Safe scope switching in multi-tenant developer tools
Why Authdog CLI clears descendant selections when organization or tenant context changes.
Authdog Engineering
Persisted context makes developer tools fast, but nested context can become invalid when a parent selection changes. A project belongs to a tenant. An environment belongs to a project. Keeping either one after switching to another tenant creates a state that never existed on the server.
Authdog CLI treats scope as a hierarchy, not a bag of unrelated IDs.
Model descendants explicitly
The persisted session can include:
organization
tenant
project
environmentEach level constrains the levels below it. The CLI applies that relationship whenever a selection changes.
Choosing a different organization clears tenant, project, and environment. Choosing a different tenant clears project and environment. Choosing a project clears any previously selected environment.
Prevent stale combinations
Without cascade clearing, a session could claim:
- organization from account A
- tenant from organization B
- project from an older tenant
- environment from an unrelated project
Even when APIs reject that combination, presenting it in local status creates confusion. Worse, client code might accidentally use one stale identifier before another request corrects the state.
Clearing descendants at the moment a parent changes gives the local session one valid interpretation.
Filter tenant choices by organization
Organization selection also changes what the tenant picker displays. Authdog CLI filters merged tenant data against the active organization and avoids showing unrelated tenants in that scoped view.
If an account has no organizations, /browse can proceed directly to all available tenants. The rule adapts to account shape without weakening organization boundaries when they exist.
Make clearing visible
Users can inspect the resulting path with /status. /tenant displays the current tenant, while /tenant clear deliberately removes tenant scope and its descendants.
Explicit status and explicit clearing matter in interactive tools. Hidden context is difficult to debug; visible context gives users a chance to catch mistakes before acting.
General lesson
Any developer tool that persists hierarchical cloud resources should encode parent-child invalidation centrally. Do not rely on every screen or command to remember which IDs have become stale.
Scope safety starts with a small invariant: when a parent changes, no descendant survives without being selected again.