SHAIP Multi-Tenant Operator Dashboard

Gateway connection
JWTs live in the browser only — never sent anywhere except the gateway.
Paste both tenants' JWTs above and click Connect. JWTs are obtained via the Okta M2M client-credentials grant — the provision_tenant.py output bundle in Secrets Manager holds the client_id + client_secret needed.

Five-layer isolation evidence

Static map from docs/multi-tenant-readiness.md. Each layer's status badge updates when the corresponding live probe in the cross-tenant section below fires.

  1. L1 — Identity: Okta server-stamps tenant_id; JWT signature + iss + aud + exp verified at the authorizer [status: untested]
  2. L2 — Authz read: STS-tagged session + DDB ResourcePolicy with dynamodb:LeadingKeys [status: untested]
  3. L3 — Agent registry: owner_tenant_id filter — tenants see only their own + _platform-shared agents [status: untested]
  4. L4 — Tool calls: tenant_injector REQUEST interceptor injects tenant_id into every tool argument [status: untested]
  5. L5 — Audit: Every audit row carries tenant_id; S3 Object Lock COMPLIANCE retention [status: untested]

Cross-tenant denial probes

Live probes against the deployed gateway. Each row asserts the cross-tenant invariant — Acme cannot read Globex's resources. All must report PASS for the multi-tenant guarantee to hold.

Layer | Probe | Expected | Got | Result
Run isolation probes to populate.