Multi-Tenant Design

EnergyAS is a shared protocol, but each watcher operates in complete isolation. No watcher can interfere with another's data, projects, or attesters.

Tenant Hierarchy

EnergyRegistry (single instance per network)
├── Watcher 1: "Solar Co" (owner: 0xAlice)
│   ├── Project 1: "Farm A" (generator)
│   │   ├── Attester: 0xIoTDevice1
│   │   └── Attester: 0xAlice (manual backup)
│   └── Project 2: "Farm B" (generator)
│       └── (inherits watcher-wide attester: 0xAuditor)
│
└── Watcher 2: "Wind Co" (owner: 0xBob)
    └── Project 3: "Turbine Park" (generator)
        └── Attester: 0xIoTDevice2

Isolation Guarantees

Watcher A's attesters cannot attest to Watcher B's projects
Watcher A's owner cannot register projects under Watcher B
Watcher A's owner cannot add attesters to Watcher B's projects
Energy accumulators are tracked separately per project and per watcher
Revocations on one project do not affect other projects

All isolation is enforced at the EVM level — it is not possible to bypass these checks, even with direct contract calls.

Roles & Permissions

Contract Owner (deployer)
  → Authorize/deauthorize resolvers
  → Pause/unpause resolver
  → Cannot manage watchers or projects

Energy Type Admin (separate from owner, transferable)
  → Register and remove energy source types

Watcher Owner (wallet that called registerWatcher)
  → Register/deregister projects
  → Add/remove attesters (per-project and watcher-wide)
  → Transfer projects between watchers
  → Transfer watcher ownership
  → Set project metadata URIs

Attester (whitelisted wallet)
  → Submit energy attestations for authorized projects
  → Revoke own attestations

Anyone
  → Register a new watcher
  → Read all public data (totals, project info, etc.)

Note

Warning: For production deployments, use a multisig (e.g., Gnosis Safe) as the watcher owner instead of an EOA. This prevents key loss from disabling watcher management.