Skip to main content
Tenant isolation is enforced by managed Postgres Row-Level Security. The setTenantContext middleware runs SET LOCAL app.current_organization_id = '<org_id>' on every request; RLS policies on every tenant-scoped table reject rows where the org ID does not match.

Coverage migrations

Standard policy model

Every tenant-scoped table has 4 policies (tenant_select, tenant_insert, tenant_update, tenant_delete) all using the helper has_tenant_access(organization_id).

Background worker safety

The workflow engine acquires a connection via executeInOrgScope, which opens a transaction and runs SET LOCAL app.current_organization_id = '<org_id>' before any reads or writes. Queries inherit the tenant scope automatically.