# Multi-Tenant Same-Key Service Impact Ledger

Date: 2026-02-22
Source sprint: `SPRINT_20260222_053_DOCS_multi_tenant_same_api_key_contract_baseline.md`
Related ADR: `docs/architecture/decisions/ADR-002-multi-tenant-same-api-key-selection.md`

## Purpose
- Provide a single implementation ledger for services affected by same-key multi-tenant selection.
- Prevent contract drift across Authority, Router/Gateway, Platform, Scanner, Graph, and Web.

## Change Ledger

| Service | Sprint | File-level touchpoint categories | Owner role | Depends on | Verification evidence |
| --- | --- | --- | --- | --- | --- |
| Authority | `20260222.054` | `Console/Admin endpoints`, `OpenIddict handlers`, `Client metadata stores`, `Auth abstractions`, `Authority tests` | Developer + Test Automation | ADR-002 | Targeted Authority test project pass logs for client credentials/password grant tenant selection, token validation mismatch, `/console/tenants`, and admin client CRUD tenant assignments. |
| Router + Gateway | `20260222.055` | `Identity header policy middleware`, `tenant override gating`, `route passthrough policy`, `middleware parity tests` | Developer + Security architect | `20260222.054` | Targeted Router and Gateway tests proving spoof stripping, no authenticated default fallback, mismatch rejection, and feature-flagged override behavior. |
| Platform | `20260222.056` | `Request context resolver`, `tenant-required endpoint groups`, `topology/read-model store callers`, `context preferences`, `platform integration tests` | Developer + Test Automation | `20260222.055` | Platform test project outputs validating endpoint classification, tenant parity checks, topology isolation, and tenant-scoped preference behavior. |
| Scanner | `20260222.057` | `Scanner request resolver`, `scan submission/coordinator`, `triage query contracts`, `webhook tenant lookup`, `unknowns endpoints`, `scanner tests` | Developer + Test Automation | `20260222.055` | Scanner tenant isolation test outputs for scan ownership, triage isolation, webhook source collision routing, unknowns isolation, and middleware partitioning. |
| Graph | `20260222.058` | `Graph request resolver`, `endpoint auth policies`, `scope handling`, `rate-limit/audit tenant keys`, `graph API tests` | Developer + Test Automation | `20260222.055` | Graph API test outputs covering missing tenant, cross-tenant denial, missing-scope denial, and export ownership checks. |
| Web Console | `20260222.059` | `Topbar tenant selector`, `console/auth/platform context stores`, `tenant interceptor`, `authority console client`, `component/unit tests` | Developer + Test Automation | `20260222.054`, `20260222.055` | Web unit/component test outputs for selector UX, state synchronization, interceptor canonical+legacy headers, switch rollback, and URL context sync. |
| QA / Playwright matrix | `20260222.060` | `Playwright fixtures`, `tenant-switch specs`, `Tier 2a API verification docs`, `Tier 2c artifact bundle` | QA + Test Automation | `20260222.054`..`20260222.059` | Playwright run output, traces/screenshots, and module-level API isolation evidence with explicit go/no-go decision. |

## Ownership and Dependency Notes
- Authority is the contract anchor for selected-tenant-per-token issuance and assignment validation.
- Router/Gateway establishes canonical header rewrite and anti-spoofing behavior for downstream services.
- Platform, Scanner, and Graph must consume resolved tenant context and reject cross-tenant mismatches deterministically.
- Web must maintain one runtime tenant source of truth and propagate it through canonical interceptor paths.

## Completion Mapping
- `DOC-TEN-03` completion is satisfied when each ledger row has:
  - explicit touchpoint categories,
  - clear owner role,
  - dependency reference,
  - verification evidence definition.