Goal
Implement the ratified Phase 1.3 spec (`plans/permission-and-tenancy-model.md`, Part 1 + Part 2): the 12 numbered tasks 1.3.1-1.3.12 in `docs/rendered/launch-plan-stage-1.html`. Roma scaffold + Ilya tech estimate with no new "what should happen" questions.
Tasks
1.3.1-1.3.12 (numbered tasks from launch-plan-stage-1.html)
- [ ] 1.3.1 Entity model design — Client / Organisation / Project / Unit / Buyer + 5 roles (Owner / Admin / Sales Manager / Content Editor / Sales Agent) + Organisation types multi-select (Studio / Agency / Developer).
- [ ] 1.3.2 Multi-tenant data scoping — `org_id` everywhere, query-layer filter, tool-call-level scoping for the MCP wrapper (Phase 1.5.6) per Learning "MCP wrapper prerequisites".
- [ ] 1.3.3 Login / auth multi-role flow — Google OAuth (PKCE + signed state) + email/password (NIST-compliant, haveibeenpwned check). Single cookie `*.offplan.online`. Hybrid login surfaces (branded subdomain + central `app.` fallback).
- [ ] 1.3.4 Per-unit stock allocation S·1 — Closed pool default + Open mode toggle. `units.assigned_to` polymorphic FK + audit per change. Pessimistic lock 500ms timeout + fall-through to optimistic conflict modal.
- [ ] 1.3.5 Scoped URL routing — `{slug}.offplan.online/projects/{project-slug}/...` + buyer tokenised URLs (`?b=<token>`).
- [ ] 1.3.6 Cross-entity invitations — forward (Developer → Studio/Agency) + reverse (Studio → Developer = Free Guest path) + personal (within Org).
- [ ] 1.3.7 Invitation token generation — opaque + 7d expiry + single-use (decline consumes). Server-side hash lookup constant-time + rate-limit per IP.
- [ ] 1.3.8 Organisation type multi-select — Studio / Agency / Developer checkboxes inside the Organisation card.
- [ ] 1.3.9 Content Editor vs Sales Agent distinction — separate permission rows; one-role-per-Organisation rule (if both content + sales are needed → Admin).
- [ ] 1.3.10 Referral relationship architecture — `referral_codes` + `referrals` tables; `?ref=` URL param + form-field backup; lazy 6-char base32 code generation; dual-condition `eligible` activation; cycle detection at Org creation.
- [ ] 1.3.11 Signup & tenant data model — `organisations` schema (id / name / subdomain / country / client_types / plan / status / owner_user_id / `payment_provider` / `external_customer_id` / `referred_by_user_id` / `home_org_id` setup for Clients).
- [ ] 1.3.12 Permission model + team management UI — Settings → Team page; invite form; role dropdown; remove member; audit log surface (Org Settings → Audit log + Project Settings → Activity log).
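
The token handling named in task 1.3.7, sketched as an added example (not code from the plan or the project): an opaque token is issued, only its SHA-256 hash is stored, and accept and decline both consume it. `InviteStore`, the row fields and the per-IP limit values are assumptions, and a dict stands in for the invitations table.

```python
import hashlib
import hmac
import secrets
import time

INVITE_TTL = 7 * 24 * 3600    # 7d expiry from task 1.3.7
MAX_ATTEMPTS, WINDOW = 5, 60  # assumed per-IP limit; the plan gives no numbers


class InviteStore:
    """In-memory stand-in for an invitations table (hypothetical schema)."""

    def __init__(self, now=time.time):
        self._rows = {}      # sha256(token) hex -> invitation row
        self._attempts = {}  # ip -> timestamps of recent redeem attempts
        self._now = now

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, org_id, role, ttl=INVITE_TTL):
        token = secrets.token_urlsafe(32)  # 256-bit opaque value, no embedded claims
        digest = self._digest(token)
        self._rows[digest] = {"digest": digest, "org_id": org_id, "role": role,
                              "expires_at": self._now() + ttl, "outcome": None}
        return token  # only the hash is stored; the token goes out in the invite link

    def _rate_limited(self, ip):
        now = self._now()
        recent = [t for t in self._attempts.get(ip, []) if now - t < WINDOW]
        recent.append(now)
        self._attempts[ip] = recent
        return len(recent) > MAX_ATTEMPTS

    def redeem(self, token, action, ip):
        """Consume a token with action 'accept' or 'decline'; None on any failure."""
        if action not in ("accept", "decline"):
            raise ValueError("action must be 'accept' or 'decline'")
        if self._rate_limited(ip):
            return None
        digest = self._digest(token)
        row = self._rows.get(digest)  # indexed lookup by hash, never by raw token
        if row is None or not hmac.compare_digest(row["digest"], digest):
            return None
        if row["outcome"] is not None or self._now() >= row["expires_at"]:
            return None  # already used (decline counts) or expired
        row["outcome"] = action  # single-use: both outcomes consume the token
        return {"org_id": row["org_id"], "role": row["role"], "outcome": action}
```

Unknown, expired, consumed and rate-limited tokens all return the same `None`, so the response does not reveal which check failed.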
21 HIGH SPEC-AMEND tickets ✅ CLOSED CONV-34 (v4.17 + v4.18 patches)
See `plans/permission-and-tenancy-model.md` → Risks & Edge Cases → From Business Review → HIGH findings (21) + Treatment plan. All 21 closed via inline patches; sub-plan status remained ratified (patches, not re-ratification).
- [x] Theme 1 — Token mechanics hardening (v4.17, 5 closed): reverse-invite TTL 7d → 30d (§ 1.4.A + 1.4.C); funnel visibility surface (§ 1.4.C); legal basis stub + gate (§ 1.4.C); invite token entropy + rate-limit + burst alert (§ 1.4.D); buyer tokenised URL mechanics — scope-to-(buyer,unit), forced rotation, noindex/Referrer-Policy/CSP headers (§ 1.7.J new).
- [x] Theme 2 — Session/permission re-eval policy (v4.17, 5 closed): server-side session revoke cross-subdomain + per-action DB permission check + stock-wipe modal (§ 1.5.B); cascade triage view + batch digest (§ 1.5.E); ownership transfer target-Org gate + operator SLA + identity-verification checklist (§ 1.5.F); SA project-switcher non-jarring banner + 24h grace (§ 1.3 Edge cases).
- [x] Theme 3 — Audit immutability + GDPR retention (v4.18, 4 closed): insert-only audit_writer DB role + monthly hash-chain seal + off-box S3 Object Lock archive + pii_class column + JSONB metadata registry + pseudonymisation post-12mo + controller_org_id annotation (§ 2.4.C); ADR 0004 v2 (12mo + 7yr Cyprus); ADR 0014 placeholder shell (MCP wrapper auth — Phase 1.5.6 gate); buyer joint-controller gate (§ 2.4.C → legal sub-plan).
- [x] Theme 4 — Ownership transfer + billing precision (v4.18, 7 closed): Stripe customer cleanup on Trial → Free Guest (§ 1.8.B); chargeback overrides grace + cash-basis revenue (§ 1.8.C); ADR 0013 proration (§ 1.8.F — upgrade prorated, downgrade end-of-period); referral 12mo cap (§ 2.3 pick 1); referral Organisation-bound attribution (§ 2.3 pick 5); 2FA-loss recovery (§ 1.2.F); operator dashboard per-email lookup (§ 1.5.C).
29 MED findings — implementation guidance
See Risks → From Business Review → MED findings (29). Reviewed during workstream kickoff; non-blocking for Stage 1 launch.
What's Next
Track A (SPEC-AMEND) ✅ closed CONV-34. Track B unblocked.
Track B — Roma scaffold kickoff (now active): Roma reads Part 1 + Part 2 + Risks + v4.17 + v4.18 patches → 12 numbered Phase 1.3 tasks (1.3.1-1.3.12) implementation. Self-contained for tech estimate; HIGH findings inline-folded, MED documented, LOW deferred Stage 2.
Outstanding blockers for Track B-derived work:
- Phase 1.5.6 MCP wrapper — blocked until ADR 0014 full ratification (placeholder shell CONV-34; spec deferred to a dedicated /plan session). Roma scaffold MAY include an `org_id` propagation interface at the ORM/service layer, but actual MCP wrapper code = blocked.
- ADR 0008 (Tier model) numbers/limits — pending `plans/onboarding-trial-mode.md` sub-plan ratification (next P0 in the queue).
Key Context
- Plan: `plans/permission-and-tenancy-model.md` (~1700 lines now, status: ratified CONV-33 + SPEC-AMEND v4.17/v4.18 CONV-34)
- ADRs anchored: ADR 0009 (Tenancy & Permission), ADR 0010 (Stock allocation), ADR 0008 (Tier model, skeleton), ADR 0005 v3 (Google + email/password Stage 1; Microsoft + SAML Stage 2 Tier 3), ADR 0004 v2 (Audit log retention 12mo active + 7yr Cyprus archive + pseudonymisation + insert-only DB role + monthly hash-chain seal), ADR 0013 (Proration policy — asymmetric), ADR 0014 placeholder (MCP wrapper auth — Phase 1.5.6 gate).
- HTML callout: `docs/rendered/launch-plan-stage-1.html` line 1528 → ratified callout pointing to sub-plan + v4.17/v4.18 SPEC-AMEND closure.
- Changelog: `docs/rendered/launch-plan-changelog.html` → v4.17 + v4.18 entries (2026-05-11, CONV-34) + v4.16 entry (CONV-33).
- Sister sub-plans pending: `plans/onboarding-trial-mode.md` (P0) → `plans/legal-multi-party-framework.md` (P1, Art. 26 framework for buyer joint-controller v4.18 gate) → `plans/buyer-profile-and-presentation.md` (P1).
- 6 concern agents reviewed plan (Studios / Sales motion / Customer Success / Legal+Compliance / Security / Finance+Billing) — 21 HIGH / 29 MED / 15 LOW findings. 21 HIGH all closed CONV-34.
- Learnings cited in Risks: "MCP wrapper prerequisites" (live constraint, anchors ADR 0014), "Multi-level access 5-tier" (STALE), "Client invite already exists" (STALE), "Payment providers Stripe/Paddle/Checkout" (live constraint, anchors § 1.8.B Stripe customer retention).
Session Log
- CONV-33 (2026-05-11): Workstream created. Part 2 Decision Log ratified pack-mode (11 sections + 6 new picks). Business review 6 parallel concern agents → 21 HIGH / 29 MED / 15 LOW findings consolidated into Risks section. 21 HIGH grouped into 4 SPEC-AMEND themes for CONV-34 patch session. Foundational §2 patched (Microsoft OAuth → Stage 2 Tier 3). Phase 1.3 callout updated. Changelog v4.16 entry. Commits: os `befac90` + preview `d9e94ec` pushed origin/main. Notion Sessions row CONV-32 created (local CONV-33 ahead by 1).
- CONV-34 (2026-05-11): SPEC-AMEND patch session — 21 HIGH closed via v4.17 (Themes 1+2 = 10 HIGH) + v4.18 (Themes 3+4 = 11 HIGH). Sub-plan status remained `ratified` (inline patches, not re-ratification). 6 plan-document touches (sub-plan +189 lines, ADR 0004 v2 +84 lines, 2 new ADRs 0013+0014, launch-plan-stage-1.html callout, launch-plan-changelog.html v4.17+v4.18 entries). Architectural risks expanded (MCP wrapper block + audit DR runbook + pseudonymisation vault key custody). Treatment plan section flipped "pending" → "closed CONV-34" with full mapping all 21 findings → patched sections. Track A closed; Track B (Roma scaffold) unblocked. Commits: os `2447c55` + preview `8bcb5e5` pushed origin/main.