3.9 KiB
id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, depends_on, state_hub_workstream_id
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | depends_on | state_hub_workstream_id | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NK-WP-0016 | workplan | User Engine Multi-Tenancy | netkingdom | net-kingdom | ready | codex | netkingdom | high | 16 | 2026-05-22 | 2026-05-22 |
|
2d592e18-e63d-4856-97a1-f8c3e019e150 |
NK-WP-0016 - User Engine Multi-Tenancy
Goal
Extend the isolated MVP into a tenant-aware service that follows the
NetKingdom recursive platform model: tenant:platform is distinct from
tenant planes such as tenant:coulomb, and tenant administration must not
grant platform-root authority.
Scope
In scope:
- tenant model and context propagation;
- tenant-scoped profiles and memberships;
- tenant admin scopes;
- tenant-aware authorization checks;
- tenant isolation in persistence and APIs;
- tenant-aware audit/events;
- tenant onboarding diagnostics and tests.
Out of scope:
- multi-application catalog governance beyond what NK-WP-0017 owns;
- enterprise SCIM provisioning;
- UI implementation;
- changing the NetKingdom tenant claim standard.
Tasks
id: NK-WP-0016-T1
status: todo
priority: high
state_hub_task_id: "d4bb49a9-dffe-4317-aea2-761d737c5627"
Tenant model and context. Implement tenant identifiers aligned with NetKingdom conventions, request tenant context resolution, tenant validation, and explicit platform-vs-tenant plane handling.
id: NK-WP-0016-T2
status: todo
priority: high
state_hub_task_id: "4a9083c0-f0bd-4dad-b221-c4563ed53209"
Tenant-scoped data model. Add tenant-scoped account state, tenant profile values, tenant memberships, and database constraints that prevent accidental cross-tenant joins or updates.
id: NK-WP-0016-T3
status: todo
priority: high
state_hub_task_id: "4fd57616-53dc-4c10-bf95-553319186005"
Tenant administration boundary. Implement scope-admin operations for tenant users and memberships while denying platform-root operations to tenant admins. Model break-glass and platform operator paths as separate policy cases.
id: NK-WP-0016-T4
status: todo
priority: high
state_hub_task_id: "dc0fc00a-5228-4b99-9fa1-6a7f6b557aac"
flex-auth tenant integration. Extend authorization requests with tenant, resource, action, target user, membership, assurance, and scope facts. Add resource/action manifests or fixtures for tenant user management operations.
id: NK-WP-0016-T5
status: todo
priority: medium
state_hub_task_id: "17460786-7af0-4e67-8169-80c2c29934e6"
Tenant-aware events and audit. Ensure audit records and outbox events carry tenant context, correlation IDs, actor tenant, target tenant, and redacted change summaries.
id: NK-WP-0016-T6
status: todo
priority: high
state_hub_task_id: "a899832f-63e6-4417-bc1d-ca3c5ea89061"
Tenant test scenarios. Add tests for cross-tenant denial, tenant admin allowed actions, tenant admin platform-root denial, tenant profile precedence, tenant membership changes, local issuer rejection in production mode, and audit correlation.
id: NK-WP-0016-T7
status: todo
priority: medium
state_hub_task_id: "187cdc5d-7cba-432e-8201-34bb437ba8e8"
Tenant onboarding diagnostics. Add a diagnostic command or endpoint that reports whether a tenant has required applications, memberships, policy bindings, catalog scopes, and audit readiness.
Acceptance Criteria
- Tenant context is explicit on every tenant-scoped operation.
- Tenant data is isolated by schema constraints and authorization checks.
- Tenant admins cannot modify platform-root resources or global policy boundaries.
- Profile resolution includes global and tenant layers deterministically.
- Tenant audit and event records are correlated and redacted.
- Tenant tests include both allowed and denied paths.
Dependencies And Sequencing
- Depends on the isolated MVP in NK-WP-0015.
- Can run partly in parallel with NK-WP-0017 after shared app and catalog interfaces are stable.