
Fail-closed tenancy, end to end

A tour of the middleware, GUCs, and RLS policies that make a missing tenant context a hard rejection instead of a silent default.

The cheapest tenant leak is the one that never compiles. Our middleware refuses any request that cannot prove its tenant, and the database refuses any query that runs without the tenant GUC set.

We never COALESCE an unset GUC to a default tenant — that pattern quietly turns a configuration mistake into a cross-tenant read. Instead, an unset context raises, the request fails closed, and an alert fires.

Row-level security is FORCED on every tenant table, the application role carries no BYPASSRLS, and every INSERT stamps its tenant_id. The result is defense in depth where each layer assumes the others might fail.
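The layers described above, sketched for PostgreSQL as an added example (not this platform's own code). The schema `app`, table `documents`, role `app_user`, GUC `app.tenant_id` and helper `app.current_tenant()` are all hypothetical names, and the script is assumed to run as a superuser in a scratch database.

```sql
-- Added example; schema, table, role and GUC names are hypothetical.
CREATE SCHEMA app;
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;

-- Raises when the GUC is unset. A custom GUC reads as NULL if never set and
-- as '' after a SET LOCAL has rolled off, so both count as "no tenant".
CREATE FUNCTION app.current_tenant() RETURNS uuid
LANGUAGE plpgsql STABLE AS $$
DECLARE
  v text := current_setting('app.tenant_id', true);
BEGIN
  IF v IS NULL OR v = '' THEN
    RAISE EXCEPTION 'tenant context not set' USING ERRCODE = 'insufficient_privilege';
  END IF;
  RETURN v::uuid;  -- a malformed value also raises here
END $$;

CREATE TABLE app.documents (
  id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  tenant_id uuid NOT NULL DEFAULT app.current_tenant(),  -- INSERT stamps tenant
  body      text NOT NULL
);
ALTER TABLE app.documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE app.documents FORCE ROW LEVEL SECURITY;  -- table owner is subject too

-- Contrast, the pattern the post rejects (not created here):
--   USING (tenant_id = COALESCE(current_setting('app.tenant_id', true), '<default>')::uuid)
CREATE POLICY tenant_isolation ON app.documents FOR ALL TO app_user
  USING      (tenant_id = app.current_tenant())
  WITH CHECK (tenant_id = app.current_tenant());

GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.documents TO app_user;

-- Request with tenant context (constructed tenant id), scoped to the transaction.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '00000000-0000-0000-0000-000000000001', true);
INSERT INTO app.documents (body) VALUES ('hello');
COMMIT;

-- Request without context: rejected with "tenant context not set",
-- not answered with an empty or default-tenant result.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM app.documents;
ROLLBACK;
```

Setting the GUC with `set_config(..., true)` inside the transaction keeps the tenant from surviving on a pooled connection, which is why the second request sees no context at all.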
