# Authority Routing Decision

**Decision ID:** DECISION-AUTH-001
**Status:** DEFAULT-APPROVED
**Effective Date:** 2025-12-06
**48h Window Started:** 2025-12-06T00:00:00Z

## Decision

Authority claim routing uses **RBAC-standard routing** patterns aligned with the existing `docs/security/scopes-and-roles.md`.

## Rationale

1. RBAC patterns are well-established and auditable
2. Consistent with the Authority module implementation
3. Supports multi-tenancy requirements
4. Compatible with external IdP integration (OIDC, SAML)

## Routing Matrix

| Claim | Source | Routing | Scope |
|-------|--------|---------|-------|
| `tenant_id` | Token/Session | Per-request | All endpoints |
| `project_id` | Token/Header | Per-request | Project-scoped |
| `user_id` | Token | Per-request | User-scoped |
| `role` | Token claims | Authorization | Role-based access |
| `scope` | Token claims | Authorization | Fine-grained access |

## Claim Priority

When claims conflict:

1. An explicit header overrides the token claim (only if the caller is authorized to do so)
2. The token claim is authoritative for identity
3. Session context provides defaults

## Implementation Pattern

```csharp
// Authority claim resolution
public class ClaimResolver : IClaimResolver
{
    public AuthorityContext Resolve(HttpContext context)
    {
        // IHeaderDictionary's indexer returns a StringValues struct, which is never null,
        // so `headers[...] ?? claim` cannot fall through to the token claim.
        // Use TryGetValue and fall back to the token claim when the header is absent.
        // Per "Claim Priority", honouring the header must additionally be gated on the
        // caller being authorized to override the token claim.
        var tenantId = context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantHeader)
            ? tenantHeader.ToString()
            : context.User.FindFirst("tenant_id")?.Value;

        var projectId = context.Request.Headers.TryGetValue("X-Project-Id", out var projectHeader)
            ? projectHeader.ToString()
            : context.User.FindFirst("project_id")?.Value;

        return new AuthorityContext(tenantId, projectId);
    }
}
```

## Impact

- Tasks unblocked: ~5
- Sprint files affected: SPRINT_0303

## Reversibility

To change routing patterns:

1. Update `docs/security/scopes-and-roles.md`
2. Get Authority Guild + Security Guild sign-off
3. Update `AuthorityClaimsProvider` implementations
4. Provide a migration path for existing integrations

## References

- [Scopes and Roles](../security/scopes-and-roles.md)
- [Auth Scopes](../security/auth-scopes.md)
- [Tenancy Overview](../security/tenancy-overview.md)
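As an added example (not the project's own `ClaimResolver`), the three Claim Priority rules applied to plain dictionaries standing in for request headers, token claims and session context, so it runs without ASP.NET. The scope name `authority:override-tenant` that gates the header override is an assumption, and a conflicting header from an unauthorized caller is rejected rather than silently ignored.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

public sealed record AuthorityContext(string? TenantId, string? ProjectId, string? UserId);

public static class ClaimPriority
{
    // Assumed scope name: the token must carry it for a header to override a token claim.
    const string OverrideScope = "authority:override-tenant";

    public static AuthorityContext Resolve(IReadOnlyDictionary<string, string> headers,
        IReadOnlyDictionary<string, string> claims, IReadOnlyDictionary<string, string> session)
    {
        // Rule 2: the token is authoritative for identity; user_id is never read from a header.
        var userId = claims.GetValueOrDefault("user_id");
        // Rule 1: a header may override a token claim only when the token grants the override scope.
        bool canOverride = claims.TryGetValue("scope", out var s)
            && Array.IndexOf(s.Split(' ', StringSplitOptions.RemoveEmptyEntries), OverrideScope) >= 0;
        var tenantId = Pick("X-Tenant-Id", "tenant_id", headers, claims, session, canOverride);
        var projectId = Pick("X-Project-Id", "project_id", headers, claims, session, canOverride);
        return new AuthorityContext(tenantId, projectId, userId);
    }

    static string? Pick(string header, string claim, IReadOnlyDictionary<string, string> headers,
        IReadOnlyDictionary<string, string> claims, IReadOnlyDictionary<string, string> session, bool canOverride)
    {
        claims.TryGetValue(claim, out var fromToken);
        if (headers.TryGetValue(header, out var fromHeader) && !string.IsNullOrEmpty(fromHeader))
        {
            // A header that disagrees with the token is a conflict; fail closed unless authorized.
            if (fromToken is not null && fromToken != fromHeader && !canOverride)
                throw new UnauthorizedAccessException(
                    $"{header} conflicts with token claim '{claim}' and caller lacks {OverrideScope}");
            return fromHeader;
        }
        // Rule 3: session only supplies a default when neither header nor token carries the claim.
        return fromToken ?? session.GetValueOrDefault(claim);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample token/session: tenant from the token, project only in the session.
        var claims = new Dictionary<string, string> { ["user_id"] = "u-42", ["tenant_id"] = "t-1", ["scope"] = "read" };
        var session = new Dictionary<string, string> { ["project_id"] = "p-default" };
        Console.WriteLine(ClaimPriority.Resolve(new Dictionary<string, string>(), claims, session));
        try { ClaimPriority.Resolve(new Dictionary<string, string> { ["X-Tenant-Id"] = "t-2" }, claims, session); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```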