Add gateway tenant ownership enforcement #79
Merged
added 6 commits
April 27, 2026 20:18
Add a planning note for the future gateway-to-Jetmon tenant contract, including request context headers, gateway versus Jetmon ownership checks, public error handling, and migration order. Link the contract from the internal API docs and roadmap so the next public-API work starts from an explicit boundary instead of inferring tenant rules from the internal-only API.
Add nullable owner_tenant_id columns for webhooks and alert contacts while preserving the existing unscoped internal API behavior. Thread the owner through repository models and add tenant-scoped CRUD helpers so future gateway-routed handlers can enforce customer ownership without changing delivery workers.
Parse gateway-derived tenant headers only for the gateway consumer, attach the accepted context to API audit metadata, and reject public-context headers from other internal callers. Use the tenant context to scope webhook and alert-contact CRUD, delivery history, manual retry, and alert-contact send-test paths while keeping normal internal requests unscoped.
Add a jetmon_site_tenants mapping table so gateway-routed site visibility can support shared or delegated ownership without changing the legacy site row. Scope site, event, stats, and trigger-now handlers through that mapping when gateway context is present, while preserving unscoped behavior for normal internal callers.
Refresh the public API gateway contract and API reference so they describe the tenant ownership checks that now run for gateway-routed requests. Replace the test-only use of t.Context with context.Background so vet continues to pass under the module's Go 1.22 target, and remove a stale httptest compile guard.
Add a site-tenants import CLI that validates tenant_id,blog_id CSV input, skips duplicate rows, and upserts mappings into jetmon_site_tenants for the gateway ownership backfill path. Keep the import additive so pruning stale mappings can be handled by a later source-specific reconciliation policy, and update the docs/roadmap to describe that boundary.
This was referenced Apr 28, 2026
Stacked PR 7 of 9.
Base: stack-06-deliverer-openapi-ops
Head: stack-07-gateway-tenant
Previous PR: #78
Summary:
Review notes:
This PR is intentionally isolated because tenant enforcement changes access-control behavior and should be reviewed independently from the base API mechanics.
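
Added example, not code from this PR or from the Jetmon repository: a minimal Go sketch of the trust boundary the commit messages describe, where tenant headers are accepted only from the gateway consumer, rejected from other internal callers, and then used to scope rows by a nullable `owner_tenant_id`. The header name, the consumer name, the fail-closed handling of a gateway request with no tenant header, and the rule that unowned rows are hidden from scoped requests are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical names: the page gives neither the header nor the consumer name.
const (
	tenantHeader    = "X-Example-Tenant-Id"
	gatewayConsumer = "gateway"
)

var (
	errForbiddenContext = errors.New("tenant header from non-gateway caller")
	errMissingTenant    = errors.New("gateway request without tenant header")
)

// TenantScope: Scoped=false is the unscoped internal behaviour.
type TenantScope struct {
	Scoped   bool
	TenantID string
}

// resolveScope takes the already-authenticated consumer name (assumed to come
// from the API's auth layer) and decides whether tenant headers are trusted.
func resolveScope(consumer string, h http.Header) (TenantScope, error) {
	tenant := h.Get(tenantHeader)
	if consumer != gatewayConsumer {
		if tenant != "" {
			return TenantScope{}, errForbiddenContext // reject, never silently ignore
		}
		return TenantScope{}, nil // normal internal request stays unscoped
	}
	if tenant == "" {
		return TenantScope{}, errMissingTenant // assumption: fail closed
	}
	return TenantScope{Scoped: true, TenantID: tenant}, nil
}

// visible checks a row's nullable owner_tenant_id against the scope.
// Assumption: rows with no owner are hidden from tenant-scoped requests.
func visible(s TenantScope, owner *string) bool {
	return !s.Scoped || (owner != nil && *owner == s.TenantID)
}

func main() {
	h := http.Header{}
	h.Set(tenantHeader, "tenant-a") // constructed sample request
	_, err := resolveScope("internal-worker", h)
	fmt.Println(err)
}
```

Rejecting the header from non-gateway callers, instead of dropping it, makes a misrouted or spoofed public context show up as an error in audit logs.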