H33
Isolation verified · June 2, 2026

Two tenants. One database.
Zero leakage.

Two tenants share the same canonical-auth runtime — same database, same code, same substrate signing keys. Their authority reconstructions are byte-distinct, their identifiers are structurally disjoint, and a cross-tenant injection attack returns ProvenanceBroken with zero active grants.

View the isolation matrix JSON Regulator Replay (Tenant A) Markdown report
What was proven · 10-second read

Three layers. Every cell of the matrix true.

01
fetch(A) returns only A's events; fetch(B) returns only B's events.
02
replay_until on each tenant produces distinct state_ids with disjoint identifiers.
03
Cross-tenant provenance attacks fail closed — verdict ProvenanceBroken, zero active grants.
Reading any H33 proof · the six questions

Same six answers. Different scope. The reader recognizes the machine.

  1. 1What happened?

    Two tenants sharing the same database, code, and signing keys produced distinct authority states with zero cross-tenant identifier leakage; an injection attack was rejected at the replay layer.

  2. 2Who had authority?

    Tenant A: princ_customer_9 (real). Tenant B: princ_customer_99001 (structural). Neither sees the other's authority.

  3. 3How was authority reconstructed?

    Three layers: storage filter quarantines events at fetch · independent replay_until per tenant bound to its own tenant_root · injection probe replays B's events under A's root and expects ProvenanceBroken.

  4. 4What state was produced?

    state_id(A) = 24a06e84…66f9db9 · state_id(B) = c11b3ca7…f116e20f15 · injection verdict ProvenanceBroken with 0 active grants.

  5. 5What artifact was returned?

    isolation-matrix.json — all three layers documented (storage / replay / injection), with quote-bound identifier searches included.

  6. 6How can a third party verify it?

    Run scif-backend tests/multi_tenant_isolation_001.rs at SHA 2be2df3f8; expect both state_ids, zero leakage, ProvenanceBroken on injection.

01Two tenants, structurally identical, cryptographically distinct

Tenant A · V101 first-proof real tenant

princ_customer_9

tenant_id
tenant_v101_44962d9b-…
root
princ_root_v101_44962d9b-…
authority_id
auth_44962d9b-…_v101_export
state_id
24a06e84…66f9db9
verdict
Valid
Tenant B · structural test tenant

princ_customer_99001

tenant_id
tenant_v101_7905888e-…
root
princ_root_v101_7905888e-…
authority_id
auth_7905888e-…_v101_export
state_id
c11b3ca7…f116e20f15
verdict
Valid

Both tenants registered the same policy_id = pol_v101_exporter_v1 independently (each with its own signed policy_register event). Both issued an export_content_bundle grant against that policy to their own customer principal. The grants are structurally identical but cryptographically distinct — different authority_id, different granted_by, different granted_to, different 148-hex signature.

Tenant B's creator_uuid was derived from the locked NS_H33_CREATORS_V1 namespace: uuid5(NS_H33_CREATORS_V1, "99001") = 7905888e-…. Same derivation Tenant A used; deterministic and reproducible.

02Three layers tested

Layer 1

Store — PostgresEventLogSource

Pass

fetch(TENANT_A) returned only A's two events. fetch(TENANT_B) returned only B's two events. Quote-bounded substring checks confirmed: A's events contain zero of B's identifiers; B's events contain zero of A's. Positive sanity: each tenant's own root identifier was found in its own blob.

Layer 2

Replay — replay_until

Pass

Both replays returned verdict Valid. The two state_ids are byte-distinct. A's snapshot JSON contains zero of B's identifiers, and vice versa. Each snapshot contains exactly one active grant — its own.

Layer 3

Injection — A's events under B's root

Rejected · ProvenanceBroken

A malicious caller fed Tenant A's events to replay_until with Tenant B's tenant_root_principal claimed as the root authority. The "No Derived Authority Without Provenance" invariant rejected the attack:

verdict       = ProvenanceBroken
active_grants = 0

Because A's grants were granted by princ_root_v101_44962d9b-…, not by princ_root_v101_7905888e-…, the chain to the claimed root cannot be reconstructed. The replay engine does not return "partial" authority — it returns no authority and a clear verdict explaining why.

03Why this is different

Most "multi-tenant" systems rely on a WHERE clause and trust the developer to write it correctly every time. H33's isolation is structural: the replay engine doesn't have a global view; it has the events it's given plus a claimed root, and it refuses to derive authority that can't trace to that root. The injection test isn't theatrical — it's the actual attack a misconfigured query would produce. The engine catches it at the provenance layer, not at the database layer, because the database layer is allowed to be wrong.

This is what "No Derived Authority Without Provenance" buys: the failure mode is verdict ProvenanceBroken, observable, auditable, and zero authority — never "almost the right thing" or "a partial leak."

04Isolation matrix

PropertyResult
fetch(A) returns only Atrue
fetch(B) returns only Btrue
A events contain no B identifierstrue
B events contain no A identifierstrue
state_id(A) ≠ state_id(B)true
A snapshot contains no B identifierstrue
B snapshot contains no A identifierstrue
Injection (A events, B root) rejectedtrue (ProvenanceBroken)
Injection active_grants after attack0

Full machine-readable artifact: isolation-matrix.json.

05Independent reconstruction

A third party with read access to canonical_auth_events for both tenants, plus the test harness, reproduces this proof:

H33_TEST_PG_URL='postgres://…?sslmode=require' \
  cargo test --test multi_tenant_isolation_001 -- --ignored --nocapture

Expected outputs (byte-identical):

state_id_A = 24a06e845ce573dd773298451ad9a05da213cea52068e8b93e054ae9166f9db9
state_id_B = c11b3ca74742c191bf1f2846970f91a104b78a2e375bcceef23c48f116e20f15
injection verdict = ProvenanceBroken, active_grants = 0

06Known limitations

  1. Tenant B is structural, not a real customer. A's identity chain reaches all the way to Auth1 (real EdDSA Bearer, real OTP login, real audit trail). B's identity chain stops at the canonical event log. Sufficient to prove isolation, not sufficient to be a "second customer." When the first second-customer proof lands, B gets replaced.
  2. Two tenants, not many. Scale-of-isolation (10, 100, 10,000 tenants) is not yet measured. Belongs in Proof #5 (Scale).
  3. Single point-in-time check. Isolation verified at one moment with one event set per tenant. Continuous isolation under churn (grants and revokes interleaved across tenants) is not yet tested.
  4. Bundle issuance for Tenant B not exercised. Tenant B's grant resolved correctly in replay; whether the V101 bundle-issue endpoint produces an anchored receipt for B is not part of this proof.
  5. Same signing keys for both tenants. The isolation proven is at the application layer. Cryptographic isolation (different keys per tenant) is a different proof not yet undertaken.

07Evidence appendix

FieldValue
state_id(A)24a06e845ce573dd773298451ad9a05da213cea52068e8b93e054ae9166f9db9
state_id(B)c11b3ca74742c191bf1f2846970f91a104b78a2e375bcceef23c48f116e20f15
Injection verdictProvenanceBroken
Injection active_grants0
Replay-until T (ms)1800000000000
Tenant A events count2
Tenant B events count2
Tenant B creator_uuid derivationuuid5(NS_H33_CREATORS_V1, "99001") = 7905888e-…
Isolation matrixisolation-matrix.json
Harness sourcetests/multi_tenant_isolation_001.rs (scif-backend @ 2be2df3f8)
Upstream proofRegulator Replay #001
Original V101 bundled9adcfb0-…692b ↗

08Deployment commit SHAs

ComponentSHA
scif-backend (isolation harness)2be2df3f8 — proof(canonical-auth): #3 Multi-Tenant Isolation reconstruction test
scif-backend (regulator replay harness)d310d8134 — proof(canonical-auth): #2 Regulator Replay reconstruction test
scif-backend (runtime)99756176c — fix(canonical-auth): background JWKS refresh
auth1 (deployed)2f49d0a — Auth1 Phase 2 canonical-token endpoint
V101 (deployed)68034b1 — V101 Content Bundle endpoint

09Readiness determination

Determination

Multi-Tenant Isolation: PROVEN IN OPERATION for two tenants at one moment in time, with structural Tenant B.

What this unlocks: customer conversations about "what happens if you onboard a second customer; what happens if you serve a competitor; what happens if you make a typo in a WHERE clause." The answer is the isolation matrix.

What this does not unlock: scale-of-isolation (#5), continuous-churn isolation, cryptographic isolation (different signing keys per tenant), or commercial-second-customer claims. Each earns its own published proof.

Strict wording

Tenant B is structural, not a real customer. When the first second-real-customer proof lands, B is replaced. The isolation property being proven is structural; promotion to "two real production customers" earns its own published proof against the same yardstick.

Issued by H33, Inc. · Eric Beans, CEO · 2026-06-02

Independently reconstructable. Inputs: Tenant A's replay (Proof #2) · canonical event log access · harness at scif-backend @ 2be2df3f8.