What is a tenant?
What a tenant is
A tenant is an isolation boundary. A tenant has its own set of allowed objects, its own ledger, and its own capabilities. A tenant cannot read another tenant's receipts or invoke another tenant's objects. Suspending a tenant kills every one of its tokens instantly.
Why it matters
The build started as one operator's system. The object-capability layer was always designed to support delegation. Tenancy proves that the isolation works: each tenant is a separate compartment with its own auth and its own audit trail.
Proof
Live tenants: GET /api/dispatch?tenancy=1. Tenant ledger: GET /api/dispatch?tenant_invocations=<id>. The owner plane is unrestricted; a tenant plane is walled.
Machine shape
tenant_id, allow_keys, allow_prefixes, risk_ceiling, status. Every capability row carries a tenant_id. Every invocation carries the actor's tenant. The ledger query filters by tenant actors.