AUTH-TEN-47-001 · Tenant Scope Contract (v1)

Purpose: define tenant scoping fields and enforcement expectations so Concelier tasks (CONCELIER-TEN-48-001) can proceed without merging behavior.

Data contract

tenantId (string, required): immutable per request; canonical form urn:tenant:{uuid}.
issuer (string, required): authority instance issuing the token; aids audit.
scopes (array, required): must include concelier.read or concelier.linkset.read for evidence fetch; concelier.linkset.write for backfill/ingest; concelier.tenant.admin for tenancy capabilities endpoint.
capabilities (object, optional):
- mergeAllowed (bool, default false): must remain false for Link-Not-Merge paths.
- offlineAllowed (bool, default true): governs offline bundle use.
attribution (object, optional):
- actor (string): subject or client-id.
- traceId (string): optional trace correlation.
issuedAt (string, ISO-8601 UTC), expiresAt (string, ISO-8601 UTC): required for enforcement.

Tokens missing tenantId or concelier.* scopes are rejected with 403 and error code auth/tenant-scope-missing.
mergeAllowed must be evaluated server-side; clients cannot set true when Link-Not-Merge mode is active.
Refresh/rotation must preserve tenantId; changing tenant requires re-auth.

JSON fixture: docs/modules/authority/fixtures/auth-ten-47-001.json (included) shows a minimal token payload.
Determinism: field order canonicalized lexicographically for hashing; timestamps normalized to Z.

Validate tenantId present and stable across request and event emission.
Expose /capabilities/tenant endpoint echoing tenantId, scopes, and mergeAllowed=false when LNM is enabled.
Log tenantId, actor, and traceId on every linkset backfill or advisory read for audit.

Add-only evolution. New capabilities must default to the most restrictive value.