AP-TEN-003 (Tenant Isolation)

Cross-tenant access risk

Flags flows that may combine or expose data across tenant boundaries.

Severity: warning | Type: violation | No auto-fix

How to fix

  1. Constrain the flow to one tenant.
  2. Add explicit administrative authorization for cross-tenant operations.
  3. Document and test any intentional global access path.

What it means

A workflow appears capable of reading, writing, or joining records from multiple tenants without explicit approval.

Why it matters

Cross-tenant access is one of the highest-impact risks in shared cloud systems: a single unscoped query can expose one customer's records to another.

Common causes

  • A global lookup is used in a tenant-scoped endpoint.
  • A join crosses organization boundaries.
  • Admin tooling reuses tenant-scoped code without clear safeguards.

Example bad pattern

A repository activity query aggregates all organizations for a member-scoped dashboard.

Example good pattern

The dashboard query scopes activity to the active organization unless an audited admin path is used.
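The following is an added illustration of the three "How to fix" steps and of the good pattern above; it is not ArchPilot's code and not taken from the described project. An in-memory array stands in for the Prisma-backed repository, and every name (`Activity`, `RequestContext`, `dashboardActivity`, `assertSingleTenant`, `auditLog`) is an assumption chosen for the example. It places the unscoped query beside the tenant-scoped one, gates the cross-tenant path behind an explicit, reasoned admin flag that is always audited, and adds an invariant check that a test for the intentional global path can reuse.

```typescript
// Added example, not the project's code. Names and data are assumptions.

interface Activity {
  id: number;
  orgId: string;   // tenant boundary: every row belongs to exactly one organization
  action: string;
}

interface RequestContext {
  userId: string;
  activeOrgId: string;   // the tenant the caller is currently acting in
  isAdmin: boolean;
  adminReason?: string;  // required to use the cross-tenant path
}

// Constructed sample rows spanning two tenants.
const ACTIVITY: Activity[] = [
  { id: 1, orgId: "org-a", action: "push" },
  { id: 2, orgId: "org-b", action: "merge" },
  { id: 3, orgId: "org-a", action: "review" },
];

// Audit sink; a real service would write to its audit log store.
const auditLog: string[] = [];

// Bad pattern: a global lookup reused inside a member-scoped endpoint.
// Equivalent to a findMany() with no tenant filter in the where clause,
// so one member's dashboard aggregates every organization's activity.
function dashboardActivityUnsafe(): Activity[] {
  return ACTIVITY;
}

// Good pattern (fix steps 1 and 2): members are always constrained to the
// active organization; the cross-tenant read needs an explicit admin flag
// plus a stated reason, and every use of it is recorded.
function dashboardActivity(ctx: RequestContext): Activity[] {
  if (ctx.isAdmin && ctx.adminReason) {
    auditLog.push(`cross-tenant read by ${ctx.userId}: ${ctx.adminReason}`);
    return ACTIVITY;
  }
  // Admin flag without a reason falls through to the tenant-scoped path.
  return ACTIVITY.filter((a) => a.orgId === ctx.activeOrgId);
}

// Fix step 3: an invariant that tests (and the member endpoint itself) can
// apply to any result set. Throws if a single-tenant response mixes tenants.
function assertSingleTenant(rows: Activity[], orgId: string): Activity[] {
  const foreign = rows.filter((a) => a.orgId !== orgId);
  if (foreign.length > 0) {
    throw new Error(
      `tenant isolation violated: ${foreign.length} row(s) outside ${orgId}`
    );
  }
  return rows;
}

// Stand-alone usage.
const member: RequestContext = { userId: "u-1", activeOrgId: "org-a", isAdmin: false };
console.log("member rows:", assertSingleTenant(dashboardActivity(member), member.activeOrgId).length);
try {
  assertSingleTenant(dashboardActivityUnsafe(), member.activeOrgId);
} catch (e) {
  console.log("unsafe query rejected:", (e as Error).message);
}
```

The important property is that the tenant filter is not something a caller opts into; the scoped path is the default and the global path is the exception that leaves an audit record. Pairing `assertSingleTenant` with the member endpoint in tests catches a regression where someone later swaps the scoped query for the global one.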

Related files/config

  • apps/api/src
  • apps/web/app/api
  • packages/db/prisma/schema.prisma

Related CLI commands

  • archpilot validate
  • archpilot validate --ci