### security_tenancy

```{eval-rst}
.. plantuml::

   @startuml
   skinparam shadowing false
   skinparam packageStyle rectangle
   title Security & Tenancy — Namespaces, ACLs, TLS
   
   package "AlgoX2" {
     node "Namespace: tracto-prod" as NS {
       [Topic: features.*]
       [Topic: labels.*]
       [Topic: inference.events.*]
       [Topic: control.triggers.*]
     }
   }
   
   actor "Tracto Service Account\n(CN=tracto-prod)" as SA
   rectangle "mTLS / ACLs / Quotas" as SEC
   
   SA --> SEC : TLS client cert\nmap to principal
   SEC --> NS : allow produce/consume per topic\n(rate/byte quotas, retention, policy)
   
   note right
   - Per-tenant namespaces
   - ACLs per topic/prefix
   - Quotas (throughput, connections)
   - Audit logs
   end note
   @enduml