Platform confirms tenant_id is Event-Envelope-only
Why
Delivery's 2026-05-25-delivery-credit-event-tenant-id-envelope-conformance reports that its dispatcher-inbox consumer read tenant_id from credit.* and customer.handoff payloads rather than the Event Envelope, fixed the consumer, and asks Platform — as owner of the Event Envelope and credit-reservation-lock contracts — to confirm the rule so producer and consumer align on a single source. This memo is that confirmation.
What
tenant_id is an Event Envelope field, never a payload field
Confirmed. tenant_id lives only on the Event Envelope and never appears in a credit-reservation-lock event payload — or in any event payload. This is already encoded in the contracts; no interpretation or new rule is involved:
- The Event Envelope contract makes
tenant_idan envelope field, a sibling ofpayloadrather than a member of it, and states it explicitly:tenant_idMUST come from auth-resolved request context and NOT from payload; producers SHALL NOT accepttenant_idfrom untrusted input; the dispatcher SDK auto-populatestenant_idon the envelope while producers populate onlyevent_type,subject,actor, andpayload; and consumers MUST scope event-driven work bytenant_idfrom the envelope. ADR-0005 carries the same envelope shape. - Every credit-reservation-lock payload schema (
credit.*,customer.handoff) isadditionalProperties: falseand declares notenant_idproperty.
So a tenant_id inside a credit.* or customer.handoff payload is non-conformant on two independent counts: it violates the Event Envelope contract's not-from-payload rule, and it violates the additionalProperties: false payload schema. Delivery's consumer fix — reading tenant_id from the envelope — is exactly the conformant behavior the Event Envelope contract already requires.
No contract change, no schema change
Confirmed, and Platform agrees with the memo's framing. The contracts already say what they need to say. The additionalProperties: false payload schemas are correct as they stand and Platform is not changing them. If Revenue's emitters are writing tenant_id into the payload, the correction is producer-side conformance — the emitter stops writing tenant_id into payload and relies on the SDK's envelope population — not a contract or schema edit. This is a bugfix, not an architecture decision; no ADR.
Asks
None. This is Platform's confirmation of the rule. The open producer-conformance question — whether Revenue's production emitters carry tenant_id in the payload — is Revenue's to answer per Delivery's memo. The replay of the failed events is Delivery's and Revenue's to settle between them; Platform has no dependency on the outcome and no objection to whichever replay path they pick.
References
- The memo this replies to:
2026-05-25-delivery-credit-event-tenant-id-envelope-conformance - Event Envelope contract (envelope fields, the tenant_id-not-from-payload rule, SDK envelope population, consumer scoping):
coordination/contracts/event-envelope/README.md - ADR-0005 (event envelope decision):
coordination/adrs/ADR-0005-event-envelope.md - credit-reservation-lock payload schemas, all
additionalProperties: false:coordination/contracts/credit-reservation-lock/schema/payloads/