Tenant Isolation / Postgres RLS

Postgres + RLS is the canonical runtime persistence path.

Pattern:

tenant_id = app_current_tenant_id()

Application code sets the tenant context at the start of each request or worker transaction. A missing tenant context fails closed: the policy predicate does not evaluate to true, so no rows are visible or writable.

Rules:

  • Every tenant-owned table has tenant_id.
  • Do not rely only on application-level filters.
  • Runtime uses the app role, not the migration/admin role.
  • SQLite is an explicit local-development convenience only (it has no row-level security).
  • Compliance control definitions are global reference rows; tenant_control_status is tenant-owned and covered by RLS.
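
A worked schema for the pattern and rules above, as an added example rather than the project's own migration: it assumes `app_current_tenant_id()` reads a transaction-scoped setting named `app.tenant_id`, that the runtime role is called `app_runtime`, and that `tenant_control_status` has the columns shown (all of these are assumptions, not taken from the project).

```sql
-- Added example, not the project's schema. Assumed: setting name app.tenant_id,
-- role name app_runtime, and the column list of tenant_control_status.

-- Resolve the tenant from per-transaction context. missing_ok = true makes
-- current_setting() return NULL instead of raising when the setting was never
-- set; NULLIF turns the empty string left by RESET into NULL as well.
CREATE OR REPLACE FUNCTION app_current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

CREATE TABLE tenant_control_status (
  tenant_id  uuid NOT NULL,
  control_id text NOT NULL,   -- points at a global control definition row
  status     text NOT NULL,
  PRIMARY KEY (tenant_id, control_id)
);

-- Enable RLS and force it for the table owner too, so only superusers and
-- BYPASSRLS roles ever see unfiltered rows.
ALTER TABLE tenant_control_status ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_control_status FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes. With no tenant context the function
-- returns NULL, "tenant_id = NULL" is never true, and nothing matches:
-- SELECT yields no rows and INSERT/UPDATE fail the WITH CHECK clause.
CREATE POLICY tenant_isolation ON tenant_control_status
  USING (tenant_id = app_current_tenant_id())
  WITH CHECK (tenant_id = app_current_tenant_id());

-- The runtime role gets DML on the table but no ownership and no BYPASSRLS;
-- migrations run as a separate, privileged role.
CREATE ROLE app_runtime LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_control_status TO app_runtime;

-- Per-request usage as app_runtime. SET LOCAL scopes the context to this
-- transaction, so it cannot leak to the next request on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001'; -- constructed id
SELECT control_id, status FROM tenant_control_status;
COMMIT;

-- Fail-closed check: outside any SET LOCAL the context is unset, so this
-- query returns no rows instead of every tenant's rows.
SELECT control_id, status FROM tenant_control_status;
```

Run the DDL as the migration/admin role and the transaction block as `app_runtime`; if the last query returns rows, either RLS is not forced or the connection is using a role that bypasses it.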

Verification:

make test-postgres
make test-postgres-runtime