Customer data isolation

Compliance-grade separation between customers, enforced by construction — separate databases, separate Pages projects, no cross-customer queries.

Trigger

STM and Transgesco are separate customers despite both currently sitting under the OneDrive - STM folder. Transgesco's mandate explicitly requires IT autonomy separate from STM, with PL-104 / LCOM compliance implications. TFD-0019 Context

How it's enforced (EA catalog example)

  • One D1 database per customer. Database name = customer slug (transgesco, stm). TFD-0019 §2 + §4
  • Each DAE is a tagged catalog inside the customer's database (catalogs.dae + catalog discriminators), so cross-DAE queries within a customer are fine; cross-customer queries are structurally impossible.
  • A single shared D1 with a customer column was rejected outright. TFD-0019 Alternatives
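The per-customer layout above, as an added illustration that is not part of TFD-0019 or the EA catalog code: a SQLite file per customer slug stands in for the per-customer D1 binding, the slug allowlist and the `catalogs.dae` discriminator column are assumed, and the point is that no handle ever spans two customers, so there is no `WHERE customer = ?` clause to forget.

```python
import re
import sqlite3

# Assumed stand-in for the per-customer D1 bindings: one SQLite database
# (in-memory here) per customer slug. Slugs come from a fixed allowlist so a
# request can never name a database other than its own customer's.
CUSTOMER_SLUGS = {"transgesco", "stm"}
SLUG_RE = re.compile(r"^[a-z][a-z0-9-]{1,31}$")
_connections: dict[str, sqlite3.Connection] = {}


def customer_db(slug: str) -> sqlite3.Connection:
    """Return the single handle for one customer; any other slug is refused."""
    if not SLUG_RE.match(slug) or slug not in CUSTOMER_SLUGS:
        raise PermissionError(f"unknown customer slug: {slug!r}")
    conn = _connections.get(slug)
    if conn is None:
        conn = sqlite3.connect(":memory:")  # constructed stand-in for D1 named `slug`
        # Assumed schema: every catalog row is tagged with its DAE via the
        # `dae` discriminator column, so DAEs share one customer database.
        conn.execute("CREATE TABLE catalogs (dae TEXT NOT NULL, item TEXT NOT NULL)")
        _connections[slug] = conn
    return conn


def add_item(slug: str, dae: str, item: str) -> None:
    conn = customer_db(slug)
    conn.execute("INSERT INTO catalogs (dae, item) VALUES (?, ?)", (dae, item))
    conn.commit()


def items_for_dae(slug: str, dae: str) -> list[str]:
    """Scoped to one DAE; the customer boundary is the handle, not a predicate."""
    rows = customer_db(slug).execute(
        "SELECT item FROM catalogs WHERE dae = ? ORDER BY item", (dae,)
    )
    return [r[0] for r in rows]


def all_items(slug: str) -> list[str]:
    """Cross-DAE within a customer is fine: no filter, still only that customer's rows."""
    rows = customer_db(slug).execute("SELECT item FROM catalogs ORDER BY item")
    return [r[0] for r in rows]
```

A query that omits the `dae` filter still only reaches the calling customer's rows, which is the property a shared table with a customer column cannot give.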

Implication for Maya

Each Maya deployment reads only its configured corpus_path. No cross-tenant leakage. Citations always include source path. This is not a v1 nice-to-have — it's a TFD-0019-grade compliance constraint that propagates to every talent. [WO-0008 order.md Scope/Compliance]
