Ory Keto ReBAC Policy & Relation Tuple Architecture

backend/internal/bootstrap/bootstrap.go

@@ -39,6 +39,7 @@ func migrateSchemas(db *gorm.DB) error {
 		&domain.IdentityProviderConfig{},
 		&domain.ClientSecret{},
 		&domain.ClientConsent{},
+		&domain.KetoOutbox{},
 		// &domain.RelyingParty{}, // Removed: SSOT is Hydra + Keto
 	)
 }

backend/internal/bootstrap/keto_sync.go

@@ -23,7 +23,7 @@ func SyncKetoRelations(db *gorm.DB, keto service.KetoService) error {
 	slog.Info("Syncing tenants to Keto", "count", len(tenants))
 	for _, t := range tenants {
 		if t.ParentID != nil {
-			_ = keto.CreateRelation(ctx, "Tenant", t.ID, "parent", *t.ParentID)
+			_ = keto.CreateRelation(ctx, "Tenant", t.ID, "parents", "Tenant:"+*t.ParentID)
 		}
 	}
 
@@ -36,14 +36,14 @@ func SyncKetoRelations(db *gorm.DB, keto service.KetoService) error {
 	for _, u := range users {
 		// Membership
 		if u.TenantID != nil {
-			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "members", u.ID)
+			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "members", "User:"+u.ID)
 		}
 
 		// Roles
 		if u.Role == domain.RoleSuperAdmin {
-			_ = keto.CreateRelation(ctx, "System", "global", "super_admins", u.ID)
+			_ = keto.CreateRelation(ctx, "System", "global", "super_admins", "User:"+u.ID)
 		} else if u.Role == domain.RoleTenantAdmin && u.TenantID != nil {
-			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "admins", u.ID)
+			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "admins", "User:"+u.ID)
 		}
 	}
 

backend/internal/bootstrap/tenant_seed.go

@@ -31,7 +31,8 @@ func SeedTenants(db *gorm.DB) error {
 	slog.Info("[Bootstrap] Seeding initial tenants...")
 	repo := repository.NewTenantRepository(db)
 	userRepo := repository.NewUserRepository(db)
-	svc := service.NewTenantService(repo, userRepo)
+	outboxRepo := repository.NewKetoOutboxRepository(db)
+	svc := service.NewTenantService(repo, userRepo, outboxRepo)
 	ctx := context.Background()
 
 	for _, config := range defaultTenants {