Tenant Runtime · Planning

Context

งานนี้มี 2 ส่วนที่รวมกันเป็น "Tenant": Enterprise Upload (SUB-3/SUB-4) = upload surface + 9-stage normalisation pipeline + conflict matrix + coverage score. Hybrid Intake Workspace = 8-panel workspace ผสม wizard + upload · shared state · multi-user · same approval gates. เหนือสองส่วนนี้คือ Tenant Registry ที่ provision per-tenant Nerve instance + data partitioning + cross-tenant marketplace listing.

docs/kb/data/enterprise_intake.json13 source_origins · 4 unit_modes · coverage_scoring · conflict_resolution · review_gates · tenant_ownership

docs/kb/data/hybrid_intake_workspace.json8 panels · state_model · collaboration · workspace_view_modes

docs/kb/data/multi_source_intake.jsonMulti-source ingest pipeline

docs/kb/data/source_mapping_engine.jsonSource → canonical mapping rules

docs/kb/data/tenant_scope.jsonTenant roles · scope transitions · app_registry_handoff · feature_flag_handoff

docs/kb/data/approval_matrix.jsonrow-tenant-instantiate-nerve gate

docs/kb/data/publish_workflow.jsonStages + rollback

docs/kb/data/living_city.jsontenant_replication template_checklist_hint

Scope

Upload surface: drag-drop + folder picker + URL input + AI bundle upload · 4 unit_modes
Normalisation pipeline: 9-stage — ingest → language-detect → flatten → chunk → OCR → PDF parse → embed → map → validate
Conflict matrix: compare same concept across multiple sources · visual diff + resolution UI
Coverage score: dimensions per coverage_scoring · progress dashboard per tenant
Review gates: reviewer assignment · sign-off · re-run · publish
Tenant registry: per tenant_scope.app_registry_handoff fields · schema for tenants table
Per-tenant Nerve provisioning: K8s namespace + per-tenant DB schema · template replication
Tenant-scoped data partitioning: row-level security on all tenant-bound tables · tenant_id in every join
Tenant-group management UI: admin surface
Cross-tenant marketplace listing: read-only catalog (no payment in this phase)
Tenant-local template installer: honour semver + immutable template · publish_workflow stages
Hybrid workspace: 8 panels + shared state + multi-user cursor · switchable mid-flow

Field Mapping — Enterprise Intake upload surface + pipeline

Source: enterprise_intake root fields.

B Field	B Type	A Runtime Target	A Owner	Approval Gate	Binding	Notes
source_origins[]	enum(13)	Upload form radio group + origin tag on each asset	Backend + FE	none	mapped-not-bound	13: founder · canonical · concept · system · legacy-wiki · partner-doc · regulator · press · chatgpt · claude · gemini · perplexity · mixed
unit_modes[]	enum(4)	Upload widget mode selector	Frontend	none	mapped-not-bound	single-file · folder · link · ai-bundle
coverage_scoring.dimensions	array	Coverage dashboard · per-dimension meter	Backend + FE	none	mapped-not-bound	—
coverage_scoring.thresholds	object	Thresholds → pass/warn/fail colour	Backend	none	mapped-not-bound	Block tenant go-live until green
conflict_resolution	object	Conflict matrix UI · resolution form	Frontend	gate-conflict-resolution	mapped-not-bound	Each conflict needs sign-off · T1 source wins by default per authority rules
review_gates	array	Step gating in publish workflow	Backend	gate-review	mapped-not-bound	Each gate = reviewer role + SLA
tenant_ownership	object	Tenant DB schema + RLS policies	Backend + Infra	gate-tenant-instantiate	mapped-not-bound	Founder sign-off for first pilot tenant
shareability_and_resellability	object	Marketplace listing rules	Backend	gate-marketplace	mapped-not-bound	Payment + contract brokering explicitly OUT of scope per handoff deferred list

Field Mapping — Hybrid Intake Workspace 8 panels + state

Source: hybrid_intake_workspace.workspace_panels.

Panel (B)	A Runtime Component	A Owner	Binding	Notes
panel-overview	Workspace home · KPI + status	Frontend	mapped-not-bound	Always visible · sidebar nav
panel-wizard	Embedded Wizard (shared w/ Wizard Runtime)	Frontend	mapped-not-bound	See Wizard Runtime page for details
panel-upload	Upload dropzone + progress	Frontend	mapped-not-bound	4 unit_modes
panel-normalise	9-stage pipeline viewer · stage-by-stage logs	Backend + FE	mapped-not-bound	Real-time SSE feed
panel-conflict	Conflict matrix · resolve form	Frontend	mapped-not-bound	—
panel-review-queue	Reviewer queue · assignment	Frontend	mapped-not-bound	Shared w/ Cases queue pattern
panel-coverage	Coverage dashboard	Frontend	mapped-not-bound	Per dimension meter
panel-handoff	Draft KB → live KB promote form	Backend + FE	mapped-not-bound	Gated: tenant go-live approval

Shared state: state_model.persisted_fields → WebSocket + CRDT · state_merge_rules → conflict resolution per-field.

Field Mapping — Tenant Registry tenant_scope.app_registry_handoff

B Field	A Runtime Target	A Owner	Binding	Notes
tenant_id	`tenants.id` PK	Backend	mapped-not-bound	Embedded in every JWT · used in RLS
tenant_roles	`tenant_user_roles` table	Backend	mapped-not-bound	Per-tenant role assignment
scope_transitions	State machine for tenant lifecycle	Backend	mapped-not-bound	draft → review → pilot → live · rollback allowed
feature_flag_handoff	Per-tenant flag override in flag registry	Backend	mapped-not-bound	Depends on Feature Flag Registry runtime

A-owned Runtime Boundary ขอบเขต A vs B

B owns (read-only for A)

Contract JSON (all fields listed in "Context" block above)
Trilingual label parity
honest_note + requires_human_review flags
Contract evolution (schema-versioned)

A owns (this runtime)

All tables + indexes for entities in ER diagram below
API endpoints in API Sketch block
Frontend components + chart/form rendering
Cache + feature flag integration
Auth + sign-off capture
Audit trail

ER Diagram A-owned tables · Tenant · registry + partition + publish

Tenant · registry + partition + publish

API Sketch FastAPI endpoints

POST/api/tenant/register

Create tenant · status=draft · founder sign-off required before go-live

POST/api/tenant/{id}/source/upload

Upload source · 13 origins × 4 unit modes

GET/api/tenant/{id}/coverage

Coverage score per dimension · pass/warn/fail

POST/api/tenant/{id}/publish

Move stage · gated by publish_workflow approvals

POST/api/tenant/{id}/rollback

Rollback stage · immutable history

Sequence Flow Tenant onboarding · first pilot

Tenant onboarding · first pilot

Dependencies

Upstream (must be done first)

Auth + JWT with tenant claim
Feature flag registry
Approval matrix integration
Publish workflow engine
K8s / infrastructure for per-tenant provisioning
Tenant billing (if commercial) — out of scope this phase

Blocks (this blocks)

Enterprise customer onboarding
Multi-tenant MICE scenarios
Cross-tenant dashboards (future phase)

Human Approval Gates

gate-tenant-instantiate approval_matrix.row-tenant-instantiate-nerve · tenant-admin + platform-governance dual + founder for first pilot
gate-conflict-resolution Reviewer sign-off per conflict
gate-review Review gate per stage
gate-marketplace Marketplace listing approval (read-only phase)
gate-pdpa-tenant Per-tenant PDPA review before data partitioning

Risks

Tenant data bleed across partition boundary

High

Row-level security policies on every tenant-bound table · penetration test before pilot · CI check

AI bundle upload contains PII

High

PII scan at ingest · tenant must sign data handling agreement · SHA-256 for PII fields per CLAUDE.md

Cross-tenant conflict (same POI different data)

Med

Conflict matrix + authority rules (T1 wins) · per-tenant branch kept separate

Coverage threshold too strict → blocks small tenants

Med

B's thresholds have per-dimension override · A surfaces override UI to governance

Per-tenant Nerve provisioning cost explosion

Med

Shared infra with namespace isolation · cost monitoring per tenant

Template immutability violated during migration

High

Template versioned · immutable once published · semver enforced · deprecation grace window deferred per handoff

Definition of Done

All 13 source_origins + 4 unit_modes functional in upload UI
9-stage normalisation pipeline produces auditable output + coverage score
Conflict matrix renders + resolves + signs off
Hybrid workspace 8 panels navigable + shared state persists across users
Tenant registry CRUD with RLS verified via penetration test
First pilot tenant provisioned end-to-end · founder sign-off captured
Per-tenant Nerve instance boots + connects to scoped DB
Feature flag override works per-tenant
PDPA compliance audit passed for pilot tenant
All 5 approval gates signed off · WORM audit log

Deferred

Cross-tenant marketplace payments + contract brokering (handoff: out of platform scope)
Template deprecation grace-window policy (DEC-level · deferred)
Cross-border PDPA transfer legal opinions (tenant legal + platform legal joint work)
Multi-tenant dashboard sharing (future)
Tenant-to-tenant direct messaging
Self-serve tenant registration (pilot uses manual path)

Tenant Runtime 04 · ผู้เช่า / องค์กร · enterprise upload + hybrid intake + tenant registry

Context

Scope

Field Mapping — Enterprise Intake upload surface + pipeline

Field Mapping — Hybrid Intake Workspace 8 panels + state

Field Mapping — Tenant Registry tenant_scope.app_registry_handoff

A-owned Runtime Boundary ขอบเขต A vs B

B owns (read-only for A)

A owns (this runtime)

ER Diagram A-owned tables · Tenant · registry + partition + publish

API Sketch FastAPI endpoints

Sequence Flow Tenant onboarding · first pilot

Dependencies

Upstream (must be done first)

Blocks (this blocks)

Human Approval Gates

Risks

Definition of Done

Deferred