Tenant RLS Rules

FATAL Constraints

• NEVER create an RLS policy without first executing ALTER TABLE ... ENABLE ROW LEVEL SECURITY. HALT if RLS is not enabled on the target table.
• NEVER extract tenant_id from a user-supplied parameter. The ONLY permitted source is auth.jwt() -> 'app_metadata' ->> 'tenant_id'.
• NEVER grant any RLS policy to the anon role on tenant-scoped tables.
• NEVER use USING (true) or WITH CHECK (true) on any tenant-scoped table.
• MUST NOT create policies on tables lacking a tenant_id column. HALT and report the missing column.
• MUST NOT combine tenant isolation policies with SECURITY DEFINER functions that bypass RLS unless the function explicitly sets SET search_path and re-checks tenant_id.

Mandatory Behaviors

• MUST scope every policy to the authenticated role exclusively.
• MUST create exactly four policies per table: SELECT, INSERT, UPDATE, DELETE.
• MUST cast the extracted JWT claim to match the tenant_id column type (e.g., ::uuid).
• MUST verify policy creation by querying pg_policies after every CREATE POLICY statement.
• MUST wrap all policy creation statements in a single migration file.
• MUST name policies with a tenant_ prefix followed by the operation (e.g., tenant_select, tenant_insert).
• MUST confirm custom-access-token-hook is deployed before executing any phase.