Data Model¶
Target Architecture — Final-State Design
The logical model below describes how the platform's aggregate roots relate. Physical storage choices are detailed in Storage. Every entity is tenant-scoped; tenantId is a mandatory column and isolation boundary on every table.
The Runtime & Cloud Platform's data model is centred on the environment as the unit of isolation and the service as the unit of live inventory. Deployments, configurations, and scaling policies attach to these, and a RuntimeTenantBinding enforces multi-tenancy across all of them.
Logical Model¶
- A RuntimeEnvironment is provisioned once and hosts many RuntimeService instances.
- A RuntimeDeployment targets one environment and produces/updates many services.
- A RuntimeConfiguration version applies to an environment (and is referenced by deployments).
- A ScalingPolicy governs exactly one service.
- A RuntimeTenantBinding binds a tenant to an environment with an isolation model and quota.
Entity-Relationship Diagram¶
erDiagram
RuntimeEnvironment ||--o{ RuntimeService : hosts
RuntimeEnvironment ||--o{ RuntimeDeployment : targets
RuntimeEnvironment ||--o{ RuntimeConfiguration : scopes
RuntimeEnvironment ||--o{ RuntimeTenantBinding : binds
RuntimeDeployment ||--o{ RuntimeService : produces
RuntimeConfiguration ||--o{ RuntimeDeployment : appliedBy
RuntimeService ||--|| ScalingPolicy : governedBy
RuntimeEnvironment {
string environmentId PK
string tenantId
string projectId
string name
string stage
string region
string status
string pulumiStackRef
string isolationModel
}
RuntimeService {
string serviceId PK
string tenantId
string environmentId FK
string moduleId
string componentType
string image
string version
string computeTarget
int replicas
string status
}
RuntimeDeployment {
string deploymentId PK
string tenantId
string environmentId FK
string releaseRef
string strategy
string status
string configurationId FK
string previousDeploymentId
}
RuntimeConfiguration {
string configurationId PK
string tenantId
string environmentId FK
int version
string status
string checksum
}
ScalingPolicy {
string scalingPolicyId PK
string tenantId
string environmentId
string serviceId FK
string metric
int minReplicas
int maxReplicas
int targetUtilizationPercent
}Retention¶
| Data | Retention | Rationale |
|---|---|---|
| RuntimeEnvironment / RuntimeService (active) | Lifetime of the environment | System of record for live runtime |
| RuntimeService (retired) | 90 days after retirement | Post-incident forensics and lineage |
| RuntimeDeployment history | 1 year | Rollback targets and audit |
| RuntimeConfiguration versions | 1 year (all versions) | Reproducibility and rollback |
| HealthCheckResult (detail) | 30 days in SQL, telemetry per App Insights policy | Operational troubleshooting |
| RuntimeDriftFinding | 1 year (resolved), indefinite (open) | Compliance and trend analysis |
| Deployment step logs (Blob) | 90 days, then cool tier | Cost-managed long-term audit |
Retention is enforced by scheduled cleanup in the RuntimeInventoryWorker and via Azure Blob lifecycle policies; nothing tenant-scoped is purged before its retention window without a governance exception.
Multi-Tenancy¶
Multi-tenancy is enforced through RuntimeTenantBinding, which is consulted on every read and write:
- Isolation models —
silo(dedicated environment),pool(shared environment, partitioned data/quota),shared(shared environment and data with row-leveltenantIdfilters). - Enforcement —
tenantIdis a mandatory predicate on every query (viaConnectSoft.Extensions.Saas.*); compute placement, network partition, and data partition derive from the binding. - Quotas —
RuntimeTenantBinding.quotacaps compute, storage, and throughput per tenant and feeds scaling bounds. - No cross-tenant reads — services never resolve another tenant's environments, services, or secrets; the binding is the authoritative boundary.
erDiagram
RuntimeTenantBinding ||--|| RuntimeEnvironment : isolates
RuntimeTenantBinding {
string tenantBindingId PK
string tenantId
string environmentId FK
string isolationModel
string quota
string networkPartition
string dataPartition
string status
}