Tenant/Branch Scope Guard Preview v1

Tenant/Branch Scope Guard

Safe read-only Restaurant SaaS preview showing how deny-by-default tenantId, restaurantId and branchId checks prevent cross-tenant, cross-restaurant and cross-branch data leakage. This page creates no backend middleware, tenant data, branch data, grants or auth bypass.

10 scope examples covered.
1 allowed same-branch read example.
9 denied leakage examples.
10 examples requiring audit evidence.

Allowed and denied examples

Same tenant + same restaurant + same branch order read: allowed
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: manager
requested resource: order:branch_fountain_square:ORD-1001
expected decision: allow
reason: Actor, order and request context share the same tenantId, restaurantId and branchId for a read-only order lookup.
auditRequired: true
redactionLevel: none
Allow | order

Same tenant + same restaurant + different branch order read: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: cashier
requested resource: order:branch_seaside:ORD-2002
expected decision: deny
reason: Cross-branch order reads are denied unless an explicit branch grant exists; this preview intentionally has no grant.
auditRequired: true
redactionLevel: branch-summary
Deny | order

Same tenant + different restaurant branch access: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: admin
requested resource: restaurant:restaurant_ganja_grill/branch:branch_nizami
expected decision: deny
reason: Restaurant boundary changed inside the same tenant, so branch details are denied without a restaurant-level assignment.
auditRequired: true
redactionLevel: tenant-safe-summary
Deny | restaurant-branch

Different tenant access: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: owner
requested resource: tenant:tenant_private_competitor/restaurant:restaurant_old_city/orders
expected decision: deny
reason: Cross-tenant access is always denied in this preview and returns full redaction to prevent tenant data leakage.
auditRequired: true
redactionLevel: full-redaction
Deny | order

POS device from wrong branch: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: pos-device
requested resource: pos-device:POS-SEASIDE-02/session:branch_seaside
expected decision: deny
reason: A POS device registered to another branch cannot open a session for this branch context.
auditRequired: true
redactionLevel: branch-summary
Deny | pos-device-session

Waiter assigned to wrong branch/table: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: waiter
requested resource: table:branch_seaside:T12
expected decision: deny
reason: Waiter table assignment is scoped to one branch; wrong branch or table assignments are denied by default.
auditRequired: true
redactionLevel: branch-summary
Deny | waiter-table-assignment

Kitchen station from wrong branch: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: kitchen
requested resource: kitchen-station:branch_seaside:grill/ticket:KOT-3003
expected decision: deny
reason: Kitchen tickets stay within the issuing branch so stations cannot view tickets from another branch.
auditRequired: true
redactionLevel: branch-summary
Deny | kitchen-station-ticket

Courier assigned to wrong branch delivery: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: courier
requested resource: delivery:branch_seaside:DEL-4004
expected decision: deny
reason: Courier delivery assignment belongs to a different branch, so address and customer details stay redacted.
auditRequired: true
redactionLevel: full-redaction
Deny | delivery-assignment

Reports export across branches without explicit grant: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: reporting
requested resource: reports:restaurant_baku_central:all-branches:sales-export
expected decision: deny
reason: Cross-branch reports export is denied because this preview creates no explicit multi-branch reporting grant.
auditRequired: true
redactionLevel: tenant-safe-summary
Deny | reports-export

Tenant domain route mismatch: denied
tenantId: tenant_az_demo_food_group
restaurantId: restaurant_baku_central
branchId: branch_fountain_square
actor role: domain-router
requested resource: host:orders.other-tenant.example.invalid/path:/branch_fountain_square/menu
expected decision: deny
reason: Domain tenant resolution does not match the route tenantId, so the request is denied before branch data is shown.
auditRequired: true
redactionLevel: full-redaction
Deny | tenant-domain-route

Deny-by-default local policy

denyByDefault: Unknown, cross-tenant, cross-restaurant and cross-branch requests deny unless a documented local preview grant exists. [true]
Cross-tenant data: Different tenant access returns full redaction and never exposes another tenant payload. [denied]
Cross-branch data: Different branch orders, devices, tables, stations, deliveries and exports are denied without explicit grant. [denied]
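
One way to express the deny-by-default policy above as a typed check (an added example, not this product's code; TenantScope, ScopeDecision, BranchGrant and evaluateScope are hypothetical names). As a simplifying assumption, the redaction level here depends only on which boundary was crossed, whereas the page's courier and reports examples pick a level per resource.

```typescript
// Added illustration; all type and function names below are hypothetical.
type TenantScope = { tenantId: string; restaurantId: string; branchId: string };
type RedactionLevel = "none" | "branch-summary" | "tenant-safe-summary" | "full-redaction";
type ScopeDecision = { decision: "allow" | "deny"; reason: string; auditRequired: true; redactionLevel: RedactionLevel };
type BranchGrant = TenantScope & { actorId: string };

function deny(reason: string, redactionLevel: RedactionLevel): ScopeDecision {
  return { decision: "deny", reason, auditRequired: true, redactionLevel };
}

// hostTenantId is the tenant resolved from the request's domain (assumed to happen upstream).
function evaluateScope(actorId: string, actor: TenantScope, resource: Partial<TenantScope>,
                       hostTenantId: string, grants: BranchGrant[] = []): ScopeDecision {
  // An actor without a fully resolved scope must never match an empty resource scope.
  if (!actor.tenantId || !actor.restaurantId || !actor.branchId)
    return deny("actor scope unresolved", "full-redaction");
  if (hostTenantId !== actor.tenantId)
    return deny("tenant domain route mismatch", "full-redaction");
  // A missing resource id is undefined, fails strict equality, and so denies: no wildcards.
  if (resource.tenantId !== actor.tenantId)
    return deny("cross-tenant or unknown tenant", "full-redaction");
  if (resource.restaurantId !== actor.restaurantId)
    return deny("cross-restaurant or unknown restaurant", "tenant-safe-summary");
  if (resource.branchId !== actor.branchId) {
    const granted = grants.some(g => g.actorId === actorId && g.tenantId === resource.tenantId &&
      g.restaurantId === resource.restaurantId && g.branchId === resource.branchId);
    if (!granted) return deny("cross-branch without explicit grant", "branch-summary");
  }
  return { decision: "allow", reason: "tenant, restaurant and branch match or are granted",
           auditRequired: true, redactionLevel: "none" };
}

// Constructed request context reusing the identifiers from the page's examples.
const ctx: TenantScope = { tenantId: "tenant_az_demo_food_group",
                           restaurantId: "restaurant_baku_central", branchId: "branch_fountain_square" };

// Replays four of the page's cases (actor ids are constructed) as "decision:redactionLevel".
function pageExamples(): string[] {
  return [
    evaluateScope("manager-1", ctx, { ...ctx }, ctx.tenantId),
    evaluateScope("cashier-1", ctx, { ...ctx, branchId: "branch_seaside" }, ctx.tenantId),
    evaluateScope("admin-1", ctx, { ...ctx, restaurantId: "restaurant_ganja_grill", branchId: "branch_nizami" }, ctx.tenantId),
    evaluateScope("owner-1", ctx, { tenantId: "tenant_private_competitor", restaurantId: "restaurant_old_city" }, ctx.tenantId),
  ].map(d => `${d.decision}:${d.redactionLevel}`);
}
```

Every path returns auditRequired: true, so allowed reads leave the same evidence trail as denials.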

Safety boundaries

No real backend authorization middleware: Typed local library and mock route only. [false]
No real database connection: All examples are static synthetic preview records. [false]
No real tenant, branch or permission grant: Preview data is local and non-operational. [false]
No secrets or env files: No credential or local environment file is read or changed. [safe]