stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Refactor code structure for improved readability and maintainability; removed redundant code blocks and optimized function calls.
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
api-governance / spectral-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
master
2025-11-20 07:50:52 +02:00
parent 616ec73133
commit 10212d67c0
473 changed files with 316758 additions and 388 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
docs/modules/authority/tenant-scope-47-001.md Normal file
View File

@@ -0,0 +1,36 @@
# AUTH-TEN-47-001 · Tenant Scope Contract (v1)
Purpose: define tenant scoping fields and enforcement expectations so Concelier tasks (CONCELIER-TEN-48-001) can proceed without merging behavior.
## Data contract
- `tenantId` (string, required): immutable per request; canonical form `urn:tenant:{uuid}`.
- `issuer` (string, required): authority instance issuing the token; aids audit.
- `scopes` (array<string>, required): must include `concelier.read` or `concelier.linkset.read` for evidence fetch; `concelier.linkset.write` for backfill/ingest; `concelier.tenant.admin` for tenancy capabilities endpoint.
- `capabilities` (object, optional):
- `mergeAllowed` (bool, default false): must remain false for Link-Not-Merge paths.
- `offlineAllowed` (bool, default true): governs offline bundle use.
- `attribution` (object, optional):
- `actor` (string): subject or client-id.
- `traceId` (string): optional trace correlation.
- `issuedAt` (string, ISO-8601 UTC), `expiresAt` (string, ISO-8601 UTC): required for enforcement.
## Enforcement rules (Authority)
- Tokens missing `tenantId` or `concelier.*` scopes are rejected with 403 and error code `auth/tenant-scope-missing`.
- `mergeAllowed` must be evaluated server-side; clients cannot set true when Link-Not-Merge mode is active.
- Refresh/rotation must preserve `tenantId`; changing tenant requires re-auth.
## Fixtures
- JSON fixture: `docs/modules/authority/fixtures/auth-ten-47-001.json` (included) shows a minimal token payload.
- Determinism: field order canonicalized lexicographically for hashing; timestamps normalized to `Z`.
## Actions for consumers (Concelier)
- Validate `tenantId` present and stable across request and event emission.
- Expose `/capabilities/tenant` endpoint echoing `tenantId`, scopes, and `mergeAllowed=false` when LNM is enabled.
- Log `tenantId`, `actor`, and `traceId` on every linkset backfill or advisory read for audit.
## Owners
- Authority Guild (contract)
- Concelier Core Guild (consumer)
## Change control
- Add-only evolution. New capabilities must default to the most restrictive value.