WIP - multitenant initial work

backend/src/models/account.model.ts

@@ -0,0 +1,23 @@
+import { BaseModel } from './base.model';
+
+export class Account extends BaseModel {
+  static tableName = 'accounts';
+
+  id!: string;
+  name!: string;
+  website?: string;
+  phone?: string;
+  industry?: string;
+  ownerId?: string;
+
+  static relationMappings = {
+    owner: {
+      relation: BaseModel.BelongsToOneRelation,
+      modelClass: 'user.model',
+      join: {
+        from: 'accounts.ownerId',
+        to: 'users.id',
+      },
+    },
+  };
+}

backend/src/models/app-page.model.ts

@@ -0,0 +1,24 @@
+import { BaseModel } from './base.model';
+
+export class AppPage extends BaseModel {
+  static tableName = 'app_pages';
+
+  id!: string;
+  appId!: string;
+  slug!: string;
+  label!: string;
+  type!: string;
+  objectApiName?: string;
+  displayOrder!: number;
+
+  static relationMappings = {
+    app: {
+      relation: BaseModel.BelongsToOneRelation,
+      modelClass: 'app.model',
+      join: {
+        from: 'app_pages.appId',
+        to: 'apps.id',
+      },
+    },
+  };
+}

backend/src/models/app.model.ts

@@ -0,0 +1,22 @@
+import { BaseModel } from './base.model';
+
+export class App extends BaseModel {
+  static tableName = 'apps';
+
+  id!: string;
+  slug!: string;
+  label!: string;
+  description?: string;
+  displayOrder!: number;
+
+  static relationMappings = {
+    pages: {
+      relation: BaseModel.HasManyRelation,
+      modelClass: 'app-page.model',
+      join: {
+        from: 'apps.id',
+        to: 'app_pages.appId',
+      },
+    },
+  };
+}

backend/src/models/base.model.ts

@@ -0,0 +1,16 @@
+import { Model, ModelOptions, QueryContext } from 'objection';
+
+export class BaseModel extends Model {
+  id: string;
+  createdAt: Date;
+  updatedAt: Date;
+
+  $beforeInsert(queryContext: QueryContext) {
+    this.createdAt = new Date();
+    this.updatedAt = new Date();
+  }
+
+  $beforeUpdate(opt: ModelOptions, queryContext: QueryContext) {
+    this.updatedAt = new Date();
+  }
+}

backend/src/models/field-definition.model.ts

@@ -0,0 +1,33 @@
+import { BaseModel } from './base.model';
+
+export class FieldDefinition extends BaseModel {
+  static tableName = 'field_definitions';
+
+  id!: string;
+  objectDefinitionId!: string;
+  apiName!: string;
+  label!: string;
+  type!: string;
+  length?: number;
+  precision?: number;
+  scale?: number;
+  referenceObject?: string;
+  defaultValue?: string;
+  description?: string;
+  isRequired!: boolean;
+  isUnique!: boolean;
+  isSystem!: boolean;
+  isCustom!: boolean;
+  displayOrder!: number;
+
+  static relationMappings = {
+    objectDefinition: {
+      relation: BaseModel.BelongsToOneRelation,
+      modelClass: 'object-definition.model',
+      join: {
+        from: 'field_definitions.objectDefinitionId',
+        to: 'object_definitions.id',
+      },
+    },
+  };
+}

backend/src/models/object-definition.model.ts

@@ -0,0 +1,46 @@
+import { BaseModel } from './base.model';
+
+export class ObjectDefinition extends BaseModel {
+  static tableName = 'object_definitions';
+
+  id: string;
+  apiName: string;
+  label: string;
+  pluralLabel?: string;
+  description?: string;
+  isSystem: boolean;
+  isCustom: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+
+  static get jsonSchema() {
+    return {
+      type: 'object',
+      required: ['apiName', 'label'],
+      properties: {
+        id: { type: 'string' },
+        apiName: { type: 'string' },
+        label: { type: 'string' },
+        pluralLabel: { type: 'string' },
+        description: { type: 'string' },
+        isSystem: { type: 'boolean' },
+        isCustom: { type: 'boolean' },
+      },
+    };
+  }
+
+  static get relationMappings() {
+    const { FieldDefinition } = require('./field-definition.model');
+
+    return {
+      fields: {
+        relation: BaseModel.HasManyRelation,
+        modelClass: FieldDefinition,
+        join: {
+          from: 'object_definitions.id',
+          to: 'field_definitions.objectDefinitionId',
+        },
+      },
+    };
+  }
+}

backend/src/models/permission.model.ts

@@ -0,0 +1,25 @@
+import { BaseModel } from './base.model';
+
+export class Permission extends BaseModel {
+  static tableName = 'permissions';
+
+  id!: string;
+  name!: string;
+  guardName!: string;
+  description?: string;
+
+  static relationMappings = {
+    roles: {
+      relation: BaseModel.ManyToManyRelation,
+      modelClass: 'role.model',
+      join: {
+        from: 'permissions.id',
+        through: {
+          from: 'role_permissions.permissionId',
+          to: 'role_permissions.roleId',
+        },
+        to: 'roles.id',
+      },
+    },
+  };
+}

backend/src/models/role-permission.model.ts

@@ -0,0 +1,28 @@
+import { BaseModel } from './base.model';
+
+export class RolePermission extends BaseModel {
+  static tableName = 'role_permissions';
+
+  id!: string;
+  roleId!: string;
+  permissionId!: string;
+
+  static relationMappings = {
+    role: {
+      relation: BaseModel.BelongsToOneRelation,
+      modelClass: 'role.model',
+      join: {
+        from: 'role_permissions.roleId',
+        to: 'roles.id',
+      },
+    },
+    permission: {
+      relation: BaseModel.BelongsToOneRelation,
+      modelClass: 'permission.model',
+      join: {
+        from: 'role_permissions.permissionId',
+        to: 'permissions.id',
+      },
+    },
+  };
+}

backend/src/models/role.model.ts

@@ -0,0 +1,66 @@
+import { BaseModel } from './base.model';
+
+export class Role extends BaseModel {
+  static tableName = 'roles';
+
+  id: string;
+  name: string;
+  guardName: string;
+  description?: string;
+  createdAt: Date;
+  updatedAt: Date;
+
+  static get jsonSchema() {
+    return {
+      type: 'object',
+      required: ['name'],
+      properties: {
+        id: { type: 'string' },
+        name: { type: 'string' },
+        guardName: { type: 'string' },
+        description: { type: 'string' },
+      },
+    };
+  }
+
+  static get relationMappings() {
+    const { RolePermission } = require('./role-permission.model');
+    const { Permission } = require('./permission.model');
+    const { User } = require('./user.model');
+
+    return {
+      rolePermissions: {
+        relation: BaseModel.HasManyRelation,
+        modelClass: RolePermission,
+        join: {
+          from: 'roles.id',
+          to: 'role_permissions.roleId',
+        },
+      },
+      permissions: {
+        relation: BaseModel.ManyToManyRelation,
+        modelClass: Permission,
+        join: {
+          from: 'roles.id',
+          through: {
+            from: 'role_permissions.roleId',
+            to: 'role_permissions.permissionId',
+          },
+          to: 'permissions.id',
+        },
+      },
+      users: {
+        relation: BaseModel.ManyToManyRelation,
+        modelClass: User,
+        join: {
+          from: 'roles.id',
+          through: {
+            from: 'user_roles.roleId',
+            to: 'user_roles.userId',
+          },
+          to: 'users.id',
+        },
+      },
+    };
+  }
+}

backend/src/models/user-role.model.ts

@@ -0,0 +1,28 @@
+import { BaseModel } from './base.model';
+
+export class UserRole extends BaseModel {
+  static tableName = 'user_roles';
+
+  id!: string;
+  userId!: string;
+  roleId!: string;
+
+  static relationMappings = {
+    user: {
+      relation: BaseModel.BelongsToOneRelation,
+      modelClass: 'user.model',
+      join: {
+        from: 'user_roles.userId',
+        to: 'users.id',
+      },
+    },
+    role: {
+      relation: BaseModel.BelongsToOneRelation,
+      modelClass: 'role.model',
+      join: {
+        from: 'user_roles.roleId',
+        to: 'roles.id',
+      },
+    },
+  };
+}

backend/src/models/user.model.ts

@@ -0,0 +1,57 @@
+import { BaseModel } from './base.model';
+
+export class User extends BaseModel {
+  static tableName = 'users';
+
+  id: string;
+  email: string;
+  password: string;
+  firstName?: string;
+  lastName?: string;
+  isActive: boolean;
+  createdAt: Date;
+  updatedAt: Date;
+
+  static get jsonSchema() {
+    return {
+      type: 'object',
+      required: ['email', 'password'],
+      properties: {
+        id: { type: 'string' },
+        email: { type: 'string', format: 'email' },
+        password: { type: 'string' },
+        firstName: { type: 'string' },
+        lastName: { type: 'string' },
+        isActive: { type: 'boolean' },
+      },
+    };
+  }
+
+  static get relationMappings() {
+    const { UserRole } = require('./user-role.model');
+    const { Role } = require('./role.model');
+
+    return {
+      userRoles: {
+        relation: BaseModel.HasManyRelation,
+        modelClass: UserRole,
+        join: {
+          from: 'users.id',
+          to: 'user_roles.userId',
+        },
+      },
+      roles: {
+        relation: BaseModel.ManyToManyRelation,
+        modelClass: Role,
+        join: {
+          from: 'users.id',
+          through: {
+            from: 'user_roles.userId',
+            to: 'user_roles.roleId',
+          },
+          to: 'roles.id',
+        },
+      },
+    };
+  }
+}

backend/src/object/object.module.ts

@@ -2,10 +2,13 @@ import { Module } from '@nestjs/common';
 import { ObjectService } from './object.service';
 import { RuntimeObjectController } from './runtime-object.controller';
 import { SetupObjectController } from './setup-object.controller';
+import { SchemaManagementService } from './schema-management.service';
+import { TenantModule } from '../tenant/tenant.module';
 
 @Module({
-  providers: [ObjectService],
+  imports: [TenantModule],
+  providers: [ObjectService, SchemaManagementService],
   controllers: [RuntimeObjectController, SetupObjectController],
-  exports: [ObjectService],
+  exports: [ObjectService, SchemaManagementService],
 })
 export class ObjectModule {}

backend/src/object/schema-management.service.ts

@@ -0,0 +1,216 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { Knex } from 'knex';
+import { ObjectDefinition } from '../models/object-definition.model';
+import { FieldDefinition } from '../models/field-definition.model';
+
+@Injectable()
+export class SchemaManagementService {
+  private readonly logger = new Logger(SchemaManagementService.name);
+
+  /**
+   * Create a physical table for an object definition
+   */
+  async createObjectTable(
+    knex: Knex,
+    objectDefinition: ObjectDefinition,
+    fields: FieldDefinition[],
+  ) {
+    const tableName = this.getTableName(objectDefinition.apiName);
+
+    // Check if table already exists
+    const exists = await knex.schema.hasTable(tableName);
+    if (exists) {
+      throw new Error(`Table ${tableName} already exists`);
+    }
+
+    await knex.schema.createTable(tableName, (table) => {
+      // Standard fields
+      table.uuid('id').primary().defaultTo(knex.raw('(UUID())'));
+      table.timestamps(true, true);
+
+      // Custom fields from field definitions
+      for (const field of fields) {
+        this.addFieldToTable(table, field);
+      }
+    });
+
+    this.logger.log(`Created table: ${tableName}`);
+  }
+
+  /**
+   * Add a new field to an existing object table
+   */
+  async addFieldToTable(
+    knex: Knex,
+    objectApiName: string,
+    field: FieldDefinition,
+  ) {
+    const tableName = this.getTableName(objectApiName);
+
+    await knex.schema.alterTable(tableName, (table) => {
+      this.addFieldToTable(table, field);
+    });
+
+    this.logger.log(`Added field ${field.apiName} to table ${tableName}`);
+  }
+
+  /**
+   * Remove a field from an existing object table
+   */
+  async removeFieldFromTable(
+    knex: Knex,
+    objectApiName: string,
+    fieldApiName: string,
+  ) {
+    const tableName = this.getTableName(objectApiName);
+
+    await knex.schema.alterTable(tableName, (table) => {
+      table.dropColumn(fieldApiName);
+    });
+
+    this.logger.log(`Removed field ${fieldApiName} from table ${tableName}`);
+  }
+
+  /**
+   * Drop an object table
+   */
+  async dropObjectTable(knex: Knex, objectApiName: string) {
+    const tableName = this.getTableName(objectApiName);
+
+    await knex.schema.dropTableIfExists(tableName);
+
+    this.logger.log(`Dropped table: ${tableName}`);
+  }
+
+  /**
+   * Add a field column to a table builder
+   */
+  private addFieldToTable(
+    table: Knex.CreateTableBuilder | Knex.AlterTableBuilder,
+    field: FieldDefinition,
+  ) {
+    const columnName = field.apiName;
+
+    let column: Knex.ColumnBuilder;
+
+    switch (field.type) {
+      case 'String':
+        column = table.string(columnName, field.length || 255);
+        break;
+
+      case 'Text':
+        column = table.text(columnName);
+        break;
+
+      case 'Number':
+        if (field.scale && field.scale > 0) {
+          column = table.decimal(
+            columnName,
+            field.precision || 10,
+            field.scale,
+          );
+        } else {
+          column = table.integer(columnName);
+        }
+        break;
+
+      case 'Boolean':
+        column = table.boolean(columnName).defaultTo(false);
+        break;
+
+      case 'Date':
+        column = table.date(columnName);
+        break;
+
+      case 'DateTime':
+        column = table.datetime(columnName);
+        break;
+
+      case 'Reference':
+        column = table.uuid(columnName);
+        if (field.referenceObject) {
+          const refTableName = this.getTableName(field.referenceObject);
+          column.references('id').inTable(refTableName).onDelete('SET NULL');
+        }
+        break;
+
+      case 'Email':
+        column = table.string(columnName, 255);
+        break;
+
+      case 'Phone':
+        column = table.string(columnName, 50);
+        break;
+
+      case 'Url':
+        column = table.string(columnName, 255);
+        break;
+
+      case 'Json':
+        column = table.json(columnName);
+        break;
+
+      default:
+        throw new Error(`Unsupported field type: ${field.type}`);
+    }
+
+    if (field.isRequired) {
+      column.notNullable();
+    } else {
+      column.nullable();
+    }
+
+    if (field.isUnique) {
+      column.unique();
+    }
+
+    if (field.defaultValue) {
+      column.defaultTo(field.defaultValue);
+    }
+
+    return column;
+  }
+
+  /**
+   * Convert object API name to table name (convert to snake_case, pluralize)
+   */
+  private getTableName(apiName: string): string {
+    // Convert PascalCase to snake_case
+    const snakeCase = apiName
+      .replace(/([A-Z])/g, '_$1')
+      .toLowerCase()
+      .replace(/^_/, '');
+
+    // Simple pluralization (append 's' if not already plural)
+    // In production, use a proper pluralization library
+    return snakeCase.endsWith('s') ? snakeCase : `${snakeCase}s`;
+  }
+
+  /**
+   * Validate field definition before creating column
+   */
+  validateFieldDefinition(field: FieldDefinition) {
+    if (!field.apiName || !field.label || !field.type) {
+      throw new Error('Field must have apiName, label, and type');
+    }
+
+    // Validate field name (alphanumeric + underscore, starts with letter)
+    if (!/^[a-zA-Z][a-zA-Z0-9_]*$/.test(field.apiName)) {
+      throw new Error(`Invalid field name: ${field.apiName}`);
+    }
+
+    // Validate reference field has referenceObject
+    if (field.type === 'Reference' && !field.referenceObject) {
+      throw new Error('Reference field must specify referenceObject');
+    }
+
+    // Validate numeric fields
+    if (field.type === 'Number') {
+      if (field.scale && field.scale > 0 && !field.precision) {
+        throw new Error('Decimal fields must specify precision');
+      }
+    }
+
+    return true;
+  }
+}

backend/src/prisma/central-prisma.service.ts

@@ -0,0 +1,16 @@
+import { PrismaClient as CentralPrismaClient } from '.prisma/central';
+
+let centralPrisma: CentralPrismaClient;
+
+export function getCentralPrisma(): CentralPrismaClient {
+  if (!centralPrisma) {
+    centralPrisma = new CentralPrismaClient();
+  }
+  return centralPrisma;
+}
+
+export async function disconnectCentral() {
+  if (centralPrisma) {
+    await centralPrisma.$disconnect();
+  }
+}

backend/src/tenant/tenant-database.service.ts

@@ -0,0 +1,124 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { Knex, knex } from 'knex';
+import { getCentralPrisma } from '../prisma/central-prisma.service';
+import * as crypto from 'crypto';
+
+@Injectable()
+export class TenantDatabaseService {
+  private readonly logger = new Logger(TenantDatabaseService.name);
+  private tenantConnections: Map<string, Knex> = new Map();
+
+  async getTenantKnex(tenantId: string): Promise<Knex> {
+    if (this.tenantConnections.has(tenantId)) {
+      return this.tenantConnections.get(tenantId);
+    }
+
+    const centralPrisma = getCentralPrisma();
+    const tenant = await centralPrisma.tenant.findUnique({
+      where: { id: tenantId },
+    });
+
+    if (!tenant) {
+      throw new Error(`Tenant ${tenantId} not found`);
+    }
+
+    if (tenant.status !== 'active') {
+      throw new Error(`Tenant ${tenantId} is not active`);
+    }
+
+    // Decrypt password
+    const decryptedPassword = this.decryptPassword(tenant.dbPassword);
+
+    const tenantKnex = knex({
+      client: 'mysql2',
+      connection: {
+        host: tenant.dbHost,
+        port: tenant.dbPort,
+        user: tenant.dbUsername,
+        password: decryptedPassword,
+        database: tenant.dbName,
+      },
+      pool: {
+        min: 2,
+        max: 10,
+      },
+    });
+
+    // Test connection
+    try {
+      await tenantKnex.raw('SELECT 1');
+      this.logger.log(`Connected to tenant database: ${tenant.dbName}`);
+    } catch (error) {
+      this.logger.error(
+        `Failed to connect to tenant database: ${tenant.dbName}`,
+        error,
+      );
+      throw error;
+    }
+
+    this.tenantConnections.set(tenantId, tenantKnex);
+    return tenantKnex;
+  }
+
+  async getTenantByDomain(domain: string): Promise<any> {
+    const centralPrisma = getCentralPrisma();
+    const domainRecord = await centralPrisma.domain.findUnique({
+      where: { domain },
+      include: { tenant: true },
+    });
+
+    if (!domainRecord) {
+      throw new Error(`Domain ${domain} not found`);
+    }
+
+    if (domainRecord.tenant.status !== 'active') {
+      throw new Error(`Tenant for domain ${domain} is not active`);
+    }
+
+    return domainRecord.tenant;
+  }
+
+  async disconnectTenant(tenantId: string) {
+    const connection = this.tenantConnections.get(tenantId);
+    if (connection) {
+      await connection.destroy();
+      this.tenantConnections.delete(tenantId);
+      this.logger.log(`Disconnected tenant: ${tenantId}`);
+    }
+  }
+
+  removeTenantConnection(tenantId: string) {
+    this.tenantConnections.delete(tenantId);
+    this.logger.log(`Removed tenant connection from cache: ${tenantId}`);
+  }
+
+  async disconnectAll() {
+    for (const [tenantId, connection] of this.tenantConnections.entries()) {
+      await connection.destroy();
+    }
+    this.tenantConnections.clear();
+    this.logger.log('Disconnected all tenant connections');
+  }
+
+  encryptPassword(password: string): string {
+    const algorithm = 'aes-256-cbc';
+    const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(password, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    return iv.toString('hex') + ':' + encrypted;
+  }
+
+  private decryptPassword(encryptedPassword: string): string {
+    const algorithm = 'aes-256-cbc';
+    const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
+    const parts = encryptedPassword.split(':');
+    const iv = Buffer.from(parts[0], 'hex');
+    const encrypted = parts[1];
+    const decipher = crypto.createDecipheriv(algorithm, key, iv);
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+  }
+}

backend/src/tenant/tenant-provisioning.controller.ts

@@ -0,0 +1,36 @@
+import {
+  Controller,
+  Post,
+  Delete,
+  Body,
+  Param,
+  UseGuards,
+} from '@nestjs/common';
+import { TenantProvisioningService } from './tenant-provisioning.service';
+
+@Controller('setup/tenants')
+export class TenantProvisioningController {
+  constructor(
+    private readonly provisioningService: TenantProvisioningService,
+  ) {}
+
+  @Post()
+  async createTenant(
+    @Body()
+    data: {
+      name: string;
+      slug: string;
+      primaryDomain: string;
+      dbHost?: string;
+      dbPort?: number;
+    },
+  ) {
+    return this.provisioningService.provisionTenant(data);
+  }
+
+  @Delete(':tenantId')
+  async deleteTenant(@Param('tenantId') tenantId: string) {
+    await this.provisioningService.deprovisionTenant(tenantId);
+    return { success: true };
+  }
+}

backend/src/tenant/tenant-provisioning.service.ts

@@ -0,0 +1,342 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { TenantDatabaseService } from './tenant-database.service';
+import * as knex from 'knex';
+import * as crypto from 'crypto';
+import { getCentralPrisma } from '../prisma/central-prisma.service';
+
+@Injectable()
+export class TenantProvisioningService {
+  private readonly logger = new Logger(TenantProvisioningService.name);
+
+  constructor(private readonly tenantDbService: TenantDatabaseService) {}
+
+  /**
+   * Provision a new tenant with database and default data
+   */
+  async provisionTenant(data: {
+    name: string;
+    slug: string;
+    primaryDomain: string;
+    dbHost?: string;
+    dbPort?: number;
+  }) {
+    const dbHost = data.dbHost || process.env.DB_HOST || 'platform-db';
+    const dbPort = data.dbPort || parseInt(process.env.DB_PORT || '3306');
+    const dbName = `tenant_${data.slug}`;
+    const dbUsername = `tenant_${data.slug}_user`;
+    const dbPassword = this.generateSecurePassword();
+
+    this.logger.log(`Provisioning tenant: ${data.name} (${data.slug})`);
+
+    try {
+      // Step 1: Create MySQL database and user
+      await this.createTenantDatabase(
+        dbHost,
+        dbPort,
+        dbName,
+        dbUsername,
+        dbPassword,
+      );
+
+      // Step 2: Run migrations on new tenant database
+      await this.runTenantMigrations(
+        dbHost,
+        dbPort,
+        dbName,
+        dbUsername,
+        dbPassword,
+      );
+
+      // Step 3: Store tenant info in central database
+      const centralPrisma = getCentralPrisma();
+      const tenant = await centralPrisma.tenant.create({
+        data: {
+          name: data.name,
+          slug: data.slug,
+          dbHost,
+          dbPort,
+          dbName,
+          dbUsername,
+          dbPassword: this.tenantDbService.encryptPassword(dbPassword),
+          status: 'active',
+          domains: {
+            create: {
+              domain: data.primaryDomain,
+              isPrimary: true,
+            },
+          },
+        },
+        include: {
+          domains: true,
+        },
+      });
+
+      this.logger.log(`Tenant provisioned successfully: ${tenant.id}`);
+
+      // Step 4: Seed default data (admin user, default roles, etc.)
+      await this.seedDefaultData(tenant.id);
+
+      return {
+        tenantId: tenant.id,
+        dbName,
+        dbUsername,
+        dbPassword, // Return for initial setup, should be stored securely
+      };
+    } catch (error) {
+      this.logger.error(`Failed to provision tenant: ${data.slug}`, error);
+      // Attempt cleanup
+      await this.rollbackProvisioning(dbHost, dbPort, dbName, dbUsername).catch(
+        (cleanupError) => {
+          this.logger.error(
+            'Failed to cleanup after provisioning error',
+            cleanupError,
+          );
+        },
+      );
+      throw error;
+    }
+  }
+
+  /**
+   * Create MySQL database and user
+   */
+  private async createTenantDatabase(
+    host: string,
+    port: number,
+    dbName: string,
+    username: string,
+    password: string,
+  ) {
+    // Connect as root to create database and user
+    const rootKnex = knex.default({
+      client: 'mysql2',
+      connection: {
+        host,
+        port,
+        user: process.env.DB_ROOT_USER || 'root',
+        password: process.env.DB_ROOT_PASSWORD || 'root',
+      },
+    });
+
+    try {
+      // Create database
+      await rootKnex.raw(
+        `CREATE DATABASE IF NOT EXISTS \`${dbName}\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci`,
+      );
+      this.logger.log(`Database created: ${dbName}`);
+
+      // Create user and grant privileges
+      await rootKnex.raw(
+        `CREATE USER IF NOT EXISTS '${username}'@'%' IDENTIFIED BY '${password}'`,
+      );
+      await rootKnex.raw(
+        `GRANT ALL PRIVILEGES ON \`${dbName}\`.* TO '${username}'@'%'`,
+      );
+      await rootKnex.raw('FLUSH PRIVILEGES');
+      this.logger.log(`User created: ${username}`);
+    } finally {
+      await rootKnex.destroy();
+    }
+  }
+
+  /**
+   * Run Knex migrations on tenant database
+   */
+  private async runTenantMigrations(
+    host: string,
+    port: number,
+    dbName: string,
+    username: string,
+    password: string,
+  ) {
+    const tenantKnex = knex.default({
+      client: 'mysql2',
+      connection: {
+        host,
+        port,
+        database: dbName,
+        user: username,
+        password,
+      },
+      migrations: {
+        directory: './migrations/tenant',
+        tableName: 'knex_migrations',
+      },
+    });
+
+    try {
+      await tenantKnex.migrate.latest();
+      this.logger.log(`Migrations completed for database: ${dbName}`);
+    } finally {
+      await tenantKnex.destroy();
+    }
+  }
+
+  /**
+   * Seed default data for new tenant
+   */
+  private async seedDefaultData(tenantId: string) {
+    const tenantKnex = await this.tenantDbService.getTenantKnex(tenantId);
+
+    try {
+      // Create default roles
+      const [adminRoleId] = await tenantKnex('roles').insert({
+        id: tenantKnex.raw('(UUID())'),
+        name: 'Admin',
+        guardName: 'api',
+        description: 'Full system administrator access',
+        created_at: tenantKnex.fn.now(),
+        updated_at: tenantKnex.fn.now(),
+      });
+
+      const [userRoleId] = await tenantKnex('roles').insert({
+        id: tenantKnex.raw('(UUID())'),
+        name: 'User',
+        guardName: 'api',
+        description: 'Standard user access',
+        created_at: tenantKnex.fn.now(),
+        updated_at: tenantKnex.fn.now(),
+      });
+
+      // Create default permissions
+      const permissions = [
+        { name: 'manage_users', description: 'Manage users' },
+        { name: 'manage_roles', description: 'Manage roles and permissions' },
+        { name: 'manage_apps', description: 'Manage applications' },
+        { name: 'manage_objects', description: 'Manage object definitions' },
+        { name: 'view_data', description: 'View data' },
+        { name: 'create_data', description: 'Create data' },
+        { name: 'edit_data', description: 'Edit data' },
+        { name: 'delete_data', description: 'Delete data' },
+      ];
+
+      for (const perm of permissions) {
+        await tenantKnex('permissions').insert({
+          id: tenantKnex.raw('(UUID())'),
+          name: perm.name,
+          guardName: 'api',
+          description: perm.description,
+          created_at: tenantKnex.fn.now(),
+          updated_at: tenantKnex.fn.now(),
+        });
+      }
+
+      // Grant all permissions to Admin role
+      const allPermissions = await tenantKnex('permissions').select('id');
+      for (const perm of allPermissions) {
+        await tenantKnex('role_permissions').insert({
+          id: tenantKnex.raw('(UUID())'),
+          roleId: adminRoleId,
+          permissionId: perm.id,
+          created_at: tenantKnex.fn.now(),
+          updated_at: tenantKnex.fn.now(),
+        });
+      }
+
+      // Grant view/create/edit permissions to User role
+      const userPermissions = await tenantKnex('permissions')
+        .whereIn('name', ['view_data', 'create_data', 'edit_data'])
+        .select('id');
+      for (const perm of userPermissions) {
+        await tenantKnex('role_permissions').insert({
+          id: tenantKnex.raw('(UUID())'),
+          roleId: userRoleId,
+          permissionId: perm.id,
+          created_at: tenantKnex.fn.now(),
+          updated_at: tenantKnex.fn.now(),
+        });
+      }
+
+      this.logger.log(`Default data seeded for tenant: ${tenantId}`);
+    } catch (error) {
+      this.logger.error(
+        `Failed to seed default data for tenant: ${tenantId}`,
+        error,
+      );
+      throw error;
+    }
+  }
+
+  /**
+   * Rollback provisioning in case of error
+   */
+  private async rollbackProvisioning(
+    host: string,
+    port: number,
+    dbName: string,
+    username: string,
+  ) {
+    const rootKnex = knex.default({
+      client: 'mysql2',
+      connection: {
+        host,
+        port,
+        user: process.env.DB_ROOT_USER || 'root',
+        password: process.env.DB_ROOT_PASSWORD || 'root',
+      },
+    });
+
+    try {
+      await rootKnex.raw(`DROP DATABASE IF EXISTS \`${dbName}\``);
+      await rootKnex.raw(`DROP USER IF EXISTS '${username}'@'%'`);
+      this.logger.log(`Rolled back provisioning for database: ${dbName}`);
+    } finally {
+      await rootKnex.destroy();
+    }
+  }
+
+  /**
+   * Generate secure random password
+   */
+  private generateSecurePassword(): string {
+    return crypto.randomBytes(32).toString('base64').slice(0, 32);
+  }
+
+  /**
+   * Deprovision a tenant (delete database and central record)
+   */
+  async deprovisionTenant(tenantId: string) {
+    const centralPrisma = getCentralPrisma();
+    const tenant = await centralPrisma.tenant.findUnique({
+      where: { id: tenantId },
+    });
+
+    if (!tenant) {
+      throw new Error(`Tenant not found: ${tenantId}`);
+    }
+
+    try {
+      // Delete tenant database
+      const rootKnex = knex.default({
+        client: 'mysql2',
+        connection: {
+          host: tenant.dbHost,
+          port: tenant.dbPort,
+          user: process.env.DB_ROOT_USER || 'root',
+          password: process.env.DB_ROOT_PASSWORD || 'root',
+        },
+      });
+
+      try {
+        await rootKnex.raw(`DROP DATABASE IF EXISTS \`${tenant.dbName}\``);
+        await rootKnex.raw(`DROP USER IF EXISTS '${tenant.dbUsername}'@'%'`);
+        this.logger.log(`Database deleted: ${tenant.dbName}`);
+      } finally {
+        await rootKnex.destroy();
+      }
+
+      // Delete tenant from central database
+      await centralPrisma.tenant.delete({
+        where: { id: tenantId },
+      });
+
+      // Remove from connection cache
+      this.tenantDbService.removeTenantConnection(tenantId);
+
+      this.logger.log(`Tenant deprovisioned: ${tenantId}`);
+    } catch (error) {
+      this.logger.error(`Failed to deprovision tenant: ${tenantId}`, error);
+      throw error;
+    }
+  }
+}

backend/src/tenant/tenant.middleware.ts

@@ -1,16 +1,64 @@
-import { Injectable, NestMiddleware } from '@nestjs/common';
+import { Injectable, NestMiddleware, Logger } from '@nestjs/common';
 import { FastifyRequest, FastifyReply } from 'fastify';
+import { TenantDatabaseService } from './tenant-database.service';
 
 @Injectable()
 export class TenantMiddleware implements NestMiddleware {
-  use(req: FastifyRequest['raw'], res: FastifyReply['raw'], next: () => void) {
-    const tenantId = req.headers['x-tenant-id'] as string;
-    
-    if (tenantId) {
-      // Attach tenantId to request object
-      (req as any).tenantId = tenantId;
+  private readonly logger = new Logger(TenantMiddleware.name);
+
+  constructor(private readonly tenantDbService: TenantDatabaseService) {}
+
+  async use(
+    req: FastifyRequest['raw'],
+    res: FastifyReply['raw'],
+    next: () => void,
+  ) {
+    try {
+      // Extract subdomain from hostname
+      const host = req.headers.host || '';
+      const hostname = host.split(':')[0]; // Remove port if present
+      const parts = hostname.split('.');
+
+      // For local development, accept x-tenant-id header as fallback
+      let tenantId = req.headers['x-tenant-id'] as string;
+      let subdomain: string | null = null;
+
+      // Extract subdomain (e.g., "acme" from "acme.routebox.co")
+      if (parts.length > 2) {
+        subdomain = parts[0];
+        // Ignore www subdomain
+        if (subdomain === 'www') {
+          subdomain = null;
+        }
+      }
+
+      // Get tenant by subdomain if available
+      if (subdomain) {
+        const tenant = await this.tenantDbService.getTenantByDomain(subdomain);
+        if (tenant) {
+          tenantId = tenant.id;
+          this.logger.log(
+            `Tenant identified: ${tenant.name} (${tenant.id}) from subdomain: ${subdomain}`,
+          );
+        } else {
+          this.logger.warn(`No tenant found for subdomain: ${subdomain}`);
+        }
+      }
+
+      if (tenantId) {
+        // Attach tenant info to request object
+        (req as any).tenantId = tenantId;
+        if (subdomain) {
+          (req as any).subdomain = subdomain;
+        }
+      } else {
+        this.logger.warn(`No tenant identified from host: ${hostname}`);
+      }
+
+      next();
+    } catch (error) {
+      this.logger.error('Error in tenant middleware', error);
+      next();
     }
-    
-    next();
   }
 }

backend/src/tenant/tenant.module.ts

@@ -1,7 +1,20 @@
 import { Module, NestModule, MiddlewareConsumer } from '@nestjs/common';
 import { TenantMiddleware } from './tenant.middleware';
+import { TenantDatabaseService } from './tenant-database.service';
+import { TenantProvisioningService } from './tenant-provisioning.service';
+import { TenantProvisioningController } from './tenant-provisioning.controller';
+import { PrismaModule } from '../prisma/prisma.module';
 
-@Module({})
+@Module({
+  imports: [PrismaModule],
+  controllers: [TenantProvisioningController],
+  providers: [
+    TenantDatabaseService,
+    TenantProvisioningService,
+    TenantMiddleware,
+  ],
+  exports: [TenantDatabaseService, TenantProvisioningService],
+})
 export class TenantModule implements NestModule {
   configure(consumer: MiddlewareConsumer) {
     consumer.apply(TenantMiddleware).forRoutes('*');