# Multi-Tenant Same-Key Acceptance Matrix Date: 2026-02-22 Source sprint: `SPRINT_20260222_053_DOCS_multi_tenant_same_api_key_contract_baseline.md` Used by sprint: `SPRINT_20260222_060_FE_playwright_multi_tenant_end_to_end_matrix.md` ## Scope - Validate tenant selection and tenant isolation behavior for: - Platform + Topology APIs - Scanner APIs (scans, triage, webhooks, unknowns) - Graph APIs - Web primary pages with global tenant selector ## Status Matrix (API) | Area | Representative route(s) | Valid tenant | Missing tenant | Cross-tenant attempt | Required evidence | | --- | --- | --- | --- | --- | --- | | Platform context | `/api/v1/platform/context/preferences` | `200` tenant-scoped preferences | deterministic auth/context rejection | `403/404` (tenant mismatch/forbidden) | Command output + payload snippets + test assertion output | | Platform topology | `/api/v1/platform/topology/*` | `200` tenant-scoped topology | deterministic auth/context rejection | `403/404` | Integration test output with overlapping IDs across two tenants | | Scanner scans | `/api/v1/scans/*` | `200/202` for owned scans | deterministic auth/context rejection | `403/404` on non-owned scan id | Test output for scan ownership + replay/read paths | | Scanner triage | `/api/v1/triage/*` | `200` for tenant-owned findings | deterministic auth/context rejection | `404` on non-owned finding id | Test output for triage query/status/isolation cases | | Scanner webhooks | `/api/v1/webhooks/{provider}/{sourceName}` | `2xx` only for tenant-scoped source mapping | `400 tenant_missing` (where required) | deterministic reject/no cross-dispatch | Test output showing same `sourceName` across tenants does not collide | | Scanner unknowns | `/api/v1/unknowns/*` | `200` tenant-scoped list/detail | deterministic auth/context rejection | `404` cross-tenant detail/evidence/history | Test output for unknown detail isolation | | Graph query/search/export | `/api/v1/graph/*` | `200` for authorized tenant + scopes | deterministic auth/context rejection | `403/404` mismatch + ownership denial | Graph API test output with auth + tenant negative paths | ## Status Matrix (UI Pages) | Page group | Routes | Expected tenant indicator behavior | Expected backend call behavior | Negative assertion | | --- | --- | --- | --- | --- | | Mission Control | `/mission-control/*` | Header selector shows selected tenant name and persists after navigation | Requests carry canonical tenant context | No stale content from previous tenant after switch | | Releases | `/releases/*` | Tenant selector remains available; selected tenant stable | Tenant-scoped API calls after switch | No cross-tenant release data visible | | Security | `/security/*` | Selected tenant remains active across subroutes | Scanner/Graph-related requests reflect selected tenant | No findings/advisories leak from previous tenant | | Evidence | `/evidence/*` | Selected tenant persists through refresh | Tenant-scoped evidence requests | No evidence thread from previous tenant persists post-switch | | Ops | `/ops/*` | Tenant context remains globally applied | Platform/ops requests include selected tenant context | No mixed-tenant cards/widgets | | Setup | `/setup/*` | Selector remains visible and stable | Topology/setup reads align with selected tenant where tenant-scoped | No topology entities from previous tenant | | Admin | `/administration/*` (or equivalent admin routes) | Selector persists and selected tenant is clear | Authority admin reads operate in selected tenant scope | No client/user entries leaked from other tenant | ## Required Artifacts - Tier 2a: - Raw command outputs for Platform/Scanner/Graph targeted verification. - Response/status assertions for valid, missing, and cross-tenant requests. - Tier 2c: - Playwright command output. - Trace zip and screenshots for tenant switch and post-switch navigation checks. - Desktop and mobile viewport results. - Cross-cutting: - Test counts from targeted runs (not suite totals only). - List of new tests written and bugs fixed (if any). - Final go/no-go decision + residual risks. ## Pass/Fail Gate - Pass: - All matrix rows have deterministic positive and negative-path evidence. - No unresolved cross-tenant leakage failures. - Fail: - Any cross-tenant leakage, nondeterministic auth behavior, or missing Tier 2 evidence blocks rollout.