Tenant isolation is enforced by PostgreSQL Row-Level Security. The setTenantContext middleware runs SET LOCAL app.current_organization_id = '<org_id>' on every request; RLS policies on every tenant-scoped table reject rows where the org ID does not match.
Coverage migrations
| Migration | Tables |
|---|---|
| 044 | Multi-tenant enhancements |
| 080 | Event store |
| 113 | Agent workflow tables (4 tables) |
| 124 | Missing RLS policies (13 tables) |
| 125 | Complete RLS coverage (42 tables) + developer_api_keys |
| 154 | Standardized RLS on 12 tables (M138–M153) — 4-policy has_tenant_access() |
| 158 | FORCE ROW LEVEL SECURITY completeness sweep |
Standard policy model
Every tenant-scoped table has 4 policies (tenant_select, tenant_insert, tenant_update, tenant_delete) all using the helper has_tenant_access(organization_id).
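A catalog query for checking a live database against this model, added here as an example and not taken from the project's migrations. It assumes a table is tenant-scoped when it has an organization_id column; the policy names and the has_tenant_access helper are the ones named on this page.

```sql
-- Added audit query (not from the project's migrations).
-- Assumption: a table is tenant-scoped if it has an organization_id column.
WITH tenant_tables AS (
    SELECT n.nspname AS schema_name, c.relname AS table_name,
           c.relrowsecurity, c.relforcerowsecurity
    FROM pg_class c
    JOIN pg_namespace n ON n.oid = c.relnamespace
    WHERE c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
      AND n.nspname NOT IN ('pg_catalog', 'information_schema')
      AND EXISTS (
          SELECT 1 FROM pg_attribute a
          WHERE a.attrelid = c.oid
            AND a.attname = 'organization_id'
            AND NOT a.attisdropped
      )
),
expected(policyname, cmd) AS (
    VALUES ('tenant_select', 'SELECT'),
           ('tenant_insert', 'INSERT'),
           ('tenant_update', 'UPDATE'),
           ('tenant_delete', 'DELETE')
)
SELECT t.schema_name,
       t.table_name,
       t.relrowsecurity      AS rls_enabled,
       t.relforcerowsecurity AS rls_forced,
       -- expected policies that are absent or do not call the helper
       array_agg(e.policyname ORDER BY e.policyname)
           FILTER (WHERE p.policyname IS NULL) AS missing_or_nonstandard
FROM tenant_tables t
CROSS JOIN expected e
LEFT JOIN pg_policies p
       ON p.schemaname = t.schema_name
      AND p.tablename  = t.table_name
      AND p.policyname = e.policyname
      AND p.cmd        = e.cmd
      -- INSERT policies carry only with_check; the others carry qual
      AND COALESCE(p.qual, p.with_check) LIKE '%has_tenant_access(%'
GROUP BY t.schema_name, t.table_name, t.relrowsecurity, t.relforcerowsecurity
HAVING NOT t.relrowsecurity
    OR NOT t.relforcerowsecurity
    OR count(p.policyname) < 4
ORDER BY t.schema_name, t.table_name;
```

An empty result means every such table has RLS enabled and forced with all four policies. FORCE matters because without it the table owner is exempt from the table's policies.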
Background worker safety
The workflow engine acquires a connection via executeInOrgScope(), which opens a transaction and runs SET LOCAL app.current_organization_id = '<org_id>' before any reads or writes. Queries inherit the tenant scope automatically.