Multi-tenancy and row-level safety

Scope

This document defines the mandatory tenant isolation model across API, domain, and storage access.

Invariants

  • Every request must resolve exactly one tenant context.
  • Every data operation must include tenant predicates.
  • Background jobs must carry explicit tenant identity.
  • Cross-tenant reads and writes are rejected by default.

Failure Modes

  • Missing tenant predicate in a resolver or repository path.
  • Service-layer methods called without scoped tenant context.
  • Batch jobs that aggregate across tenants unintentionally.
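The invariants and failure modes above, expressed as an added example (not code from this document or its project) of a scoping layer that refuses unscoped data operations: the tenant is resolved once per request or job, every repository path applies the tenant predicate itself, a cross-tenant write is rejected, and a batch job must name its tenant explicitly. The table layout, tenant identifiers and names such as `ScopedRepository` are constructed for illustration.

```python
import contextvars
from typing import Optional

class TenantContextError(RuntimeError):
    """Raised when a data operation runs without a single resolved tenant."""

# Request/job-local tenant identity; None means "not resolved" and is never a valid scope.
_current_tenant: contextvars.ContextVar[Optional[str]] = contextvars.ContextVar("tenant", default=None)

class tenant_scope:
    """Resolves exactly one tenant for the enclosed block; refuses to re-scope to another."""
    def __init__(self, tenant_id: str) -> None:
        self.tenant_id = tenant_id
    def __enter__(self) -> "tenant_scope":
        existing = _current_tenant.get()
        if existing is not None and existing != self.tenant_id:
            raise TenantContextError(f"ambiguous tenant context: {existing} vs {self.tenant_id}")
        self._token = _current_tenant.set(self.tenant_id)
        return self
    def __exit__(self, *exc) -> None:
        _current_tenant.reset(self._token)

def current_tenant() -> str:
    tenant = _current_tenant.get()
    if tenant is None:
        raise TenantContextError("data operation attempted without tenant context")
    return tenant

def sample_rows() -> list:
    # Constructed sample table: every row carries its owning tenant.
    return [
        {"id": 1, "tenant_id": "t-acme", "amount": 10},
        {"id": 2, "tenant_id": "t-acme", "amount": 25},
        {"id": 3, "tenant_id": "t-globex", "amount": 40},
    ]

class ScopedRepository:
    """Every read and write is narrowed by the resolved tenant; there is no unscoped path."""
    def __init__(self, rows: list) -> None:
        self._rows = rows
    def list_invoices(self) -> list:
        tenant = current_tenant()              # raises if no tenant was resolved
        return [r for r in self._rows if r["tenant_id"] == tenant]
    def update_amount(self, row_id: int, amount: int) -> bool:
        tenant = current_tenant()
        for r in self._rows:
            if r["id"] == row_id and r["tenant_id"] == tenant:
                r["amount"] = amount
                return True
        return False                           # row belongs to another tenant: rejected

def invoice_total_job(repo: ScopedRepository, tenant_id: str) -> int:
    """Background job: tenant identity is an explicit argument, never inherited implicitly."""
    with tenant_scope(tenant_id):
        return sum(r["amount"] for r in repo.list_invoices())
```

A repository method that forgets to call `current_tenant()` is the "missing tenant predicate" failure mode; keeping the predicate inside the repository rather than in each caller is what makes the check hard to skip.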

Out of Scope

  • Internal database schema details.
  • Specific RLS policy SQL definitions.
  • Customer-specific isolation exceptions.