id: T012
name: PlasmaVMC tenancy + persistence hardening
status: complete
goal: Scope VM CRUD by org/project and persist VM state so restarts are safe
priority: P0
owner: peerA (strategy) + peerB (implementation)
created: 2025-12-08
context: |
  T011 delivered functional KvmBackend + gRPC VmService but uses shared in-memory DashMap.
  Today get/list expose cross-tenant visibility and state is lost on server restart.
  ChainFire is the intended durable store; use it (or a stub) to survive restarts.
acceptance:
  - VmService list/get enforce org_id + project_id scoping; no cross-tenant leaks
  - VM + handle metadata persisted (ChainFire or stub) and reloaded on server start
  - Basic grpcurl or integration smoke proves lifecycle and scoping with KVM env
steps:
  - step: S1
    action: Tenant-scoped maps and API filters
    priority: P0
    status: complete
    owner: peerB
    notes: |
      Key VM/handle storage by (org_id, project_id, vm_id) and gate list/get on requester context.
      Ensure existing KVM backend handles remain compatible.
    deliverables:
      - list/get filtered by org/project
      - cross-tenant access returns NOT_FOUND or permission error
  - step: S2
    action: Persist VM + handle state
    priority: P0
    status: complete
    owner: peerB
    notes: |
      Use ChainFire client (preferred) or disk stub to persist VM metadata/handles on CRUD.
      Load persisted state on server startup to allow status/stop/kill after restart.
    deliverables:
      - persistence layer with minimal schema
      - startup load path exercised
  - step: S3
    action: gRPC smoke (env-gated)
    priority: P1
    status: complete
    owner: peerB
    notes: |
      grpcurl (or integration test) that creates/starts/status/stops VM using KVM env.
      Verify tenant scoping behavior via filter or multi-tenant scenario when feasible.
    deliverables:
      - "script or #[ignore] test proving lifecycle works via gRPC"
blockers: []
evidence:
  - cmd: cd plasmavmc && cargo test -p plasmavmc-server
  - cmd: cd plasmavmc && cargo test -p plasmavmc-server -- --ignored
  - path: plasmavmc/crates/plasmavmc-server/src/vm_service.rs
  - path: plasmavmc/crates/plasmavmc-server/tests/grpc_smoke.rs
notes: |
  Primary risks: tenancy leakage, state loss on restart.
  This task hardens server ahead of wider use.