# AUTH-TEN-47-001 · Tenant Scope Contract (v1)

Purpose: define tenant scoping fields and enforcement expectations so Concelier tasks (CONCELIER-TEN-48-001) can proceed without merging behavior.

## Data contract
- `tenantId` (string, required): immutable per request; canonical form `urn:tenant:{uuid}`.
- `issuer` (string, required): authority instance issuing the token; aids audit.
- `scopes` (array, required): must include `concelier.read` or `concelier.linkset.read` for evidence fetch; `concelier.linkset.write` for backfill/ingest; `concelier.tenant.admin` for tenancy capabilities endpoint.
- `capabilities` (object, optional):
  - `mergeAllowed` (bool, default false): must remain false for Link-Not-Merge paths.
  - `offlineAllowed` (bool, default true): governs offline bundle use.
- `attribution` (object, optional):
  - `actor` (string): subject or client-id.
  - `traceId` (string): optional trace correlation.
- `issuedAt` (string, ISO-8601 UTC), `expiresAt` (string, ISO-8601 UTC): required for enforcement.

## Enforcement rules (Authority)
- Tokens missing `tenantId` or `concelier.*` scopes are rejected with 403 and error code `auth/tenant-scope-missing`.
- `mergeAllowed` must be evaluated server-side; clients cannot set true when Link-Not-Merge mode is active.
- Refresh/rotation must preserve `tenantId`; changing tenant requires re-auth.

## Fixtures
- JSON fixture: `docs/modules/authority/fixtures/auth-ten-47-001.json` (included) shows a minimal token payload.
- Determinism: field order canonicalized lexicographically for hashing; timestamps normalized to `Z`.

## Actions for consumers (Concelier)
- Validate `tenantId` present and stable across request and event emission.
- Expose `/capabilities/tenant` endpoint echoing `tenantId`, scopes, and `mergeAllowed=false` when LNM is enabled.
- Log `tenantId`, `actor`, and `traceId` on every linkset backfill or advisory read for audit.
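
The sketch below checks a token payload against the data contract and enforcement rules above and computes the deterministic hash described under Fixtures. It is an added example, not code from Authority or Concelier. Assumptions: the operation names, the 401 status with the `example/token-not-current` code, treating a malformed `tenantId` as missing, and SHA-256 over compact JSON with second-precision timestamps.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

TENANT_RE = re.compile(r"^urn:tenant:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Operation names are hypothetical; the scope sets come from the data contract.
SCOPES_FOR = {
    "evidence-fetch": {"concelier.read", "concelier.linkset.read"},
    "backfill-ingest": {"concelier.linkset.write"},
    "tenant-capabilities": {"concelier.tenant.admin"},
}

def parse_utc(value):
    """Parse an ISO-8601 timestamp with an explicit offset and convert it to UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no UTC designator")
    return parsed.astimezone(timezone.utc)

def authorize(token, operation, now, lnm_active=True):
    """Return (status, error_code, effective_capabilities) for one request."""
    tenant = str(token.get("tenantId", ""))  # malformed is treated as missing (assumption)
    scopes = set(token.get("scopes") or [])
    if not TENANT_RE.match(tenant) or not scopes & SCOPES_FOR[operation]:
        return 403, "auth/tenant-scope-missing", None
    try:
        if not parse_utc(token["issuedAt"]) <= now < parse_utc(token["expiresAt"]):
            raise ValueError("outside validity window")
    except (KeyError, TypeError, ValueError, AttributeError):
        return 401, "example/token-not-current", None  # hypothetical status and code
    claimed = token.get("capabilities") or {}  # claims only; the server decides below
    return 200, None, {
        "mergeAllowed": bool(claimed.get("mergeAllowed", False)) and not lnm_active,
        "offlineAllowed": bool(claimed.get("offlineAllowed", True)),
    }

def canonical_hash(token):
    """Hash the payload with sorted keys and timestamps rewritten to the Z form."""
    doc = dict(token)
    for field in ("issuedAt", "expiresAt"):
        doc[field] = parse_utc(doc[field]).strftime("%Y-%m-%dT%H:%M:%SZ")
    encoded = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()  # SHA-256 is an assumption

# Constructed sample payload (not the repository fixture); it claims mergeAllowed=true.
SAMPLE = {"tenantId": "urn:tenant:3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b",
          "scopes": ["concelier.linkset.read"], "capabilities": {"mergeAllowed": True},
          "issuedAt": "2025-01-01T00:00:00+00:00", "expiresAt": "2025-01-01T01:00:00Z"}
```

With Link-Not-Merge active, the sample's claimed `mergeAllowed: true` comes back as `False` in the effective capabilities, which is the value a `/capabilities/tenant` response would echo.
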
## Owners
- Authority Guild (contract)
- Concelier Core Guild (consumer)

## Change control
- Add-only evolution. New capabilities must default to the most restrictive value.