{"success":true,"data":{"module":"mupza_tenant_branch_scope_guard_preview_v1","previewRoute":"/tenant-branch-scope-guard","mockApiRoute":"/api/mock/restaurant-os/tenant-branch-scope-guard","mode":"local_read_only_static_preview","policy":{"denyByDefault":true,"realBackendAuthorizationMiddlewareCreated":false,"realDatabaseConnected":false,"realTenantDataCreated":false,"realBranchDataCreated":false,"realPermissionGrantsCreated":false,"authBypassAdded":false,"productionTouched":false,"stagingTouched":false,"sshUsed":false,"dockerUsed":false,"secretsTouched":false,"envFilesChanged":false,"veloraCrmTouched":false},"summary":{"exampleCount":10,"allowedCount":1,"deniedCount":9,"auditedCount":10,"redactionLevels":["none","branch-summary","tenant-safe-summary","full-redaction"]},"examples":[{"id":"same-tenant-restaurant-branch-order-read-allowed","title":"Same tenant + same restaurant + same branch order read: allowed","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"manager","requestedResource":"order:branch_fountain_square:ORD-1001","resourceType":"order","expectedDecision":"allow","reason":"Actor, order and request context share the same tenantId, restaurantId and branchId for a read-only order lookup.","auditRequired":true,"redactionLevel":"none"},{"id":"same-tenant-restaurant-different-branch-order-read-denied","title":"Same tenant + same restaurant + different branch order read: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"cashier","requestedResource":"order:branch_seaside:ORD-2002","resourceType":"order","expectedDecision":"deny","reason":"Cross-branch order reads are denied unless an explicit branch grant exists; this preview intentionally has no grant.","auditRequired":true,"redactionLevel":"branch-summary"},{"id":"same-tenant-different-restaurant-branch-access-denied","title":"Same tenant + different restaurant branch access: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"admin","requestedResource":"restaurant:restaurant_ganja_grill/branch:branch_nizami","resourceType":"restaurant-branch","expectedDecision":"deny","reason":"Restaurant boundary changed inside the same tenant, so branch details are denied without a restaurant-level assignment.","auditRequired":true,"redactionLevel":"tenant-safe-summary"},{"id":"different-tenant-access-denied","title":"Different tenant access: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"owner","requestedResource":"tenant:tenant_private_competitor/restaurant:restaurant_old_city/orders","resourceType":"order","expectedDecision":"deny","reason":"Cross-tenant access is always denied in this preview and returns full redaction to prevent tenant data leakage.","auditRequired":true,"redactionLevel":"full-redaction"},{"id":"pos-device-from-wrong-branch-denied","title":"POS device from wrong branch: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"pos-device","requestedResource":"pos-device:POS-SEASIDE-02/session:branch_seaside","resourceType":"pos-device-session","expectedDecision":"deny","reason":"A POS device registered to another branch cannot open a session for this branch context.","auditRequired":true,"redactionLevel":"branch-summary"},{"id":"waiter-assigned-to-wrong-branch-table-denied","title":"Waiter assigned to wrong branch/table: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"waiter","requestedResource":"table:branch_seaside:T12","resourceType":"waiter-table-assignment","expectedDecision":"deny","reason":"Waiter table assignment is scoped to one branch; wrong branch or table assignments are denied by default.","auditRequired":true,"redactionLevel":"branch-summary"},{"id":"kitchen-station-from-wrong-branch-denied","title":"Kitchen station from wrong branch: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"kitchen","requestedResource":"kitchen-station:branch_seaside:grill/ticket:KOT-3003","resourceType":"kitchen-station-ticket","expectedDecision":"deny","reason":"Kitchen tickets stay within the issuing branch so stations cannot view tickets from another branch.","auditRequired":true,"redactionLevel":"branch-summary"},{"id":"courier-assigned-to-wrong-branch-delivery-denied","title":"Courier assigned to wrong branch delivery: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"courier","requestedResource":"delivery:branch_seaside:DEL-4004","resourceType":"delivery-assignment","expectedDecision":"deny","reason":"Courier delivery assignment belongs to a different branch, so address and customer details stay redacted.","auditRequired":true,"redactionLevel":"full-redaction"},{"id":"reports-export-across-branches-without-explicit-grant-denied","title":"Reports export across branches without explicit grant: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"reporting","requestedResource":"reports:restaurant_baku_central:all-branches:sales-export","resourceType":"reports-export","expectedDecision":"deny","reason":"Cross-branch reports export is denied because this preview creates no explicit multi-branch reporting grant.","auditRequired":true,"redactionLevel":"tenant-safe-summary"},{"id":"tenant-domain-route-mismatch-denied","title":"Tenant domain route mismatch: denied","tenantId":"tenant_az_demo_food_group","restaurantId":"restaurant_baku_central","branchId":"branch_fountain_square","actorRole":"domain-router","requestedResource":"host:orders.other-tenant.example.invalid/path:/branch_fountain_square/menu","resourceType":"tenant-domain-route","expectedDecision":"deny","reason":"Domain tenant resolution does not match the route tenantId, so the request is denied before branch data is shown.","auditRequired":true,"redactionLevel":"full-redaction"}]}}