4.3 KiB
4.3 KiB
Multi-Tenant Same-Key Acceptance Matrix
Date: 2026-02-22
Source sprint: SPRINT_20260222_053_DOCS_multi_tenant_same_api_key_contract_baseline.md
Used by sprint: SPRINT_20260222_060_FE_playwright_multi_tenant_end_to_end_matrix.md
Scope
- Validate tenant selection and tenant isolation behavior for:
- Platform + Topology APIs
- Scanner APIs (scans, triage, webhooks, unknowns)
- Graph APIs
- Web primary pages with global tenant selector
Status Matrix (API)
| Area | Representative route(s) | Valid tenant | Missing tenant | Cross-tenant attempt | Required evidence |
|---|---|---|---|---|---|
| Platform context | /api/v1/platform/context/preferences |
200 tenant-scoped preferences |
deterministic auth/context rejection | 403/404 (tenant mismatch/forbidden) |
Command output + payload snippets + test assertion output |
| Platform topology | /api/v1/platform/topology/* |
200 tenant-scoped topology |
deterministic auth/context rejection | 403/404 |
Integration test output with overlapping IDs across two tenants |
| Scanner scans | /api/v1/scans/* |
200/202 for owned scans |
deterministic auth/context rejection | 403/404 on non-owned scan id |
Test output for scan ownership + replay/read paths |
| Scanner triage | /api/v1/triage/* |
200 for tenant-owned findings |
deterministic auth/context rejection | 404 on non-owned finding id |
Test output for triage query/status/isolation cases |
| Scanner webhooks | /api/v1/webhooks/{provider}/{sourceName} |
2xx only for tenant-scoped source mapping |
400 tenant_missing (where required) |
deterministic reject/no cross-dispatch | Test output showing same sourceName across tenants does not collide |
| Scanner unknowns | /api/v1/unknowns/* |
200 tenant-scoped list/detail |
deterministic auth/context rejection | 404 cross-tenant detail/evidence/history |
Test output for unknown detail isolation |
| Graph query/search/export | /api/v1/graph/* |
200 for authorized tenant + scopes |
deterministic auth/context rejection | 403/404 mismatch + ownership denial |
Graph API test output with auth + tenant negative paths |
Status Matrix (UI Pages)
| Page group | Routes | Expected tenant indicator behavior | Expected backend call behavior | Negative assertion |
|---|---|---|---|---|
| Mission Control | /mission-control/* |
Header selector shows selected tenant name and persists after navigation | Requests carry canonical tenant context | No stale content from previous tenant after switch |
| Releases | /releases/* |
Tenant selector remains available; selected tenant stable | Tenant-scoped API calls after switch | No cross-tenant release data visible |
| Security | /security/* |
Selected tenant remains active across subroutes | Scanner/Graph-related requests reflect selected tenant | No findings/advisories leak from previous tenant |
| Evidence | /evidence/* |
Selected tenant persists through refresh | Tenant-scoped evidence requests | No evidence thread from previous tenant persists post-switch |
| Ops | /ops/* |
Tenant context remains globally applied | Platform/ops requests include selected tenant context | No mixed-tenant cards/widgets |
| Setup | /setup/* |
Selector remains visible and stable | Topology/setup reads align with selected tenant where tenant-scoped | No topology entities from previous tenant |
| Admin | /administration/* (or equivalent admin routes) |
Selector persists and selected tenant is clear | Authority admin reads operate in selected tenant scope | No client/user entries leaked from other tenant |
Required Artifacts
- Tier 2a:
- Raw command outputs for Platform/Scanner/Graph targeted verification.
- Response/status assertions for valid, missing, and cross-tenant requests.
- Tier 2c:
- Playwright command output.
- Trace zip and screenshots for tenant switch and post-switch navigation checks.
- Desktop and mobile viewport results.
- Cross-cutting:
- Test counts from targeted runs (not suite totals only).
- List of new tests written and bugs fixed (if any).
- Final go/no-go decision + residual risks.
Pass/Fail Gate
- Pass:
- All matrix rows have deterministic positive and negative-path evidence.
- No unresolved cross-tenant leakage failures.
- Fail:
- Any cross-tenant leakage, nondeterministic auth behavior, or missing Tier 2 evidence blocks rollout.