Context
WorkWell's tenancy today (E13 PR-1, ADR-019) is read-time grouping over one shared in-memory directory and one shared Postgres schema (workwell_spike) — every "WebChart system" (twh, ihn, the scale-proof mhn) lives in the same tables, distinguished only by a tenantId resolved from the synthetic employee catalog. It is sufficient to demo multi-employer rollups and prove aggregation reconciles (All = Σ tenants), but it is not an isolation boundary: the ?tenant= filter is optional and client-supplied, not derived from an authenticated identity, so any authenticated user can currently see across tenants.
Real multi-employer production isolation needs both a data-isolation design (schema/database-per-tenant, or row-level security enforced mandatorily from an authenticated tenant claim) and an auth-isolation design (tenant claims in the identity token once real auth exists — see the auth-fork issue #265 — and tenant-scoped authorization checks, which authorize.ts has no concept of today).
This is explicitly a design-with-MIE item: whether it's needed at all depends on whether one WorkWell instance is meant to serve many employers, or each employer gets its own deployment (sidestepping the isolation problem via topology). Not answerable unilaterally.
Spec to be written when scheduled — see docs/PRODUCTION_READINESS_2026-07.md.
Context
WorkWell's tenancy today (E13 PR-1, ADR-019) is read-time grouping over one shared in-memory directory and one shared Postgres schema (
workwell_spike) — every "WebChart system" (twh,ihn, the scale-proofmhn) lives in the same tables, distinguished only by atenantIdresolved from the synthetic employee catalog. It is sufficient to demo multi-employer rollups and prove aggregation reconciles (All = Σ tenants), but it is not an isolation boundary: the?tenant=filter is optional and client-supplied, not derived from an authenticated identity, so any authenticated user can currently see across tenants.Real multi-employer production isolation needs both a data-isolation design (schema/database-per-tenant, or row-level security enforced mandatorily from an authenticated tenant claim) and an auth-isolation design (tenant claims in the identity token once real auth exists — see the auth-fork issue #265 — and tenant-scoped authorization checks, which
authorize.tshas no concept of today).This is explicitly a design-with-MIE item: whether it's needed at all depends on whether one WorkWell instance is meant to serve many employers, or each employer gets its own deployment (sidestepping the isolation problem via topology). Not answerable unilaterally.
Spec to be written when scheduled — see
docs/PRODUCTION_READINESS_2026-07.md.