Tenant Service — Sync Contract
Status: populated
Owner: TBD
Last updated: 2026-04-18
Companion: Service Template · 16 Offline/Sync
1. Per-aggregate conflict policy
| Aggregate | Conflict policy | Rationale |
|---|---|---|
| Tenant | server_authoritative | Lifecycle transitions are platform-admin operations; no client-side mutations. |
| TenantConfiguration | server_authoritative | Config is set by admins; no offline client mutation. |
| HierarchyNode | server_authoritative | Org structure is admin-governed; changes are infrequent and must be centrally coordinated. |
| UserProfile | server_authoritative | Profile updates are admin-initiated; clinical users do not edit their own profile offline. |
| OrgMembership | server_authoritative | Membership assignment is an administrative act. |
| RoleAssignment | server_authoritative | Role changes are privileged operations. |
| AccessPolicy | server_authoritative | Policy definitions are platform-admin governed. |
2. Offline client access
tenant-service data is not directly synced to offline clients. Downstream services (patient-chart, document) hold their own cached copies of the data they need (e.g., the user's effective permissions at a node). The authorization evaluate() endpoint requires connectivity.
The identity-service GET /api/v1/me/access-context result is the cacheable summary that offline clients may store locally for UI gating purposes. It does not authorize write operations while offline.
3. Event-driven propagation
All authoritative mutations emit domain events via the transactional outbox. Downstream consumers maintain their own projections. Stale projections are acceptable within NATS JetStream delivery guarantees (at-least-once, ordered per subject).
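How a downstream consumer can keep a RoleAssignment projection correct under at-least-once delivery, as an added example that is not tenant-service code. The event envelope (subject, seq, kind), the event names and the subject layout are assumptions; the point shown is that a grant redelivered after its revoke must not restore the role.

```python
from dataclasses import dataclass, field

# Constructed event envelope: field names are assumptions, not the tenant-service schema.
@dataclass(frozen=True)
class Event:
    subject: str   # hypothetical layout: "tenant.role_assignment.<user>.<node>"
    seq: int       # sequence number assigned by the broker, increasing per subject
    kind: str      # "RoleAssigned" | "RoleRevoked" (hypothetical names)
    user: str
    node: str
    role: str

@dataclass
class RoleProjection:
    """Downstream read model; server_authoritative, so events are applied as received."""
    grants: set = field(default_factory=set)
    last_seq: dict = field(default_factory=dict)  # subject -> highest seq applied

    def apply(self, ev: Event) -> bool:
        """Apply one event; return False when it is a redelivery and was skipped."""
        if ev.seq <= self.last_seq.get(ev.subject, 0):
            return False  # duplicate or late redelivery: never re-apply
        key = (ev.user, ev.node, ev.role)
        if ev.kind == "RoleAssigned":
            self.grants.add(key)
        elif ev.kind == "RoleRevoked":
            self.grants.discard(key)
        else:
            raise ValueError(f"unknown event kind: {ev.kind}")
        self.last_seq[ev.subject] = ev.seq  # recorded only after a successful apply
        return True

    def has_role(self, user: str, node: str, role: str) -> bool:
        return (user, node, role) in self.grants

def replay(events):
    """Feed a delivery sequence into a fresh projection."""
    proj = RoleProjection()
    return proj, [proj.apply(e) for e in events]

SUBJ = "tenant.role_assignment.u1.ward-3"
GRANT = Event(SUBJ, 10, "RoleAssigned", "u1", "ward-3", "nurse")
REVOKE = Event(SUBJ, 11, "RoleRevoked", "u1", "ward-3", "nurse")
# Constructed delivery: the grant is redelivered after the revoke was already applied.
DELIVERED = [GRANT, REVOKE, GRANT]

if __name__ == "__main__":
    proj, applied = replay(DELIVERED)
    print(applied, proj.has_role("u1", "ward-3", "nurse"))
```

In a real consumer the `last_seq` update and the projection write belong in the same local transaction, so a crash between them cannot cause an event to be skipped or applied twice.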