Phase 1 Realignment

The client response confirms the platform foundation while expanding the Phase 1 planning surface.

The implemented foundation remains valid:

  • Multi-tenant SaaS control plane.
  • FastAPI API service and Next.js console.
  • Postgres + RLS tenant isolation.
  • NATS JetStream behind the EventBus seam.
  • Worker-service async processing.
  • OIDC/AuthContext and local Keycloak profile.
  • WebhookAdapter and SecretProvider seams.
  • KubernetesSecretProvider.
  • Asset storage/read model and minimal heartbeat ingestion.

Phase 1 planning now explicitly includes:

  • Agent enrollment and future mTLS device identity.
  • SCIM 2.0.
  • OneProtect internal ticketing.
  • Active/passive discovery authorization contracts.
  • Auditor export, watermarking, export hash, and redaction controls.
  • SOC 2, HIPAA, and GLBA starter policy catalog.
  • AWS primary production architecture decisions.
  • macOS agent scope and Intune mobile posture connector, contract-designed in ADR-0017.
  • Remote SSH management contracts before runtime implementation, accepted in ADR-0016.

Important boundary correction:

OneProtect is a multi-tenant MSSP SaaS platform. Agents and connectors run inside tenant environments. There is no OneProtect campus/network discovery domain.

Source docs:

  • docs/client-response/phase1-architectural-response-summary.md
  • docs/architecture/bounded-contexts.md
  • docs/planning/phase1-milestone-plan-draft.md
  • docs/adr/README.md