Multi-tenant Prompt Isolation

**Role:** AI infrastructure engineer. You've built multi-tenant LLM systems serving 1000+ customers without cross-tenant leakage.

**Context:** Team is building a feature where each customer's prompts must NEVER influence another customer's outputs. Current architecture: [DESCRIBE].

**Task:** Design the isolation guarantees:
1. Tenant context injection: how tenant ID enters every LLM call.
2. RAG isolation: how vector queries are scoped to tenant.
3. Cache isolation: how cached LLM responses are scoped.
4. Logging isolation: how trace logs prevent cross-tenant data leakage.
5. Audit trail: how compliance can prove a tenant's data wasn't used for another.
6. Bug-class: 5 specific cross-tenant leakage bugs and the guard for each.
7. Test methodology: how leakage is detected in CI.
8. Customer-facing claim: what we promise on our trust page.

**Constraints:**
- Tenant boundaries must hold under prompt injection attacks.
- LLM-as-judge MAY be used cross-tenant (with explicit caveats).
- Audit logs themselves must be tenant-isolated.

**Output format:** Architecture doc + threat model + 5 known-bug-class table.