OID — Architecture Compliance Report

Commit 06088df · Reviewed 2026-03-18 · Reviewer: architect-agent

Status: NON-COMPLIANT
Checks Passed: 7 / 8
Critical Deviations: 2
High Deviations: 3
Overall Status: FAIL

Architecture Diagram

graph TB
  subgraph clients["External Clients"]
    C1[Web App]
    C2[M2M Service]
  end
  subgraph oid["OID Service (oid schema)"]
    direction TB
    API[API Layer<br/>src/api/]
    SVC[Service Layer<br/>src/service/auth.rs]
    DOM[Domain Layer<br/>src/domain/]
    REPO[Repository Layer<br/>src/repository/]
  end
  subgraph infra["Infrastructure"]
    PG[(PostgreSQL 17<br/>oid schema<br/>RLS enabled)]
    RP[Redpanda<br/>Event Bus]
  end
  C1 -->|"Authorization: Bearer JWT"| API
  C2 -->|"Client Credentials"| API
  API -->|"AuthenticatedUser extractor (oauth only)"| SVC
  API -.->|"⚠️ tenant_id from body (users/roles/clients)"| SVC
  SVC --> DOM
  SVC --> REPO
  REPO -->|"SQL queries<br/>⚠️ app.tenant_id NOT SET"| PG
  API -->|"CloudEvents v1.0"| RP
  style oid fill:#1a2235,stroke:#4a90d9,color:#e2e8f0
  style infra fill:#1a2235,stroke:#4a90d9,color:#e2e8f0
  style clients fill:#1a2235,stroke:#4a90d9,color:#e2e8f0
  style REPO fill:#742a2a,stroke:#fc8181,color:#e2e8f0
  style API fill:#744210,stroke:#f6ad55,color:#e2e8f0

Check Results

1. Schema Isolation PASS

All queries target the oid schema only. No cross-schema references detected.

2. Inter-Service Comms PASS

No direct HTTP calls to other ODS services. All communication via Redpanda CloudEvents (6 event types).

3. Multi-Tenancy FAIL

RLS policies defined but never activated (app.tenant_id never set). tenant_id accepted from request body in mutation endpoints instead of JWT.

4. Directory Structure PASS

All required directories present: domain/, repository/, api/, events/. Extra service/ layer is acceptable.

5. No Hardcoded URLs PASS

No hardcoded ODS service URLs. JWT_ISSUER configurable via env var with default fallback.

6. Header Propagation PASS

N/A — service makes no outbound HTTP calls. Communication is event-only via Redpanda.

7. CloudEvents Compliance PASS

Full CloudEvents v1.0 compliance. All required fields present including tenantid extension and correlationid.

8. Error Handling PASS

Zero unwrap() in production code. Custom OidError enum. Correlation IDs in event logs.

Deviations

Severity: CRITICAL
File: src/repository/user_repo.rs, src/repository/client_repo.rs (all repos)
Issue: The app.tenant_id PostgreSQL session variable is never set before executing queries. All RLS policies use current_setting('app.tenant_id', true)::UUID as the filter, making them completely inactive. Tenant data isolation is enforced only at the application layer with no database-level guarantee.

Severity: HIGH
File: src/api/users.rs:69 (create_user handler)
Issue: Handler does not use the AuthenticatedUser extractor. tenant_id is accepted directly from the JSON request body with no JWT authentication. Any caller can create users in any tenant.

Severity: HIGH
File: src/api/roles.rs:48 (create_role handler)
Issue: Handler does not use the AuthenticatedUser extractor. tenant_id is accepted from the request body without JWT enforcement.

Severity: HIGH
File: src/api/clients.rs:92 (create_client handler)
Issue: Handler does not use the AuthenticatedUser extractor. tenant_id is accepted from the request body without JWT enforcement.

Recommendation

Service is NON-COMPLIANT. Two categories of multi-tenancy violations must be resolved before promotion:

  1. Activate RLS: Run SET LOCAL app.tenant_id = $tenant_id inside every database transaction (or use a connection wrapper/middleware that does so). Without this, all RLS policies are dormant and data isolation depends solely on application-level filtering.
  2. Enforce JWT on mutations: Add the AuthenticatedUser extractor to the create_user, create_role, and create_client handlers. Take tenant_id from user.tenant_id (JWT claims) instead of the request body.
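The following SQL is an added illustration of recommendation 1, not code from the OID repository: it shows the policy shape the report describes, why it is dormant when app.tenant_id is unset, and the transaction-scoped SET LOCAL / set_config fix. The oid.users table, its columns and the tenant UUID are assumed for the example.

```sql
-- Assumed table for the example; the real OID schema may differ.
CREATE TABLE IF NOT EXISTS oid.users (
    id        uuid PRIMARY KEY,
    tenant_id uuid NOT NULL,
    email     text NOT NULL
);

ALTER TABLE oid.users ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner bypasses RLS entirely; superusers and
-- BYPASSRLS roles always do. That is the "completely inactive" case in the report.
ALTER TABLE oid.users FORCE ROW LEVEL SECURITY;

-- Policy shape from the report: filter rows on the app.tenant_id session setting.
-- missing_ok = true makes current_setting() return NULL when the variable was
-- never set, so for a non-bypassing role the comparison is NULL and no row is
-- visible or insertable. Either way, nothing enforces tenant isolation correctly.
CREATE POLICY tenant_isolation ON oid.users
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Check what the policy currently sees: NULL on a fresh connection.
SELECT current_setting('app.tenant_id', true) AS active_tenant;

-- Fix: set the variable per transaction. SET LOCAL is scoped to the transaction,
-- so a pooled connection cannot carry one request's tenant into the next one.
-- (Outside BEGIN/COMMIT, SET LOCAL only emits a warning and has no effect.)
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- assumed tenant
INSERT INTO oid.users (id, tenant_id, email)
    VALUES (gen_random_uuid(), '11111111-1111-1111-1111-111111111111', 'a@example.com');
SELECT id, email FROM oid.users;   -- only rows of the active tenant
COMMIT;

-- SET cannot take a bind parameter, so from application code use set_config
-- with is_local = true, which is equivalent to SET LOCAL and lets the tenant
-- id from the JWT claims be passed as a query parameter ($1).
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
SELECT count(*) FROM oid.users;
COMMIT;
```

A quick verification on the deployed database is to run the SELECT count(*) as the application role, once with and once without the set_config call, and confirm the counts differ.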