AP-TEN-001 | Tenant Isolation

Missing tenant context propagation

Flags request or workflow paths where tenant context is not clearly propagated.

warning | violation | No auto-fix

How to fix

  1. Pass tenant context through service and repository method signatures.
  2. Use explicit scoped inputs for tenant-sensitive work.
  3. Add tests that prove the tenant context reaches data access.

What it means

A tenant-scoped operation appears to lose organization, tenant, or workspace context before data access.

Why it matters

Tenant context must flow through the stack so every downstream decision can enforce isolation.

Common causes

  • A service method omits organizationId.
  • Context is read globally instead of passed explicitly.
  • A background job lacks tenant metadata.

Example bad pattern

createRepository(input) writes repository data without organizationId in the service call.

Example good pattern

createRepository({ organizationId, ...input }) carries the tenant scope through the workflow.
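
The bad and good patterns above, together with the kind of test the third fix step asks for, as an added example that is not ArchPilot's or any project's own code. `createRepository` and `organizationId` come from this page; `makeFakeDb`, `createRepositoryUnscoped`, `listRepositories`, `allRowsTenantScoped` and the shape of the `db` object are hypothetical names and a constructed in-memory stand-in for the real data-access layer.

```javascript
// Constructed in-memory store standing in for the real data-access layer.
// It keeps every written row so a test can inspect what reached it.
function makeFakeDb() {
  const rows = [];
  return {
    rows,
    repository: {
      create({ data }) { rows.push({ ...data }); return { ...data }; },
      findMany({ where }) {
        return rows.filter((r) => r.organizationId === where.organizationId);
      },
    },
  };
}

// Bad pattern: the service signature has no tenant scope, so the row is
// written without organizationId and belongs to no tenant.
function createRepositoryUnscoped(db, input) {
  return db.repository.create({ data: { name: input.name } });
}

// Good pattern: organizationId is an explicit, required input and is
// forwarded unchanged to data access.
function createRepository(db, { organizationId, ...input }) {
  if (typeof organizationId !== "string" || organizationId === "") {
    throw new Error("createRepository: organizationId is required");
  }
  return db.repository.create({ data: { organizationId, name: input.name } });
}

// Reads take the same explicit scope; there is no unscoped list call.
function listRepositories(db, { organizationId }) {
  if (typeof organizationId !== "string" || organizationId === "") {
    throw new Error("listRepositories: organizationId is required");
  }
  return db.repository.findMany({ where: { organizationId } });
}

// Test helper: true only if every stored row carries a tenant scope.
function allRowsTenantScoped(db) {
  return db.rows.every((r) => typeof r.organizationId === "string");
}
```

A test built on this asserts on the arguments that reach `db.repository`, not on the service's return value, so a service that silently drops the scope fails the test.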

Related files/config

  • apps/api/src
  • apps/web/app/api
  • packages/db/prisma/schema.prisma

Related CLI commands

  • archpilot validate
  • archpilot validate --ci