---
id: USER-WP-0003
type: workplan
title: "User Engine Multi-Tenancy"
domain: netkingdom
repo: user-engine
status: finished
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 3
created: "2026-05-22"
updated: "2026-05-22"
depends_on:
  - USER-WP-0002
state_hub_workstream_id: "88a11922-7064-4373-9afe-b280bdd4359a"
---

# USER-WP-0003 - User Engine Multi-Tenancy

## Goal

Extend the MVP into a tenant-aware service with explicit platform-vs-tenant boundaries, tenant profiles, tenant memberships, tenant-scoped admin actions, and tenant isolation tests.

## Tasks

```task
id: USER-WP-0003-T1
status: done
priority: high
state_hub_task_id: "3b6d67cc-be4d-4da3-b08c-f5919c1cb167"
```

Implement tenant identifiers, tenant context resolution, and request validation.

```task
id: USER-WP-0003-T2
status: done
priority: high
state_hub_task_id: "9b8cb25a-eae5-4c6d-abdb-87fa73ba2cc6"
```

Add tenant-scoped account state, profile values, memberships, and persistence constraints.

```task
id: USER-WP-0003-T3
status: done
priority: high
state_hub_task_id: "a7abd6b0-c35a-4b3a-ae60-1d7db41398f8"
```

Implement tenant admin operations while denying platform-root operations to tenant admins.

```task
id: USER-WP-0003-T4
status: done
priority: high
state_hub_task_id: "9deb9f46-d214-4311-9b19-7f61d75b4aaa"
```

Extend authorization requests with tenant, target user, membership, assurance, and scope facts.

```task
id: USER-WP-0003-T5
status: done
priority: medium
state_hub_task_id: "ea8d4127-7ef1-4a7a-80fb-11c8f00c25c3"
```

Add tenant-aware audit records and outbox events.

```task
id: USER-WP-0003-T6
status: done
priority: high
state_hub_task_id: "7d1071a2-c85f-4a21-9842-fcb826c0172d"
```

Add tests for cross-tenant denial, tenant admin allowed actions, tenant admin platform-root denial, tenant profile precedence, and tenant membership changes.

```task
id: USER-WP-0003-T7
status: done
priority: medium
state_hub_task_id: "6c9e6b82-9a8f-4017-96c3-5df9f3185154"
```

Add tenant onboarding diagnostics for memberships, policy bindings, catalog scopes, and audit readiness.

## Acceptance Criteria

- Tenant context is explicit on every tenant-scoped operation.
- Tenant data is isolated by constraints and authorization.
- Tenant admins cannot modify platform-root resources.
- Tests cover allowed and denied tenant paths.