# Data Model: Tenant Operate Hub / Tenant Overview IA **Date**: 2026-02-09 **Branch**: 085-tenant-operate-hub This feature is primarily UI/IA + navigation behavior. It introduces **no new database tables**. ## Entities (existing) ### Workspace - Purpose: primary isolation boundary and monitoring scope. - Source of truth: `workspaces` + membership. ### Tenant - Purpose: managed environment; tenant-plane routes live under `/admin/t/{tenant}`. - Access: entitlement-based. ### OperationRun - Purpose: canonical run tracking for all operational workflows. - Surface: - Index: `/admin/operations` - Detail: `/admin/operations/{run}` ### Alert (placeholder) - Purpose: future operator signals. - Surface: `/admin/alerts`. ### Audit Event / Audit Log (placeholder) - Purpose: immutable record of sensitive actions. - Surface: `/admin/audit-log`. ## Session / Context State (existing) ### Workspace context - Key: `WorkspaceContext::SESSION_KEY` (`current_workspace_id`) - Meaning: selected workspace id for the current session. ### Last tenant per workspace (session-based) - Key: `WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY` (`workspace_last_tenant_ids`) - Shape: - Map keyed by workspace id string → tenant id int - Example: - `{"12": 345}` - APIs: - `WorkspaceContext::rememberLastTenantId(int $workspaceId, int $tenantId, Request $request)` - `WorkspaceContext::lastTenantId(Request $request): ?int` - `WorkspaceContext::clearLastTenantId(Request $request)` ### Filament tenant context - Source: `Filament::getTenant()` (may persist across panels depending on Filament tenancy configuration). - Used to determine “active tenant context” for Monitoring UX. **Spec 085 scope note**: Monitoring may use session-based last-tenant memory as a tenant-context signal when Filament tenant context is absent (e.g., when navigating from the tenant panel into central Monitoring). It must not be inferred from arbitrary deep links. ### Stale tenant context behavior (no entitlement) - If tenant context is active but the user is not entitled, Monitoring pages behave as workspace-wide views and must not display tenant identity. ## Validation / Rules - Tenant context MUST NOT be implicitly mutated by canonical monitoring pages. - Deny-as-not-found (404) applies when the actor is not entitled to tenant/workspace scope. - Forbidden (403) applies only after membership is established but capability is missing.