Fail-closed tenancy, end to end
A tour of the middleware, GUCs, and RLS policies that make a missing tenant context a hard rejection instead of a silent default.
The cheapest tenant leak is the one that cannot happen. Our middleware refuses any request that cannot prove its tenant, and the database refuses any query that runs without the tenant GUC (a per-transaction setting the policies read through current_setting()) in place.
We never COALESCE an unset GUC to a default tenant: current_setting(name, true) returns NULL for a missing setting, and wrapping that in COALESCE turns a configuration mistake into a cross-tenant read with no error anywhere. Instead, an unset context raises, the request fails closed, and an alert fires on the error.
Row-level security is enabled and FORCED on every tenant table (so the policies bind the table owner too), the application role is neither a superuser nor BYPASSRLS, and every INSERT stamps its tenant_id from the context, with the policy's WITH CHECK clause rejecting any row that claims a different tenant. The result is defense in depth where each layer assumes the others might fail.
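The whole chain described above, written out as an added PostgreSQL example that is not the post's own schema: the schema name app, the setting name app.tenant_id, the role app_rw, the table documents and the sample tenant UUID are assumptions made for illustration. The fail-open COALESCE shape appears only in a comment, for contrast.

```sql
-- Added example, not the post's own code. Names (schema "app", setting
-- "app.tenant_id", role "app_rw", table "documents") are assumptions.

CREATE SCHEMA IF NOT EXISTS app;

-- The only sanctioned way to read the tenant GUC. With missing_ok = true,
-- current_setting() returns NULL (or '' after a SET LOCAL has expired)
-- instead of raising, so this function does the raising itself:
-- no tenant context, no answer.
CREATE OR REPLACE FUNCTION app.current_tenant_id() RETURNS uuid
LANGUAGE plpgsql STABLE AS $$
DECLARE
  raw text := current_setting('app.tenant_id', true);
BEGIN
  IF raw IS NULL OR raw = '' THEN
    RAISE EXCEPTION 'tenant context not set'
      USING ERRCODE = 'insufficient_privilege';   -- SQLSTATE 42501
  END IF;
  RETURN raw::uuid;
END
$$;

-- Fail-open anti-pattern the post warns against, shown only for contrast.
-- An unset GUC silently becomes some default tenant and every query
-- answers for that tenant instead of erroring:
--   COALESCE(current_setting('app.tenant_id', true)::uuid, <default tenant>)

CREATE TABLE app.documents (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  -- Every INSERT is stamped from the context. The DEFAULT itself raises
  -- when the context is missing, so an unstamped row cannot exist.
  tenant_id uuid NOT NULL DEFAULT app.current_tenant_id(),
  title     text NOT NULL
);

-- FORCE makes the policies apply to the table owner as well, so a
-- migration or admin session on this table fails closed the same way.
ALTER TABLE app.documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE app.documents FORCE ROW LEVEL SECURITY;

-- One policy for all commands: rows are visible (USING) and writable
-- (WITH CHECK) only when tenant_id equals the context. Because the
-- function raises on a missing context, the predicate never degrades to
-- "false for every row"; the statement errors instead.
CREATE POLICY tenant_isolation ON app.documents
  FOR ALL
  USING      (tenant_id = app.current_tenant_id())
  WITH CHECK (tenant_id = app.current_tenant_id());

-- The application role. NOSUPERUSER and NOBYPASSRLS are what make the
-- policies binding: a superuser, or any role with BYPASSRLS, is not
-- subject to RLS no matter how the policies are written.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT USAGE ON SCHEMA app TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.documents TO app_rw;

-- What the middleware does per request, connected as app_rw. SET LOCAL
-- scopes the context to this transaction, so a pooled connection handed
-- back to the pool carries no tenant into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- from the verified request identity
INSERT INTO app.documents (title) VALUES ('quarterly report');      -- tenant_id stamped by DEFAULT
SELECT id, tenant_id, title FROM app.documents;                     -- only this tenant's rows
COMMIT;

-- Outside that transaction the context is gone, and nothing defaults:
--   SELECT * FROM app.documents;
--   ERROR:  tenant context not set
-- An INSERT that claims another tenant's id is caught by WITH CHECK:
--   INSERT INTO app.documents (tenant_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'x');
--   ERROR:  new row violates row-level security policy for table "documents"
```

Two things to check when adopting this shape: the middleware must set the GUC with SET LOCAL inside the transaction rather than a session-level SET, otherwise a transaction-pooling proxy can hand the next request a connection that still remembers the previous tenant; and the alert on SQLSTATE 42501 from this function is the signal that a code path reached the database without going through the tenant-resolving middleware, which is exactly the configuration mistake the COALESCE pattern would have hidden.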