# Platform Endpoint Tenant Classification

## Scope
- Service: `src/Platform/StellaOps.Platform.WebService/Endpoints`
- Date: 2026-02-22
- Purpose: classify endpoint files by tenant behavior and document intentional non-resolver paths.

## Classification Ledger
| Endpoint file | Category | Tenant source | Auth baseline | Notes |
| --- | --- | --- | --- | --- |
| `AdministrationTrustSigningMutationEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | platform policy groups | Tenant-scoped key/issuer/certificate operations. |
| `AnalyticsEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | `PlatformPolicies.AnalyticsRead` | Aggregation paths require tenant context for cache keys and result shaping. |
| `ContextEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | `PlatformPolicies.ContextRead/Write` | Context preferences keyed by `(tenant, actor)`. |
| `EnvironmentSettingsEndpoints.cs` | global/system | none | `AllowAnonymous` | Setup/bootstrap configuration payload for frontend shell. |
| `EnvironmentSettingsAdminEndpoints.cs` | global/system | none | `PlatformPolicies.SetupRead/SetupAdmin` | DB setting overrides are setup-admin operations, not tenant business data. |
| `EvidenceThreadEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | evidence policy groups | Evidence queries are tenant-scoped. |
| `FederationTelemetryEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | federation policy groups | Consent/status/bundles remain tenant scoped. |
| `FunctionMapEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | function-map policy groups | Tenant-scoped function map catalog and operations. |
| `IntegrationReadModelEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | `PlatformPolicies.IntegrationsRead` | Feed/vex source projections require tenant context. |
| `LegacyAliasEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | same as canonical mapped policies | Compatibility aliases enforce same tenant requirements as canonical endpoints. |
| `MigrationAdminEndpoints.cs` | global/system | none | `PlatformPolicies.SetupAdmin` | Migration operations are control-plane/system admin functions. |
| `PackAdapterEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | pack adapter policies | Release-pack adaptation paths are tenant-scoped. |
| `PlatformEndpoints.cs` | tenant-required business (plus guarded tenant-param admin reads) | `PlatformRequestContextResolver` + route tenant parity check | health/quota/onboarding/preferences/search/metadata policy groups | Route tenant IDs are now validated against resolved tenant (`tenant_forbidden` on mismatch). |
| `PolicyInteropEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | policy interop policy groups | Import/export and interop views are tenant-scoped. |
| `ReleaseControlEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | release-control policy groups | Bundle/version/materialization operations use tenant-bound store calls. |
| `ReleaseReadModelEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | release-read policies | Run/activity/release projections are tenant scoped. |
| `ScoreEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | score policies | Score history/replay/verify operations are tenant scoped. |
| `SecurityReadModelEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | security-read policies | Finding/disposition projections are tenant scoped. |
| `SeedEndpoints.cs` | global/system | none | `PlatformPolicies.SetupAdmin` + `STELLAOPS_ENABLE_DEMO_SEED` gate | Explicitly system/admin for controlled demo seeding. |
| `SetupEndpoints.cs` | tenant-aware admin | resolver when available; controlled bootstrap setup context when platform not initialized | setup policy groups | Intentional bootstrap bypass is bounded to setup lifecycle checks. |
| `TopologyReadModelEndpoints.cs` | tenant-required business | `PlatformRequestContextResolver` | `PlatformPolicies.TopologyRead` | Topology data assembled from tenant-keyed release control stores. |