docs: add tenant CA cert management to CLAUDE.md and HOWTO.md

- TenantCaCertEntity, TenantCaCertRepository, TenantCaCertService - TenantPortalController CA endpoints - V013 migration - Tenant portal API reference updated Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 19:36:51 +02:00
parent dd30ee77d4
commit 82f62ca0ff
2 changed files with 9 additions and 1 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -38,7 +38,7 @@ Agent-server protocol is defined in `cameleer3/cameleer3-common/PROTOCOL.md`. Th

 **portal/** — Tenant admin portal (org-scoped)
 - `TenantPortalService.java` — customer-facing: dashboard (health from server), license, SSO connectors, team, settings, server restart
- `TenantPortalController.java` — REST at `/api/tenant/*` (org-scoped)
+- `TenantPortalController.java` — REST at `/api/tenant/*` (org-scoped, includes CA cert management at `/api/tenant/ca`)

 **provisioning/** — Pluggable tenant provisioning
 - `TenantProvisioner.java` — pluggable interface (like server's RuntimeOrchestrator)
@@ -54,6 +54,9 @@ Agent-server protocol is defined in `cameleer3/cameleer3-common/PROTOCOL.md`. Th
 - `CertificateController.java` — REST at `/api/vendor/certificates` (platform:admin required)
 - `CertificateEntity.java` — JPA entity (status: ACTIVE/STAGED/ARCHIVED, subject, fingerprint, etc.)
 - `CertificateStartupListener.java` — seeds DB from filesystem on boot (for bootstrap-generated certs)
+- `TenantCaCertEntity.java` — JPA entity for per-tenant CA certs (PEM stored in DB, multiple per tenant)
+- `TenantCaCertRepository.java` — queries by tenant, status, all active across tenants
+- `TenantCaCertService.java` — stage/activate/delete tenant CAs, rebuilds aggregated `ca.pem` on changes

 **license/** — License management
 - `LicenseEntity.java` — JPA entity (id, tenant_id, tier, features JSONB, limits JSONB, expires_at)
@@ -280,6 +283,7 @@ PostgreSQL (Flyway): `src/main/resources/db/migration/`
 - V010 — cleanup of migrated tables
 - V011 — add provisioning fields (server_endpoint, provision_error)
 - V012 — certificates table + tenants.ca_applied_at
+- V013 — tenant_ca_certs (per-tenant CA certificates with PEM storage)

 ## Related Conventions