CI/CD Multi-Group Implementation Plan

Multi-Tenant Pipeline Infrastructure with Agent-Based Execution

Status: Plan Complete | Project: cicd-multi | Created: 2026-01-30 | Phases: 6 | Tasks: 29

Plan Overview

6 Phases | 29 Tasks | 5 Agents | 6 Parallel Groups | 4 Decisions Required

This implementation plan transforms the single-group CI/CD infrastructure into a multi-tenant system supporting isolated groups (administrators, developers). The plan was synthesized from three AI perspectives (Claude, Gemini, Codex) with peer review feedback incorporated.

Agent Workload Distribution

PM: 2 | Architect: 2 | Security: 6 | Developer: 10 | QA: 9

Phase Breakdown

Phase 0: Discovery & Security Design (Sequential → Parallel A)
  • [PM] 0.1 Inventory Current CI/CD Infrastructure (SEQ)
  • [Security] 0.2 Threat Modeling for Multi-Tenant Boundaries (Parallel A)
  • [Architect] 0.3 System Architecture Design (Parallel A)
Phase 1: Shared Infrastructure Foundation (Sequential → Parallel B → Sequential)
  • [Developer] 1.1 Create Shared Skills Directory (SEQ)
  • [Security] 1.2 Update Admin Runner Configuration (Parallel B)
  • [Developer] 1.3 Create Administrator Symlinks (Parallel B)
  • [QA] 1.4 Create Skeleton CI Pipeline (Parallel B)
  • [QA] 1.5 Validate Administrator Workflow (SEQ)
Phase 2: Core Implementation (Parallel C → Sequential)
  • [Developer] 2.1 Pipeline Library Design & Implementation (Parallel C)
  • [Security] 2.2 Keycloak Group Mapper Configuration (Parallel C)
  • [Security] 2.3 Create Per-Group GitLab Tokens (Parallel C)
  • [Developer] 2.4 Dashboard JWT Group Extraction (SEQ)
Phase 3: Integration & Testing (Sequential → Parallel D)
  • [Developer] 3.1 Dashboard Multi-Tenant Integration (SEQ)
  • [QA] 3.2 Pipeline Testing with Administrators (Parallel D)
  • [Developer] 3.3 Label Replication to Developers Group (Parallel D)
  • [Security] 3.4 Secrets Access Audit (Parallel D)
Phase 4: Developer Environment Setup (Sequential → Parallel E)
  • [Security] 4.1 Register Dev Runner (SEQ)
  • [Developer] 4.2 Dashboard Deployment (Parallel E)
  • [Developer] 4.3 Bootstrap websurfinmurf Environment (Parallel E)
  • [QA] 4.4 Create Test Project in Developers Group (Parallel E)
Phase 5: Validation & Finalization (Parallel F → Sequential)
  • [QA] 5.1 Dashboard Isolation Test (Parallel F)
  • [QA] 5.2 Runner Isolation Test (Parallel F)
  • [QA] 5.3 Pipeline Config Selection Test (Parallel F)
  • [QA] 5.4 Failure Isolation Test (SEQ)
  • [QA] 5.5 Finalize GitLab CI Pipeline (SEQ)

Timeline Visualization

Phase 0: SEQ → A
Phase 1: SEQ → B → SEQ
Phase 2: C → SEQ
Phase 3: SEQ → D
Phase 4: SEQ → E
Phase 5: F → SEQ

Dependency Graph

graph TD
    subgraph "Phase 0: Discovery"
        T0.1[0.1 Inventory] --> T0.2[0.2 Threat Model]
        T0.1 --> T0.3[0.3 Architecture]
    end
    subgraph "Phase 1: Foundation"
        T1.1[1.1 Shared Skills]
        T1.2[1.2 Runner Config]
        T1.3[1.3 Symlinks]
        T1.4[1.4 Skeleton CI]
        T1.5[1.5 Validate]
    end
    subgraph "Phase 2: Implementation"
        T2.1[2.1 Pipeline Lib]
        T2.2[2.2 Keycloak]
        T2.3[2.3 Tokens]
        T2.4[2.4 JWT]
    end
    subgraph "Phase 3: Integration"
        T3.1[3.1 Dashboard]
        T3.2[3.2 Test Pipeline]
        T3.3[3.3 Labels]
        T3.4[3.4 Audit]
    end
    subgraph "Phase 4: Dev Setup"
        T4.1[4.1 Dev Runner]
        T4.2[4.2 Deploy]
        T4.3[4.3 websurfinmurf]
        T4.4[4.4 Test Project]
    end
    subgraph "Phase 5: Validation"
        T5.1[5.1 Dashboard Test]
        T5.2[5.2 Runner Test]
        T5.3[5.3 Config Test]
        T5.4[5.4 Failure Test]
        T5.5[5.5 Final CI]
    end
    T0.2 --> T1.1
    T0.3 --> T1.1
    T1.1 --> T1.2
    T1.1 --> T1.3
    T1.1 --> T1.4
    T1.2 --> T1.5
    T1.3 --> T1.5
    T1.4 --> T1.5
    T1.5 --> T2.1
    T1.5 --> T2.2
    T1.5 --> T2.3
    T2.2 --> T2.4
    T2.1 --> T3.2
    T2.1 --> T3.3
    T2.4 --> T3.1
    T2.3 --> T3.1
    T2.3 --> T3.4
    T3.2 --> T4.1
    T3.1 --> T4.2
    T4.1 --> T4.3
    T4.1 --> T4.4
    T4.2 --> T5.1
    T4.3 --> T5.1
    T4.4 --> T5.2
    T4.4 --> T5.3
    T5.1 --> T5.4
    T5.2 --> T5.4
    T5.3 --> T5.4
    T5.4 --> T5.5

Decisions Required

| ID | Decision                 | Options                                     | Impact                   | Blocks             |
|----|--------------------------|---------------------------------------------|--------------------------|--------------------|
| D1 | Dashboard framework      | Next.js (current), Remix, SvelteKit         | Development approach     | Phase 2: Task 2.4  |
| D2 | Token rotation strategy  | Manual, Automated via vault, GitLab native  | Ongoing maintenance      | Phase 3: Task 3.4  |
| D3 | Second developer user    | websurfinmurf only, add more users          | Phase 4 scope            | Phase 4: Task 4.3  |
| D4 | Additional group support | 2 groups now, design for N groups           | Architecture scalability | Phase 0: Task 0.3  |

Success Criteria

| Test                               | Expected Result                        |
|------------------------------------|----------------------------------------|
| Administrator logs into dashboard  | Sees only administrators/* projects    |
| websurfinmurf logs into dashboard  | Sees only developers/* projects        |
| Admin job submitted                | Picked up by admin-runner only         |
| Dev job submitted                  | Picked up by dev-runner only           |
| Security scan (admin)              | Blocking (fails pipeline if issues)    |
| Security scan (dev)                | Advisory (pipeline continues)          |
| Break developers/cicd              | administrators/cicd unaffected         |
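The first two success criteria (dashboard isolation, tasks 2.2 and 2.4) as an added example that is not part of this plan or its project: the dashboard verifies the token's signature, reads the group claim, and filters the project list by top-level namespace, so a forged claim is rejected rather than trusted. It assumes the Keycloak mapper emits a claim named `groups` holding paths like `/administrators`, and uses an HS256 shared secret in place of Keycloak's RS256 realm key so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only. A real dashboard would verify RS256
# tokens against the Keycloak realm's public key (JWKS), never a shared secret.
SECRET = b"example-only-shared-secret"

# Constructed inventory mirroring the plan's two groups.
PROJECTS = ["administrators/cicd", "administrators/dashboard",
            "developers/cicd", "developers/app"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(groups, key=SECRET) -> str:
    """Build a constructed HS256 JWT carrying a 'groups' claim (test fixture)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "user", "groups": groups}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def extract_groups(token: str, key=SECRET) -> list:
    """Verify the signature first, then return the 'groups' claim (assumed name)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the expected algorithm; never let the token choose (e.g. "none").
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Keycloak group paths look like "/administrators"; normalise to bare names.
    return [g.strip("/") for g in claims.get("groups", [])]


def is_valid(token: str, key=SECRET) -> bool:
    """True only if the token verifies; used to show a tampered claim is refused."""
    try:
        extract_groups(token, key)
        return True
    except ValueError:
        return False


def visible_projects(groups, projects=PROJECTS) -> list:
    """Return only projects whose top-level namespace matches one of the groups."""
    allowed = set(groups)
    return [p for p in projects if p.split("/", 1)[0] in allowed]
```

A user whose token carries no mapped group sees an empty list, which is the safe default for the "sees only" rows above.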