Add multitenant SaaS sample docs and threat model

Author: MPCoreDeveloper

.github/issue-drafts/multitenancy-v1.6.0/00-epic-multitenant-saas-hardening-v1.6.0.md

@@ -6,9 +6,10 @@ Implemented in workspace:
 - [x] `09-tenant-encryption-key-management.md`
 - [x] `10-per-tenant-quotas-and-limits.md`
 - [x] `11-tenant-audit-and-security-events.md`
+- [x] `12-saas-sample-docs-and-threat-model.md`
 
 Next planned work:
-- [ ] `12-saas-sample-docs-and-threat-model.md`
+- [ ] `13-tenant-ops-backup-restore-migrate.md`
 
 Current baseline in codebase:
 - Multi-database hosting in one server instance is available (`DatabaseRegistry`, `ServerConfiguration.Databases`).

.github/issue-drafts/multitenancy-v1.6.0/12-saas-sample-docs-and-threat-model.md

@@ -1,24 +1,18 @@
 ## Summary
 Publish a complete SaaS reference sample and documentation set for multi-tenant deployments.
 
-## Why
-Feature completeness must be paired with clear adoption guidance.
-
-## Scope
-- End-to-end sample: tenant onboarding, routing, secure connection, isolation checks.
-- Docs: recommended patterns (DB-per-tenant default, shared DB optional), migration path, ops runbook.
-- Threat model: cross-tenant access risks and mitigations.
+## Status
+Completed in workspace.
 
-## Implementation Plan
-1. Build reference sample with provisioning and scoped access.
-2. Add validation scripts for isolation tests.
-3. Publish docs under `docs/server` and link from package readmes.
-4. Add architecture and threat model diagrams.
+## Completed Implementation Notes
+- Added a multi-tenant SaaS reference sample under `Examples/Server/SharpCoreDB.MultiTenantSaaSSample`.
+- Added sample configuration, REST onboarding flow, and PowerShell isolation validation script.
+- Published docs under `docs/server` for reference architecture, operations runbook, and threat model.
+- Linked new multitenancy docs/sample from package and repository readmes.
 
-## Acceptance Criteria
-- New users can implement multi-tenant setup using docs/sample.
-- Threat model and mitigations are explicit.
-- Docs are versioned and aligned with released behavior.
+## Validation
+- Documentation and sample assets added for onboarding and isolation validation.
+- Workspace build passed.
 
-## Dependencies
-- Finalization issue; depends on most technical tracks.
+## Why
+Feature completeness must be paired with clear adoption guidance.

Examples/Server/SharpCoreDB.MultiTenantSaaSSample/README.md

@@ -0,0 +1,45 @@
+# SharpCoreDB Multi-Tenant SaaS Reference Sample v1.6.0
+
+This reference sample demonstrates a database-per-tenant SaaS deployment with runtime tenant provisioning, scoped JWT access, tenant quotas, tenant encryption keys, and security audit inspection.
+
+## Goals
+- onboard a tenant with the tenant management API
+- connect with tenant-scoped users
+- validate same-tenant access succeeds
+- validate cross-tenant access is denied
+- inspect tenant audit/security traces
+
+## Sample Layout
+- `appsettings.multitenant.sample.json` - reference server configuration
+- `validate-tenant-isolation.ps1` - PowerShell validation script
+- `tenant-onboarding.http` - manual REST flow for provisioning and validation
+
+## Recommended Topology
+```mermaid
+flowchart LR
+    Admin[Platform Admin] -->|HTTPS REST| Server[SharpCoreDB.Server]
+    TenantA[Tenant A User] -->|JWT + HTTPS/gRPC| Server
+    TenantB[Tenant B User] -->|JWT + HTTPS/gRPC| Server
+    Server --> Master[(master)]
+    Server --> TenantADB[(tenant_tenant_a)]
+    Server --> TenantBDB[(tenant_tenant_b)]
+    Master --> Catalog[(tenant catalog + quotas + audits)]
+```
+
+## Quick Start
+1. Copy `appsettings.multitenant.sample.json` into your server deployment as a starting point.
+2. Start `SharpCoreDB.Server` with TLS enabled.
+3. Run `pwsh ./validate-tenant-isolation.ps1 -BaseUrl https://localhost:8443`.
+4. Review the output and the audit endpoints.
+
+## Expected Validation Outcomes
+- admin login succeeds
+- tenant provisioning succeeds
+- tenant A can query `tenant_tenant_a`
+- tenant A is denied against `tenant_tenant_b`
+- security audit endpoints show login/connect/denied events
+
+## Notes
+- The sample uses REST for readability. The same tenant model applies to gRPC and WebSocket/Binary paths.
+- Replace example secrets and certificate paths before any non-local use.
+- Keep database-per-tenant as the default recommendation. Shared-database mode remains optional.

Examples/Server/SharpCoreDB.MultiTenantSaaSSample/appsettings.multitenant.sample.json

@@ -0,0 +1,85 @@
+{
+  "Server": {
+    "ServerName": "SharpCoreDB Multi-Tenant SaaS Sample v1.6.0",
+    "BindAddress": "0.0.0.0",
+    "GrpcPort": 5001,
+    "HttpsApiPort": 8443,
+    "DefaultDatabase": "master",
+    "Databases": [
+      {
+        "Name": "master",
+        "DatabasePath": "./data/master.db",
+        "StorageMode": "SingleFile",
+        "IsSystemDatabase": true,
+        "ConnectionPoolSize": 20
+      }
+    ],
+    "Security": {
+      "TlsEnabled": true,
+      "TlsCertificatePath": "./certs/server.pfx",
+      "TlsPrivateKeyPath": null,
+      "JwtSecretKey": "replace-with-a-real-32-char-secret-minimum",
+      "JwtExpirationHours": 24,
+      "Users": [
+        {
+          "Username": "admin",
+          "PasswordHash": "240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9",
+          "Role": "admin",
+          "TenantId": "platform",
+          "AllowedDatabases": [ "master", "*" ],
+          "ScopeVersion": "1"
+        },
+        {
+          "Username": "tenant-a-reader",
+          "PasswordHash": "240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9",
+          "Role": "reader",
+          "TenantId": "tenant-a",
+          "AllowedDatabases": [ "tenant_tenant_a" ],
+          "ScopeVersion": "1"
+        },
+        {
+          "Username": "tenant-b-reader",
+          "PasswordHash": "240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9",
+          "Role": "reader",
+          "TenantId": "tenant-b",
+          "AllowedDatabases": [ "tenant_tenant_b" ],
+          "ScopeVersion": "1"
+        }
+      ],
+      "TenantEncryption": {
+        "Enabled": true,
+        "RequireDedicatedTenantKey": true,
+        "DefaultProvider": "configuration",
+        "KeyMaterialByReference": {
+          "tenant-a-key": "tenant-a-master-password",
+          "tenant-b-key": "tenant-b-master-password"
+        },
+        "DefaultKeyReferenceByTenant": {
+          "tenant-a": "tenant-a-key",
+          "tenant-b": "tenant-b-key"
+        }
+      }
+    },
+    "TenantQuotas": {
+      "Enabled": true,
+      "DefaultMaxActiveSessions": 10,
+      "DefaultMaxRequestsPerSecond": 100,
+      "DefaultMaxStorageMb": 512,
+      "DefaultMaxBatchSize": 200,
+      "PlanDefaults": {
+        "starter": {
+          "MaxActiveSessions": 5,
+          "MaxRequestsPerSecond": 50,
+          "MaxStorageMb": 256,
+          "MaxBatchSize": 100
+        },
+        "pro": {
+          "MaxActiveSessions": 25,
+          "MaxRequestsPerSecond": 250,
+          "MaxStorageMb": 2048,
+          "MaxBatchSize": 500
+        }
+      }
+    }
+  }
+}

Examples/Server/SharpCoreDB.MultiTenantSaaSSample/tenant-onboarding.http

@@ -0,0 +1,44 @@
+@baseUrl = https://localhost:8443
+@adminUser = admin
+@adminPassword = admin123
+
+### Login as platform admin
+POST {{baseUrl}}/api/v1/auth/login
+Content-Type: application/json
+
+{
+  "username": "{{adminUser}}",
+  "password": "{{adminPassword}}"
+}
+
+> {% client.global.set("adminToken", response.body.token); %}
+
+### Create tenant A
+POST {{baseUrl}}/api/v1/tenants
+Authorization: Bearer {{adminToken}}
+Content-Type: application/json
+
+{
+  "tenantKey": "tenant-a",
+  "displayName": "Tenant A",
+  "databasePath": "./data/tenant-a.db",
+  "planTier": "starter",
+  "encryptionKeyReference": "tenant-a-key"
+}
+
+### Create tenant B
+POST {{baseUrl}}/api/v1/tenants
+Authorization: Bearer {{adminToken}}
+Content-Type: application/json
+
+{
+  "tenantKey": "tenant-b",
+  "displayName": "Tenant B",
+  "databasePath": "./data/tenant-b.db",
+  "planTier": "starter",
+  "encryptionKeyReference": "tenant-b-key"
+}
+
+### Review tenant security audit
+GET {{baseUrl}}/api/v1/tenant-security/audit?maxCount=50
+Authorization: Bearer {{adminToken}}

Examples/Server/SharpCoreDB.MultiTenantSaaSSample/validate-tenant-isolation.ps1

@@ -0,0 +1,79 @@
+param(
+    [string]$BaseUrl = "https://localhost:8443",
+    [string]$AdminUser = "admin",
+    [string]$AdminPassword = "admin123",
+    [string]$TenantAUser = "tenant-a-reader",
+    [string]$TenantAPassword = "admin123",
+    [string]$TenantBUser = "tenant-b-reader",
+    [string]$TenantBPassword = "admin123"
+)
+
+$ErrorActionPreference = 'Stop'
+
+function Invoke-JsonPost {
+    param(
+        [string]$Url,
+        [object]$Body,
+        [string]$Token
+    )
+
+    $headers = @{}
+    if ($Token) {
+        $headers['Authorization'] = "Bearer $Token"
+    }
+
+    Invoke-RestMethod -Method Post -Uri $Url -Headers $headers -ContentType 'application/json' -Body ($Body | ConvertTo-Json -Depth 10) -SkipCertificateCheck
+}
+
+function Get-Token {
+    param([string]$Username, [string]$Password)
+
+    (Invoke-JsonPost -Url "$BaseUrl/api/v1/auth/login" -Body @{
+        username = $Username
+        password = $Password
+    }).token
+}
+
+Write-Host "[1/5] Admin login"
+$adminToken = Get-Token -Username $AdminUser -Password $AdminPassword
+
+Write-Host "[2/5] Provision tenant A and B"
+Invoke-JsonPost -Url "$BaseUrl/api/v1/tenants" -Token $adminToken -Body @{
+    tenantKey = 'tenant-a'
+    displayName = 'Tenant A'
+    databasePath = './data/tenant-a.db'
+    planTier = 'starter'
+    encryptionKeyReference = 'tenant-a-key'
+} | Out-Null
+
+Invoke-JsonPost -Url "$BaseUrl/api/v1/tenants" -Token $adminToken -Body @{
+    tenantKey = 'tenant-b'
+    displayName = 'Tenant B'
+    databasePath = './data/tenant-b.db'
+    planTier = 'starter'
+    encryptionKeyReference = 'tenant-b-key'
+} | Out-Null
+
+Write-Host "[3/5] Tenant A login"
+$tenantAToken = Get-Token -Username $TenantAUser -Password $TenantAPassword
+
+Write-Host "[4/5] Same-tenant access should succeed"
+Invoke-JsonPost -Url "$BaseUrl/api/v1/query" -Token $tenantAToken -Body @{
+    database = 'tenant_tenant_a'
+    sql = 'SELECT 1 AS ok'
+} | Out-Null
+
+Write-Host "[5/5] Cross-tenant access should be denied"
+try {
+    Invoke-JsonPost -Url "$BaseUrl/api/v1/query" -Token $tenantAToken -Body @{
+        database = 'tenant_tenant_b'
+        sql = 'SELECT 1 AS should_fail'
+    } | Out-Null
+
+    throw 'Isolation validation failed: cross-tenant query unexpectedly succeeded.'
+}
+catch {
+    Write-Host 'Cross-tenant denial confirmed.'
+}
+
+Write-Host 'Tenant isolation validation completed successfully.'

README.md

@@ -54,6 +54,11 @@ SharpCoreDB now includes a dedicated **advanced graph analytics and GraphRAG pac
 
 **See documentation:** `docs/INDEX.md`
 
+**Multi-tenant SaaS reference:** `docs/server/MULTITENANT_SAAS_REFERENCE_v1.6.0.md`  
+**Threat model:** `docs/server/MULTITENANT_THREAT_MODEL_v1.6.0.md`  
+**Operations runbook:** `docs/server/MULTITENANT_OPERATIONS_RUNBOOK_v1.6.0.md`  
+**Reference sample:** `Examples/Server/SharpCoreDB.MultiTenantSaaSSample/`
+
 ### ✅ Previously Known Limitation — Resolved
 
 - `SingleFileDatabase.ExecuteCompiled` with parameterized plans previously hung due to an infinite loop in the SQL lexer (`?` parameter placeholder). Fixed: FastSqlLexer, EnhancedSqlParser, QueryCompiler. Full `IAsyncDisposable` lifecycle also implemented.

docs/server/MULTITENANT_OPERATIONS_RUNBOOK_v1.6.0.md

@@ -0,0 +1,52 @@
+# SharpCoreDB Server Multi-Tenant Operations Runbook v1.6.0
+
+## Scope
+Operational guidance for tenant lifecycle, encryption, quotas, auditing, and incident response.
+
+## Daily Operations
+- review `GET /api/v1/tenant-security/audit`
+- review `GET /api/v1/tenant-access/audit`
+- monitor quota throttle metrics
+- monitor tenant provisioning failures
+
+## Tenant Onboarding
+1. verify quota tier and encryption key reference
+2. provision tenant database through tenant API
+3. validate tenant-scoped login
+4. run isolation validation script
+5. archive onboarding evidence in operations logs
+
+## Key Rotation
+1. resolve new tenant key reference
+2. call tenant key rotation endpoint
+3. verify rotation completion event
+4. validate post-rotation connectivity
+
+## Quota Tuning
+1. inspect effective quota policy
+2. update tenant-specific overrides when justified
+3. re-check throttle metrics after change
+
+## Audit Retention
+- in-memory stores are bounded and intended for operational diagnostics
+- attach custom sinks for SIEM/archive retention
+- keep exported security events immutable
+
+## Backup and Restore Notes
+- back up `master` together with all tenant databases
+- preserve tenant catalog consistency during restore
+- verify encryption key references are available before reattaching tenant databases
+
+## Incident Response
+### Cross-tenant access suspicion
+1. pull recent security audit events
+2. pull recent access audit events
+3. identify tenant/database/principal involved
+4. rotate credentials or revoke grants
+5. validate isolation again before reopening access
+
+### Provisioning failure
+1. inspect lifecycle events
+2. inspect server logs for key/quota/auth failures
+3. verify tenant database mapping consistency in `master`
+4. retry only with a new idempotency key after root cause is understood