e3756ac1d1
Phase G: every Operation now carries (TenantID, ActorUserID, ActorEmail) stamped at opStore.Create from the request scope. The bell SSE stream filters per event against the caller's scope before emitting (closes the cross-tenant leak — non-super-admin users no longer see other tenants' ops). Get / Cancel / Stream-one return 404 (not 403) when the caller can't see the op so existence isn't probable across tenants. List endpoint uses op.TenantID directly (covers in-flight ops with no Argo App yet); legacy ops with empty tenant fall back to the Argo lookup so the upgrade is seamless. Delete leak: cascade-delete failure used to fail the whole flow, stranding the Gitea overlay repo + DNS A record. Now: cascade fails → escalate to ForceDeleteApplication (strip finalizers) → continue to repo + DNS cleanup. Both fail only when ArgoCD itself is unreachable. Caught when odoo16v2 left tenant-havari/instance- odoo16v2 orphaned across the smoke test. Tests + build green.
admin-platform-v3
Tower platform Helm chart