feat: Ipad app features and Dream Weaver for Velocity WebOS

backend/auth/dependencies.py

@@ -29,6 +29,10 @@ ROLE_HIERARCHY = {
     "ADMIN": 3,
 }
 
+
+def default_tenant_id() -> str:
+    return os.getenv("VELOCITY_DEFAULT_TENANT_ID", "tenant_velocity").strip() or "tenant_velocity"
+
 # ── Password hashing ──────────────────────────────────────────────────────────
 
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
@@ -57,12 +61,14 @@ JWT_ALGORITHM = "HS256"
 JWT_EXPIRE_HOURS = 8
 
 
-def create_access_token(user_id: str, role: str) -> str:
+def create_access_token(user_id: str, role: str, tenant_id: Optional[str] = None) -> str:
     expire = datetime.now(timezone.utc) + timedelta(hours=JWT_EXPIRE_HOURS)
     normalized_role = role.strip().upper()
+    normalized_tenant = (tenant_id or default_tenant_id()).strip() or default_tenant_id()
     payload = {
         "sub": user_id,
         "role": normalized_role,
+        "tenant_id": normalized_tenant,
         "exp": expire,
         "iat": datetime.now(timezone.utc),
     }
@@ -75,6 +81,7 @@ def create_access_token(user_id: str, role: str) -> str:
 class UserPrincipal:
     user_id: str
     role: str
+    tenant_id: str = default_tenant_id()
 
     @property
     def role_level(self) -> int:
@@ -112,7 +119,11 @@ def get_current_user(
             headers={"WWW-Authenticate": "Bearer"},
         ) from exc
 
-    return UserPrincipal(user_id=payload["sub"], role=str(payload["role"]).strip().upper())
+    return UserPrincipal(
+        user_id=payload["sub"],
+        role=str(payload["role"]).strip().upper(),
+        tenant_id=str(payload.get("tenant_id") or default_tenant_id()).strip() or default_tenant_id(),
+    )
 
 
 # ── Dependency factory: role gate ─────────────────────────────────────────────