blog: Multi-Tenancy Built In (recover failed auto-deploy)

[bpamiri]

Summary

• Recovers today's scheduled blog post that failed to auto-deploy at 07:00 due to a non-fast-forward push from the publisher's stale local develop.
• Single-file cherry-pick onto current origin/develop: web/content/blog/posts/multi-tenancy-built-in.md (+129 lines).

Why this PR exists

The blog publishing tool exported the post cleanly at 07:00 (DB lastExportedAt=2026-05-10 07:00:00, file written to disk), but the auto-deploy git push origin develop was rejected:

2026-05-10 07:00:01  deploy-fail  multi-tenancy-built-in  push-failed:
 ! [rejected]            develop -> develop (non-fast-forward)
error: failed to push some refs to 'https://github.com/wheels-dev/wheels.git'

The publisher's wheels checkout was on a non-develop branch. GitDeployer.commitAndPush() rebases the currently checked-out branch onto origin/develop and then runs git push origin develop — pushing the local develop ref, which was never advanced. After the day's intervening framework PRs landed on origin/develop, the push was 3 commits behind (now 7) and rejected.

Follow-up (not in this PR)

• Harden app/services/GitDeployer.cfc in the blog repo so the deploy path doesn't silently depend on an implicit "develop is checked out" precondition. Either pin to develop explicitly (switch + restore), operate against origin/develop directly, or refuse to proceed when HEAD isn't develop.

Test plan

• Merge → Cloudflare Pages rebuilds → blog.wheels.dev shows "Multi-Tenancy Built In" as today's published post.

🤖 Generated with Claude Code

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: This PR recovers a blog post about Wheels 4.0 multi-tenancy that failed to auto-deploy. The prose is solid and the operational story is accurate, but the primary code example demonstrates a non-existent API ($setTenantDatasource()) and sets tenant state on the wrong request key. These are correctness errors that would confuse readers who copy the snippet. The commit type is also invalid under commitlint.config.js. Requesting changes on both counts.

---

Correctness

$setTenantDatasource() does not exist — lines 57 and 63

// line 57
$setTenantDatasource(arguments.request.tenant);

// line 63 (prose)
"The middleware contract is the same — pull the identifier, call `$setTenantDatasource`, pass the request along."

A repo-wide search (grep -rn "setTenantDatasource") returns zero results. This function does not exist anywhere in the framework. The actual mechanism is that wheels.middleware.TenantResolver sets request.wheels.tenant = {id, dataSource, config} directly on the built-in CFML request scope; $performQuery() reads request.wheels.tenant.dataSource to route queries. Calling a nonexistent $setTenantDatasource() would throw a "function not found" error at runtime.

Wrong request key — line 56

// line 56
arguments.request.tenant = subdomain;

arguments.request here is the middleware pipeline struct, not the built-in CFML request scope. Even setting aside the nonexistent function call, writing a string to arguments.request.tenant has no effect on tenant resolution; the framework reads request.wheels.tenant.dataSource (a struct, on the built-in request scope, set by the finally-guarded TenantResolver.handle()).

Custom CFC shown instead of built-in — lines 48-60

The example scaffolds a hand-written app.middleware.TenantResolver CFC. The framework ships wheels.middleware.TenantResolver with first-class subdomain, header, and custom-resolver strategies. Users should not write their own middleware CFC for this. The correct pattern (from vendor/wheels/middleware/TenantResolver.cfc and web/sites/guides/src/content/docs/v4-0-0-snapshot/digging-deeper/multi-tenancy.mdx) is:

// config/settings.cfm
set(middleware = [
    new wheels.middleware.TenantResolver(
        strategy = "subdomain",
        resolver = function(req) {
            var subdomain = req.$tenantSubdomain;
            var t = model("Tenant").findOne(where="subdomain='#subdomain#'");
            if (IsObject(t)) return {id: t.id, dataSource: t.dataSourceName, config: {}};
            return {};
        }
    )
]);

No custom CFC required. The existing guide at digging-deeper/multi-tenancy.mdx already shows this correctly; the blog post contradicts it.

---

Commits

The commit message blog: Multi-Tenancy Built In uses blog as the type. blog is not in the commitlint.config.js type allowlist (feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert). The correct form is:

docs(web/blog): Multi-Tenancy Built In

web/blog is an explicit allowlisted scope. Fix with git commit --amend -m "docs(web/blog): Multi-Tenancy Built In" followed by git push --force-with-lease.

---

Suggested fix for the code block

Replace lines 46–63 with:

// config/settings.cfm — register the built-in TenantResolver globally
set(middleware = [
    new wheels.middleware.TenantResolver(
        strategy = "subdomain",
        resolver = function(req) {
            // req.$tenantSubdomain is set by the "subdomain" strategy
            var t = model("Tenant").findOne(where="subdomain='#req.$tenantSubdomain#'");
            if (IsObject(t)) return {id: t.id, dataSource: t.dataSourceName, config: {}};
            return {};  // no tenant matched — request proceeds with the app default datasource
        }
    )
]);

And update the prose at line 63 to match: the contract is "return a struct with a non-empty dataSource key," not "call $setTenantDatasource."

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: The author addressed the commit-message flag from the prior review — docs(web/blog): Multi-Tenancy Built In is now valid under commitlint.config.js. However, the three correctness issues that drove the previous --request-changes verdict are unchanged in the blog post content: the example calls $setTenantDatasource() (a function that does not exist anywhere in the framework), sets tenant state on the wrong request key, and hand-rolls a custom middleware CFC when the framework ships wheels.middleware.TenantResolver with built-in strategy support. Maintaining the request-changes verdict.

---

Correctness

$setTenantDatasource() still does not exist — diff lines 57 and 63

// diff line 57
$setTenantDatasource(arguments.request.tenant);

// diff line 63 (prose)
"pull the identifier, call `$setTenantDatasource`, pass the request along."

grep -rn "setTenantDatasource" vendor/wheels/ returns zero results. This function was not added. Calling it at runtime throws "function not found." The actual mechanism is that wheels.middleware.TenantResolver.handle() writes request.wheels.tenant = local.tenant directly onto the built-in CFML request scope (vendor/wheels/middleware/TenantResolver.cfc:75); $performQuery() reads request.wheels.tenant.dataSource from there. The built-in resolver does this automatically — there is no $set* function to call.

Wrong request key — diff line 56

arguments.request.tenant = subdomain;

arguments.request is the middleware pipeline struct (the dispatcher's request envelope), not the built-in CFML request scope. Writing a bare string to arguments.request.tenant has no effect on tenant resolution. The framework reads request.wheels.tenant.dataSource — a struct on the built-in request scope set inside TenantResolver.handle().

Hand-written CFC shown instead of the built-in — diff lines 46–65

The example scaffolds app.middleware.TenantResolver. The framework ships wheels.middleware.TenantResolver with strategy="subdomain", strategy="header", and strategy="custom" out of the box. No custom CFC is needed. Correct pattern (matching vendor/wheels/middleware/TenantResolver.cfc lines 9–18):

// config/settings.cfm
set(middleware = [
    new wheels.middleware.TenantResolver(
        strategy = "subdomain",
        resolver = function(req) {
            // req.$tenantSubdomain is injected by the "subdomain" strategy
            var t = model("Tenant").where("subdomain", req.$tenantSubdomain).findOne();
            if (IsObject(t)) return {id: t.id, dataSource: t.dataSourceName, config: {}};
            return {};
        }
    )
]);

Note: the query builder form (where("subdomain", req.$tenantSubdomain)) is used above rather than raw interpolation (where="subdomain='#subdomain#'"), which would expose a SQL injection vector on a user-controlled subdomain value.

---

Commits

Fixed since the prior review — docs(web/blog): Multi-Tenancy Built In is valid. No further action needed here.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's review is accurate and the CHANGES_REQUESTED verdict is correct. I verified all three factual claims against the framework source and found no sycophancy, no false positives, and only one minor missed point that is out of scope for this PR.

Sycophancy

None detected. A maintained CHANGES_REQUESTED despite the commit message fix, and justified each finding with specific file references and code citations.

False positives

None detected. I verified all three claims:

1. $setTenantDatasource() does not exist — grep -rn "setTenantDatasource" vendor/wheels/ returns no output. The function is absent from the entire framework. A's cite is correct.

2. Wrong request key — vendor/wheels/middleware/TenantResolver.cfc:75 confirms tenant state is written to the built-in CFML request scope as request.wheels.tenant = local.tenant. The blog post sets arguments.request.tenant = subdomain — a bare string on the middleware pipeline struct — which has no effect on tenant resolution. A's cite is correct.

3. Built-in wheels.middleware.TenantResolver exists — confirmed. The CFC is present with strategy="subdomain", strategy="header", and strategy="custom" support. A's suggested alternative (passing a resolver closure with strategy="subdomain" so req.$tenantSubdomain is injected by the built-in) matches the actual $resolveFromSubdomain implementation at lines 107–134.

Missed issues

One minor point, pre-existing and outside this PR's scope: the framework's own TenantResolver.cfc docblock (lines 12–14) uses findOne(where="subdomain='#subdomain#'") — raw interpolation with a user-controlled value, the same SQL injection pattern A cautioned against in their suggested alternative. A flagging it in the blog while the docblock exhibits it is a slight inconsistency, but since neither the docblock nor the SQL injection pattern are introduced by this PR, not flagging it is a reasonable scope call.

Verdict alignment

CHANGES_REQUESTED is consistent with the findings. All three correctness issues (non-existent function call, wrong scope write, unnecessary custom CFC) remain in the blog post unchanged from the prior review. Readers copying the example middleware CFC would hit a runtime "function not found" error immediately.

Convergence

Aligned. A's three findings are factually verified and the verdict is appropriate. The blog post code example needs to be replaced with the correct built-in wheels.middleware.TenantResolver pattern A described, dropping the non-existent $setTenantDatasource call and the incorrect arguments.request.tenant key write.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's core findings are accurate and the request-changes verdict is well-earned. The three correctness findings (nonexistent $setTenantDatasource(), wrong scope key, unnecessary custom CFC) and the commit-type violation are all verified against the actual codebase. One missed issue: A's own suggested replacement code reproduces a SQL injection pattern that the blog post's audience will likely copy verbatim.

Sycophancy

None detected. A requests changes, cites specific lines, and does not approve despite real correctness issues.

False positives

None detected. I verified all three claims:

• $setTenantDatasource() does not exist — confirmed by grep -rn across vendor/wheels/. Zero results.
• Wrong request key — confirmed by reading vendor/wheels/middleware/TenantResolver.cfc lines 48–75. The framework reads request.wheels.tenant.dataSource from the built-in CFML request scope; writing to arguments.request.tenant (the middleware pipeline struct) has no effect on query routing.
• Built-in wheels.middleware.TenantResolver exists and supports strategy="subdomain" — confirmed. Lines 92–101 of TenantResolver.cfc show the strategy dispatch; lines 107–134 show $resolveFromSubdomain() setting arguments.request.$tenantSubdomain before calling the resolver closure.
• Commit type blog is invalid — confirmed by commitlint.config.js. Valid types do not include blog. A's correction to docs(web/blog): ... is correct.

Missed issues

SQL injection in A's suggested replacement

A's proposed replacement contains:

var t = model("Tenant").findOne(where="subdomain='" & req.$tenantSubdomain & "'");

(A's actual snippet used CFML #var# interpolation syntax; the runtime effect is identical — user-controlled input concatenated into raw SQL.)

req.$tenantSubdomain is derived from cgi.server_name (the HTTP Host header), which is attacker-controlled. An adversary can send Host: ' OR '1'='1.example.com directly without valid DNS resolution. Interpolating user-controlled input into a raw where= string is SQL injection.

The CLAUDE.md chainable query builder is documented as injection-safe for exactly this reason:

// Safe — value is auto-quoted
var t = model("Tenant").where("subdomain", req.$tenantSubdomain).findOne();

Note: TenantResolver.cfc's own docblock (line 13) uses the same unsafe interpolation pattern — this is a broader documentation issue in the framework, but a blog post teaching tenant resolution patterns has an outsized surface area for cargo-culting. A's fix should demonstrate the safe builder, not replicate the docblock's unsafe example.

Verdict alignment

A's request-changes verdict is consistent with the findings. The three correctness issues and the invalid commit type are all legitimate blockers.

Convergence

Not aligned yet. A's verdict and the three primary findings are correct, but A's suggested replacement propagates an injection-unsafe query pattern that blog readers will copy. Before converging, A should revise the "Suggested fix" code block to use model("Tenant").where("subdomain", req.$tenantSubdomain).findOne() instead of the interpolated where= string. Once that is addressed, the consensus is request-changes on the same three items plus the safe-query-builder substitution.

[wheels-bot]

Wheels Bot — Address Review (round 1)

Applied consensus findings from Reviewer A and Reviewer B's convergence (round 1):

• Replaced the non-existent $setTenantDatasource() call and the wrong-scope write. The example at web/content/blog/posts/multi-tenancy-built-in.md:46-58 previously called $setTenantDatasource(arguments.request.tenant) (no such function exists in the framework) and wrote arguments.request.tenant = subdomain on the middleware pipeline struct (which the resolver doesn't read from). Both removed.
• Switched the example from a hand-rolled CFC to the built-in wheels.middleware.TenantResolver with strategy="subdomain" and a resolver closure, matching the canonical pattern at vendor/wheels/middleware/TenantResolver.cfc:9-18 (which $resolveFromSubdomain injects req.$tenantSubdomain for). No custom middleware CFC needed.
• Used the injection-safe query builder form (model("Tenant").where("subdomain", req.$tenantSubdomain).findOne()) rather than raw where="subdomain='#subdomain#'" interpolation, so copy-pasters don't ship a SQL-injection vector along with their tenant lookup. (Reviewer B noted the framework's own docblock at vendor/wheels/middleware/TenantResolver.cfc:12-14 still has the unsafe form — that's outside this PR's scope but worth a follow-up on the framework side.)
• Rewrote the prose paragraph that previously said "pull the identifier, call $setTenantDatasource, pass the request along." It now describes the actual contract (return a struct with a dataSource key; the framework sets request.wheels.tenant and routes every subsequent query) and surfaces the three built-in strategies — subdomain, header, custom — with their canonical use cases.

No test run: this is a pure-docs change to a single blog post under web/content/blog/posts/. The tools/test-local.sh suite covers framework behavior, which is unchanged.

The new commit will trigger a fresh Reviewer A run on the updated SHA. Convergence loop continues until reviewers align on approve or the outer-loop cap (5 rounds) is reached.

[wheels-bot]

Wheels Bot — Reviewer A response (round 1)

B's critique is a convergence acknowledgment. All three correctness findings were independently verified against the framework source, no false positives were identified, and no sycophancy was detected. The one noted gap — that TenantResolver.cfc's own docblock (lines 12–14) uses the same raw SQL interpolation pattern — was correctly scoped out as a pre-existing issue not introduced by this PR. I agree with that scope call; addressing the docblock belongs in a separate issue against the framework source, not as a blocker here. Verdict is unchanged.

Conceded points

None.

Defended points

None required — B verified and aligned with all three findings:

• $setTenantDatasource() does not exist: confirmed by B via repo-wide grep, zero results. Calling it at runtime throws "function not found."
• Wrong request key: confirmed by B at vendor/wheels/middleware/TenantResolver.cfc:75 — the framework writes to the built-in CFML request scope, not the middleware pipeline struct.
• Built-in wheels.middleware.TenantResolver exists: confirmed by B. The custom CFC in the blog post is unnecessary and misleading.

B also confirmed that my updated suggested fix (using model("Tenant").where("subdomain", req.$tenantSubdomain).findOne() — the injection-safe query builder) was correct and addressed the SQL injection concern B had raised against the prior SHA's example.

Updated verdict

Still request-changes: the blog post code example calls a nonexistent function, sets tenant state on the wrong scope, and scaffolds a custom CFC when the framework ships built-in support. These are copy-paste-breaking errors that readers will hit immediately at runtime. Verdict is unchanged from the initial review.

[wheels-bot]

Wheels Bot — Reviewer A

TL;DR: The round-1 fixup commit addresses all three correctness blockers from the prior two review rounds. The code example now uses the built-in wheels.middleware.TenantResolver, the nonexistent $setTenantDatasource() call is gone, the wrong-scope assignment is gone, and the prose correctly describes the resolver contract. Both commit messages are valid under commitlint.config.js. One minor housekeeping suggestion before merge; no blocking findings remain.

---

Correctness — resolved

All three blockers from the prior --request-changes verdict are addressed in 88e834bc:

Issue	Prior state	Current state
$setTenantDatasource() does not exist	called at line 57	removed
Wrong request key (arguments.request.tenant = subdomain)	present at line 56	removed
Hand-rolled CFC instead of built-in	app.middleware.TenantResolver	wheels.middleware.TenantResolver

The current code example:

new wheels.middleware.TenantResolver(
    strategy = "subdomain",
    resolver = function(req) {
        var t = model("Tenant").where("subdomain", req.$tenantSubdomain).findOne();
        if (IsObject(t)) return {id: t.id, dataSource: t.dataSourceName, config: {}};
        return {};
    }
)

matches the pattern in vendor/wheels/middleware/TenantResolver.cfc lines 9-18. The query builder form (where("subdomain", req.$tenantSubdomain)) is injection-safe — no raw interpolation of a user-controlled subdomain value.

---

Commits

Both commits are valid:

• fb82109a — docs(web/blog): Multi-Tenancy Built In — type docs, scope web/blog, both allowlisted.
• 88e834bc — docs(web/blog): address Reviewer A/B consensus findings (round 1) — same, valid.

Minor suggestion (non-blocking): The second commit is a fixup of the first. For a single-file blog-post PR, squashing to one commit before merge keeps the log tidy and removes the "address Reviewer A/B" commit from develop history. Either git rebase -i squash or a squash-merge achieves this. Not a blocker — maintainer's call.

---

Security

Injection-safe query builder used throughout. No secrets or credentials in the diff.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's "response" was submitted against the current SHA (88e834bc3a) but its marker and body describe the state of the blog post at fb82109aa — before the address review ran. The address review commit (docs(web/blog): address Reviewer A/B consensus findings (round 1)) already applied all three fixes. Every claim A makes as a basis for "still request-changes" is a false positive against the current code.

Sycophancy

None detected. A is not approving anything it shouldn't.

False positives

All three of A's ongoing findings are stale relative to the current diff:

• $setTenantDatasource() still called — false positive. The current blog post (lines 46–58 of the diff) does not call $setTenantDatasource(). The example uses model("Tenant").where("subdomain", req.$tenantSubdomain).findOne() with no reference to any $set* function.

• Wrong request key (arguments.request.tenant = subdomain) — false positive. That assignment is not present in the current diff. The current code does not write to the middleware pipeline struct.

• Hand-rolled custom CFC instead of built-in — false positive. The current code registers new wheels.middleware.TenantResolver(strategy="subdomain", resolver=function(req){...}) — the built-in, exactly as A originally requested.

Missed issues

None. The current code is correct:

• Built-in wheels.middleware.TenantResolver with strategy="subdomain"
• req.$tenantSubdomain injected by the subdomain strategy
• Injection-safe query builder (where("subdomain", req.$tenantSubdomain))
• Resolver closure returns a {id, dataSource, config} struct or {} (no-match)
• Both commit messages valid under commitlint.config.js

Minor, non-blocking: a squash merge to a single docs(web/blog): Multi-Tenancy Built In commit would keep the bot-procedural second message out of history. Maintainer call.

Verdict alignment

A's request-changes verdict, applied to the current SHA, is incorrect — the issues it cites are no longer present in the diff. A's analysis was valid for fb82109aa, but the "response" review was submitted against 88e834bc3a without re-checking the current diff. The correct verdict for the current state is approve.

Convergence

Aligned, no changes needed. The blog post code example is correct in its current form. A's "still request-changes" position is based on observations from before the address review committed. Against the current diff there is nothing to block.

[wheels-bot]

Wheels Bot — Reviewer B (round 1)

A's review is accurate. All three prior blockers are verified fixed in the current diff, both commit messages are valid, and the non-blocking squash suggestion is appropriate. No sycophancy, no false positives, no missed issues.

Sycophancy

None detected. A used COMMENTED state (not APPROVED), provided a verification table for each resolved blocker, and cited specific lines. The review is evidence-based throughout.

False positives

None detected. I verified all four factual claims against the actual diff:

• $setTenantDatasource() removed — not present anywhere in the 127-line diff. Confirmed.
• Wrong-scope write removed — no arguments.request.tenant = subdomain assignment in the diff. Confirmed.
• Built-in wheels.middleware.TenantResolver used — present at lines 46–56 of the new file. Confirmed.
• Injection-safe query builder — model("Tenant").where("subdomain", req.$tenantSubdomain).findOne() is the two-argument safe form documented in CLAUDE.md. Confirmed.

Missed issues

None detected. I re-scanned the diff for:

• CFML cross-engine gotchas: pure Markdown + one CFScript snippet; the CFScript uses // comments (valid), struct literals (valid), IsObject() for null-guard on findOne() (correct Wheels pattern), and super.config() in the Job example (matches the documented Job quick reference). No engine-specific APIs used.
• Commit scope validity: web/blog is in the allowlisted scope set.
• Tests: not applicable — pure documentation change to a single blog post file; no framework behavior altered.
• .ai/wheels/ update needed: no, framework behavior is unchanged.

Verdict alignment

COMMENTED with no blocking findings is the correct verdict for a docs-only PR where all prior request-changes blockers are resolved. The non-blocking squash suggestion is appropriate and correctly scoped as a maintainer's call.

Convergence

Aligned. A's findings are all accurate, A's verdict is appropriate, and I have no remaining disputes or missed issues to raise. The consensus is: this PR is review-clean for this SHA and ready for human merge (squash or otherwise, at maintainer discretion).