Tenant Isolation

Preventing cross-tenant data leaks is the #1 security priority for any SaaS. ContractSpec employs "Defense in Depth" to ensure safety.

Layer 1: RLS Middleware

The primary defense is the Prisma middleware that rewrites queries to include WHERE tenantId = ?. This protects against developer error (forgetting to filter).

Layer 2: Isolation Validator

For high-security environments, you can use the IsolationValidator in your test suite to verify that every query generated by your operations actually includes the tenant ID.

import { IsolationValidator } from '@lssm/lib.multi-tenancy/isolation';

test('findUser query is isolated', () => {
  const isValid = IsolationValidator.validateQuery(
    'User',
    'findFirst',
    args,
    'tenant-123'
  );
  expect(isValid).toBe(true);
});

Layer 3: Policy Engine

The Policy Decision Point (PDP) verifies that the authenticated user actually belongs to the requested tenant before any operation logic runs.