Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements

- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements

gitops/base/namespaces/tenants.yaml

@@ -0,0 +1,95 @@
+# Tenant Namespaces Template
+# More granular than Azure with custom resource limits per tenant tier
+# NOTE: This is a template file. Placeholders (TENANT_ID_PLACEHOLDER, TENANT_TIER_PLACEHOLDER)
+# should be replaced by automation when creating actual tenant namespaces.
+# Use the tenant namespace automation script or controller to process this template.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tenant-template
+  labels:
+    name: tenant-template
+    tenant-id: "TENANT_ID_PLACEHOLDER"  # Replace with actual tenant ID
+    tenant-tier: "TENANT_TIER_PLACEHOLDER"  # Replace with actual tier (FREE, STANDARD, ENTERPRISE, SOVEREIGN)
+    managed-by: sankofa-phoenix
+---
+# Resource Quota - More granular than Azure
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: tenant-quota
+  namespace: tenant-template
+spec:
+  hard:
+    requests.cpu: "100"  # Adjust based on tenant tier
+    requests.memory: 512Gi
+    limits.cpu: "200"
+    limits.memory: 1Ti
+    persistentvolumeclaims: "50"
+    services.loadbalancers: "10"
+    services.nodeports: "20"
+    count/deployments.apps: "100"
+    count/statefulsets.apps: "50"
+---
+# Limit Range - Per-container limits
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: tenant-limits
+  namespace: tenant-template
+spec:
+  limits:
+  - default:
+      cpu: "2"
+      memory: 4Gi
+    defaultRequest:
+      cpu: "500m"
+      memory: 1Gi
+    type: Container
+  - max:
+      cpu: "8"
+      memory: 16Gi
+    min:
+      cpu: "100m"
+      memory: 128Mi
+    type: Container
+---
+# Network Policy - Tenant isolation
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: tenant-isolation
+  namespace: tenant-template
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          tenant-id: "TENANT_ID_PLACEHOLDER"
+    - namespaceSelector:
+        matchLabels:
+          name: system
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          tenant-id: "TENANT_ID_PLACEHOLDER"
+    - namespaceSelector:
+        matchLabels:
+          name: system
+    - namespaceSelector:
+        matchLabels:
+          name: monitoring
+  egress:
+  - to: []  # Allow DNS and external
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 443
+

gitops/base/rbac/tenant-rbac.yaml

@@ -0,0 +1,97 @@
+# Tenant RBAC - More granular than Azure RBAC
+# Fine-grained permissions beyond Azure's role-based access
+
+# Tenant Owner Role - Full control over tenant
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tenant-owner
+  namespace: tenant-template
+rules:
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["*"]
+  verbs: ["*"]
+---
+# Tenant Admin Role - Administrative access
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tenant-admin
+  namespace: tenant-template
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets", "daemonsets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["networkpolicies", "ingresses"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Tenant User Role - Standard access
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tenant-user
+  namespace: tenant-template
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "configmaps"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+# Tenant Viewer Role - Read-only access
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tenant-viewer
+  namespace: tenant-template
+rules:
+- apiGroups: [""]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+---
+# Tenant Billing Admin Role - Billing management
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tenant-billing-admin
+  namespace: tenant-template
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services"]
+  verbs: ["get", "list", "watch"]  # Read-only for billing calculations
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets"]
+  verbs: ["get", "list", "watch"]
+---
+# RoleBinding Template
+# This would be created per tenant user
+# NOTE: This is a template file. USER_EMAIL_PLACEHOLDER should be replaced with actual user email
+# when creating RoleBindings. Use the tenant RBAC automation script or controller to process this template.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tenant-user-binding-template
+  namespace: tenant-template
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tenant-user  # Change based on user role (tenant-owner, tenant-admin, tenant-user, tenant-viewer, tenant-billing-admin)
+subjects:
+- kind: User
+  name: "USER_EMAIL_PLACEHOLDER"  # Replace with actual user email (e.g., user@example.com)
+  apiGroup: rbac.authorization.k8s.io
+