docs: add Phase 6 multi-tenancy plan to roadmap

- Row-level isolation architecture - Per-tenant Entra + Graph credentials - License-gated premium feature - Deferred until SIEM export and alerting are production-tested
chore: bump version to 1.6.4
2026-04-22 13:49:56 +02:00 · 2026-04-22 12:16:32 +02:00 · 2026-04-22 12:16:20 +02:00 · 2026-04-22 12:02:28 +02:00 · 2026-04-22 12:02:11 +02:00
5 changed files with 40 additions and 15 deletions
--- a/.env.example
+++ b/.env.example
@@ -56,7 +56,7 @@ LLM_API_VERSION=
 REDIS_URL=redis://localhost:6379/0

 # UI default page size (number of events shown per page)
-DEFAULT_PAGE_SIZE=25
+DEFAULT_PAGE_SIZE=24

 # Optional: privacy / access control
 # Hide entire services from users without PRIVACY_SERVICE_ROLES
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -72,3 +72,32 @@ Goal: add AI-powered analysis and external tool integration.
 ## Completed in this PR
 All Phase 5 items marked done were implemented in v1.3.0–v1.5.0.
 Redis caching + async queue implemented in v1.6.0, switched to Valkey.
+UI polish (topbar, footer, clickable pills) in v1.6.1–v1.6.4.
+
+---
+
+## Phase 6: Multi-Tenancy (Premium) ⏸️
+Goal: allow MSPs to manage multiple client tenants from a single deployment.
+
+Status: **Planned — not started**. Architecture designed, pending validation of core features (SIEM export, alerting) in production first.
+
+### Architecture
+- Row-level isolation: `tenant_id` field on every MongoDB document
+- Each tenant has their own Microsoft Entra tenant + app registration credentials
+- Auth: user's JWT `tid` claim maps to tenant config automatically
+- Super-admin role for MSP staff to access all tenants
+
+### Implementation phases
+- **Phase 6.1** (2–3 days): Tenant model & registry, tenant-aware data layer, per-tenant Graph API auth
+- **Phase 6.2** (1 day): Tenant-scoped API routes, tenant-specific config endpoints
+- **Phase 6.3** (2 days): Frontend tenant switcher, tenant name display, admin page
+- **Phase 6.4** (1 day): License gating — signed JWT `LICENSE_KEY` gates multi-tenant mode
+
+### Licensing model
+- Single-tenant: remains MIT/free
+- Multi-tenant: premium feature requiring a signed license key
+- License key is a JWT with claims: `plan`, `max_tenants`, `exp`, `features`
+- Offline license generation tool included
+
+### Effort estimate
+~7–9 days total. Deferred until SIEM export and alerting are battle-tested.
--- a/2
+++ b/2
@@ -1 +1 @@
-1.6.2
+1.6.4
--- a/backend/config.py
+++ b/backend/config.py
@@ -61,7 +61,7 @@ class Settings(BaseSettings):
    REDIS_URL: str = "redis://localhost:6379/0"

    # UI defaults
-    DEFAULT_PAGE_SIZE: int = 25
+    DEFAULT_PAGE_SIZE: int = 24


 _settings = Settings()
--- a/backend/frontend/index.html
+++ b/backend/frontend/index.html
@@ -4,7 +4,7 @@
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>Admin Operations Center</title>
-  <link rel="stylesheet" href="/style.css?v=10" />
+  <link rel="stylesheet" href="/style.css?v=12" />
  <script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js"></script>
  <script src="https://alcdn.msauth.net/browser/2.37.0/js/msal-browser.min.js" crossorigin="anonymous"></script>
 </head>
@@ -305,7 +305,7 @@
        accessToken: null,
        authScopes: [],
        filters: {
-          actor: '', selectedServices: [], search: '', operation: '', result: '', start: '', end: '', limit: 25, includeTags: '', excludeTags: '',
+          actor: '', selectedServices: [], search: '', operation: '', result: '', start: '', end: '', limit: 24, includeTags: '', excludeTags: '',
        },
        options: { actors: [], services: [], operations: [], results: [] },
        savedSearches: [],
@@ -398,6 +398,8 @@
              this.aiFeaturesEnabled = featBody.ai_features_enabled !== false;
              if (featBody.default_page_size) {
                this.filters.limit = featBody.default_page_size;
+              } else {
+                this.filters.limit = 24;
              }
            } else {
              this.aiFeaturesEnabled = true;
@@ -567,9 +569,8 @@

            const saved = localStorage.getItem('aoc_filters');
            if (!saved && this.options.services.length) {
-              // Default: exclude noisy high-volume services
-              const noisy = ['Exchange', 'SharePoint', 'Teams'];
-              this.filters.selectedServices = this.options.services.filter((s) => !noisy.includes(s));
+              // Default: show all services (privacy controls handle exclusions server-side)
+              this.filters.selectedServices = [...this.options.services];
            } else if (saved) {
              try {
                const parsed = JSON.parse(saved);
@@ -663,8 +664,7 @@
        },

        clearFilters() {
-          const noisy = ['Exchange', 'SharePoint', 'Teams'];
-          this.filters = { actor: '', selectedServices: this.options.services.filter((s) => !noisy.includes(s)), search: '', operation: '', result: '', start: '', end: '', limit: 25, includeTags: '', excludeTags: '' };
+          this.filters = { actor: '', selectedServices: [...this.options.services], search: '', operation: '', result: '', start: '', end: '', limit: 24, includeTags: '', excludeTags: '' };
          this.saveFilters();
          this.resetPagination();
          this.loadEvents();
@@ -672,11 +672,7 @@

        filterByService(service) {
          if (!service) return;
-          if (!this.filters.selectedServices.includes(service)) {
-            this.filters.selectedServices = [service];
-          } else {
-            this.filters.selectedServices = this.filters.selectedServices.filter((s) => s !== service);
-          }
+          this.filters.selectedServices = [service];
          this.saveFilters();
          this.resetPagination();
          this.loadEvents();
Author	SHA1	Message	Date
Tomas Kracmar	a220494bcf	docs: add Phase 6 multi-tenancy plan to roadmap All checks were successful CI / lint-and-test (push) Successful in 43s Details - Row-level isolation architecture - Per-tenant Entra + Graph credentials - License-gated premium feature - Deferred until SIEM export and alerting are production-tested	2026-04-22 13:49:56 +02:00
Tomas Kracmar	5bda1dd616	chore: bump version to 1.6.4 All checks were successful CI / lint-and-test (push) Successful in 25s Details Release / build-and-push (push) Successful in 1m29s Details	2026-04-22 12:16:32 +02:00
Tomas Kracmar	3e333291c6	fix: revert to single-click service filter, show all services by default, page size 24 - Revert +/- buttons on service pills back to single-click = filter only this service - Remove default exclusion of Exchange/SharePoint/Teams (privacy controls handle this server-side) - Change default page size from 25 to 24 (divisible by 3 for the 3-column grid) - Update DEFAULT_PAGE_SIZE config default to 24	2026-04-22 12:16:20 +02:00
Tomas Kracmar	aa62528862	chore: bump version to 1.6.3 All checks were successful CI / lint-and-test (push) Successful in 35s Details Release / build-and-push (push) Successful in 1m47s Details	2026-04-22 12:02:28 +02:00
Tomas Kracmar	ac155d8843	feat: +/- buttons on service pills for additive/subtractive filtering - Replace single-click service pill filter with explicit +/− buttons - '+' adds the service to the current filter (keeps other selections) - '−' removes the service from the current filter - Result pills keep toggle click behavior - Add .pill__action styles for small inline buttons	2026-04-22 12:02:11 +02:00
@@ -1 +1 @@
 .6.2
 .6.4