Tenant boundary
Receipt feeds don't cross orgs. Agent transfers between orgs require explicit countersign from both. Standard SaaS multi-tenancy — your org's data is yours.
Per-project ACLs within an org
org-public / members-only / private — see /use-cases/access-control.
Per-engineer attribution within an org
human_id captures the engineer. Cross-engineer queries respect ACL boundaries.
External sharing
Receipts can be shared via signed JWT links to external auditors / customers. Sharing doesn't move tenancy; it's a read-only view.
Org admin model
Single admin or multi-admin. Admins manage billing, ACLs, install tokens. Members can issue receipts. Granular roles in v0.8.
White-label tenancy
Enterprise tier white-label lets your org's receipts be signed by your domain. External viewers see your branding, not GenZAgents.