> ## Documentation Index
> Fetch the complete documentation index at: https://docs.medera.info/llms.txt
> Use this file to discover all available pages before exploring further.

# Row-Level Security

> Tenant isolation at the database layer

Tenant isolation is enforced by managed Postgres Row-Level Security. The `setTenantContext` middleware runs `SET LOCAL app.current_organization_id = '<org_id>'` on every request; RLS policies on every tenant-scoped table reject rows where the org ID does not match.

## Coverage migrations

| Migration | Tables                                                           |
| :-------- | :--------------------------------------------------------------- |
| 044       | Multi-tenant enhancements                                        |
| 080       | Event store                                                      |
| 113       | Agent workflow tables (4 tables)                                 |
| 124       | Missing RLS policies (13 tables)                                 |
| 125       | Complete RLS coverage (42 tables) + `developer_api_keys`         |
| 154       | Standardized RLS on 12 tables (–) — 4-policy `has_tenant_access` |
| 158       | FORCE ROW LEVEL SECURITY completeness sweep                      |

## Standard policy model

Every tenant-scoped table has 4 policies (`tenant_select`, `tenant_insert`, `tenant_update`, `tenant_delete`) all using the helper `has_tenant_access(organization_id)`.

## Background worker safety

The workflow engine acquires a connection via `executeInOrgScope`, which opens a transaction and runs `SET LOCAL app.current_organization_id = '<org_id>'` before any reads or writes.

Queries inherit the tenant scope automatically.
