ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects 1 Releases Wiki Activity

SCOPE-001: DB-level workspace isolation via workspace_id #112

Merged
ahmido merged 2 commits from 093-scope-001-workspace-id-isolation into dev 2026-02-14 22:34:03 +00:00
Conversation 0 Commits 2 Files Changed 47 +2673
ahmido commented 2026-02-14 22:10:12 +00:00
Owner
Copy Link

Implements Spec 093 (SCOPE-001) workspace isolation at the data layer.

What changed

  • Adds workspace_id to 12 tenant-owned tables and enforces correct binding.
  • Model write-path enforcement derives workspace from tenant + rejects mismatches.
  • Prevents tenant_id changes (immutability) on tenant-owned records.
  • Adds queued backfill command + job (tenantpilot:backfill-workspace-ids) with OperationRun + AuditLog observability.
  • Enforces DB constraints (NOT NULL + FK workspace_idworkspaces.id + composite FK (tenant_id, workspace_id)tenants(id, workspace_id)), plus audit_logs invariant.

UI / operator visibility

  • Monitor backfill runs in Monitoring → Operations (OperationRun).

Tests

  • vendor/bin/sail artisan test --compact tests/Feature/WorkspaceIsolation

Notes

  • Backfill is queued: ensure a queue worker is running (vendor/bin/sail artisan queue:work).

Spec package

  • specs/093-scope-001-workspace-id-isolation/ (plan, tasks, contracts, quickstart, research)
Implements Spec 093 (SCOPE-001) workspace isolation at the data layer. What changed - Adds `workspace_id` to 12 tenant-owned tables and enforces correct binding. - Model write-path enforcement derives workspace from tenant + rejects mismatches. - Prevents `tenant_id` changes (immutability) on tenant-owned records. - Adds queued backfill command + job (`tenantpilot:backfill-workspace-ids`) with OperationRun + AuditLog observability. - Enforces DB constraints (NOT NULL + FK `workspace_id` → `workspaces.id` + composite FK `(tenant_id, workspace_id)` → `tenants(id, workspace_id)`), plus audit_logs invariant. UI / operator visibility - Monitor backfill runs in **Monitoring → Operations** (OperationRun). Tests - `vendor/bin/sail artisan test --compact tests/Feature/WorkspaceIsolation` Notes - Backfill is queued: ensure a queue worker is running (`vendor/bin/sail artisan queue:work`). Spec package - `specs/093-scope-001-workspace-id-isolation/` (plan, tasks, contracts, quickstart, research)
ahmido added 2 commits 2026-02-14 22:10:13 +00:00
ahmido merged commit 92a36ab89e into dev 2026-02-14 22:34:03 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: ahmido/TenantAtlas#112
No description provided.
Delete Branch "093-scope-001-workspace-id-isolation"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?