OID — Architecture Compliance Report

Checks Failed

Warnings

Checks Passed

Total Checks

Architecture Diagram — Current State

Ctrl/Cmd + wheel to zoom · drag to pan · double-click to fit · ⛶ opens full-size

8 Architecture Checks

1 Schema Isolation

FAIL

All 11 migrations create tables without the oid. schema prefix. No search_path=oid in the connection string or migration files. Tables land in the public schema instead of the oid schema.

Affected: tenants users roles clients auth_codes refresh_tokens

Fix

Add SET search_path = oid; to each migration, or prefix all tables with oid.table_name. Add ?options=-csearch_path%3Doid to DATABASE_URL.

2 Inter-Service Communication

PASS

No direct HTTP calls to other ODS services detected. Communicates only via PostgreSQL (persistence) and Redpanda via rdkafka (events). No reqwest, hyper, or HTTP client imports found.

3 Multi-Tenancy

WARN

Mostly correct. tenant_id from JWT claims. RLS on all business tables. tenant_id column on all business tables. CloudEvents include tenantid extension.

Warnings: (a) user_roles uses USING (true) RLS — no tenant filtering. (b) token.issued event uses Uuid::nil() for tenant_id.

Fix

Add tenant_id to user_roles with proper RLS policy. Pass actual tenant to token.issued event factory.

4 Directory Structure

FAIL

Required directories exist. Domain layer correctly isolated. Violation: business logic in API layer. tenants, users, clients, roles handlers call repositories directly and invoke domain constructors (Tenant::new, User::new, Client::create) without a service layer. AuthService only covers OAuth flows.

Fix

Create TenantService, UserService, ClientService. API handlers: parse input, call service, serialize response. Nothing more.

5 No Hardcoded URLs

WARN

JWT_ISSUER correctly read from env var. However src/main.rs:47 provides a hardcoded fallback "https://oid.agirdigital.com" via unwrap_or_else, silently misconfiguring production when the env var is missing.

Fix

Replace with .expect("JWT_ISSUER must be set") to force explicit config.

6 Header Propagation

PASS

Not applicable. OID is the identity provider, not a consumer of other ODS services. No outbound HTTP calls exist. Rule satisfied by absence — correct by design.

7 CloudEvents Compliance

PASS

CloudEvent struct has all required v1.0 fields: specversion ("1.0"), type, source ("oid"), id, time, tenantid extension, datacontenttype, correlationid. Six event factories: tenant.created, user.created, client.created, token.issued, login.succeeded, login.failed.

8 Error Handling

FAIL

(1) Correlation ID absent from all error logs in API handlers (tenants.rs:94, users.rs:119, clients.rs:140, auth.rs:48, oauth.rs:168). Architecture requires correlation_id in every error log.

(2) unwrap() in production — InMemoryProducer Mutex locks at producer.rs:152,157,172 are reachable at runtime in dev mode.

Fix

Middleware to extract X-Correlation-Id; add to all tracing::error!. Replace .unwrap() with .expect("lock poisoned").

14 Deviations

#	Rule	File	Line	Description
1	Schema Isolation	`migrations/001_create_tenants.sql`	5	Table `tenants` created without `oid.` schema prefix
2	Schema Isolation	`migrations/003_create_users.sql`	2	Table `users` created without `oid.` schema prefix
3	Schema Isolation	`.env.example`	7	DATABASE_URL missing `search_path=oid` connection parameter
4	Schema Isolation	`migrations/004–011`	—	All remaining migrations missing schema prefix (roles, clients, auth_codes, refresh_tokens)
5	Directory Structure	`src/api/tenants.rs`	65	`Tenant::new(dto)` domain operation called directly in API handler
6	Directory Structure	`src/api/tenants.rs`	75	`repo.create()` called directly from handler, bypassing service layer
7	Directory Structure	`src/api/users.rs`	—	User creation, update, and role assignment logic embedded in API handlers
8	Directory Structure	`src/api/clients.rs`	—	Client creation logic (`Client::create()` + repo) in API handler
9	Hardcoded URLs	`src/main.rs`	47	Hardcoded fallback `"https://oid.agirdigital.com"` when JWT_ISSUER unset
10	Error Handling	`src/api/tenants.rs`	94	Error log missing `correlation_id` field
11	Error Handling	`src/api/users.rs`	119	Error log missing `correlation_id` field
12	Error Handling	`src/api/auth.rs`	48	Error log missing `correlation_id` field
13	Error Handling	`src/events/producer.rs`	152, 157, 172	`.unwrap()` on Mutex lock in production `InMemoryProducer`
14	Multi-Tenancy	`migrations/005_enable_rls_users_roles.sql`	37	`user_roles` RLS uses `USING (true)` — no tenant isolation enforced

Priority Fixes

HIGH
Schema isolation — add SET search_path = oid; to all 11 migration files or use explicit oid.table_name everywhere. Add ?options=-csearch_path%3Doid to DATABASE_URL in .env.example and deployment config.
HIGH
Service layer for CRUD — extract business logic from src/api/tenants.rs, users.rs, clients.rs, roles.rs into TenantService, UserService, ClientService. API handlers should only parse and serialize.
HIGH
Correlation ID in error logs — add actix_web middleware to extract X-Correlation-Id request header. Include correlation_id = %id in all tracing::error! calls across all API handlers.
MEDIUM
Multi-tenancy: user_roles RLS — add tenant_id column to user_roles and update RLS to USING (tenant_id = current_setting('app.tenant_id', true)::UUID). Also fix token.issued to pass actual tenant_id.
LOW
Hardcoded JWT issuer fallback — replace unwrap_or_else in src/main.rs:47 with .expect("JWT_ISSUER env var must be set").