docs: formalize tenant portal authorization boundary

Author: beyondnetPeru

docs/architecture/adrs/0071-auth-graph-engine.es.md

@@ -8,6 +8,7 @@
 - [ADR-0061: Execution Context Accessor](./0061-execution-context-accessor.md)
 - [ADR-0068: Alcance del Sistema de Feature Flags](./0068-feature-flag-system-scope.md)
 - [ADR-0072: Resolución Dinámica del Método de Autenticación](./0072-dynamic-auth-method-resolution.es.md)
+- [ADR-0077: Frontera de Autorizacion para Gestion del Portal del Tenant](./0077-tenant-portal-management-authorization-boundary.es.md)
 
 ---
 

docs/architecture/adrs/0071-auth-graph-engine.md

@@ -8,6 +8,7 @@
 - [ADR-0061: Execution Context Accessor](./0061-execution-context-accessor.md)
 - [ADR-0068: Feature Flag System Scope](./0068-feature-flag-system-scope.md)
 - [ADR-0070: Dynamic Auth Method Resolution](./0070-dynamic-auth-method-resolution.md)
+- [ADR-0077: Tenant Portal Management Authorization Boundary](./0077-tenant-portal-management-authorization-boundary.md)
 
 ---
 

docs/architecture/adrs/0072-dynamic-auth-method-resolution.es.md

@@ -6,6 +6,7 @@
 **Relacionados:**
 - [ADR-0071: Motor del Grafo de Autorización](./0071-auth-graph-engine.es.md)
 - [ADR-0054: Aislamiento de Shell Libraries](./0054-shell-library-isolation.md)
+- [ADR-0077: Frontera de Autorizacion para Gestion del Portal del Tenant](./0077-tenant-portal-management-authorization-boundary.es.md)
 
 ---
 

docs/architecture/adrs/0072-dynamic-auth-method-resolution.md

@@ -6,6 +6,7 @@
 **Related:**
 - [ADR-0071: Auth Graph Engine](./0071-auth-graph-engine.md)
 - [ADR-0054: Shell Library Isolation](./0054-shell-library-isolation.md)
+- [ADR-0077: Tenant Portal Management Authorization Boundary](./0077-tenant-portal-management-authorization-boundary.md)
 
 ---
 

docs/architecture/adrs/0077-tenant-portal-management-authorization-boundary.es.md

@@ -0,0 +1,168 @@
+# ADR-0077: Frontera de Autorizacion para Gestion del Portal del Tenant y Politica de Scope
+
+**Estado:** Accepted  
+**Fecha:** 2026-06-02  
+**Decision Owner:** Architecture  
+**Relacionados:**
+- [ADR-0071: Motor de Grafo de Autorizacion](./0071-auth-graph-engine.es.md)
+- [ADR-0072: Resolucion Dinamica del Metodo de Autenticacion](./0072-dynamic-auth-method-resolution.es.md)
+- [ADR-0060: Estrategia de AOP para Concerns Transversales](./0060-aop-cross-cutting-concern-strategy.es.md)
+- [ADR-0075: Bandeja de Aprobacion de Onboarding y Autorizacion por Alcance](./0075-onboarding-approval-inbox-and-scope-based-authorization.es.md)
+
+---
+
+## Contexto
+
+UMS debe soportar dos responsabilidades de autorizacion distintas que pueden confundirse facilmente si se implementan con el mismo mecanismo:
+
+| Flujo | Proposito | Regla rectora |
+|---|---|---|
+| Gestion del portal | Un usuario del tenant inicia sesion en el portal de UMS para ver o administrar sus propios datos permitidos | Debe autorizarse por scope de tenant, roles, permisos y `Tenant.IsManagementOwner` |
+| API publica externa | Un cliente downstream se autentica contra la API publica de autenticacion | Debe respetar el metodo de autenticacion configurado del tenant y el grafo de autorizacion |
+
+Historicamente, el AOP transversal ha parecido un lugar conveniente para imponer checks de acceso porque ya esta unido a los command handlers. Esa es la frontera equivocada para una decision de seguridad. La autorizacion es critica para el negocio, debe permanecer explicita y debe ser facil de inspeccionar en tests y code reviews.
+
+Por eso el flujo del portal necesita una frontera interna de gestion separada del flujo de autenticacion de la API publica. La frontera de gestion debe ser consciente del tenant, leer el flag de propiedad del tenant desde el modelo de dominio y evitar que cualquier tenant opere fuera de su scope.
+
+---
+
+## Decision
+
+UMS tratara la autorizacion de gestion del portal como una politica explicita de aplicacion, no como una preocupacion de AOP.
+
+| Area de Decision | Eleccion |
+|---|---|
+| Scope del portal | Introducir `AuthAccessScope.PortalManagement` para el acceso al portal y `AuthAccessScope.ExternalApi` para la API publica de autenticacion. |
+| Regla de gestion interna | Usar `ITenantScopePolicy` para validar propiedad del tenant y scope antes de ejecutar comandos mutantes del portal. |
+| Propiedad del tenant | Usar `Tenant.IsManagementOwner` como el flag autoritativo que habilita acciones de gestion interna para un tenant. |
+| Autenticacion API externa | Mantener `IAuthMethodResolver.ResolveAsync(tenantId, scope)` como el resolvedor explicito para la API publica de autenticacion. |
+| Uso de AOP | Reservar AOP para logging, tracing, enrichment de auditoria y otros concerns transversales. Nunca usarlo como frontera principal de autorizacion. |
+| Scope de consultas | Permitir que los query handlers usen la policy para resolver el scope visible, pero mantener la autorizacion de escritura explicita en el boundary del comando. |
+
+---
+
+## Modelo de Arquitectura
+
+```mermaid
+flowchart TB
+  subgraph Presentation["Presentation"]
+    P1["AuthEndpoints"]
+    P2["ClientAuthEndpoints"]
+    P3["Endpoints de gestion"]
+    P4["GraphQL / Middleware"]
+  end
+
+  subgraph Application["Application"]
+    A1["AuthMethodResolverService"]
+    A2["TenantScopePolicy"]
+    A3["Command handlers"]
+    A4["Query handlers"]
+    A5["Aspectos AOP de logging"]
+  end
+
+  subgraph Domain["Domain"]
+    D1["Tenant"]
+    D2["AuthAccessScope"]
+    D3["AuthorizationGraph"]
+    D4["Invariantes de negocio"]
+  end
+
+  subgraph Infrastructure["Infrastructure"]
+    I1["TenantRepository"]
+    I2["Proveedores de configuracion"]
+    I3["Seeders / migraciones"]
+  end
+
+  P1 --> A1
+  P2 --> A1
+  P3 --> A2
+  P3 --> A3
+  P4 --> A4
+  A1 --> D2
+  A2 --> D1
+  A3 --> D1
+  A4 --> D1
+  A1 --> I2
+  A2 --> I1
+  I1 --> D1
+  I2 --> A1
+  A5 -. solo concern transversal .-> A3
+  A5 -. solo concern transversal .-> A4
+  A3 --> D3
+```
+
+```mermaid
+sequenceDiagram
+  participant User as Usuario del portal
+  participant Portal as Portal UMS
+  participant Handler as Command handler
+  participant Policy as TenantScopePolicy
+  participant Tenant as Agregado Tenant
+
+  User->>Portal: Inicia sesion en el portal de UMS
+  Portal->>Handler: AuthenticateUserCommand(PortalManagement)
+  Handler-->>Portal: Sesion + grafo
+
+  User->>Portal: Crea o modifica un recurso del tenant
+  Portal->>Handler: Comando mutante
+  Handler->>Policy: EnsureManagementOwnerScopeAsync(tenantId)
+  Policy->>Tenant: Cargar el tenant e inspeccionar IsManagementOwner
+  Tenant-->>Policy: true / false
+  Policy-->>Handler: Permitido / denegado
+  Handler-->>Portal: Resultado
+```
+
+---
+
+## Por Que Esta Decision
+
+1. Mantiene las decisiones de seguridad explicitas en la capa de aplicacion.
+2. Evita convertir AOP en un motor de autorizacion oculto.
+3. Alinea la gestion del portal con la propiedad del tenant en vez de mezclarla con el flujo publico de resolucion de IDP.
+4. Preserva la testabilidad porque las decisiones de scope pueden cubrirse con pruebas unitarias directas.
+5. Mantiene intacto el flujo de la API externa para clientes downstream.
+6. Reduce el riesgo de que el acceso al portal y la autenticacion externa se influyan accidentalmente.
+
+---
+
+## Alternativas Consideradas
+
+| Alternativa | Decision | Motivo |
+|---|---|---|
+| Hacer cumplir el acceso al tenant en aspectos AOP | Rechazada | Las reglas de seguridad quedarian implicitas y mas dificiles de auditar. |
+| Hacer cumplir el acceso al tenant solo en middleware | Rechazada | Middleware es demasiado temprano y demasiado grueso para varias reglas de negocio. |
+| Mezclar la gestion del portal y la autenticacion externa en un solo flujo | Rechazada | Los dos casos de uso tienen fronteras de confianza y reglas de negocio distintas. |
+| Guardar la capacidad de gestion fuera de `Tenant` | Rechazada | La propiedad del tenant debe ser la fuente de verdad para el scope de gestion interna. |
+
+---
+
+## Consecuencias
+
+### Positivas
+
+- Las reglas de acceso del portal son faciles de encontrar en la capa de aplicacion.
+- Las pruebas de autorizacion siguen siendo enfocadas y legibles.
+- La propiedad de gestion del tenant es visible en el modelo de dominio.
+- La API externa sigue respetando la configuracion de IDP especifica del tenant.
+
+### Compromisos
+
+- Algunos handlers deben llamar explicitamente a la policy en vez de depender de un interceptor global.
+- La base de codigo necesita disciplina para mantener AOP limitado a concerns transversales.
+- Un tenant marcado como management owner sigue requiriendo checks de rol y permiso para cada operacion.
+
+---
+
+## Notas de Implementacion
+
+| Area | Guia |
+|---|---|
+| Commands | Los comandos mutantes del portal deben validar `ITenantScopePolicy` antes de cualquier escritura. |
+| Queries | Los query handlers pueden usar la policy para resolver el scope visible, pero nunca para saltarse la autorizacion. |
+| Auth | Usar `AuthAccessScope.PortalManagement` para el login del portal y `AuthAccessScope.ExternalApi` para la API publica de autenticacion. |
+| Domain | Mantener `Tenant.IsManagementOwner` como la fuente de verdad para la capacidad de gestion interna. |
+| AOP | Usar `LoggerAspect` y aspectos relacionados solo para instrumentacion, no para conceder acceso. |
+| Trazabilidad | Enlazar este ADR desde historias funcionales y documentacion de dominio que hablen de gestion del portal del tenant. |
+
+---
+

docs/architecture/adrs/0077-tenant-portal-management-authorization-boundary.md

@@ -0,0 +1,168 @@
+# ADR-0077: Tenant Portal Management Authorization Boundary and Scope Policy
+
+**Status:** Accepted  
+**Date:** 2026-06-02  
+**Decision Owner:** Architecture  
+**Related:**
+- [ADR-0071: Auth Graph Engine](./0071-auth-graph-engine.md)
+- [ADR-0072: Dynamic Auth Method Resolution](./0072-dynamic-auth-method-resolution.md)
+- [ADR-0060: AOP Cross-Cutting Concern Strategy](./0060-aop-cross-cutting-concern-strategy.md)
+- [ADR-0075: Onboarding Approval Inbox and Scope-Based Authorization](./0075-onboarding-approval-inbox-and-scope-based-authorization.md)
+
+---
+
+## Context
+
+UMS must support two different authorization responsibilities that are easy to confuse if they are implemented with the same mechanism:
+
+| Flow | Purpose | Governing rule |
+|---|---|---|
+| Portal management | A tenant user signs into the UMS portal to view or manage their own allowed data | Must be authorized by tenant scope, roles, permissions, and `Tenant.IsManagementOwner` |
+| Public external API | A downstream client authenticates against the public auth API | Must honor the tenant's configured auth method and the auth graph |
+
+Historically, cross-cutting AOP was a tempting place to enforce access checks because it is already attached to command handlers. That would be the wrong boundary for a security decision. Authorization is business-critical, must remain explicit, and must be easy to inspect in tests and code reviews.
+
+The portal flow therefore needs an internal management boundary that is separate from the external API authentication flow. The management boundary must be tenant-aware, read the tenant ownership flag from the domain model, and prevent any tenant from operating outside its scope.
+
+---
+
+## Decision
+
+UMS will treat portal management authorization as an explicit application policy, not as an AOP concern.
+
+| Decision Area | Choice |
+|---|---|
+| Portal scope | Introduce `AuthAccessScope.PortalManagement` for portal access and `AuthAccessScope.ExternalApi` for the public auth API. |
+| Internal management rule | Use `ITenantScopePolicy` to validate tenant ownership and scope before executing mutating portal commands. |
+| Tenant ownership | Use `Tenant.IsManagementOwner` as the authoritative flag that enables internal management actions for a tenant. |
+| External API auth | Keep `IAuthMethodResolver.ResolveAsync(tenantId, scope)` as the explicit resolver for the public authentication API. |
+| AOP usage | Reserve AOP for logging, tracing, audit enrichment, and other cross-cutting concerns. Never use it as the primary authorization boundary. |
+| Query scope | Allow query handlers to use the policy for scope resolution, but keep write authorization explicit at the command boundary. |
+
+---
+
+## Architecture Model
+
+```mermaid
+flowchart TB
+  subgraph Presentation["Presentation"]
+    P1["AuthEndpoints"]
+    P2["ClientAuthEndpoints"]
+    P3["Management endpoints"]
+    P4["GraphQL / Middleware"]
+  end
+
+  subgraph Application["Application"]
+    A1["AuthMethodResolverService"]
+    A2["TenantScopePolicy"]
+    A3["Command handlers"]
+    A4["Query handlers"]
+    A5["AOP logging aspects"]
+  end
+
+  subgraph Domain["Domain"]
+    D1["Tenant"]
+    D2["AuthAccessScope"]
+    D3["AuthorizationGraph"]
+    D4["Business invariants"]
+  end
+
+  subgraph Infrastructure["Infrastructure"]
+    I1["TenantRepository"]
+    I2["Configuration providers"]
+    I3["Seeders / migrations"]
+  end
+
+  P1 --> A1
+  P2 --> A1
+  P3 --> A2
+  P3 --> A3
+  P4 --> A4
+  A1 --> D2
+  A2 --> D1
+  A3 --> D1
+  A4 --> D1
+  A1 --> I2
+  A2 --> I1
+  I1 --> D1
+  I2 --> A1
+  A5 -. cross-cutting only .-> A3
+  A5 -. cross-cutting only .-> A4
+  A3 --> D3
+```
+
+```mermaid
+sequenceDiagram
+  participant User as Portal user
+  participant Portal as UMS portal
+  participant Handler as Command handler
+  participant Policy as TenantScopePolicy
+  participant Tenant as Tenant aggregate
+
+  User->>Portal: Sign in to the UMS portal
+  Portal->>Handler: AuthenticateUserCommand(PortalManagement)
+  Handler-->>Portal: Session + graph
+
+  User->>Portal: Create or update tenant-owned resource
+  Portal->>Handler: Mutating command
+  Handler->>Policy: EnsureManagementOwnerScopeAsync(tenantId)
+  Policy->>Tenant: Load tenant and inspect IsManagementOwner
+  Tenant-->>Policy: true / false
+  Policy-->>Handler: Allowed / denied
+  Handler-->>Portal: Result
+```
+
+---
+
+## Why This Decision
+
+1. It keeps security decisions explicit in the application layer.
+2. It avoids turning AOP into a hidden authorization engine.
+3. It aligns portal management with tenant ownership rather than with the public IDP resolution path.
+4. It preserves testability because scope decisions can be covered with direct unit tests.
+5. It keeps the external API flow fully intact for downstream clients.
+6. It reduces the chance that portal access and external authentication will accidentally influence each other.
+
+---
+
+## Alternatives Considered
+
+| Alternative | Decision | Reason |
+|---|---|---|
+| Enforce tenant access in AOP aspects | Rejected | Security rules would become implicit and harder to audit. |
+| Enforce tenant access only in middleware | Rejected | Middleware is too early and too coarse for many business rules. |
+| Merge portal management and external API auth into one flow | Rejected | The two use cases have different trust boundaries and different business rules. |
+| Store management access outside `Tenant` | Rejected | Tenant ownership must be the source of truth for internal management scope. |
+
+---
+
+## Consequences
+
+### Positive
+
+- Portal access rules are easy to find in the application layer.
+- Authorization tests remain focused and readable.
+- Tenant management ownership is visible in the domain model.
+- The external API still honors tenant-specific IDP configuration.
+
+### Trade-offs
+
+- Some handlers must explicitly call the policy instead of relying on a global interceptor.
+- The codebase needs discipline to keep AOP limited to cross-cutting concerns.
+- A tenant marked as management owner still requires role and permission checks for each operation.
+
+---
+
+## Implementation Notes
+
+| Area | Guidance |
+|---|---|
+| Commands | Mutating portal commands must validate `ITenantScopePolicy` before any write occurs. |
+| Queries | Query handlers may use the policy to resolve the visible scope, but never to bypass authorization. |
+| Auth | Use `AuthAccessScope.PortalManagement` for portal login and `AuthAccessScope.ExternalApi` for the public auth API. |
+| Domain | Keep `Tenant.IsManagementOwner` as the source of truth for internal management capability. |
+| AOP | Use `LoggerAspect` and related aspects only for instrumentation, not for granting access. |
+| Traceability | Link this ADR from functional stories and domain documentation that talk about tenant portal management. |
+
+---
+

docs/architecture/adrs/index.md

@@ -56,14 +56,16 @@ UMS is a satellite repository of `evolith_arch32`. The parent repository defines
 | [ADR-0073](./0073-ums-sdk-multi-runtime.md) | UMS SDK — Multi-Runtime Client Integration Surface (.NET / TypeScript / NestJS) | Accepted |
 | [ADR-0074](./0074-auth-graph-schema-versioning.md) | Auth Graph Schema Versioning Policy | Accepted |
 | [ADR-0075](./0075-onboarding-approval-inbox-and-scope-based-authorization.md) | Onboarding Approval Inbox and Scope-Based Authorization | Accepted |
+| [ADR-0076](./0076-utc-dates-timezone-language-resolution.md) | UTC Dates, Timezone and Language Resolution | Accepted |
+| [ADR-0077](./0077-tenant-portal-management-authorization-boundary.md) | Tenant Portal Management Authorization Boundary and Scope Policy | Accepted |
 
 > **Evolith candidate** - ADR has zero UMS-specific dependencies and is proposed for extraction to the Evolith parent architecture baseline.
 
 ---
 
 ## Bilingual Coverage (R-01 Compliance)
 
-All ADRs (0050-0070) now have Spanish translations:
+All ADRs (0050-0077) now have Spanish translations:
 
 | ADR | Spanish | ADR | Spanish |
 |-----|---------|-----|---------|
@@ -80,6 +82,9 @@ All ADRs (0050-0070) now have Spanish translations:
 | 0060 | ✅ | 0072 | ✅ |
 | —    | — | 0073 | ✅ |
 | —    | — | 0074 | ✅ |
+| —    | — | 0075 | ✅ |
+| —    | — | 0076 | ✅ |
+| —    | — | 0077 | ✅ |
 
 ---