The tenancy model
Every typed record carries an organization id, a tenant id, and a classification. The runtime resolves the tenant context from the request and refuses cross-tenant reads or writes at every storage boundary.
Admin surfaces
The /admin route exposes org-wide metrics, user management, billing overview, case audits, plans, guardrails, compliance, and review queues. Admin actions are typed and audited like any other tool call.
SSO and SCIM
SAML / OIDC SSO and SCIM provisioning are wired through apps/web/app/api/scim and the auth routes. Group membership maps to role-based capabilities (workspace admin, reviewer, analyst, guest).
BYOK
Tenants that require it can bring their own KMS keys. Encrypted storage (packages/storage) reads keys from the tenant scope before encrypting tenant-restricted or secret-class payloads.