This profile-testbed example describes the agentic boundaries for TenantCommerce Control.
It is not a repo-local production claim. The repository remains independent: it is not an AAIF project, not a Linux Foundation project, and not endorsed by either organization.
Tenant-scoped catalog edits, pricing changes, inventory changes, storefront publication, order operations, customer data access, and cross-tenant administrative actions.
| Actor | Responsibility |
|---|---|
| Tenant operator | Owns catalog, storefront, and order decisions for one tenant. |
| Platform admin | Manages shared policy, billing, and platform-level controls. |
| Commerce agent | Proposes catalog, support, pricing, and order workflow changes. |
| Commerce adapter | Connects to storefront, payment, inventory, and fulfillment systems. |
| Maintainer | Reviews tenancy, policy, and audit evidence. |
- Every action must carry tenant id and human operator context.
- Agents cannot cross tenant boundaries without platform-admin approval.
- Payment and customer data scopes must be separated from catalog-edit scopes.
- Provider credentials remain environment-owned and tenant-scoped where possible.
| Action | Boundary |
|---|---|
| read_catalog | Allowed inside one tenant scope. |
| propose_catalog_change | Draft only until approved by tenant operator. |
| publish_storefront | Requires human approval and preview evidence. |
| change_price | Requires policy check, approval, and audit event. |
| manage_order | Requires customer-impact classification and approval gate. |
- Before publishing storefront changes.
- Before price, discount, tax, shipping, or refund changes.
- Before accessing customer PII beyond operational need.
- Before cross-tenant analytics or administrative actions.
| Event | Minimum Evidence |
|---|---|
| tenant.context_loaded | tenant id, operator id, scope, timestamp |
| catalog.change_proposed | sku, change type, reason, risk class |
| storefront.publish_approved | approver, preview id, diff pointer |
| order.action_requested | order id, action type, customer impact |
| cross_tenant.access_denied | requester, attempted tenant, policy reason |
npm installto prove dependency resolution.npm run lintto prove static project health.npm run testfor tenant and policy checks when available.npm run buildto prove the application compiles.- Use sample tenants, products, and orders in public proof.
- Use PostgreSQL tenant tables before hosted-only commerce data stores.
- Keep payment processors behind adapters and use sandbox keys only.
- Use local queues for catalog publication and inventory sync tests.
- Keep storefront rendering portable across self-hosted and hosted deployments.
Add a repo-local docs/AGENTIC_BOUNDARY_MODEL.md after review and link it from agentic-readiness.json.