Files
Sankofa/docs/phoenix/OPERATING_MODEL.md
defiQUG 33d50fb91e
Some checks failed
API CI / API Lint (push) Successful in 47s
API CI / API Type Check (push) Failing after 47s
API CI / API Test (push) Successful in 1m0s
API CI / API Build (push) Failing after 50s
API CI / Build Docker Image (push) Has been skipped
Build Crossplane Provider / build (push) Failing after 5m51s
CD Pipeline / Deploy to Staging (push) Failing after 29s
CI Pipeline / Lint and Type Check (push) Failing after 36s
CI Pipeline / Build (push) Has been skipped
CI Pipeline / Test Backend (push) Failing after 1m33s
CI Pipeline / Test Frontend (push) Failing after 30s
CI Pipeline / Security Scan (push) Failing after 1m16s
Crossplane Provider CI / Go Test (push) Failing after 3m23s
Crossplane Provider CI / Go Lint (push) Failing after 7m27s
Crossplane Provider CI / Go Build (push) Failing after 3m27s
Deploy to Staging / Deploy to Staging (push) Failing after 30s
Portal CI / Portal Lint (push) Failing after 21s
Portal CI / Portal Type Check (push) Failing after 21s
Portal CI / Portal Test (push) Failing after 21s
Portal CI / Portal Build (push) Failing after 22s
Test Suite / frontend-tests (push) Failing after 30s
Test Suite / api-tests (push) Failing after 49s
Test Suite / blockchain-tests (push) Failing after 30s
Type Check / type-check (map[directory:. name:root]) (push) Failing after 23s
Type Check / type-check (map[directory:api name:api]) (push) Failing after 21s
Type Check / type-check (map[directory:portal name:portal]) (push) Failing after 19s
Validate Configuration Files / validate (push) Failing after 1m52s
CD Pipeline / Deploy to Production (push) Has been skipped
chore: consolidate local WIP (repo cleanup 20260707)
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-07-07 09:41:34 -07:00

1402 lines
44 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Phoenix Operating Model
**Sankofa Phoenix Cloud Services — Enterprise-Grade Operating Model for Sovereign Governments**
---
## Executive Summary
**Phoenix (Sankofa Cloud Services)** is a competing cloud services offering purpose-built to service **international and multi-national Sovereign Governments** and their contractors. Phoenix competes directly with Azure, AWS, and other cloud service providers while offering superior capabilities for sovereign deployments.
This operating model separates **commercial governance**, **technical tenancy**, and **content/devops control** while enabling clean interoperability across distributed, multi-region deployments. The model is designed to support:
- **International and multi-national sovereign governments** requiring multi-region landing zones
- **Decentralized architecture** supporting distributed sovereignty
- **Clouds for sovereignty** with regional data residency and compliance
- **Enterprise-scale multi-tenancy** superior to Azure and AWS
This document is suitable for:
- Architecture decks
- Product specifications
- Client-facing enterprise offering memos
- Implementation guides
---
## Core Management Layers (Separation of Concerns)
Phoenix is structured around **five orthogonal but linked control planes**, each with its own hierarchy and access model. Planes reference each other through IDs—not shared control.
### The Five Control Planes
1. **Commercial Plane** *Who pays*
2. **Tenancy Plane** *Who owns domains & identity*
3. **Subscription Plane** *What is provisioned*
4. **Environment Plane** *Where workloads run*
5. **Content & DevOps Plane** *What is built, governed, and deployed*
### Design Principles
- **Orthogonal Design**: Each plane operates independently
- **ID-Based References**: Planes reference each other through IDs, not shared control
- **Separation of Concerns**: Commercial, technical, and content concerns are separated
- **Clean Interoperability**: Planes interoperate cleanly without tight coupling
---
## I. Commercial Plane — Clients (Billing Profiles)
**Purpose:** Financial ownership, invoicing, entitlements, and contractual scope.
### Entity: Client (Billing Profile)
A **Client** represents a legal entity that contracts with Phoenix for cloud services. It is the financial and contractual boundary for billing and invoicing.
#### Attributes
- **Legal Entity**: Legal name, registration number, jurisdiction
- **Contract & MSA**: Master Service Agreement, contract terms, SLAs
- **Invoicing Configuration**: Invoice format, frequency, currency, payment terms
- **Payment Instruments**: Credit cards, bank accounts, purchase orders
- **Cost Centers / Departments**: Internal cost allocation structure
- **Usage Aggregation & Chargeback**: Aggregation of usage across all tenants, chargeback to internal departments
#### Entity Schema
```graphql
type Client {
id: ID!
name: String!
legalEntity: LegalEntity!
contract: Contract
msa: MSA
invoicingConfig: InvoicingConfig!
paymentInstruments: [PaymentInstrument!]!
costCenters: [CostCenter!]!
tenants: [Tenant!]!
usageAggregation: UsageAggregation
chargebackRules: [ChargebackRule!]!
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
type LegalEntity {
name: String!
registrationNumber: String
jurisdiction: String!
taxId: String
address: Address!
}
type Contract {
id: ID!
client: Client!
startDate: DateTime!
endDate: DateTime
terms: String!
sla: SLA!
status: ContractStatus!
}
type InvoicingConfig {
format: InvoiceFormat!
frequency: InvoiceFrequency!
currency: String!
paymentTerms: String!
billingAddress: Address!
emailRecipients: [String!]!
}
enum InvoiceFormat {
PDF
XML
JSON
}
enum InvoiceFrequency {
MONTHLY
QUARTERLY
ANNUAL
}
```
### Key Rules
1. **A Client can own multiple Tenants**
- Rationale: A single legal entity (e.g., a government agency) may operate multiple domains/identities
- Example: A defense contractor may have separate tenants for classified and unclassified work
- Enforcement: Database foreign key constraint (Tenant.clientId → Client.id)
2. **A Tenant cannot span multiple Clients**
- Rationale: Billing and contractual boundaries must be clear
- Example: A tenant cannot be shared between two different government agencies
- Enforcement: Database constraint (Tenant.clientId is NOT NULL and UNIQUE per tenant)
3. **Billing is never tied directly to environments or repos**
- Rationale: Billing operates at Client/Subscription level, not at operational level
- Example: Costs are aggregated at Subscription level, not per environment or Git repository
- Enforcement: Billing APIs only accept Client or Subscription IDs, not Environment or Content IDs
### Relationship to Existing Billing System
The existing Phoenix billing system (documented in `docs/tenants/BILLING_GUIDE.md`) currently tracks billing at the Tenant level. The new operating model introduces Client as the billing boundary:
- **Migration Path**: Existing tenants will be assigned to a default Client (or Clients can be created and tenants assigned)
- **Billing Aggregation**: Client-level billing aggregates costs from all associated Tenants and Subscriptions
- **Backward Compatibility**: Tenant-level billing queries remain available but aggregate to Client level
### Multi-National Client Structures
For international sovereign governments:
- **Single Client, Multiple Tenants**: One Client (the government) with multiple Tenants per nation/region
- **Multiple Clients, Coordinated Tenants**: Separate Clients per nation with coordinated Tenant structures
- **Federated Billing**: Cross-border billing aggregation while maintaining sovereignty
---
## II. Tenancy Plane — Tenants (Domains)
**Purpose:** Identity, domain ownership, trust boundaries, and security isolation.
### Entity: Tenant
A **Tenant** represents an identity and domain boundary. It is the security blast-radius boundary and owns all identity, domain, and security configuration.
#### Attributes
- **Primary Domain(s)**: One or more domains owned by the tenant (e.g., `agency.gov`, `agency.sankofa.nexus`)
- **Identity Provider**: SSO configuration (Entra, Okta, Keycloak, etc.)
- **Global RBAC Namespace**: Root namespace for all RBAC within the tenant
- **Data Residency / Sovereignty Flags**: Regional data residency requirements, sovereignty flags
- **Compliance Profile**: Compliance requirements (ISO, SOC, HIPAA, government-specific standards)
- **Multi-Region Support**: Whether tenant spans multiple regions
- **Regional Data Residency Requirements**: Per-region data residency rules
- **Cross-Border Governance Settings**: Governance rules for cross-border operations
#### Entity Schema
```graphql
type Tenant {
id: ID!
name: String!
primaryDomains: [String!]!
identityProvider: IdentityProvider!
rbacNamespace: String!
dataResidencyFlags: [DataResidencyFlag!]!
complianceProfile: ComplianceProfile!
client: Client!
subscriptions: [Subscription!]!
environments: [Environment!]!
regions: [Region!]!
keycloakRealmId: String
multiRegionEnabled: Boolean!
regionalDataResidency: [RegionalDataResidency!]!
crossBorderGovernance: CrossBorderGovernance
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
type IdentityProvider {
type: IdentityProviderType!
config: JSON!
ssoEnabled: Boolean!
mfaRequired: Boolean!
}
enum IdentityProviderType {
KEYCLOAK
AZURE_AD
OKTA
GOOGLE_WORKSPACE
CUSTOM_SAML
CUSTOM_OIDC
}
type ComplianceProfile {
standards: [ComplianceStandard!]!
certifications: [Certification!]!
auditRequirements: [AuditRequirement!]!
}
enum ComplianceStandard {
ISO_27001
ISO_27017
ISO_27018
SOC_2
SOC_3
HIPAA
PCI_DSS
GDPR
CCPA
FEDRAMP
ITAR
CUSTOM
}
type DataResidencyFlag {
region: Region!
requirement: DataResidencyRequirement!
enforcement: DataResidencyEnforcement!
}
enum DataResidencyRequirement {
REQUIRED
PREFERRED
PROHIBITED
}
enum DataResidencyEnforcement {
HARD
SOFT
ADVISORY
}
```
### Key Rules
1. **One Tenant → many Subscriptions**
- Rationale: A tenant can have multiple service subscriptions
- Example: A tenant may have separate subscriptions for compute, data, and AI services
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id)
2. **One Tenant → many Environments**
- Rationale: Environments are scoped to tenants for security isolation
- Example: A tenant may have DEV, STAGING, and PROD environments
- Enforcement: Environment belongs to Subscription, which belongs to Tenant
3. **Tenant is the security blast-radius boundary**
- Rationale: Security incidents are contained within tenant boundaries
- Example: A compromised tenant cannot access another tenant's resources
- Enforcement: Network isolation, RBAC namespace isolation, data isolation
### Relationship to Existing Tenant Management
The existing Phoenix tenant management (documented in `docs/tenants/TENANT_MANAGEMENT.md`) aligns with this model:
- **Tenant Tiers**: FREE, STANDARD, ENTERPRISE, SOVEREIGN map to Subscription types
- **Keycloak Integration**: Each tenant gets a Keycloak realm (when `KEYCLOAK_MULTI_REALM=true`)
- **Custom Domains**: Tenant primary domains support custom domain configuration
- **Quotas**: Tenant quotas map to Subscription quotas and limits
### Keycloak Realm Mapping
- **One Tenant = One Keycloak Realm**: Each tenant has its own Keycloak realm for complete identity isolation
- **Realm Name**: Typically matches Tenant ID or primary domain
- **Federated Identity**: Tenants can federate with external identity providers (Entra, Okta, etc.)
### Multi-National Tenant Structures
For international sovereign governments:
- **Per-Nation Tenants**: Separate tenant per nation with coordinated governance
- **Federated Tenants**: Tenants that share identity federation but maintain isolation
- **Cross-Border Tenants**: Tenants that span multiple nations with regional data residency
---
## III. Subscription Plane — Subscriptions
**Purpose:** Logical containers for services, quotas, and spend.
### Entity: Subscription
A **Subscription** represents a service bundle provisioned to a tenant. It defines what services are available, quotas, limits, and cost tracking.
#### Attributes
- **Service Bundles**: Compute, data, AI, storage, networking, etc.
- **Quotas & Limits**: Resource quotas, rate limits, capacity limits
- **Cost Tracking**: Cost aggregation, budget tracking, spending alerts
- **Policy Packs**: Security policies, networking policies, data access policies
- **Feature Entitlements**: Enabled features, beta features, premium features
- **Multi-Region Subscriptions**: Whether subscription spans multiple regions
#### Entity Schema
```graphql
type Subscription {
id: ID!
name: String!
tenant: Tenant!
client: Client!
type: SubscriptionType!
serviceBundles: [ServiceBundle!]!
quotas: Quotas
limits: Limits
costTracking: CostTracking!
policyPacks: [PolicyPack!]!
featureEntitlements: [FeatureEntitlement!]!
environments: [Environment!]!
regions: [Region!]!
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
enum SubscriptionType {
SHARED_PLATFORM
PRODUCT
SANDBOX
INNOVATION
}
type ServiceBundle {
service: ServiceType!
enabled: Boolean!
quotas: ServiceQuotas
limits: ServiceLimits
}
enum ServiceType {
COMPUTE
STORAGE
NETWORKING
DATABASE
AI_ML
ANALYTICS
SECURITY
MONITORING
BACKUP
}
type Quotas {
compute: ComputeQuotas
storage: StorageQuotas
network: NetworkQuotas
custom: JSON
}
type ComputeQuotas {
vcpu: Int
memory: Int # GB
instances: Int
gpu: Int
}
type PolicyPack {
name: String!
type: PolicyPackType!
policies: [Policy!]!
enforcement: PolicyEnforcement!
}
enum PolicyPackType {
SECURITY
NETWORKING
DATA_ACCESS
COMPLIANCE
CUSTOM
}
enum PolicyEnforcement {
HARD
SOFT
ADVISORY
}
```
### Subscription Types
1. **Shared Platform Subscription**
- Purpose: Shared infrastructure and platform services
- Use Cases: Common platform services, shared networking, centralized monitoring
- Characteristics: Shared resources, cost-efficient, managed by platform team
2. **Product Subscriptions**
- Purpose: Dedicated resources for specific products or applications
- Use Cases: Production workloads, customer-facing applications
- Characteristics: Dedicated resources, higher quotas, production SLAs
3. **Sandbox / Innovation Subscriptions**
- Purpose: Experimental and development environments
- Use Cases: Proof of concepts, experimentation, learning
- Characteristics: Lower quotas, relaxed policies, cost-optimized
### Key Rules
1. **Subscriptions live inside a Tenant**
- Rationale: Subscriptions inherit tenant identity and security boundaries
- Example: All subscriptions for a tenant share the same identity provider
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id, NOT NULL)
2. **Subscriptions are mapped to one Client billing profile**
- Rationale: Billing aggregation happens at Client level
- Example: All subscription costs for a tenant roll up to the tenant's Client
- Enforcement: Subscription.clientId → Client.id (via Tenant.clientId)
### Multi-Region Subscription Patterns
- **Regional Subscriptions**: Separate subscription per region for regional data residency
- **Global Subscriptions**: Single subscription spanning multiple regions
- **Hybrid Subscriptions**: Mix of regional and global services
---
## IV. Environment Plane — Environments
**Purpose:** Operational isolation for lifecycle stages.
### Entity: Environment
An **Environment** represents a lifecycle stage where workloads run. It provides network isolation, data isolation, and deployment policies.
#### Attributes
- **Network Isolation**: Network boundaries, firewall rules, network policies
- **Data Isolation**: Data boundaries, encryption, access controls
- **Deployment Policies**: Deployment rules, approval workflows, promotion policies
- **Runtime Secrets**: Secrets management, key rotation, access controls
- **Compliance Overlays**: Compliance requirements specific to environment
- **Regional Scope**: Region where environment is deployed
#### Entity Schema
```graphql
type Environment {
id: ID!
name: String!
type: EnvironmentType!
subscription: Subscription!
networkIsolation: NetworkIsolation!
dataIsolation: DataIsolation!
deploymentPolicies: [DeploymentPolicy!]!
runtimeSecrets: [Secret!]!
complianceOverlays: [ComplianceOverlay!]!
region: Region
promotionFlow: PromotionFlow
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
enum EnvironmentType {
DEV
INT
UAT
STAGING
PROD
REGULATED
SOVEREIGN
AIR_GAPPED
}
type NetworkIsolation {
vpcId: String
subnetIds: [String!]!
firewallRules: [FirewallRule!]!
networkPolicies: [NetworkPolicy!]!
allowedConnections: [NetworkConnection!]!
}
type DataIsolation {
encryptionAtRest: Boolean!
encryptionInTransit: Boolean!
accessControls: [AccessControl!]!
dataBoundaries: [DataBoundary!]!
}
type DeploymentPolicy {
name: String!
type: DeploymentPolicyType!
rules: [DeploymentRule!]!
approvalRequired: Boolean!
approvers: [String!]!
}
enum DeploymentPolicyType {
AUTOMATED
MANUAL_APPROVAL
POLICY_DRIVEN
SCHEDULED
}
type PromotionFlow {
fromEnvironment: Environment
toEnvironment: Environment!
policies: [PromotionPolicy!]!
approvalRequired: Boolean!
automated: Boolean!
}
```
### Environment Types
#### Standard Environments
1. **DEV** (Development)
- Purpose: Developer workstations and development workloads
- Characteristics: Relaxed policies, high developer access, cost-optimized
- Access: Developers, DevOps engineers
2. **INT** (Integration)
- Purpose: Integration testing and component testing
- Characteristics: Moderate policies, limited access, test data
- Access: QA engineers, integration testers
3. **UAT** (User Acceptance Testing)
- Purpose: User acceptance testing and validation
- Characteristics: Production-like policies, business user access, production-like data
- Access: Business users, QA engineers
4. **STAGING**
- Purpose: Pre-production validation and final testing
- Characteristics: Production-equivalent policies, limited access, production data copies
- Access: Release managers, senior engineers
5. **PROD** (Production)
- Purpose: Production workloads serving end users
- Characteristics: Strictest policies, minimal access, production data
- Access: Operators, on-call engineers (read-only for most)
#### Specialized Environments
6. **REGULATED**
- Purpose: Regulated workloads requiring specific compliance
- Characteristics: Enhanced compliance overlays, audit logging, restricted access
- Use Cases: Healthcare (HIPAA), Finance (PCI-DSS), Government (FedRAMP)
7. **SOVEREIGN**
- Purpose: Sovereign workloads requiring data residency
- Characteristics: Regional data residency, sovereignty flags, cross-border restrictions
- Use Cases: Government data, national security, sovereign cloud deployments
8. **AIR-GAPPED**
- Purpose: Classified workloads with no external connectivity
- Characteristics: Complete network isolation, no internet access, physical security
- Use Cases: Classified government systems, critical infrastructure
### Key Rules
1. **Environments belong to Subscriptions**
- Rationale: Environments inherit subscription quotas and policies
- Example: PROD environment uses Product Subscription quotas
- Enforcement: Database foreign key (Environment.subscriptionId → Subscription.id, NOT NULL)
2. **Promotion flows are policy-driven, not manual**
- Rationale: Automated, auditable promotion reduces human error
- Example: Code promotion from DEV → STAGING → PROD follows defined policies
- Enforcement: PromotionFlow policies are enforced by CI/CD pipelines
3. **PROD access is always the most restricted**
- Rationale: Production environments require highest security
- Example: PROD requires MFA, approval workflows, and audit logging
- Enforcement: RBAC policies enforce stricter access controls for PROD environments
### Multi-Region Environment Patterns
- **Regional Environments**: Separate environment per region for data residency
- **Global Environments**: Single environment spanning multiple regions
- **Hybrid Environments**: Mix of regional and global components
---
## V. Content & DevOps Plane (Separate but Integrated)
**Purpose:** What is built, governed, and deployed—separate from billing and tenancy.
This plane is intentionally **not** embedded into billing or tenancy. It operates independently but integrates with the other planes through IDs.
### A. Enterprise Content Management Hierarchy
#### Entity Model
```
Enterprise
└── Portfolio
└── Product / Program
└── Application / Service
└── Component / Module
```
#### Entity Schema
```graphql
type Enterprise {
id: ID!
name: String!
portfolios: [Portfolio!]!
ownership: Ownership!
governance: Governance!
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
type Portfolio {
id: ID!
name: String!
enterprise: Enterprise!
products: [Product!]!
ownership: Ownership!
governance: Governance!
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
type Product {
id: ID!
name: String!
portfolio: Portfolio!
applications: [Application!]!
ownership: Ownership!
governance: Governance!
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
type Application {
id: ID!
name: String!
product: Product!
components: [Component!]!
gitRepos: [GitRepo!]!
ownership: Ownership!
governance: Governance!
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
type Component {
id: ID!
name: String!
application: Application!
contentType: ContentType!
content: Content!
ownership: Ownership!
governance: Governance!
version: String!
lineage: [LineageEntry!]!
createdAt: DateTime!
updatedAt: DateTime!
metadata: JSON
}
enum ContentType {
SOURCE_CODE
IAC
PIPELINE
CONFIG_TEMPLATE
DOCUMENTATION
DATA_SCHEMA
AI_MODEL
PROMPT
}
type Ownership {
owner: String!
team: String
department: String
contact: String
}
type Governance {
approvalWorkflows: [ApprovalWorkflow!]!
complianceTags: [ComplianceTag!]!
accessControls: [AccessControl!]!
retentionPolicies: [RetentionPolicy!]!
}
type ApprovalWorkflow {
name: String!
steps: [ApprovalStep!]!
required: Boolean!
}
type ApprovalStep {
approver: String!
role: String!
timeout: Int
}
```
#### Content Types
1. **Source Code**: Application source code, libraries, dependencies
2. **IaC (Infrastructure as Code)**: Terraform, Pulumi, Bicep, CloudFormation
3. **Pipelines**: CI/CD pipeline definitions, workflow configurations
4. **Configuration Templates**: Environment configs, deployment templates
5. **Documentation**: Technical docs, runbooks, architecture diagrams
6. **Data Schemas**: Database schemas, data models, API schemas
7. **AI Models / Prompts**: ML models, AI prompts, training data
#### Governance
- **Ownership at Each Level**: Clear ownership from Enterprise to Component
- **Approval Workflows**: Required approvals for changes at each level
- **Compliance Tagging**: Compliance tags for regulatory requirements
- **Versioning & Lineage**: Complete version history and lineage tracking
### B. Git & DevOps Integration Model
#### Git Structure
**Enterprise Git Organization**:
- Repositories mapped to **Product / Service** level
- Branch strategy enforced by policy
- Protected branches for regulated environments
- Multi-region Git repository patterns
**Repository Mapping**:
```
Enterprise Git Org
├── portfolio-1/
│ ├── product-a/
│ │ ├── application-1/ (repo)
│ │ └── application-2/ (repo)
│ └── product-b/
│ └── application-3/ (repo)
└── portfolio-2/
└── product-c/
└── application-4/ (repo)
```
**Branch Strategy**:
- **main/master**: Production-ready code
- **develop**: Integration branch
- **feature/***: Feature branches
- **release/***: Release branches
- **hotfix/***: Production hotfixes
**Protected Branches**:
- **PROD environments**: Require approval, no direct pushes
- **REGULATED environments**: Additional compliance checks
- **SOVEREIGN environments**: Regional approval requirements
#### CI/CD Integration
**Environment-Aware Pipelines**:
- Pipelines detect target environment from branch or configuration
- Environment-specific policies are applied automatically
- Deployment requires explicit environment selection
**Deployment Requirements**:
1. **Subscription Authorization**: Pipeline verifies subscription has required services
2. **Environment Approval**: Automated or manual approval based on environment type
3. **Policy Validation**: Security, compliance, and governance policies are validated
**GitOps for Infrastructure**:
- Infrastructure changes via Git commits
- ArgoCD syncs Git state to infrastructure
- Crossplane provisions infrastructure resources
- Integration with existing ArgoCD infrastructure (see `gitops/README.md`)
#### Promotion Flow
**Standard Promotion Flow**:
```
Code Commit
CI (Test, Scan, Build)
Artifact Registry
Environment Promotion (Policy-Driven)
Subscription Deployment
```
**Policy-Driven Promotion**:
- **Automated**: DEV → INT → UAT (automated if tests pass)
- **Approval Required**: UAT → STAGING (requires approval)
- **Strict Approval**: STAGING → PROD (requires multiple approvals, compliance checks)
**Critical Principle**:
> **Git never directly deploys to PROD without environment + subscription authorization.**
**Enforcement**:
- CI/CD pipelines check environment type
- PROD deployments require:
- Subscription authorization
- Environment approval workflow
- Policy validation (security, compliance)
- Audit logging
**Multi-Region Promotion**:
- Regional promotion flows for data residency
- Cross-region promotion with governance approval
- Sovereign promotion with regional compliance checks
---
## VI. Hierarchical Access Model (RBAC)
### Access Roles by Plane
#### 1. Commercial Access
- **Finance Admin**: Full access to Client billing, invoicing, payment instruments
- **Billing Viewer**: Read-only access to billing and cost data
- **Cost Center Owner**: Access to specific cost center data and chargeback
#### 2. Tenant Access
- **Tenant Owner**: Full control over tenant, identity, domains, subscriptions
- **Security Admin**: Security configuration, compliance, audit access
- **Identity Admin**: Identity provider configuration, user management
- **Compliance Officer**: Compliance configuration, audit, reporting
#### 3. Subscription Access
- **Subscription Owner**: Full control over subscription, quotas, policies
- **Platform Admin**: Platform services administration
- **Service Operator**: Service-specific operations
- **Read-only Auditor**: Read-only access for auditing
#### 4. Environment Access
- **Environment Owner**: Full control over environment configuration
- **Release Manager**: Promotion approval, release management
- **Operator**: Runtime operations, monitoring, troubleshooting
- **Observer**: Read-only access for monitoring
#### 5. Content & DevOps Access
- **Enterprise Architect**: Enterprise-level architecture decisions
- **Portfolio Lead**: Portfolio-level governance and decisions
- **Product Owner**: Product-level decisions and priorities
- **Dev Lead**: Development team leadership
- **Contributor**: Code contribution, development
- **Reviewer**: Code review, approval
- **Release Approver**: Release approval for production
### Cross-Plane Access
**Default Rule**: **No role crosses planes by default.**
**Explicit Delegation Required**:
- Cross-plane access must be explicitly granted
- Delegation is audited and logged
- Delegation can be time-limited or permanent
**Delegation Mechanisms**:
- **Role Delegation**: Grant role from one plane to user in another plane
- **Temporary Access**: Time-limited cross-plane access
- **Escalation**: Emergency escalation procedures
### Multi-Region RBAC
- **Regional Roles**: Roles scoped to specific regions
- **Cross-Region Roles**: Roles that span multiple regions (requires approval)
- **Federated RBAC**: RBAC across federated tenants
### Integration with Keycloak
- **Keycloak Roles**: Phoenix roles map to Keycloak roles
- **Realm-Level Roles**: Tenant-specific roles in Keycloak realm
- **Federated Roles**: Roles from federated identity providers
---
## VII. Key Rules and Constraints
### Commercial Plane Rules
1. **A Client can own multiple Tenants**
- Rationale: Single legal entity may operate multiple domains/identities
- Enforcement: Database foreign key (Tenant.clientId → Client.id)
2. **A Tenant cannot span multiple Clients**
- Rationale: Billing and contractual boundaries must be clear
- Enforcement: Database constraint (Tenant.clientId is NOT NULL and UNIQUE per tenant)
3. **Billing is never tied directly to environments or repos**
- Rationale: Billing operates at Client/Subscription level
- Enforcement: Billing APIs only accept Client or Subscription IDs
### Tenancy Plane Rules
4. **One Tenant → many Subscriptions**
- Rationale: Tenant can have multiple service subscriptions
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id)
5. **One Tenant → many Environments**
- Rationale: Environments are scoped to tenants for security
- Enforcement: Environment belongs to Subscription, which belongs to Tenant
6. **Tenant is the security blast-radius boundary**
- Rationale: Security incidents contained within tenant
- Enforcement: Network isolation, RBAC namespace isolation, data isolation
### Subscription Plane Rules
7. **Subscriptions live inside a Tenant**
- Rationale: Subscriptions inherit tenant identity and security
- Enforcement: Database foreign key (Subscription.tenantId → Tenant.id, NOT NULL)
8. **Subscriptions are mapped to one Client billing profile**
- Rationale: Billing aggregation at Client level
- Enforcement: Subscription.clientId → Client.id (via Tenant.clientId)
### Environment Plane Rules
9. **Environments belong to Subscriptions**
- Rationale: Environments inherit subscription quotas and policies
- Enforcement: Database foreign key (Environment.subscriptionId → Subscription.id, NOT NULL)
10. **Promotion flows are policy-driven, not manual**
- Rationale: Automated, auditable promotion reduces error
- Enforcement: PromotionFlow policies enforced by CI/CD pipelines
11. **PROD access is always the most restricted**
- Rationale: Production requires highest security
- Enforcement: RBAC policies enforce stricter access for PROD
### Content & DevOps Plane Rules
12. **Git never directly deploys to PROD without environment + subscription authorization**
- Rationale: Production deployments require explicit authorization
- Enforcement: CI/CD pipelines check environment type and require approvals
13. **Content hierarchy ownership is required at each level**
- Rationale: Clear ownership enables governance
- Enforcement: Ownership fields are required in entity schemas
### Cross-Plane Rules
14. **No role crosses planes by default**
- Rationale: Separation of concerns requires explicit cross-plane access
- Enforcement: RBAC system enforces plane boundaries
15. **Cross-plane access requires explicit delegation**
- Rationale: Auditability and security require explicit delegation
- Enforcement: Delegation must be recorded and audited
### Violation Handling
- **Prevention**: Database constraints prevent invalid relationships
- **Detection**: Audit logs detect policy violations
- **Response**: Automated alerts and manual review for violations
- **Remediation**: Automated remediation where possible, manual intervention required for critical violations
---
## VIII. Multi-Region and Multi-National Capabilities
### Sovereign Cloud Deployments
**Per-Region/Nation Sovereign Clouds**:
- Each region/nation can have its own sovereign cloud deployment
- Complete data residency and sovereignty per region
- Regional compliance and governance
### Cross-Region Governance
**Federated Governance**:
- Governance policies can span multiple regions
- Cross-region coordination for multi-national operations
- Regional autonomy with coordinated governance
### Multi-National Tenant Structures
**Per-Nation Tenants**:
- Separate tenant per nation with coordinated governance
- Federated identity across nations
- Cross-border data sharing with governance
### Regional Data Residency
**Data Residency Enforcement**:
- Hard enforcement: Data cannot leave region
- Soft enforcement: Data preferred in region, warnings if outside
- Advisory: Recommendations for data placement
### Landing Zone Patterns
**Regional Landing Zones**:
- Landing zone per region for sovereign deployments
- Cross-region connectivity for coordination
- Regional compliance per landing zone
---
## IX. Decentralized Architecture
### How Decentralization Enables Sovereignty
**Distributed Control**:
- Control planes can be deployed per region
- Regional autonomy with coordinated governance
- No single point of control
**Sovereignty Benefits**:
- Complete control over regional infrastructure
- Data sovereignty per region
- Regulatory compliance per region
### Distributed Control Planes
**Regional Control Planes**:
- Each region can have its own control plane deployment
- Coordinated but not centralized
- Eventual consistency across regions
### Cross-Region Coordination
**Coordination Mechanisms**:
- Event-driven coordination
- API-based coordination
- Governance-based coordination
**Conflict Resolution**:
- Regional autonomy with escalation
- Governance policies for conflict resolution
- Audit trails for coordination decisions
### Federated Identity and Governance
**Federated Identity**:
- Identity federation across regions
- SSO across regions with regional control
- Multi-national identity coordination
**Federated Governance**:
- Governance policies can be federated
- Regional governance with coordination
- Cross-border governance patterns
---
## X. Integration with Existing Infrastructure
### Entity Mapping to Existing Systems
#### Proxmox Infrastructure
**Mapping**:
- **Region** → Proxmox Site
- **Cluster** → Proxmox Cluster
- **Node** → Proxmox Node
- **VM** → Proxmox VM
**Integration**:
- Environments map to Proxmox resource pools
- Subscriptions map to Proxmox quotas
- Tenants map to Proxmox access controls
#### Kubernetes Clusters
**Mapping**:
- **Environment** → Kubernetes Namespace
- **Subscription** → Kubernetes ResourceQuota
- **Tenant** → Kubernetes RBAC namespace
**Integration**:
- Environments deploy to Kubernetes namespaces
- Subscriptions enforce Kubernetes resource quotas
- Tenants enforce Kubernetes RBAC boundaries
#### Cloudflare Tunnels and Zero Trust
**Mapping**:
- **Tenant** → Cloudflare Access Policy
- **Environment** → Cloudflare Tunnel Configuration
- **Region** → Cloudflare Tunnel Endpoint
**Integration**:
- Tenant identity maps to Cloudflare Access policies
- Environments use Cloudflare tunnels for connectivity
- Regions map to Cloudflare tunnel endpoints
#### Keycloak Realms
**Mapping**:
- **Tenant** → Keycloak Realm (1:1)
- **Identity Provider** → Keycloak Identity Provider
- **RBAC Roles** → Keycloak Roles
**Integration**:
- Each tenant gets a Keycloak realm
- Tenant identity provider maps to Keycloak identity provider
- Phoenix RBAC roles map to Keycloak roles
#### ArgoCD Applications
**Mapping**:
- **Application** → ArgoCD Application
- **Environment** → ArgoCD Target Environment
- **Subscription** → ArgoCD Resource Quota
**Integration**:
- Applications deploy via ArgoCD
- Environments map to ArgoCD target environments
- Subscriptions enforce ArgoCD resource quotas
#### Crossplane Resources
**Mapping**:
- **Subscription** → Crossplane Composite Resource
- **Environment** → Crossplane Claim
- **Infrastructure** → Crossplane Managed Resources
**Integration**:
- Subscriptions provision infrastructure via Crossplane
- Environments create Crossplane claims
- Infrastructure resources managed by Crossplane
#### Monitoring and Observability
**Mapping**:
- **Tenant** → Monitoring Namespace
- **Environment** → Monitoring Labels
- **Subscription** → Cost Metrics
**Integration**:
- Monitoring scoped by tenant and environment
- Cost metrics aggregated by subscription
- Alerts configured per environment
### Resource Model Mapping
**Existing Model** (from `docs/architecture/data-model.md`):
```
Region → Site → Cluster → Node → VM/Pod/Service
```
**Operating Model Mapping**:
- **Region**: Maps to Phoenix Region (with Tenant/Subscription context)
- **Site**: Maps to Landing Zone or Environment
- **Cluster**: Maps to Subscription service bundle
- **Node**: Maps to Environment resources
- **VM/Pod/Service**: Maps to Environment workloads
### API Integration Points
**Control Plane APIs**:
- Commercial Plane API: Client and billing operations
- Tenancy Plane API: Tenant and identity operations
- Subscription Plane API: Subscription and quota operations
- Environment Plane API: Environment and deployment operations
- Content & DevOps Plane API: Content and Git operations
**Integration APIs**:
- Proxmox API integration
- Kubernetes API integration
- Cloudflare API integration
- Keycloak API integration
- ArgoCD API integration
- Crossplane API integration
---
## XI. Use Cases for Sovereign Governments
### Use Case 1: Multi-National Defense Contractor
**Scenario**: Defense contractor with classified and unclassified workloads across multiple nations.
**Entity Mapping**:
- **Client**: Defense contractor (single Client)
- **Tenants**:
- Tenant 1: Classified workloads (US)
- Tenant 2: Unclassified workloads (US)
- Tenant 3: Classified workloads (EU)
- Tenant 4: Unclassified workloads (EU)
- **Subscriptions**:
- Classified Subscription (AIR-GAPPED environments)
- Unclassified Subscription (REGULATED environments)
- **Environments**:
- AIR-GAPPED PROD (classified)
- REGULATED PROD (unclassified)
- **Landing Zones**: Separate landing zones per nation
**Compliance**: ITAR, FedRAMP, regional data residency
### Use Case 2: International Healthcare Agency
**Scenario**: Healthcare agency operating across multiple countries with HIPAA requirements.
**Entity Mapping**:
- **Client**: Healthcare agency (single Client)
- **Tenants**:
- Tenant per country (for data residency)
- **Subscriptions**:
- Healthcare Subscription (HIPAA-compliant)
- **Environments**:
- REGULATED PROD (HIPAA)
- REGULATED STAGING (HIPAA)
- **Landing Zones**: Per-country landing zones
**Compliance**: HIPAA, GDPR, regional healthcare regulations
### Use Case 3: Cross-Border Financial Regulator
**Scenario**: Financial regulator coordinating across multiple nations.
**Entity Mapping**:
- **Clients**: One Client per nation (coordinated)
- **Tenants**:
- Tenant per nation (federated)
- **Subscriptions**:
- Regulatory Subscription (cross-border)
- **Environments**:
- REGULATED PROD (financial regulations)
- **Landing Zones**: Per-nation landing zones with cross-border connectivity
**Compliance**: Financial regulations per nation, cross-border coordination
### Use Case 4: Multi-Region Public Sector Agency
**Scenario**: Public sector agency with operations across multiple regions.
**Entity Mapping**:
- **Client**: Public sector agency (single Client)
- **Tenants**:
- Tenant per region (for regional autonomy)
- **Subscriptions**:
- Public Sector Subscription
- **Environments**:
- PROD (public services)
- STAGING (pre-production)
- **Landing Zones**: Per-region landing zones
**Compliance**: Government regulations, regional data residency
### Use Case 5: Air-Gapped Deployment Per Nation
**Scenario**: Classified government system with complete isolation per nation.
**Entity Mapping**:
- **Client**: Government (one per nation)
- **Tenants**:
- Single tenant per nation (complete isolation)
- **Subscriptions**:
- Classified Subscription
- **Environments**:
- AIR-GAPPED PROD (no external connectivity)
- **Landing Zones**: Air-gapped landing zone per nation
**Compliance**: Classified systems, national security regulations
---
## XII. Glossary
### Core Entities
- **Client (Billing Profile)**: Legal entity that contracts with Phoenix for cloud services. Financial and contractual boundary.
- **Tenant**: Identity and domain boundary. Security blast-radius. Owns identity, domain, and security configuration.
- **Subscription**: Logical container for services, quotas, and spend. Defines what services are available.
- **Environment**: Lifecycle stage where workloads run. Provides network isolation, data isolation, and deployment policies.
- **Landing Zone**: Regional deployment pattern for sovereign cloud deployments.
### Control Planes
- **Commercial Plane**: Financial ownership, invoicing, entitlements, contractual scope.
- **Tenancy Plane**: Identity, domain ownership, trust boundaries, security isolation.
- **Subscription Plane**: Logical containers for services, quotas, and spend.
- **Environment Plane**: Operational isolation for lifecycle stages.
- **Content & DevOps Plane**: What is built, governed, and deployed.
### Environment Types
- **DEV**: Development environment
- **INT**: Integration testing environment
- **UAT**: User acceptance testing environment
- **STAGING**: Pre-production validation environment
- **PROD**: Production environment
- **REGULATED**: Regulated workloads requiring specific compliance
- **SOVEREIGN**: Sovereign workloads requiring data residency
- **AIR-GAPPED**: Classified workloads with no external connectivity
### Subscription Types
- **Shared Platform Subscription**: Shared infrastructure and platform services
- **Product Subscription**: Dedicated resources for specific products
- **Sandbox Subscription**: Experimental and development environments
- **Innovation Subscription**: Innovation and learning environments
### Multi-Region Terminology
- **Sovereign Cloud**: Cloud deployment with complete regional control and data residency
- **Landing Zone**: Regional deployment pattern for sovereign deployments
- **Cross-Region Governance**: Governance policies spanning multiple regions
- **Regional Data Residency**: Requirement that data remains in specific region
- **Federated Identity**: Identity federation across regions or tenants
### Decentralized Architecture Terminology
- **Distributed Control Plane**: Control plane deployed per region
- **Federated Governance**: Governance policies federated across regions
- **Eventual Consistency**: Data consistency achieved over time across regions
- **Regional Autonomy**: Regional control with coordinated governance
### Comparison to Azure/AWS
- **Azure AD Tenant** → **Phoenix Tenant**
- **Azure Subscription** → **Phoenix Subscription**
- **Azure Resource Group** → **Phoenix Environment**
- **AWS Organization** → **Phoenix Client/Tenant**
- **AWS Account** → **Phoenix Subscription**
- **AWS Region** → **Phoenix Region/Landing Zone**
---
## XIII. Why This Works for Phoenix / Sankofa
This operating model provides:
1. **Enterprise-Scale Client Separation**: Support for large multi-tenant deployments
2. **Strong Security & Sovereignty Boundaries**: Tenant as security blast-radius, regional sovereignty
3. **Clean DevOps Velocity**: Content & DevOps separate from billing/tenancy
4. **Clear Monetization and Cost Attribution**: Client-level billing with subscription aggregation
5. **Regulator-Friendly Audit Trails**: Complete governance and compliance logging
6. **Future Readiness**: Sovereign, regulated, and AI workloads supported
7. **Multi-Region Native**: Designed for international/multi-national sovereign governments
8. **Decentralized Architecture**: Supports distributed governance and sovereignty
### Alignment with Industry Standards
- **Azure / AWS / GCP Mental Models**: Familiar concepts with Phoenix enhancements
- **Regulated Banking & Public-Sector Frameworks**: Compliance-ready architecture
- **Multi-Tenant SaaS at Scale**: Enterprise-grade multi-tenancy
- **Sovereign Cloud Requirements**: Regional sovereignty and data residency
### Competitive Advantages
- **Superior Multi-Tenancy**: Better than Azure with finer-grained control
- **Superior Billing**: Per-second granularity vs Azure's hourly
- **Sovereign Identity**: Keycloak-based, no Azure dependencies
- **Multi-Region Native**: Built for international/multi-national deployments
- **Decentralized Architecture**: Supports distributed sovereignty
- **Landing Zone Patterns**: Sovereign cloud deployments per region
---
## References
### Related Phoenix Documentation
- **[Architecture Diagrams](./OPERATING_MODEL_DIAGRAMS.md)** - Visual diagrams of the operating model
- **[Cloud Provider Mapping](./CLOUD_PROVIDER_MAPPING.md)** - Azure/AWS mapping and competitive analysis
- **[MVP Control Plane](./MVP_CONTROL_PLANE.md)** - Minimum viable product specification
- **[Multi-Region Landing Zones](./MULTI_REGION_LANDING_ZONES.md)** - Landing zone patterns and deployment
- **[Migration Guide](./MIGRATION_GUIDE.md)** - Migration from existing systems and cloud providers
- **[Product Specification](./PRODUCT_SPEC.md)** - Client-facing product specification
### Existing Documentation (Tenant-Based Model)
> **Note**: The following documents describe the current tenant-based model. See [Migration Guide](./MIGRATION_GUIDE.md) for migration to the new operating model.
- **[Tenant Management](../tenants/TENANT_MANAGEMENT.md)** - Current multi-tenant operations guide
- **[Billing Guide](../tenants/BILLING_GUIDE.md)** - Current billing and cost management
- **[Identity Setup](../tenants/IDENTITY_SETUP.md)** - Current Keycloak configuration
### Architecture Documentation
- **[Data Model](../architecture/data-model.md)** - GraphQL schema and data model
- **[GitOps Infrastructure](../../gitops/README.md)** - GitOps infrastructure
- **[Architecture Diagrams](../architecture/README.md)** - System architecture diagrams
---
**Last Updated**: 2025-01-09
**Version**: 1.0
**Status**: Comprehensive Operating Model Documentation