Skip to main content

Tenancy & Row-Level Security

Every tenant-scoped table enforces isolation at the Postgres layer:

ALTER TABLE identity.organisations ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON identity.organisations
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

Each request sets app.tenant_id inside a transaction before any tenant-scoped query runs. The tenant-scoped Prisma client in @constellation-platform/db does this automatically when you use withTenantAuth on your API route.

Route wrapping rule

In the catalog and directory apps, every withAuth(...) must be paired with withTenantAuth(...). Enforced by npm run check:routes in CI.

Escape hatch: add // @route-wrap: skip <reason> directly above the route handler only when it provably does not touch tenant data (e.g. health checks).

Stub — full reference (policy patterns, cross-tenant admin paths, RLS testing) to be migrated in a follow-up PR.