ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
4e2d7e70af
TenantAtlas/specs/093-scope-001-workspace-id-isolation/quickstart.md
ahmido 92a36ab89e SCOPE-001: DB-level workspace isolation via workspace_id (#112) 
Implements Spec 093 (SCOPE-001) workspace isolation at the data layer.

What changed
- Adds `workspace_id` to 12 tenant-owned tables and enforces correct binding.
- Model write-path enforcement derives workspace from tenant + rejects mismatches.
- Prevents `tenant_id` changes (immutability) on tenant-owned records.
- Adds queued backfill command + job (`tenantpilot:backfill-workspace-ids`) with OperationRun + AuditLog observability.
- Enforces DB constraints (NOT NULL + FK `workspace_id` → `workspaces.id` + composite FK `(tenant_id, workspace_id)` → `tenants(id, workspace_id)`), plus audit_logs invariant.

UI / operator visibility
- Monitor backfill runs in **Monitoring → Operations** (OperationRun).

Tests
- `vendor/bin/sail artisan test --compact tests/Feature/WorkspaceIsolation`

Notes
- Backfill is queued: ensure a queue worker is running (`vendor/bin/sail artisan queue:work`).

Spec package
- `specs/093-scope-001-workspace-id-isolation/` (plan, tasks, contracts, quickstart, research)

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #112
2026-02-14 22:34:02 +00:00

2.9 KiB
Raw Blame History

Quickstart — 093 Workspace ID Isolation

Goal

Run the staged rollout locally/staging to ensure all tenant-owned tables are workspace-bound and audit invariants hold.

Prereqs

  • Sail is running: vendor/bin/sail up -d
  • DB is migrated: vendor/bin/sail artisan migrate
  • Queue worker is running (for Phase 2 jobs): vendor/bin/sail artisan queue:work

Rollout Order

  1. Phase 1 — Add nullable workspace_id columns + indexes
  • Deploy migrations
  1. Phase 1.5 — Deploy app write-path enforcement
  • New/updated tenant-owned writes derive workspace_id from tenant.workspace_id
  • Mismatches are rejected
  1. Phase 2 — Backfill existing rows
  • Dry-run:
    • vendor/bin/sail artisan tenantpilot:backfill-workspace-ids --dry-run
  • Execute:
    • vendor/bin/sail artisan tenantpilot:backfill-workspace-ids

Notes:

  • This command dispatches queued jobs. If no queue worker is running, the run will be created but no rows will be updated.
  • Monitor progress in the UI under Monitoring → Operations (the run will be recorded as an OperationRun).
  1. Phase 3 — Enforce constraints + validate + final indexes
  • Apply NOT NULL + FKs + composite FKs
  • Add audit_logs check constraint

Validation SQL (Postgres)

Run these to confirm no missing bindings remain.

Tenant-owned tables:

  • SELECT count(*) FROM policies WHERE workspace_id IS NULL;
  • SELECT count(*) FROM policy_versions WHERE workspace_id IS NULL;
  • SELECT count(*) FROM backup_sets WHERE workspace_id IS NULL;
  • SELECT count(*) FROM backup_items WHERE workspace_id IS NULL;
  • SELECT count(*) FROM restore_runs WHERE workspace_id IS NULL;
  • SELECT count(*) FROM backup_schedules WHERE workspace_id IS NULL;
  • SELECT count(*) FROM inventory_items WHERE workspace_id IS NULL;
  • SELECT count(*) FROM inventory_links WHERE workspace_id IS NULL;
  • SELECT count(*) FROM entra_groups WHERE workspace_id IS NULL;
  • SELECT count(*) FROM findings WHERE workspace_id IS NULL;
  • SELECT count(*) FROM entra_role_definitions WHERE workspace_id IS NULL;
  • SELECT count(*) FROM tenant_permissions WHERE workspace_id IS NULL;

Audit invariant:

  • SELECT count(*) FROM audit_logs WHERE tenant_id IS NOT NULL AND workspace_id IS NULL;

Tenant/workspace mismatch spot checks:

  • SELECT count(*) FROM policies p JOIN tenants t ON t.id = p.tenant_id WHERE p.workspace_id IS NOT NULL AND p.workspace_id <> t.workspace_id;
  • SELECT count(*) FROM backup_sets b JOIN tenants t ON t.id = b.tenant_id WHERE b.workspace_id IS NOT NULL AND b.workspace_id <> t.workspace_id;
  • SELECT count(*) FROM findings f JOIN tenants t ON t.id = f.tenant_id WHERE f.workspace_id IS NOT NULL AND f.workspace_id <> t.workspace_id;

Rollback notes

  • Phase 1 migrations are reversible (drop columns / indexes) but may be large operations on production datasets.
  • Prefer forward-fix for production if Phase 2/3 is partially applied.