Issues / #107

Multi-tenant starter tier (single shared land for free/starter orgs)

open feature Priority: medium Project: nimsforest Reporter: 3 May 2026 19:59

Description

## Goal

Move starter-tier orgs onto a shared multi-tenant land so onboarding is instant (no Hetzner provisioning wait) and free orgs cost near zero. Pro tier still graduates to a dedicated land. Depends on the bootstrap automation issue landing first.

## Scope

1. **Tenant-scoped forest runtime.** Single forest on shared land hosts multiple org tenants, isolated by NATS account namespacing. Tenant identity propagates through Wind subjects (`org.{slug}.tap.>`) and Soil keys (`org.{slug}.catalog.>`).
2. **Tenant-scoped bedrock.** Organize git repos and Productize state partitioned per tenant: separate git repos under `/var/lib/organize/{org-slug}/` (or namespaced storage). No cross-tenant filesystem access.
3. **Hub-hosted starter services.** Move stateless services (nimregistry, skills, admin UI, agentcodex pool) from per-org to hub. Per-tenant config is just a row, not a container.
4. **Tenant routing in mycelium proxy.** Single myceliumproxy instance on shared land, routes requests by tenant token. Drops the per-org myceliumproxy container.
5. **DNS routing.** `{slug}.starter.mynimsforest.com` (or similar) routes to shared land instead of per-org IP. landregistry maps slug to land assignment (shared vs dedicated).
6. **Tenant lifecycle on shared land.** Create/suspend/delete a tenant without touching any other tenant or restarting the forest. New endpoint: `POST /api/tenants` on shared land.
7. **Graduation path.** Starter to Pro upgrade exports tenant state from shared land, provisions dedicated land, imports state. One-time migration; documented runbook.

## Out of Scope

- Pro tier changes (continues to use dedicated land)
- Custom domains for starter orgs (only generated subdomains)
- Bedrock backup/restore tooling beyond what graduation needs

## Acceptance

- Free signup via nimsforestecommerce returns a working forest URL within seconds (no Hetzner wait)
- Two starter orgs on the same land cannot read each other's organize data, productize state, or NATS subjects
- Starter to Pro graduation tested end-to-end with no data loss
- Documented in runbooks (shared-land tenancy model, graduation procedure)
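The isolation criterion above (two starter orgs on one land must not reach each other's organize data or NATS subjects) comes down to enforcing the `org.{slug}.` prefix and the `/var/lib/organize/{org-slug}/` root on every tenant-supplied subject and path. The following is an added illustration, not nimsforest code: the slug format, the `tap`/`catalog` stream names and the `acme`/`globex` tenants are assumptions built from the scope items.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed slug format (not from the issue): a lowercase DNS label, so a slug
// can never carry NATS tokens ('.', '*', '>') or path separators.
var slugRe = regexp.MustCompile(`^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$`)
func ValidSlug(slug string) bool { return slugRe.MatchString(slug) }

// SubjectAllowed reports whether subject lies inside the tenant namespace
// org.{slug}.tap.> or org.{slug}.catalog.>. The first two tokens must match
// literally, so a wildcard there ("org.*.tap.x") is rejected.
func SubjectAllowed(slug, subject string) bool {
	toks := strings.Split(subject, ".")
	if !ValidSlug(slug) || len(toks) < 4 || toks[0] != "org" || toks[1] != slug {
		return false
	}
	if toks[2] != "tap" && toks[2] != "catalog" {
		return false
	}
	for i, t := range toks {
		if t == "" || (t == ">" && i != len(toks)-1) {
			return false // empty token, or full wildcard not in last position
		}
	}
	return true
}

// OrganizePath resolves rel under /var/lib/organize/{slug}/ (the per-tenant
// root named in the issue) and rejects any result that escapes it.
func OrganizePath(slug, rel string) (string, error) {
	if !ValidSlug(slug) {
		return "", fmt.Errorf("invalid tenant slug %q", slug)
	}
	root := filepath.Join("/var/lib/organize", slug)
	p := filepath.Join(root, rel) // Join cleans "..", so escapes become visible
	if p != root && !strings.HasPrefix(p, root+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes tenant root %s", rel, root)
	}
	return p, nil
}

func main() { fmt.Println(OrganizePath("acme", "../globex/repos/main.git")) }
```

Wiring these checks into the token-routing layer of myceliumproxy (item 4) keeps them in one place, so a later per-tenant feature cannot bypass them by building subjects or paths itself.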

## Depends On

Bootstrap automation issue (single API endpoint + auto NATS account + token vending) must land first.

## Affected Repos

nimsforest2, landregistry, mycelium, land, landconfigregistry, nimsforestorganize, nimsforestproductize, nimsforestecommerce