Hacker News
by erdemkoca 132 days ago
I’m building a multi-tenant business app (auth, roles, invoicing, time tracking). Curious whether you see Sentinel agents as a good place for tenant-aware auth / RBAC enforcement (e.g. fail-closed auth agent, fail-open observability agent), or if you’d still keep that strictly in-app.
1 comment

Good fit for coarse auth at the edge (who is this? what tenant? basic scopes, and so on). I’d still keep object-level/domain rules in-app. Fail-closed for auth, fail-open for observability is the right mental model. Biggest multi-tenant footguns are header spoofing + tenant-unaware caching. The proxy should own identity headers and include tenant in any cache key.
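The two footguns named in the comment above, as an added example that is not part of the original thread and not Sentinel's own API: a small edge-proxy middleware chain in Go's standard library. The auth layer is fail-closed (no verified identity, no upstream call), it deletes any client-supplied `X-User-Id` / `X-Tenant-Id` / `X-Scopes` headers before setting its own, and the cache key is derived from the verified tenant rather than the URL alone. The observability layer is fail-open: a panicking telemetry hook is logged and swallowed. The bearer-token map, the header names and the `Handle` driver are constructed for the example; a real edge would verify a JWT or call an introspection endpoint instead of a map lookup.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Identity is what the edge has verified about the caller.
type Identity struct {
	UserID   string
	TenantID string
	Scopes   []string
}

// tokens is a constructed in-memory token store standing in for a real
// verifier (JWT signature check or token introspection); example-only.
var tokens = map[string]Identity{
	"tok-alice-acme": {UserID: "alice", TenantID: "acme", Scopes: []string{"invoices:read"}},
	"tok-bob-globex": {UserID: "bob", TenantID: "globex", Scopes: []string{"invoices:read", "invoices:write"}},
}

// Header names the proxy owns (assumed names). Whatever the client sends
// under them is discarded before the verified values are written.
const (
	hdrUser   = "X-User-Id"
	hdrTenant = "X-Tenant-Id"
	hdrScopes = "X-Scopes"
)

// verify maps a bearer token to an identity; false means "do not trust".
func verify(authz string) (Identity, bool) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authz, prefix) {
		return Identity{}, false
	}
	id, ok := tokens[strings.TrimPrefix(authz, prefix)]
	return id, ok
}

// AuthMiddleware is fail-closed: no verified identity, no upstream request.
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Strip spoofable identity headers unconditionally, before any decision.
		r.Header.Del(hdrUser)
		r.Header.Del(hdrTenant)
		r.Header.Del(hdrScopes)

		id, ok := verify(r.Header.Get("Authorization"))
		if !ok {
			w.Header().Set("WWW-Authenticate", `Bearer realm="edge"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Only now are the identity headers set, from the verified token.
		r.Header.Set(hdrUser, id.UserID)
		r.Header.Set(hdrTenant, id.TenantID)
		r.Header.Set(hdrScopes, strings.Join(id.Scopes, " "))
		next.ServeHTTP(w, r)
	})
}

// CacheKey runs after AuthMiddleware, so hdrTenant is trustworthy. Leaving the
// tenant out would let tenant A's cached response be served to tenant B for
// the same method and URL.
func CacheKey(r *http.Request) string {
	return r.Header.Get(hdrTenant) + "|" + r.Method + "|" + r.URL.RequestURI()
}

// ObservabilityMiddleware is fail-open: a broken telemetry hook is logged,
// never turned into an error for the caller.
func ObservabilityMiddleware(emit func(*http.Request), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		func() {
			defer func() {
				if err := recover(); err != nil {
					log.Printf("telemetry failed (ignored): %v", err)
				}
			}()
			emit(r)
		}()
		next.ServeHTTP(w, r)
	})
}

// Result is what the upstream app would have trusted for one request.
type Result struct {
	Status   int
	User     string
	Tenant   string
	CacheKey string
}

// Handle pushes one request through observability -> auth -> upstream.
// spoofed holds headers a malicious client sets to impersonate identity.
func Handle(method, target, authz string, spoofed map[string]string) Result {
	var res Result
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res.User = r.Header.Get(hdrUser)
		res.Tenant = r.Header.Get(hdrTenant)
		res.CacheKey = CacheKey(r)
		w.WriteHeader(http.StatusOK)
	})
	// Constructed failure: the telemetry backend panics on every request.
	emit := func(*http.Request) { panic("telemetry backend down") }
	chain := ObservabilityMiddleware(emit, AuthMiddleware(upstream))

	req := httptest.NewRequest(method, target, nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	for k, v := range spoofed {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, req)
	res.Status = rec.Code
	return res
}

func main() {
	// Alice (tenant acme) tries to smuggle a globex tenant header past the edge.
	fmt.Printf("%+v\n", Handle("GET", "/invoices?page=1", "Bearer tok-alice-acme",
		map[string]string{hdrTenant: "globex", hdrUser: "mallory"}))
	// No token at all: fail closed, upstream is never reached.
	fmt.Printf("%+v\n", Handle("GET", "/invoices?page=1", "", map[string]string{hdrTenant: "acme"}))
}
```

The order matters: the `Del` calls come before the token check so that even an authenticated caller cannot carry a forged tenant through, and `CacheKey` is only meaningful downstream of `AuthMiddleware`. The telemetry panic in `Handle` is deliberate; it shows the observability layer degrading without affecting the 200/401 decision.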