Sprint 11
This page documents a sprint (Sprint 11) of ORE Studio v0. It captures the sprint's mission, current status, and the stories that compose it. For the surrounding context — version goals, sprint order, and product identity — see Version 0.
Mission
Add multi-tenant support. Delivered: a complete multi-tenant foundation that touches every layer. Schema (tenant_id on ~70 tables, RBAC roles, RLS), seeding (system tenant), test isolation (tenant-per-test), codegen (tenant-aware by default), C++ entities (strong-typed tenant_id), handlers (per-request context to close the data-leakage risk), and validation (shell, librarian publication, DQ metadata, eventing).
Status
| Field | Value |
|---|---|
| State | DONE |
| Parent version | Version 0 |
| Previous | Sprint 10 |
| Start | 2026-01-28 |
| End (expected) | 2026-02-06 |
| Now | Sprint closed 2026-02-06. One task carries forward: the sqlgen bound-parameters work, BLOCKED on upstream getml/sqlgen#119. |
| Waiting on | Upstream sqlgen bound-parameter support. |
| Next | Sprint 12 |
| Release Notes | Release notes |
| Last touched | 2026-02-06 |
Achievements
- Multi-tenant architecture established end-to-end: schema, seeding, RLS, and per-request context.
- Each test isolated in its own tenant via tenancy-based test isolation.
- Telemetry database sink introduced (ores.telemetry.database).
- Service accounts and audit trail with performed_by stamping across all mutations.
- sqlgen improved with libpq audit and upstream bound-params work.
- Tenancy validated and enforced across shell, librarian, DQ, and eventing surfaces.
Stories
For the definitions of the themes see Themes.
Infrastructure
| Story | State | Start | End | Description |
|---|---|---|---|---|
| Engineering hygiene | DONE | 2026-02-06 | | past review comments; apt-get retry; vcpkg cache fix. |
| Database role split and schema consolidation | DONE | 2026-01-31 | | preconditions: RBAC, single public schema, SQL tree tidy-up. |
| Tenancy foundation | DONE | 2026-02-01 | | schema, seeding, login/test plumbing. |
| Tenancy-based test isolation | DONE | 2026-02-01 | | tenant_context service, per-test tenants, RLS. |
| Tenancy codegen and entity types | DONE | 2026-02-03 | | Mustache templates, pgTAP, C++ tenant entities, protocol bump 26.1. |
| Telemetry database sink | DONE | 2026-02-03 | | ores.telemetry.database; test logging; three-tier tenant lifecycle. |
| Service accounts and audit | DONE | 2026-02-04 | | account_type + performed_by audit field + telemetry deadlock fix. |
| Per-request tenant context | DONE | 2026-02-06 | | security fix; tenant_id wrapper; system tenant nil → max UUID. |
| Validate tenancy across surfaces | DONE | 2026-02-06 | | shell, librarian, DQ metadata, eventing. |
Tooling
| Story | State | Start | End | Description |
|---|---|---|---|---|
| sqlgen improvements | DONE | 2026-02-06 | | libpq audit; upstream notice + bound-params work. |
Agile
| Story | State | Start | End | Description |
|---|---|---|---|---|
| Sprint 11 housekeeping | DONE | 2026-02-06 | | backlog + OCR. |
Charts
Charts generated via sprint_charts cmake target.
PRs & Commits per Day
Dual-axis bar chart. PRs (left axis) and commits (right axis) per day. A high commits-to-PR ratio may indicate scope creep.
Daily Line Churn
Lines added (green) and deleted (red) per day. Building work produces mostly additions; refactoring produces a mix. Days with no churn may indicate blockers.
Cumulative Stories Done
Line chart tracking stories marked DONE during the sprint. Steady upward slope is healthy; plateauing signals a stall.
Retrospective
What went well
- Multi-tenant landed end-to-end inside one sprint window. Schema → seeding → tests → codegen → C++ entities → handlers → validation all in nine days.
- Tenant-per-test was the right call — order of magnitude faster than tear-down + recreate, and far closer to production reality.
- The reversal of the sprint-10 metadata/production schema split was uneventful; the prefix-naming convention carried the namespacing without the operational overhead.
- The per-request tenant-context refactor caught a real cross-tenant leakage risk that had been silently present.
- Three sqlgen issues filed upstream cleanly; one PR landed for review.
What hurt
- The bound-parameters story is blocked on upstream sqlgen — we still have libpq escapes we want to retire and can't.
- The system-tenant nil-UUID confusion (default-construct collides with system identity) was caught only when the handler refactor forced explicit construction. Could have been spotted earlier.
- Reversing the sprint-10 schema split is a good outcome but it's also evidence that we got the previous decision wrong; the cost is real even when it's the right call.
- Tenancy touched almost everything in the codebase; the PR queue felt long this sprint.
What changed
- public schema is back as the single SQL home; sprint-10's metadata/production split is gone.
- Database access goes through RBAC group roles + LOGIN service users; no more single all-rights admin account.
- tenant_id is on every entity table; the system tenant is the max UUID per RFC 9562 (no longer nil).
- Codegen is tenant-aware by default; tenant-less tables are the exception.
- Handlers build their database context per request from the session's tenant_id.
- Services authenticate via session and have their own account_type; audit splits performed_by from modified_by.
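
The nil-UUID collision and the per-request context described above can be sketched as follows. This is an added example, not ORE Studio's code: the shape of the tenant_id class, parse, request_context and make_context are hypothetical names chosen for illustration; only the max-UUID system tenant and the per-request construction come from this page.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <optional>
#include <string_view>

// Hypothetical strong-typed tenant identifier (illustration only).
class tenant_id {
public:
    using bytes = std::array<std::uint8_t, 16>;
    tenant_id() = delete;  // no default construction, so no accidental nil value
    // System tenant: the RFC 9562 max UUID (all bits set).
    static tenant_id system() { bytes b; b.fill(0xFF); return tenant_id(b); }
    // Parse the canonical 8-4-4-4-12 form; reject malformed input and the nil UUID.
    static std::optional<tenant_id> parse(std::string_view s) {
        if (s.size() != 36) return std::nullopt;
        bytes b{};
        std::size_t nibble = 0;
        for (std::size_t i = 0; i < s.size(); ++i) {
            const char c = s[i];
            if (i == 8 || i == 13 || i == 18 || i == 23) {
                if (c != '-') return std::nullopt;
                continue;
            }
            int v;
            if (c >= '0' && c <= '9') v = c - '0';
            else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
            else return std::nullopt;
            b[nibble / 2] = static_cast<std::uint8_t>((b[nibble / 2] << 4) | v);
            ++nibble;
        }
        if (std::all_of(b.begin(), b.end(), [](std::uint8_t x) { return x == 0; }))
            return std::nullopt;  // nil UUID is never a valid tenant
        return tenant_id(b);
    }
    bool is_system() const { return *this == system(); }
    friend bool operator==(const tenant_id& a, const tenant_id& b) { return a.value_ == b.value_; }
private:
    explicit tenant_id(const bytes& b) : value_(b) {}
    bytes value_;
};

// Hypothetical per-request context, built from the session's tenant on every request.
struct request_context { tenant_id tenant; };

std::optional<request_context> make_context(std::string_view session_tenant) {
    auto t = tenant_id::parse(session_tenant);
    if (!t) return std::nullopt;  // fail closed: no tenant, no database context
    return request_context{*t};
}
```

Because the type has no default constructor, a forgotten initialisation fails to compile instead of silently producing an all-zero value that could be read as a privileged identity.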