setTenantContext middleware runs SET LOCAL app.current_organization_id = '<org_id>' on every request; RLS policies on every tenant-scoped table reject rows where the org ID does not match.
Coverage migrations
Standard policy model
Every tenant-scoped table has 4 policies (tenant_select, tenant_insert, tenant_update, tenant_delete) all using the helper has_tenant_access(organization_id).
Background worker safety
The workflow engine acquires a connection viaexecuteInOrgScope, which opens a transaction and runs SET LOCAL app.current_organization_id = '<org_id>' before any reads or writes.
Queries inherit the tenant scope automatically.