# Multi-Tenant Same-Key Acceptance Matrix

Date: 2026-02-22
Source sprint: `SPRINT_20260222_053_DOCS_multi_tenant_same_api_key_contract_baseline.md`
Used by sprint: `SPRINT_20260222_060_FE_playwright_multi_tenant_end_to_end_matrix.md`

## Scope

- Validate tenant selection and tenant isolation behavior for:
  - Platform + Topology APIs
  - Scanner APIs (scans, triage, webhooks, unknowns)
  - Graph APIs
  - Web primary pages with global tenant selector

## Status Matrix (API)

| Area | Representative route(s) | Valid tenant | Missing tenant | Cross-tenant attempt | Required evidence |
| --- | --- | --- | --- | --- | --- |
| Platform context | `/api/v1/platform/context/preferences` | `200` tenant-scoped preferences | deterministic auth/context rejection | `403/404` (tenant mismatch/forbidden) | Command output + payload snippets + test assertion output |
| Platform topology | `/api/v1/platform/topology/*` | `200` tenant-scoped topology | deterministic auth/context rejection | `403/404` | Integration test output with overlapping IDs across two tenants |
| Scanner scans | `/api/v1/scans/*` | `200/202` for owned scans | deterministic auth/context rejection | `403/404` on non-owned scan id | Test output for scan ownership + replay/read paths |
| Scanner triage | `/api/v1/triage/*` | `200` for tenant-owned findings | deterministic auth/context rejection | `404` on non-owned finding id | Test output for triage query/status/isolation cases |
| Scanner webhooks | `/api/v1/webhooks/{provider}/{sourceName}` | `2xx` only for tenant-scoped source mapping | `400 tenant_missing` (where required) | deterministic reject/no cross-dispatch | Test output showing same `sourceName` across tenants does not collide |
| Scanner unknowns | `/api/v1/unknowns/*` | `200` tenant-scoped list/detail | deterministic auth/context rejection | `404` cross-tenant detail/evidence/history | Test output for unknown detail isolation |
| Graph query/search/export | `/api/v1/graph/*` | `200` for authorized tenant + scopes | deterministic auth/context rejection | `403/404` mismatch + ownership denial | Graph API test output with auth + tenant negative paths |

## Status Matrix (UI Pages)

| Page group | Routes | Expected tenant indicator behavior | Expected backend call behavior | Negative assertion |
| --- | --- | --- | --- | --- |
| Mission Control | `/mission-control/*` | Header selector shows selected tenant name and persists after navigation | Requests carry canonical tenant context | No stale content from previous tenant after switch |
| Releases | `/releases/*` | Tenant selector remains available; selected tenant stable | Tenant-scoped API calls after switch | No cross-tenant release data visible |
| Security | `/security/*` | Selected tenant remains active across subroutes | Scanner/Graph-related requests reflect selected tenant | No findings/advisories leak from previous tenant |
| Evidence | `/evidence/*` | Selected tenant persists through refresh | Tenant-scoped evidence requests | No evidence thread from previous tenant persists post-switch |
| Ops | `/ops/*` | Tenant context remains globally applied | Platform/ops requests include selected tenant context | No mixed-tenant cards/widgets |
| Setup | `/setup/*` | Selector remains visible and stable | Topology/setup reads align with selected tenant where tenant-scoped | No topology entities from previous tenant |
| Admin | `/administration/*` (or equivalent admin routes) | Selector persists and selected tenant is clear | Authority admin reads operate in selected tenant scope | No client/user entries leaked from other tenant |

## Required Artifacts

- Tier 2a:
  - Raw command outputs for Platform/Scanner/Graph targeted verification.
  - Response/status assertions for valid, missing, and cross-tenant requests.
- Tier 2c:
  - Playwright command output.
  - Trace zip and screenshots for tenant switch and post-switch navigation checks.
  - Desktop and mobile viewport results.
- Cross-cutting:
  - Test counts from targeted runs (not suite totals only).
  - List of new tests written and bugs fixed (if any).
  - Final go/no-go decision + residual risks.

## Pass/Fail Gate

- Pass:
  - All matrix rows have deterministic positive and negative-path evidence.
  - No unresolved cross-tenant leakage failures.
- Fail:
  - Any cross-tenant leakage, nondeterministic auth behavior, or missing Tier 2 evidence blocks rollout.
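
One way to apply this gate mechanically to Tier 2a evidence for the API matrix, as an added example that is not part of the project's own tooling. The row keys, the input shape, the two-run minimum, and the reading of "deterministic rejection" as a single stable 4xx status are assumptions; the sample evidence is constructed.

```python
# Row keys are labels chosen for this example; status sets come from the API matrix.
REJECT = set(range(400, 500))  # assumption: "deterministic rejection" = one stable 4xx
OK_2XX = set(range(200, 300))
EXPECTED = {  # area: (valid tenant, missing tenant, cross-tenant attempt)
    "platform-context":  ({200}, REJECT, {403, 404}),
    "platform-topology": ({200}, REJECT, {403, 404}),
    "scanner-scans":     ({200, 202}, REJECT, {403, 404}),
    "scanner-triage":    ({200}, REJECT, {404}),
    "scanner-webhooks":  (OK_2XX, {400}, REJECT),
    "scanner-unknowns":  ({200}, REJECT, {404}),
    "graph":             ({200}, REJECT, {403, 404}),
}
CASES = ("valid", "missing", "cross")

def check_cell(area, case, runs):
    """Return a failure string for one matrix cell, or None if it passes.
    runs: status codes observed for repeated identical requests."""
    if len(runs) < 2:  # assumption: one run cannot demonstrate determinism
        return f"{area}/{case}: missing evidence"
    if len(set(runs)) != 1:
        return f"{area}/{case}: nondeterministic {sorted(set(runs))}"
    status = runs[0]
    if case == "cross" and status in OK_2XX:
        return f"{area}/cross: LEAK, got {status}"
    if status not in EXPECTED[area][CASES.index(case)]:
        return f"{area}/{case}: unexpected {status}"
    return None

def gate(observations):
    """observations: {area: {case: [status, ...]}} -> (passed, failures)."""
    failures = []
    for area in EXPECTED:
        for case in CASES:
            msg = check_cell(area, case, observations.get(area, {}).get(case, []))
            if msg:
                failures.append(msg)
    return (not failures, failures)

def sample_evidence():
    """Constructed passing evidence: each cell repeated twice with an allowed status."""
    return {area: {case: [min(allowed)] * 2 for case, allowed in zip(CASES, sets)}
            for area, sets in EXPECTED.items()}

if __name__ == "__main__":
    obs = sample_evidence()
    obs["scanner-triage"]["cross"] = [200, 200]  # constructed leak
    obs["graph"]["missing"] = [401, 403]         # constructed flaky rejection
    print(gate(obs))
```

A `2xx` on a cross-tenant attempt is reported as a leak before the expected-status check, so it is never masked as a generic mismatch.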