Tenancy & data isolation
Row-Level Security (RLS) on every table across all 13 tenant schemas (public, vip, lld, produce, rehearse, staffing, sales, budget, suppliers, dispatch, spaces, logistics, intelligence, shared, platform). RLS policies match organization_id against the caller's JWT claim via current_user_org_id() — cross-tenant reads and writes are blocked at the database, not just the API. The browser anon-key client returns zero rows from every multi-tenant schema. Every server-side query is filtered by organization_id, verified by an org-scoping CI lint covering all 13 schemas. New tables require RLS in the same migration (CI guardrail).
PROOF → JWT-backed RLS via current_user_org_id() · anon SELECT revoked · org-scoping CI lint
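One way to implement the "RLS in the same migration" guardrail described above, as an added example that is not the vendor's own lint. It assumes PostgreSQL-dialect migration files; `check_migration`, the sample tables and the policy names are hypothetical, and only `organization_id` and `current_user_org_id()` come from the page. It goes slightly beyond the stated rule by also requiring a policy that references `current_user_org_id()`.

```python
import re

# Assumptions: PostgreSQL-dialect migrations; the sample tables below are constructed.
ORG_FN = "current_user_org_id("
_COMMENTS = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_QUAL = r'(?:"?(?P<schema>[A-Za-z_][\w$]*)"?\s*\.\s*)?"?(?P<table>[A-Za-z_][\w$]*)"?'
_CREATE = re.compile(rf"\bCREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?{_QUAL}", re.I)
_ENABLE = re.compile(
    rf"\bALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:ONLY\s+)?{_QUAL}\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY", re.I)
_POLICY = re.compile(
    rf'\bCREATE\s+POLICY\s+(?:"[^"]+"|\S+)\s+ON\s+{_QUAL}(?P<body>[^;]*);', re.I)


def _name(match):
    """Normalise to schema.table, defaulting unqualified names to public."""
    return f"{(match.group('schema') or 'public').lower()}.{match.group('table').lower()}"


def check_migration(sql_text):
    """Map each table created in this migration to its RLS findings."""
    sql = _COMMENTS.sub(" ", sql_text)  # a commented-out ENABLE must not count
    enabled = {_name(m) for m in _ENABLE.finditer(sql)}
    scoped = {_name(m) for m in _POLICY.finditer(sql) if ORG_FN in m.group("body").lower()}
    findings = {}
    for m in _CREATE.finditer(sql):
        problems = []
        if _name(m) not in enabled:
            problems.append("RLS not enabled")
        if _name(m) not in scoped:
            problems.append("no policy using current_user_org_id()")
        if problems:
            findings[_name(m)] = problems
    return findings


SAMPLE_MIGRATION = """
CREATE TABLE sales.invoices (id uuid PRIMARY KEY, organization_id uuid NOT NULL);
ALTER TABLE sales.invoices ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON sales.invoices
  USING (organization_id = current_user_org_id())
  WITH CHECK (organization_id = current_user_org_id());

CREATE TABLE budget.line_items (id uuid PRIMARY KEY, organization_id uuid NOT NULL);
-- ALTER TABLE budget.line_items ENABLE ROW LEVEL SECURITY;

CREATE TABLE dispatch.routes (id uuid PRIMARY KEY, organization_id uuid NOT NULL);
ALTER TABLE dispatch.routes ENABLE ROW LEVEL SECURITY;
CREATE POLICY open_read ON dispatch.routes FOR SELECT USING (true);
"""
```

In CI, run `check_migration` over each new migration file and fail the build when the returned mapping is non-empty. A regex scan is a coarse check and does not see tables created through dynamic SQL.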