VV Stories

5 stories across 3 validation groups. Each story proves one moment of truth for multi-tenant routing.

Org Isolation

Can each tenant see only their data?

S1 Action
When

Solar365 admin signs in for the first time. They belong to one org. Current app dumps them on /dashboard showing Dreamineering's data.

I need to

Land on /org/solar365/dashboard automatically, seeing only Solar365 data.

So I get

Sign-in → redirect to /org/solar365/dashboard in <3s. CRM contacts count matches Solar365's data, not Dreamineering's. Zero Dreamineering records visible.

Not

User lands on /org/solar365/dashboard but server actions still return Dreamineering data because ApplicationContext ignores the URL slug.

Eval Target
Correctness
Pass: zero cross-tenant records visible
Baseline: all routes show Dreamineering data regardless of user org

S2 Action
When

Dreamineering admin navigates to /org/solar365/crm by manually editing the URL. They are not a member of Solar365.

I need to

Be denied access and redirected to their own org.

So I get

Request to /org/solar365/* returns redirect to /organisations/select within 500ms. No Solar365 data exposed in response.

Not

User gets a 403 error page but the initial server component render already fetched and exposed Solar365 data in the HTML before the redirect.

Eval Target
Trust
Pass: zero bytes of cross-tenant data in response body
Baseline: no URL-based org guard exists

S5 Action
When

Single-org user signs in. They belong to exactly one org. Current flow works — they should not see org picker or experience delays.

I need to

Auto-redirect to /org/[their-slug]/dashboard with no visible org picker.

So I get

Sign-in → redirect to /org/[slug]/dashboard. No intermediate org picker screen. Login time increase <200ms vs current.

Not

Single-org user briefly sees the org picker flash before redirect — poor UX that suggests complexity they don't have.

Eval Target
Alignment
Pass: zero org picker visibility for single-org users, <200ms added latency
Baseline: single-org users auto-redirect to /rfp (current behavior)

Org Switching

Can users move between orgs?

S3 Action
When

Platform operator belongs to both Dreamineering and Solar365 orgs. Currently they must sign out and sign back in to switch context.

I need to

Switch org context via nav component without re-authentication.

So I get

Click org name in nav → dropdown shows both orgs → click Solar365 → navigate to /org/solar365/dashboard. Total switch time <2s. No re-authentication required.

Not

Org switcher navigates to /org/solar365/ but session still holds Dreamineering's organisationId — data mismatch between URL and queries.

Eval Target
Reliability
Pass: <2s switch time, data matches URL org on every page
Baseline: no org switching capability exists
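The "Not" cases in S1, S2 and S3 share one fix: take the tenant from the URL slug, check membership before any query runs, and pass that slug to every query. The sketch below is an added example in plain JavaScript, not the app's own code. `handleOrgRequest`, `listContacts`, the `userId` field and the sample users and rows are hypothetical, and `organisationId` is shown holding a slug for simplicity.

```javascript
// Constructed sample data (hypothetical, not from the app): memberships and CRM rows.
const MEMBERSHIPS = new Map([
  ["dm-admin", ["dreamineering"]],
  ["solar-admin", ["solar365"]],
  ["operator", ["dreamineering", "solar365"]],
]);
const CONTACTS = [
  { org: "dreamineering", name: "Ada" },
  { org: "dreamineering", name: "Grace" },
  { org: "solar365", name: "Hedy" },
];

// Counts tenant data reads so a test can prove that a denied request reads nothing.
let fetchCount = 0;

// Data access takes the org as a required argument; there is no session default to fall back on.
function listContacts(orgSlug) {
  fetchCount += 1;
  return CONTACTS.filter((c) => c.org === orgSlug);
}

// Resolve the tenant from the URL, then authorize, then fetch. The order is the S2 fix.
function handleOrgRequest(session, path) {
  const match = /^\/org\/([a-z0-9-]+)\/(.+)$/.exec(path);
  if (!match) return { status: 404, body: "" };
  const [, slug, page] = match;

  const orgs = MEMBERSHIPS.get(session.userId) || [];
  if (!orgs.includes(slug)) {
    // Non-member: redirect with an empty body before any tenant query has run.
    return { status: 302, location: "/organisations/select", body: "" };
  }

  // Member: scope by the URL slug, never by a possibly stale session.organisationId (S1, S3).
  const rows = page === "crm" ? listContacts(slug) : [];
  return { status: 200, org: slug, body: JSON.stringify(rows) };
}

// S2: a Dreamineering admin edits the URL to reach Solar365.
const denied = handleOrgRequest(
  { userId: "dm-admin", organisationId: "dreamineering" }, "/org/solar365/crm");
console.log(denied.status, denied.location, "reads:", fetchCount);

// S3: an operator whose session still names Dreamineering opens the Solar365 URL.
const switched = handleOrgRequest(
  { userId: "operator", organisationId: "dreamineering" }, "/org/solar365/crm");
console.log(switched.status, switched.org, switched.body);
```

The S2 pass criterion becomes testable as two assertions on the denied response: the body is empty and the read counter did not move.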

Backwards Compatibility

Do existing URLs still work?

S4 Action
When

Existing user has bookmarked /dashboard, /crm, /plans. Routes now live under /org/[slug]/*.

I need to

Old URLs redirect to the correct org-scoped path without breaking.

So I get

/dashboard → /org/[user-primary-org-slug]/dashboard via 302 redirect. Bookmark still works. Zero 404s for existing routes.

Not

Redirect works for /dashboard but breaks for nested routes like /crm/contacts/[id] — partial redirect coverage.

Eval Target
Reliability
Pass: 100% of existing (app)/ routes redirect correctly
Baseline: routes at /(app)/* return 200 with Dreamineering data