Platform Endpoint Tenant Classification

Scope

  • Service: src/Platform/StellaOps.Platform.WebService/Endpoints
  • Date: 2026-02-22
  • Purpose: classify endpoint files by tenant behavior and document intentional non-resolver paths.

Classification Ledger

| Endpoint file | Category | Tenant source | Auth baseline | Notes |
| --- | --- | --- | --- | --- |
| AdministrationTrustSigningMutationEndpoints.cs | tenant-required business | PlatformRequestContextResolver | platform policy groups | Tenant-scoped key/issuer/certificate operations. |
| AnalyticsEndpoints.cs | tenant-required business | PlatformRequestContextResolver | PlatformPolicies.AnalyticsRead | Aggregation paths require tenant context for cache keys and result shaping. |
| ContextEndpoints.cs | tenant-required business | PlatformRequestContextResolver | PlatformPolicies.ContextRead/Write | Context preferences keyed by (tenant, actor). |
| EnvironmentSettingsEndpoints.cs | global/system | none | AllowAnonymous | Setup/bootstrap configuration payload for frontend shell. |
| EnvironmentSettingsAdminEndpoints.cs | global/system | none | PlatformPolicies.SetupRead/SetupAdmin | DB setting overrides are setup-admin operations, not tenant business data. |
| EvidenceThreadEndpoints.cs | tenant-required business | PlatformRequestContextResolver | evidence policy groups | Evidence queries are tenant-scoped. |
| FederationTelemetryEndpoints.cs | tenant-required business | PlatformRequestContextResolver | federation policy groups | Consent/status/bundles remain tenant scoped. |
| FunctionMapEndpoints.cs | tenant-required business | PlatformRequestContextResolver | function-map policy groups | Tenant-scoped function map catalog and operations. |
| IntegrationReadModelEndpoints.cs | tenant-required business | PlatformRequestContextResolver | PlatformPolicies.IntegrationsRead | Feed/vex source projections require tenant context. |
| LegacyAliasEndpoints.cs | tenant-required business | PlatformRequestContextResolver | same as canonical mapped policies | Compatibility aliases enforce same tenant requirements as canonical endpoints. |
| MigrationAdminEndpoints.cs | global/system | none | PlatformPolicies.SetupAdmin | Migration operations are control-plane/system admin functions. |
| PackAdapterEndpoints.cs | tenant-required business | PlatformRequestContextResolver | pack adapter policies | Release-pack adaptation paths are tenant-scoped. |
| PlatformEndpoints.cs | tenant-required business (plus guarded tenant-param admin reads) | PlatformRequestContextResolver + route tenant parity check | health/quota/onboarding/preferences/search/metadata policy groups | Route tenant IDs are now validated against resolved tenant (tenant_forbidden on mismatch). |
| PolicyInteropEndpoints.cs | tenant-required business | PlatformRequestContextResolver | policy interop policy groups | Import/export and interop views are tenant-scoped. |
| ReleaseControlEndpoints.cs | tenant-required business | PlatformRequestContextResolver | release-control policy groups | Bundle/version/materialization operations use tenant-bound store calls. |
| ReleaseReadModelEndpoints.cs | tenant-required business | PlatformRequestContextResolver | release-read policies | Run/activity/release projections are tenant scoped. |
| ScoreEndpoints.cs | tenant-required business | PlatformRequestContextResolver | score policies | Score history/replay/verify operations are tenant scoped. |
| SecurityReadModelEndpoints.cs | tenant-required business | PlatformRequestContextResolver | security-read policies | Finding/disposition projections are tenant scoped. |
| SeedEndpoints.cs | global/system | none | PlatformPolicies.SetupAdmin + STELLAOPS_ENABLE_DEMO_SEED gate | Explicitly system/admin for controlled demo seeding. |
| SetupEndpoints.cs | tenant-aware admin | resolver when available; controlled bootstrap setup context when platform not initialized | setup policy groups | Intentional bootstrap bypass is bounded to setup lifecycle checks. |
| TopologyReadModelEndpoints.cs | tenant-required business | PlatformRequestContextResolver | PlatformPolicies.TopologyRead | Topology data assembled from tenant-keyed release control stores. |
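
An added example, not StellaOps project code: a CI-style lint that parses a pipe-table copy of the ledger and flags rows that would silently weaken tenant isolation. The rules it enforces, the anonymous allowlist, the two `Example*.cs` rows and the function names are assumptions made for illustration.

```python
# Constructed sample: rows abridged from the ledger above, plus two made-up
# entries (Example*.cs) that break the rules assumed below.
LEDGER = """\
| Endpoint file | Category | Tenant source | Auth baseline | Notes |
| --- | --- | --- | --- | --- |
| AnalyticsEndpoints.cs | tenant-required business | PlatformRequestContextResolver | PlatformPolicies.AnalyticsRead | cache keys |
| EnvironmentSettingsEndpoints.cs | global/system | none | AllowAnonymous | bootstrap payload |
| SeedEndpoints.cs | global/system | none | PlatformPolicies.SetupAdmin + STELLAOPS_ENABLE_DEMO_SEED gate | demo seeding |
| SetupEndpoints.cs | tenant-aware admin | resolver when available; controlled bootstrap setup context when platform not initialized | setup policy groups | bootstrap |
| ExampleReportEndpoints.cs | tenant-required business | none | PlatformPolicies.AnalyticsRead | hypothetical |
| ExampleDebugEndpoints.cs | global/system | none | AllowAnonymous | hypothetical |
"""

RESOLVER = "PlatformRequestContextResolver"
# Assumption: anonymous access is accepted only for files listed here.
ANONYMOUS_ALLOWLIST = {"EnvironmentSettingsEndpoints.cs"}
COLUMNS = ("file", "category", "tenant_source", "auth", "notes")


def parse_ledger(text):
    """Return one dict per data row of the pipe table (header/separator skipped)."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Endpoint file" or set(cells[0]) <= set("-: "):
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def lint(rows, files_on_disk):
    """Return sorted (file, problem) pairs for rows that break the assumed rules."""
    findings = []
    for r in rows:
        if r["category"].startswith("tenant-required") and RESOLVER not in r["tenant_source"]:
            findings.append((r["file"], "tenant-required without resolver"))
        if r["tenant_source"] == "none" and r["category"] != "global/system":
            findings.append((r["file"], "non-resolver path not classified global/system"))
        if "AllowAnonymous" in r["auth"] and r["file"] not in ANONYMOUS_ALLOWLIST:
            findings.append((r["file"], "anonymous endpoint not on allowlist"))
    classified = {r["file"] for r in rows}
    findings += [(f, "endpoint file missing from ledger") for f in files_on_disk - classified]
    return sorted(findings)
```

In a pipeline, `files_on_disk` would be the `*.cs` names found under the Endpoints directory named in Scope, so a new endpoint file fails the build until it is classified.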