generated from coulomb/repo-seed
103 lines
2.3 KiB
Markdown
103 lines
2.3 KiB
Markdown
---
|
|
id: USER-WP-0003
|
|
type: workplan
|
|
title: "User Engine Multi-Tenancy"
|
|
domain: netkingdom
|
|
repo: user-engine
|
|
status: finished
|
|
owner: codex
|
|
topic_slug: netkingdom
|
|
planning_priority: high
|
|
planning_order: 3
|
|
created: "2026-05-22"
|
|
updated: "2026-05-22"
|
|
depends_on:
|
|
- USER-WP-0002
|
|
state_hub_workstream_id: "88a11922-7064-4373-9afe-b280bdd4359a"
|
|
---
|
|
|
|
# USER-WP-0003 - User Engine Multi-Tenancy
|
|
|
|
## Goal
|
|
|
|
Extend the MVP into a tenant-aware service with explicit platform-vs-tenant
|
|
boundaries, tenant profiles, tenant memberships, tenant-scoped admin actions,
|
|
and tenant isolation tests.
|
|
|
|
## Tasks
|
|
|
|
```task
|
|
id: USER-WP-0003-T1
|
|
status: done
|
|
priority: high
|
|
state_hub_task_id: "3b6d67cc-be4d-4da3-b08c-f5919c1cb167"
|
|
```
|
|
|
|
Implement tenant identifiers, tenant context resolution, and request validation.
|
|
|
|
```task
|
|
id: USER-WP-0003-T2
|
|
status: done
|
|
priority: high
|
|
state_hub_task_id: "9b8cb25a-eae5-4c6d-abdb-87fa73ba2cc6"
|
|
```
|
|
|
|
Add tenant-scoped account state, profile values, memberships, and persistence
|
|
constraints.
|
|
|
|
```task
|
|
id: USER-WP-0003-T3
|
|
status: done
|
|
priority: high
|
|
state_hub_task_id: "a7abd6b0-c35a-4b3a-ae60-1d7db41398f8"
|
|
```
|
|
|
|
Implement tenant admin operations while denying platform-root operations to
|
|
tenant admins.
|
|
|
|
```task
|
|
id: USER-WP-0003-T4
|
|
status: done
|
|
priority: high
|
|
state_hub_task_id: "9deb9f46-d214-4311-9b19-7f61d75b4aaa"
|
|
```
|
|
|
|
Extend authorization requests with tenant, target user, membership, assurance,
|
|
and scope facts.
|
|
|
|
```task
|
|
id: USER-WP-0003-T5
|
|
status: done
|
|
priority: medium
|
|
state_hub_task_id: "ea8d4127-7ef1-4a7a-80fb-11c8f00c25c3"
|
|
```
|
|
|
|
Add tenant-aware audit records and outbox events.
|
|
|
|
```task
|
|
id: USER-WP-0003-T6
|
|
status: done
|
|
priority: high
|
|
state_hub_task_id: "7d1071a2-c85f-4a21-9842-fcb826c0172d"
|
|
```
|
|
|
|
Add tests for cross-tenant denial, tenant admin allowed actions, tenant admin
|
|
platform-root denial, tenant profile precedence, and tenant membership changes.
|
|
|
|
```task
|
|
id: USER-WP-0003-T7
|
|
status: done
|
|
priority: medium
|
|
state_hub_task_id: "6c9e6b82-9a8f-4017-96c3-5df9f3185154"
|
|
```
|
|
|
|
Add tenant onboarding diagnostics for memberships, policy bindings, catalog
|
|
scopes, and audit readiness.
|
|
|
|
## Acceptance Criteria
|
|
|
|
- Tenant context is explicit on every tenant-scoped operation.
|
|
- Tenant data is isolated by constraints and authorization.
|
|
- Tenant admins cannot modify platform-root resources.
|
|
- Tests cover allowed and denied tenant paths.
|