feat: tenant isolation for single-instance multi-tenant deployment#671
Draft
Copilot wants to merge 3 commits into
Draft
feat: tenant isolation for single-instance multi-tenant deployment#671Copilot wants to merge 3 commits into
Copilot wants to merge 3 commits into
Conversation
7 tasks
- Add Flyway migration V1_8 to add tenant column to scl_file table
- Add GLOBAL_TENANT constant ("global") for no-auth mode
- Add TenantService to resolve tenant from JWT issuer or fall back to "global"
- Update CompasSclDataRepository interface: all methods take tenant as first param
- Update PostgreSQL repository SQL to filter/insert by tenant
- Update SoftDeleteCompasSclDataPostgreSQLRepository with tenant in DELETE SQL
- Update CompasSclDataService: all public methods take tenant as first param
- Update REST resource (CompasSclDataResource) to inject TenantService
- Update WebSocket event models and endpoints with tenant field
- Update CompasPluginsResourceService and CompasPluginsResource with tenant
- Add TenantServiceTest with 6 unit tests covering all scenarios
- Update all existing tests to use tenant parameter
- Strip trailing slash before extracting last path segment so that "http://host/realms/compas/" correctly returns "compas" - Guard against bare hostname URLs (e.g. "http://host") returning the hostname as tenant by checking that the char before lastSlash is not also a slash (i.e. not the "://" separator) - Fix test method name typo: AssTenant → AsTenant - Update no-path test to assert GLOBAL_TENANT (was incorrectly asserting "host") - Add new trailing-slash test case
Copilot
AI
changed the title
[WIP] Implement single backend instance deployment for multiple tenants
feat: tenant isolation for single-instance multi-tenant deployment
Jun 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A single deployed backend instance needs to serve users within a company under an isolated tenant scope, with tenant derived automatically — no manual configuration required.
Approach
Tenant resolution (
TenantService):"global"http://host/realms/compas→"compas")"global"Database (
V1_8Flyway migration):tenant varchar(255) NOT NULL DEFAULT 'global'+ index toscl_file"global"tenantLayer changes —
tenantthreaded as first parameter through every read/write path:CompasSclDataRepositoryinterface + PostgreSQL implementation (all SQL queries filter/insert by tenant)SoftDeleteCompasSclDataPostgreSQLRepository(DELETE SQL updated)CompasSclDataService— all public methodsCompasSclDataResource+CompasPluginsResource— injectTenantService, resolve per requestCreateEventRequest,GetEventRequest,GetVersionEventRequest,UpdateEventRequest) + all 4 endpoints +CompasSclDataEventHandlerCompasPluginsResourceService(list,count,upload)scl_labelis unaffected — tenant isolation is enforced via thescl_fileFK, no column needed there.