Multi-Tenant Command Scope Audit Report
Task: H.12.1 - Audit All Commands for Project/Team/Tenant Gaps
Date: 2026-02-08
Author: Claude (Opus 4.6)
Data Source: gap-matrix.json (366 commands classified)
Executive Summary
Audited 366 commands across the CODITECT framework. 25 commands (6.8%) have scope gaps requiring enhancement for proper multi-tenant operation. All gaps are at the project level (no tenant-level gaps identified beyond the 2 commands already tenant-scoped).
Key Finding: The framework is already well-architected for single-project use (76.2% project-scoped). The gaps are concentrated in commands that touch shared databases or perform git operations without explicit project routing.
Scope Distribution
| Scope Level | Count | Percentage |
|---|---|---|
| Global | 52 | 14.2% |
| Machine | 13 | 3.6% |
| Session | 20 | 5.5% |
| Project | 279 | 76.2% |
| Tenant | 2 | 0.5% |
| Total | 366 | 100% |
Scope Hierarchy
Tenant (2) License management
Project (279) Most commands - project-scoped by design
Machine (13) Installation, config, env management
Session (20) Context, handoff, session lifecycle
Global (52) Stateless utilities, analyzers
Gap Analysis: 25 Commands Requiring Enhancement
Gap Categories
| Category | Count | Description |
|---|---|---|
| DB-touching without `--project` | 8 | Query/write to shared DBs without project filter |
| Git operations without project routing | 12 | Git push/pull/sync without project-specific remote |
| Log operations without project scoping | 5 | Log output/search without project boundaries |
Priority Ranking (H.12.1.5)
Tier 1: High Impact, Low Effort (Quick Wins)
These commands touch shared databases and need a simple --project filter parameter.
| # | Command | Gap | Impact | Effort | Fix |
|---|---|---|---|---|---|
| 1 | session-status | DB query unscoped | High | Low | Add WHERE project_id = ? filter |
| 2 | session-conflicts | DB query unscoped | High | Low | Add project filter to conflict detection |
| 3 | summaries | DB query unscoped | High | Low | Scope summary queries by project |
| 4 | trajectory | DB query unscoped | High | Low | Add project filter to trajectory data |
Estimated Total Effort: 2-3 hours
Multi-Tenant Risk: Data leakage between projects in shared database queries
Tier 2: High Impact, Medium Effort
These commands perform significant operations that cross project boundaries.
| # | Command | Gap | Impact | Effort | Fix |
|---|---|---|---|---|---|
| 5 | sync-logs | Git push to single repo | High | Medium | Project-specific repo routing (H.12.2) |
| 6 | db-backup | Backs up all project data | High | Medium | Add --project flag for scoped backup |
| 7 | commit | No project-specific hooks | High | Medium | Project-aware commit routing |
| 8 | git-sync | Single remote assumption | High | Medium | Multi-remote project routing |
| 9 | session-log-codex | Logs unscoped | High | Low | Add project path scoping |
Estimated Total Effort: 6-8 hours
Multi-Tenant Risk: Customer data mixed in shared repos, backups crossing project boundaries
Tier 3: Medium Impact, Low-Medium Effort
These commands would benefit from project awareness but don't pose immediate data isolation risks.
| # | Command | Gap | Impact | Effort | Fix |
|---|---|---|---|---|---|
| 10 | bi | DB query unscoped | Medium | Low | Add project filter |
| 11 | component-activate | DB write unscoped | Medium | Low | Add project context to activation |
| 12 | plugin | DB operations unscoped | Medium | Low | Scope plugin registry by project |
| 13 | search-scripts | Results unscoped | Medium | Low | Filter results by project |
| 14 | quality-gate | Git checks unscoped | Medium | Medium | Project-aware gate checks |
| 15 | weekly-digest | Data aggregation unscoped | Medium | Medium | Scope digest to project |
| 16 | update | Git operations unscoped | Medium | Medium | Project-aware update routing |
| 17 | update-plan | Git operations unscoped | Medium | Medium | Project-scoped plan updates |
| 18 | project-plan-update | Git operations unscoped | Medium | Medium | Project-scoped plan updates |
Estimated Total Effort: 6-8 hours
Tier 4: Low Impact, Low Effort
These commands have minor scope gaps with low multi-tenant risk.
| # | Command | Gap | Impact | Effort | Fix |
|---|---|---|---|---|---|
| 19 | markdown-cleanup | File operations unscoped | Low | Low | Path-based project scoping |
| 20 | pilot | Log output unscoped | Low | Low | Already project-specific in nature |
| 21 | alias | Git operations | Low | Low | Minor git scoping |
| 22 | audit-trail | Git operations | Low | Low | Project-scoped trail |
| 23 | component-lifecycle | Git operations | Low | Medium | Project-aware lifecycle |
| 24 | lowercase-migration | File operations | Low | Low | Path-based scoping |
| 25 | submodule-init | Git operations | Low | Medium | Project-scoped submodule config |
Estimated Total Effort: 3-4 hours
Implementation Roadmap
Phase 1: Database Query Isolation (Tier 1) - Week 1
- Add `--project` parameter to `session-status`, `session-conflicts`, `summaries`, `trajectory`
- Pattern: Use `discover_project()` from `scripts/core/paths.py` as default
- All DB queries get `WHERE project_id = ?` clause
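An added example (not code from the CODITECT code base) of the Phase 1 pattern: the unscoped query beside the project-filtered one, with the project bound as a parameter and the command failing closed when no scope can be resolved. The `sessions` table, its columns other than `project_id`, the sample rows and `resolve_project` are assumptions; `discovered` stands in for whatever `discover_project()` would supply.

```python
import sqlite3

# Constructed sample data: two projects sharing one database.
ROWS = [
    ("s1", "proj-alpha", "active"),
    ("s2", "proj-alpha", "idle"),
    ("s3", "proj-beta", "active"),
]

def make_db():
    """Build an in-memory stand-in for the shared database (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id TEXT, project_id TEXT, status TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", ROWS)
    return conn

def resolve_project(explicit, discovered):
    """Pick the scope: the --project value first, else the discovered default.

    Hypothetical helper. `discovered` stands in for the result of
    discover_project(), whose real signature the report does not show.
    Fails closed when neither value is set.
    """
    project = explicit or discovered
    if not project:
        raise ValueError("no project scope: refusing to run an unscoped query")
    return project

def session_status_unscoped(conn):
    """The gap: rows from every project in the shared DB are returned."""
    return conn.execute(
        "SELECT id, project_id, status FROM sessions ORDER BY id"
    ).fetchall()

def session_status_scoped(conn, explicit=None, discovered=None):
    """The fix: filter on project_id, bound as a parameter, never interpolated."""
    project = resolve_project(explicit, discovered)
    return conn.execute(
        "SELECT id, project_id, status FROM sessions "
        "WHERE project_id = ? ORDER BY id",
        (project,),
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("unscoped:", session_status_unscoped(db))
    print("scoped:  ", session_status_scoped(db, explicit="proj-beta"))
```

Raising when no project resolves keeps a missing `--project` from silently falling back to the unscoped behaviour the audit flags.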
Phase 2: Git Operation Routing (Tier 2) - Week 2-3
- Implement `config/session-log-repos.json` for repo routing (H.12.2)
- Add project-aware remote detection to `git-sync`, `commit`, `sync-logs`
- Create `db-backup --project` flag
Phase 3: Secondary Enhancements (Tier 3) - Week 3-4
- Add project context to `component-activate`, `plugin`, `bi`
- Scope `quality-gate`, `weekly-digest`, `update` operations
- Pattern: Inherit from ADR-159 multi-tenant command architecture
Phase 4: Cleanup (Tier 4) - Opportunistic
- Address low-impact gaps during related feature work
- No dedicated sprint needed
Commands Already Well-Scoped (No Action Needed)
341 of 366 commands (93.2%) require no changes:
- 279 project-scoped: Already operate within project boundaries
- 52 global: Stateless utilities (`explain`, `translate`, `uuid`, etc.)
- 13 machine-scoped: Installation/config (`onboard`, `verify-installation`, etc.)
- 20 session-scoped: Context/session lifecycle (`cx`, `continue`, `handoff`, etc.)
- 2 tenant-scoped: License management (`license-activate`, `license-status`)
Minus the 25 identified gaps.
Risk Assessment
| Risk | Severity | Mitigation |
|---|---|---|
| Data leakage via DB queries | High | Tier 1 fixes (add project filters) |
| Customer code in shared repos | High | Tier 2 fixes (project repo routing) |
| Mixed backup data | Medium | db-backup --project flag |
| Incorrect analytics | Medium | Scope bi, summaries, trajectory |
| Noisy log output | Low | Tier 3/4 scoping |
Recommendations
- Immediate (P1): Fix Tier 1 database query isolation - 4 commands, ~2 hours
- Short-term (P2): Implement H.12.2 (sync-logs routing) and H.12.3 (ADR-159) to establish the architectural pattern
- Medium-term (P2): Apply ADR-159 pattern to Tier 2-3 commands
- Ongoing: Address Tier 4 opportunistically during related feature work
- Standard: All new commands MUST declare scope level in frontmatter and follow ADR-159
Data Files
| File | Description |
|---|---|
| `gap-matrix.json` | Full classification data (366 commands, 25 gaps) |
| `COMMAND-SCOPE-AUDIT.md` | This report |
Total Estimated Effort: 17-23 hours across all tiers
Critical Path: Tier 1 (2-3 hrs) + ADR-159 (3-4 hrs) = 5-7 hours for core multi-tenant safety