Postgres Row-Level Security
Every tenant-scoped table enforces tenant_id at the database layer. Our application connects as a non-superuser role that cannot bypass RLS. Cross-tenant access requires defeating four independent layers — and is blocked by automated tests.