# Multi-Tenant Architecture: Identity Separation

> **Infrastructure — Machine vs User Identity**
> *Source: MULTI_TENANT_ARCHITECTURE.md*

---

## 1. The Separation Principle

Early P2P systems conflated the *device* with the *user*. If you lost your laptop, you lost your identity. Abzu decouples these concepts to enable household deployments and account portability.

### 1.1 Two Identity Types

| Feature | Machine Identity | User Identity |
| ------- | ---------------- | ------------- |
| **Role** | Infrastructure / Routing | Social / Application |
| **Key Persistence** | Tied to hardware | Portable (Exportable) |
| **Public Visibility** | Visible in DHT/Mesh | Encrypted, Selective |
| **Responsibility** | Packet forwarding, storage | Signing messages |

**Core Invariant**: A node has **1** Machine Identity but **N** User Identities.

---

## 2. Account Management

The `AccountManager` handles the lifecycle of user identities hosted on the node.

### 2.1 Account Types

Abzu implements a Unix-like permission model for the home:

1. **Admin**: Full control. Can create/delete accounts. Can inspect Child activity (if configured).
2. **Adult**: Sovereign account. Equal authority to Admin but cannot manage other users.
3. **Child**: Constrained account.
   - **Keys**: Derived from parental seed (optionally).
   - **Oversight**: Admin (Parent) can decrypt messages via capability escrow.
4. **Guest**: Ephemeral access.
   - **Relay Only**: The node acts as an encrypted dumb pipe.
   - **No Storage**: Messages are not stored on the node's disk in plaintext.
   - **Private**: The node *cannot* read Guest traffic.

### 2.2 Security Isolation

Each account has its own encrypted storage vault (`AccountStorage`). Even the node operator cannot read an Adult user's messages without the user's password.

---

## 3. Portability

Accounts are "Mandatory Portable".
```rust
struct AccountExport {
    keypair: EncryptedKeypair, // Protected by passphrase
    mailbox: Vec<u8>,          // Encrypted message blob
    contacts: Vec<u8>,         // Social graph
}
```

**Scenario**:

1. User starts on a Raspberry Pi at home.
2. Travels with a laptop (acting as a Guest on hotel wifi).
3. Imports identity to a cloud VPS.
4. All messages and contacts transfer seamlessly.

---

## 4. Rate Limiting Strategy

Multi-tenancy requires tiered rate limiting to prevent a "Tragedy of the Commons":

- **Per-Account Limit**: Prevents one chatty user from hogging the node's bandwidth.
- **Per-Node Limit**: Protects the machine identity from being blacklisted by the mesh for spamming.
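The two tiers above as an added, stand-alone sketch (not Abzu's own code): each hosted account gets its own token bucket, and the machine identity gets one shared bucket; the per-account bucket is checked first so one chatty user is refused before it can drain the node-wide budget. Time is passed in explicitly as seconds, and `TokenBucket`, `TieredLimiter` and `Verdict` are names assumed here for illustration.

```rust
use std::collections::HashMap;

/// Token bucket with explicit time (seconds) so behaviour is deterministic and testable.
pub struct TokenBucket { capacity: f64, tokens: f64, refill_per_sec: f64, last: f64 }

impl TokenBucket {
    pub fn new(capacity: f64, refill_per_sec: f64, now: f64) -> Self {
        Self { capacity, tokens: capacity, refill_per_sec, last: now }
    }
    /// Credit tokens for elapsed time (capped at capacity), then report whether `cost` fits.
    fn has(&mut self, cost: f64, now: f64) -> bool {
        let elapsed = (now - self.last).max(0.0);
        self.tokens = (self.tokens + elapsed * self.refill_per_sec).min(self.capacity);
        self.last = now;
        self.tokens >= cost
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Allowed, AccountLimited, NodeLimited }

/// Two tiers: one bucket per hosted user identity, one bucket for the machine identity.
pub struct TieredLimiter {
    node: TokenBucket,
    accounts: HashMap<String, TokenBucket>,
    account_capacity: f64,
    account_refill: f64,
}

impl TieredLimiter {
    pub fn new(node_cap: f64, node_refill: f64, acct_cap: f64, acct_refill: f64, now: f64) -> Self {
        Self { node: TokenBucket::new(node_cap, node_refill, now), accounts: HashMap::new(),
               account_capacity: acct_cap, account_refill: acct_refill }
    }

    /// Admit one outbound message of `cost` tokens from `account` at time `now`.
    /// The per-account bucket is consulted first, so a single chatty user is refused
    /// before it can exhaust the budget shared by everyone behind this machine identity.
    /// Neither bucket is charged unless both admit the message.
    pub fn check(&mut self, account: &str, cost: f64, now: f64) -> Verdict {
        let (cap, refill) = (self.account_capacity, self.account_refill);
        let bucket = self.accounts.entry(account.to_string())
            .or_insert_with(|| TokenBucket::new(cap, refill, now));
        if !bucket.has(cost, now) { return Verdict::AccountLimited; }
        if !self.node.has(cost, now) { return Verdict::NodeLimited; }
        bucket.tokens -= cost;
        self.node.tokens -= cost;
        Verdict::Allowed
    }
}
```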