
Security: Implement Cross-Tenant Data Isolation Enforcement with Automated Tests #522

Description

@Smartdevs17

Context

Multi-tenant systems risk data leakage between tenants if isolation is not rigorously enforced.

Current Limitation/Problem

Tenant isolation currently relies on every query being written correctly. There is no automated enforcement or test that prevents one tenant from accessing another tenant's data.

Expected Outcome

A cross-tenant data isolation audit framework that automatically tests all API endpoints and database queries for tenant boundary violations, with CI enforcement.

Acceptance Criteria

  • Define tenant context propagation (header-based: X-Merchant-ID)
  • Middleware that validates the tenant context on every request, checking the header against the authenticated principal's tenant rather than trusting the header alone
  • Automated test suite: for each endpoint, attempt to access another tenant's data
  • Database-level: verify that every query against a tenant-scoped table carries a tenant_id filter
  • PostgreSQL Row-Level Security (RLS) as defense-in-depth
  • Prisma middleware automatically appends a tenant_id filter to reads, updates and deletes, and sets tenant_id on creates
  • CI gate: any test showing cross-tenant access fails the build
  • Audit: cross-tenant access attempts logged for security review
  • Admin: super-admin can bypass tenant isolation (with audit)
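
As an added example (not the project's code, and not the implementation this issue tracks), the following TypeScript sketches the middleware, the Prisma-shaped scoping layer and the probe the test suite would run. It assumes a `Principal` attached to the request by earlier authentication middleware, `Order` and `Customer` as the tenant-scoped models, and a constructed in-memory `fakeDb` standing in for the Prisma client's `next()`; names such as `resolveTenant`, `tenantScope`, `TENANT_SCOPED` and `isolationSuite` are illustrative.

```typescript
// Added example, not the project's own code: tenant context resolution,
// a Prisma-middleware-shaped scoping layer and a cross-tenant probe, run
// against constructed in-memory rows. Names such as Principal, resolveTenant,
// tenantScope, TENANT_SCOPED and fakeDb are assumptions for illustration.

export type Role = 'user' | 'super_admin';
export interface Principal { id: string; role: Role; merchantId?: string }
export interface TenantRequest { headers: Record<string, string | undefined>; principal?: Principal }
export interface TenantContext { merchantId: string; actor: string; bypass: boolean }
export interface AuditEvent { kind: 'mismatch' | 'bypass' | 'leak'; actor: string; detail: string }
export const auditLog: AuditEvent[] = [];
export class TenantError extends Error {}
const MERCHANT_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed identifier format

// Tenant context middleware. The header names the tenant; the authenticated
// principal proves entitlement to it. The header alone is never trusted.
export function resolveTenant(req: TenantRequest): TenantContext {
  const header = req.headers['x-merchant-id']; // Node lowercases header names
  const p = req.principal;
  if (!p) throw new TenantError('unauthenticated');
  if (header === undefined || !MERCHANT_ID.test(header)) throw new TenantError('missing or malformed X-Merchant-ID');
  if (p.role === 'super_admin') {
    // Super-admin may act on any tenant, but every such request is audited.
    auditLog.push({ kind: 'bypass', actor: p.id, detail: `acting on ${header}` });
    return { merchantId: header, actor: p.id, bypass: true };
  }
  if (p.merchantId !== header) {
    auditLog.push({ kind: 'mismatch', actor: p.id, detail: `header ${header}, principal ${p.merchantId}` });
    throw new TenantError('X-Merchant-ID does not match the authenticated tenant');
  }
  return { merchantId: header, actor: p.id, bypass: false };
}

// Prisma's middleware parameters (Prisma.MiddlewareParams) reduced to the
// fields used here, so the example runs without the Prisma client.
export interface QueryParams { model: string; action: string; args: { where?: Record<string, unknown>; data?: Record<string, unknown> } }
export type Next = (params: QueryParams) => Promise<unknown>;
const TENANT_SCOPED = new Set(['Order', 'Customer']); // assumed tenant-scoped models

// Scoping middleware: forces tenant_id onto every read, write and create.
// Spreading our tenant_id last overrides any caller-supplied value, and a
// top-level where key is ANDed with whatever OR/NOT the caller nested below.
export function tenantScope(ctx: TenantContext) {
  return (params: QueryParams, next: Next): Promise<unknown> => {
    if (!TENANT_SCOPED.has(params.model)) return next(params);
    let action = params.action;
    const args = { ...params.args };
    if (action === 'create') {
      args.data = { ...(args.data ?? {}), tenant_id: ctx.merchantId };
    } else {
      // findUnique accepts only unique keys in `where`; rewrite it to findFirst
      // so the tenant filter can be attached instead of silently skipped.
      if (action === 'findUnique') action = 'findFirst';
      args.where = { ...(args.where ?? {}), tenant_id: ctx.merchantId };
    }
    return next({ model: params.model, action, args });
  };
}

// Constructed in-memory rows standing in for the database.
type Row = Record<string, unknown>;
export const tables: Record<string, Row[]> = {
  Order: [{ id: 'o1', tenant_id: 'm_alpha', total: 100 }, { id: 'o2', tenant_id: 'm_beta', total: 250 }],
};
export const fakeDb: Next = async ({ model, action, args }) => {
  const rows = tables[model] ?? [];
  const match = (r: Row) => Object.entries(args.where ?? {}).every(([k, v]) => r[k] === v);
  if (action === 'findFirst' || action === 'findUnique') return rows.find(match) ?? null;
  if (action === 'findMany') return rows.filter(match);
  if (action === 'create') { const r = { ...(args.data ?? {}) }; rows.push(r); return r; }
  throw new Error(`unsupported action ${action}`);
};

export const asUser = (merchantId: string): TenantRequest => ({
  headers: { 'x-merchant-id': merchantId },
  principal: { id: `user@${merchantId}`, role: 'user', merchantId },
});

// One probe of the isolation suite: look up a row known to belong to another
// tenant as `attacker`. Anything other than null is a leak and is recorded.
export async function leaks(attacker: TenantRequest, model: string, victimRowId: string): Promise<boolean> {
  const ctx = resolveTenant(attacker);
  const row = await tenantScope(ctx)({ model, action: 'findUnique', args: { where: { id: victimRowId } } }, fakeDb);
  if (row !== null) auditLog.push({ kind: 'leak', actor: ctx.actor, detail: `${model}/${victimRowId} visible` });
  return row !== null;
}

// CI gate: probe every row from a foreign tenant; a non-empty result fails the build.
export async function isolationSuite(): Promise<string[]> {
  const violations: string[] = [];
  for (const [model, rows] of Object.entries(tables)) {
    for (const victim of rows) {
      const attacker = victim.tenant_id === 'm_alpha' ? 'm_beta' : 'm_alpha';
      if (await leaks(asUser(attacker), model, String(victim.id))) violations.push(`${model}/${victim.id}`);
    }
  }
  return violations;
}
```

`resolveTenant` refuses a header that disagrees with the authenticated principal's tenant, so X-Merchant-ID acts as a selector and never as proof; a super-admin may select any tenant, and each such request lands in `auditLog`. The `findUnique` rewrite matters because, in Prisma versions without extended where-unique support, `findUnique` rejects non-unique fields in `where`, and a middleware that simply skipped that action would leave a hole. The RLS layer from the criteria is not shown here: for it to enforce the same boundary when a query bypasses the middleware, the request's tenant has to reach the database session (typically a session variable set before each transaction that the policy reads), and the migration and service-to-service paths listed under Technical Scope need the same treatment.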

Technical Scope

  • backend/src/middleware/tenant-isolation.ts - tenant context middleware
  • Prisma middleware for automatic tenant scoping
  • PostgreSQL RLS policies on all tenant-scoped tables
  • backend/tests/security/cross-tenant.spec.ts - isolation test suite
  • CI workflow for isolation tests
  • Edge cases: admin users, service-to-service calls, data migration scripts

Metadata

Assignees

No one assigned

    Labels

    • 200-points: 200 point issue
    • drips-wave: Issues in the Drips Wave program
    • high: High complexity issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests