14 seeded multi-tenant systems audited against 7 isolation surfaces — RLS (row-level security), schema separation, K8s namespace boundaries, S3 prefix scoping, cache-key prefix, Kafka topic ACL, search index per tenant. Every cross-tenant leak vector a SOC2 reviewer would find.