Per-Tenant Routing

Picks lowest-latency ACTIVE tunnel in allowed jurisdictions. Prefers preferred_tunnel_id. Checks compliance before routing. BLOCK/DIRECT fallback modes.

HMAC-SHA256 signed attestations. Redis 7-year TTL. Verify endpoint for audit. 10,000 cap per tenant. SOVEREIGN_ATTEST_KEY env var.

Adequacy decisions matrix: EU↔UK, EU↔CA, EU↔JP, EU↔CH. is_transfer_allowed() checks data class + source/dest jurisdiction. Non-adequate transfers blocked.