfiltration - HubSpot account and contact reads are permitted only when agent-shield will apply PII redaction to the response. Mitigates leakage of PII into LLM context or downstream tool calls.

Cross tenant

DENY
  principal: tenant = tenant-A
  action:    getAccount
  resource:  ACC-8 · tenant = tenant-B

The identical request against a tenant-B account is denied. Only the resource tenant changed; policy 07 forbids the crossing.

Denied: User::"agent" Action::"getAccount" on Account::"ACC-8" - forbidden by policy 07-tenant-isolation (ASI06 Inter-Agent / Cross-Boundary - Cross-tenant access is denied. A principal may only act on resources within its own tenant; principal.tenant must equal resource.tenant.).

  • [FORBID] 07-tenant-isolation: ASI06 Inter-Agent / Cross-Boundary - Cross-tenant access is denied. A principal may only act on resources within its own tenant; principal.tenant must equal resource.tenant.

Both decisions are evaluated through agent-shield against the same policy 07 the agent enforces. Only the resource tenant differs between the two requests.

The policy that decides

One forbid rule, enforced on every tool call. There is no allow-list of tenant pairs to maintain; the crossing itself is what the policy denies.

@id("07-tenant-isolation")
@asi("ASI06 Inter-Agent / Cross-Boundary")
forbid ( principal, action, resource )
when {
  principal has tenant && resource has tenant
  && principal.tenant != resource.tenant
};
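The two decisions above follow from Cedar's evaluation order: a matching forbid overrides every permit, and without a matching permit the result is deny. The following is an added example, not agent-shield's code, that models that rule for policies 03 and 07 in plain Python; the permit condition for policy 03 is an assumption (the page states only its effect), and the untagged account ACC-X is a constructed input that shows what the `has` guards in policy 07 imply.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    kind: str
    id: str
    attrs: dict = field(default_factory=dict)

def has(entity, attr):
    # Mirrors Cedar's `has` test: attribute presence, not value
    return attr in entity.attrs

def policy_03_permit(principal, action, resource):
    # Assumed condition: account reads are permitted (redaction is applied
    # downstream by agent-shield, which this model does not reproduce)
    return action == "getAccount" and resource.kind == "Account"

def policy_07_forbid(principal, action, resource):
    # The page's rule: forbid only when both sides carry a tenant
    # and the tenants differ
    return (has(principal, "tenant") and has(resource, "tenant")
            and principal.attrs["tenant"] != resource.attrs["tenant"])

PERMITS = {"03-hubspot-pii-redacted": policy_03_permit}
FORBIDS = {"07-tenant-isolation": policy_07_forbid}

def authorize(principal, action, resource):
    """Cedar decision rule: any matching forbid -> DENY; otherwise at
    least one matching permit is required; no match at all -> DENY."""
    forbids = [f"[FORBID] {pid}" for pid, rule in FORBIDS.items()
               if rule(principal, action, resource)]
    if forbids:
        return "DENY", forbids
    permits = [f"[PERMIT] {pid}" for pid, rule in PERMITS.items()
               if rule(principal, action, resource)]
    return ("PERMIT", permits) if permits else ("DENY", ["no matching permit"])

# Constructed entities matching the two requests on the page, plus one
# account with no tenant attribute at all
agent = Entity("User", "agent", {"tenant": "tenant-A"})
acc1 = Entity("Account", "ACC-1", {"tenant": "tenant-A"})
acc8 = Entity("Account", "ACC-8", {"tenant": "tenant-B"})
untagged = Entity("Account", "ACC-X", {})

if __name__ == "__main__":
    for res in (acc1, acc8, untagged):
        decision, reasons = authorize(agent, "getAccount", res)
        print(res.id, decision, reasons)
```

The third case is the caveat: because policy 07 is guarded by `resource has tenant`, an account that was never tagged with a tenant is not protected by it and falls through to whatever permits apply, so tenant tagging of every resource is part of the isolation guarantee.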