MPCoreDeveloper
diff --git a/‎.github/issue-drafts/multitenancy-v1.6.0/00-epic-multitenant-saas-hardening-v1.6.0.md‎
Lines changed: 6 additions & 3 deletions b/‎.github/issue-drafts/multitenancy-v1.6.0/00-epic-multitenant-saas-hardening-v1.6.0.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎.github/issue-drafts/multitenancy-v1.6.0/09-tenant-encryption-key-management.md‎
Lines changed: 3 additions & 1 deletion b/‎.github/issue-drafts/multitenancy-v1.6.0/09-tenant-encryption-key-management.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/issue-drafts/multitenancy-v1.6.0/10-per-tenant-quotas-and-limits.md‎
Lines changed: 3 additions & 1 deletion b/‎.github/issue-drafts/multitenancy-v1.6.0/10-per-tenant-quotas-and-limits.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/issue-drafts/multitenancy-v1.6.0/11-tenant-audit-and-security-events.md‎
Lines changed: 3 additions & 1 deletion b/‎.github/issue-drafts/multitenancy-v1.6.0/11-tenant-audit-and-security-events.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/issue-drafts/multitenancy-v1.6.0/12-saas-sample-docs-and-threat-model.md‎
Lines changed: 3 additions & 1 deletion b/‎.github/issue-drafts/multitenancy-v1.6.0/12-saas-sample-docs-and-threat-model.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/issue-drafts/multitenancy-v1.6.0/13-tenant-ops-backup-restore-migrate.md‎
Lines changed: 16 additions & 0 deletions b/‎.github/issue-drafts/multitenancy-v1.6.0/13-tenant-ops-backup-restore-migrate.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎docs/server/MULTITENANT_BACKUP_RESTORE_MIGRATION_v1.6.0.md‎
Lines changed: 42 additions & 0 deletions b/‎docs/server/MULTITENANT_BACKUP_RESTORE_MIGRATION_v1.6.0.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎docs/server/MULTITENANT_OPERATIONS_RUNBOOK_v1.6.0.md‎
Lines changed: 4 additions & 0 deletions b/‎docs/server/MULTITENANT_OPERATIONS_RUNBOOK_v1.6.0.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/SharpCoreDB.Server.Core/Api/TenantsController.cs‎
Lines changed: 235 additions & 0 deletions b/‎src/SharpCoreDB.Server.Core/Api/TenantsController.cs‎
Lines changed: 235 additions & 0 deletions
@@ -2,14 +2,17 @@
 Deliver first-class multi-tenant SaaS support in `SharpCoreDB.Server` on top of current `v1.6.0` capabilities.
 
 ## Status
-Implemented in workspace:
+**State:** RESOLVED for the current multitenancy draft set in the repository.
+
+Resolved workstreams in repository:
 - [x] `09-tenant-encryption-key-management.md`
 - [x] `10-per-tenant-quotas-and-limits.md`
 - [x] `11-tenant-audit-and-security-events.md`
 - [x] `12-saas-sample-docs-and-threat-model.md`
+- [x] `13-tenant-ops-backup-restore-migrate.md`
 
-Next planned work:
-- [ ] `13-tenant-ops-backup-restore-migrate.md`
+Roadmap note:
+- [x] Multitenancy roadmap implementation complete in the current draft set.
 
 Current baseline in codebase:
 - Multi-database hosting in one server instance is available (`DatabaseRegistry`, `ServerConfiguration.Databases`).
 
@@ -2,7 +2,9 @@
 Introduce per-tenant encryption key integration and rotation hooks.
 
 ## Status
-Completed in workspace.
+**State:** RESOLVED
+
+Completed in workspace and committed/pushed to repository.
 
 ## Completed Implementation Notes
 - Added `ITenantEncryptionKeyProvider` and `ConfigurationTenantEncryptionKeyProvider`.
 
@@ -2,7 +2,9 @@
 Add configurable per-tenant quotas and limit enforcement.
 
 ## Status
-Completed in workspace.
+**State:** RESOLVED
+
+Completed in workspace and committed/pushed to repository.
 
 ## Completed Implementation Notes
 - Added `TenantQuotaPolicy` model and tenant quota catalog persistence.
 
@@ -2,7 +2,9 @@
 Implement tenant-aware audit trail and security event logging.
 
 ## Status
-Completed in workspace.
+**State:** RESOLVED
+
+Completed in workspace and committed/pushed to repository.
 
 ## Completed Implementation Notes
 - Added tenant security audit event model, in-memory store, sink abstraction, and emission service.
 
@@ -2,7 +2,9 @@
 Publish a complete SaaS reference sample and documentation set for multi-tenant deployments.
 
 ## Status
-Completed in workspace.
+**State:** RESOLVED
+
+Completed in workspace and committed/pushed to repository.
 
 ## Completed Implementation Notes
 - Added a multi-tenant SaaS reference sample under `Examples/Server/SharpCoreDB.MultiTenantSaaSSample`.
 
@@ -1,6 +1,22 @@
 ## Summary
 Add per-tenant operational tooling for backup, restore, and migration workflows.
 
+## Status
+**State:** RESOLVED
+
+Completed in workspace. Pending git commit/push for the latest phase-13 changes in the current working tree.
+
+## Completed Implementation Notes
+- Added tenant-scoped backup and restore operation contracts.
+- Implemented `TenantBackupRestoreService` with validation and rollback handling.
+- Added `TenantMigrationPlanningService` with migration steps and execution hooks.
+- Exposed tenant backup, restore, and migration-plan REST endpoints.
+- Published operational guidance in `docs/server/MULTITENANT_BACKUP_RESTORE_MIGRATION_v1.6.0.md`.
+
+## Validation
+- Integration tests cover restore correctness and rollback behavior.
+- Workspace build passed.
+
 ## Why
 SaaS operations need tenant-scoped disaster recovery and move/maintenance workflows.
 
 
@@ -0,0 +1,42 @@
+# SharpCoreDB Server Tenant Backup Restore and Migration Guide v1.6.0
+
+## Overview
+This guide documents tenant-scoped backup, restore, and migration procedures for database-per-tenant deployments.
+
+## Goals
+- back up a single tenant without a broad outage
+- restore a single tenant with validation before activation
+- prepare migration cutover plans between server instances
+
+## REST Endpoints
+- `POST /api/v1/tenants/{tenantId}/databases/{databaseName}/backup`
+- `POST /api/v1/tenants/{tenantId}/databases/{databaseName}/restore`
+- `POST /api/v1/tenants/{tenantId}/databases/{databaseName}/migration-plan`
+
+## Backup Flow
+1. resolve tenant database mapping from the tenant catalog
+2. export the tenant database file to a backup artifact path
+3. record lifecycle events for start/completion/failure
+4. retain the artifact in durable operator storage
+
+## Restore Flow
+1. resolve tenant database mapping
+2. create a rollback copy of the active tenant database when present
+3. drain and detach only the tenant database being restored
+4. copy the backup artifact to the target restore path
+5. validate the restored file by opening it before activation
+6. re-register the tenant database and update catalog location metadata if needed
+7. roll back to the original file if validation or registration fails
+
+## Migration Planning
+Migration plans generate:
+- source database path and size metadata
+- suggested backup artifact path
+- ordered cutover steps
+- export, restore, and validation execution hooks for operator automation
+
+## Operational Guidance
+- back up `master` separately before control-plane changes
+- export tenant backup artifacts to durable storage outside the server host
+- validate tenant isolation after restore or migration cutover
+- keep encryption key references available before restoring encrypted tenant databases
@@ -3,6 +3,10 @@
 ## Scope
 Operational guidance for tenant lifecycle, encryption, quotas, auditing, and incident response.
 
+See also:
+- `docs/server/MULTITENANT_BACKUP_RESTORE_MIGRATION_v1.6.0.md`
+- `docs/server/MULTITENANT_SAAS_REFERENCE_v1.6.0.md`
+
 ## Daily Operations
 - review `GET /api/v1/tenant-security/audit`
 - review `GET /api/v1/tenant-access/audit`
 
@@ -24,6 +24,8 @@ public sealed class TenantsController(
     TenantProvisioningService provisioningService,
     TenantEncryptionKeyRotationService keyRotationService,
     TenantQuotaEnforcementService quotaEnforcementService,
+    TenantBackupRestoreService backupRestoreService,
+    TenantMigrationPlanningService migrationPlanningService,
     TenantCatalogRepository catalogRepository,
     ILogger<TenantsController> logger) : ControllerBase
 {
@@ -454,6 +456,160 @@ public async Task<ActionResult<TenantQuotaApiResponse>> UpsertTenantQuotas(
             UpdatedAt = effective.UpdatedAt,
         });
     }
+
+    /// <summary>
+    /// Creates a tenant-scoped backup export.
+    /// POST /api/v1/tenants/{tenantId}/databases/{databaseName}/backup
+    /// </summary>
+    [HttpPost("{tenantId}/databases/{databaseName}/backup")]
+    [ProducesResponseType(200)]
+    [ProducesResponseType(400)]
+    [ProducesResponseType(404)]
+    public async Task<ActionResult<TenantBackupApiResponse>> CreateTenantBackup(
+        string tenantId,
+        string databaseName,
+        [FromBody] CreateTenantBackupApiRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        if (string.IsNullOrWhiteSpace(request.BackupDirectory))
+        {
+            return BadRequest(new ErrorResponse { Message = "BackupDirectory is required" });
+        }
+
+        var tenant = await catalogRepository.GetTenantByIdAsync(tenantId, cancellationToken);
+        if (tenant is null)
+        {
+            return NotFound(new ErrorResponse { Message = "Tenant not found" });
+        }
+
+        var operation = await backupRestoreService.CreateBackupAsync(
+            tenantId,
+            databaseName,
+            request.BackupDirectory,
+            request.IdempotencyKey ?? Guid.NewGuid().ToString("N"),
+            cancellationToken);
+
+        if (operation.Status == TenantDataOperationStatus.Failed)
+        {
+            return StatusCode(500, new ErrorResponse { Message = operation.ErrorMessage ?? "Backup failed" });
+        }
+
+        return Ok(new TenantBackupApiResponse
+        {
+            OperationId = operation.OperationId,
+            TenantId = operation.TenantId,
+            DatabaseName = operation.DatabaseName,
+            BackupPath = operation.BackupPath,
+            BackupSizeBytes = operation.BackupSizeBytes,
+            Status = operation.Status.ToString(),
+            StartedAt = operation.StartedAt,
+            CompletedAt = operation.CompletedAt,
+        });
+    }
+
+    /// <summary>
+    /// Restores a tenant database from a tenant-scoped backup export.
+    /// POST /api/v1/tenants/{tenantId}/databases/{databaseName}/restore
+    /// </summary>
+    [HttpPost("{tenantId}/databases/{databaseName}/restore")]
+    [ProducesResponseType(200)]
+    [ProducesResponseType(400)]
+    [ProducesResponseType(404)]
+    public async Task<ActionResult<TenantRestoreApiResponse>> RestoreTenantBackup(
+        string tenantId,
+        string databaseName,
+        [FromBody] RestoreTenantBackupApiRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        if (string.IsNullOrWhiteSpace(request.BackupPath))
+        {
+            return BadRequest(new ErrorResponse { Message = "BackupPath is required" });
+        }
+
+        var tenant = await catalogRepository.GetTenantByIdAsync(tenantId, cancellationToken);
+        if (tenant is null)
+        {
+            return NotFound(new ErrorResponse { Message = "Tenant not found" });
+        }
+
+        var operation = await backupRestoreService.RestoreBackupAsync(
+            tenantId,
+            databaseName,
+            request.BackupPath,
+            request.TargetDatabasePath,
+            request.IdempotencyKey ?? Guid.NewGuid().ToString("N"),
+            cancellationToken);
+
+        if (operation.Status == TenantDataOperationStatus.Failed)
+        {
+            return StatusCode(500, new ErrorResponse { Message = operation.ErrorMessage ?? "Restore failed" });
+        }
+
+        return Ok(new TenantRestoreApiResponse
+        {
+            OperationId = operation.OperationId,
+            TenantId = operation.TenantId,
+            DatabaseName = operation.DatabaseName,
+            SourceBackupPath = operation.SourceBackupPath,
+            RestoredDatabasePath = operation.RestoredDatabasePath,
+            ValidationPassed = operation.ValidationPassed,
+            RollbackApplied = operation.RollbackApplied,
+            Status = operation.Status.ToString(),
+            StartedAt = operation.StartedAt,
+            CompletedAt = operation.CompletedAt,
+        });
+    }
+
+    /// <summary>
+    /// Creates a migration plan for moving a tenant database to another server instance.
+    /// POST /api/v1/tenants/{tenantId}/databases/{databaseName}/migration-plan
+    /// </summary>
+    [HttpPost("{tenantId}/databases/{databaseName}/migration-plan")]
+    [ProducesResponseType(200)]
+    [ProducesResponseType(400)]
+    [ProducesResponseType(404)]
+    public async Task<ActionResult<TenantMigrationPlanApiResponse>> CreateTenantMigrationPlan(
+        string tenantId,
+        string databaseName,
+        [FromBody] CreateTenantMigrationPlanApiRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        if (string.IsNullOrWhiteSpace(request.TargetServer) || string.IsNullOrWhiteSpace(request.ExportDirectory))
+        {
+            return BadRequest(new ErrorResponse { Message = "TargetServer and ExportDirectory are required" });
+        }
+
+        var tenant = await catalogRepository.GetTenantByIdAsync(tenantId, cancellationToken);
+        if (tenant is null)
+        {
+            return NotFound(new ErrorResponse { Message = "Tenant not found" });
+        }
+
+        var plan = await migrationPlanningService.CreateMigrationPlanAsync(
+            tenantId,
+            databaseName,
+            request.TargetServer,
+            request.ExportDirectory,
+            cancellationToken);
+
+        return Ok(new TenantMigrationPlanApiResponse
+        {
+            PlanId = plan.PlanId,
+            TenantId = plan.TenantId,
+            DatabaseName = plan.DatabaseName,
+            SourceDatabasePath = plan.SourceDatabasePath,
+            TargetServer = plan.TargetServer,
+            ExportArtifactPath = plan.ExportArtifactPath,
+            DatabaseSizeBytes = plan.DatabaseSizeBytes,
+            Steps = plan.Steps,
+            ExportHook = plan.ExecutionHooks.ExportHook,
+            RestoreHook = plan.ExecutionHooks.RestoreHook,
+            ValidationHook = plan.ExecutionHooks.ValidationHook,
+            CreatedAt = plan.CreatedAt,
+        });
+    }
+
+    // ...existing code...
 }
 
 // API Request/Response DTOs
@@ -629,3 +785,82 @@ public sealed class TenantQuotaApiResponse
     public required int MaxBatchSize { get; init; }
     public required DateTime? UpdatedAt { get; init; }
 }
+
+/// <summary>
+/// Request to create a tenant backup.
+/// </summary>
+public sealed class CreateTenantBackupApiRequest
+{
+    public required string BackupDirectory { get; init; }
+    public string? IdempotencyKey { get; init; }
+}
+
+/// <summary>
+/// Response from tenant backup request.
+/// </summary>
+public sealed class TenantBackupApiResponse
+{
+    public required string OperationId { get; init; }
+    public required string TenantId { get; init; }
+    public required string DatabaseName { get; init; }
+    public required string BackupPath { get; init; }
+    public required long BackupSizeBytes { get; init; }
+    public required string Status { get; init; }
+    public required DateTime StartedAt { get; init; }
+    public required DateTime? CompletedAt { get; init; }
+}
+
+/// <summary>
+/// Request to restore a tenant backup.
+/// </summary>
+public sealed class RestoreTenantBackupApiRequest
+{
+    public required string BackupPath { get; init; }
+    public string? TargetDatabasePath { get; init; }
+    public string? IdempotencyKey { get; init; }
+}
+
+/// <summary>
+/// Response from tenant restore request.
+/// </summary>
+public sealed class TenantRestoreApiResponse
+{
+    public required string OperationId { get; init; }
+    public required string TenantId { get; init; }
+    public required string DatabaseName { get; init; }
+    public required string SourceBackupPath { get; init; }
+    public required string RestoredDatabasePath { get; init; }
+    public required bool ValidationPassed { get; init; }
+    public required bool RollbackApplied { get; init; }
+    public required string Status { get; init; }
+    public required DateTime StartedAt { get; init; }
+    public required DateTime? CompletedAt { get; init; }
+}
+
+/// <summary>
+/// Request to create a tenant migration plan.
+/// </summary>
+public sealed class CreateTenantMigrationPlanApiRequest
+{
+    public required string TargetServer { get; init; }
+    public required string ExportDirectory { get; init; }
+}
+
+/// <summary>
+/// Response from tenant migration plan request.
+/// </summary>
+public sealed class TenantMigrationPlanApiResponse
+{
+    public required string PlanId { get; init; }
+    public required string TenantId { get; init; }
+    public required string DatabaseName { get; init; }
+    public required string SourceDatabasePath { get; init; }
+    public required string TargetServer { get; init; }
+    public required string ExportArtifactPath { get; init; }
+    public required long DatabaseSizeBytes { get; init; }
+    public required string[] Steps { get; init; }
+    public required string ExportHook { get; init; }
+    public required string RestoreHook { get; init; }
+    public required string ValidationHook { get; init; }
+    public required DateTime CreatedAt { get; init; }
+}