[compliance] Tenant Isolation #81
Description
Tenant Isolation
Per-tenant database, tenant_id scoping on all queries
Rules
CON-PFM-001: See entity definition
Findings (4)
| Rule | File | Verdict | Evidence |
|---|---|---|---|
CON-PFM-001 |
packages/showcase/src/database/connection.ts |
FAIL | Lines 11-12: Single shared database file path 'DB_PATH = join(__dirname, '../../database.sqlite')' and global singleton |
CON-PFM-001 |
packages/showcase/src/database/queries.ts |
FAIL | All queries in CustomerQueries and UserQueries classes lack tenant_id scoping. Examples: 'SELECT * FROM customers WHERE |
CON-PFM-001 |
packages/showcase/src/database/types.ts |
FAIL | Database entity interfaces Customer and User lack tenant_id fields. All entity types (Customer, User) and their correspo |
CON-PFM-001 |
packages/showcase/src/types/Customer.ts |
WARN | Customer interface lacks tenant_id field. The interface defines customer data structure without any tenant scoping mecha |
Suggested Actions
- CON-PFM-001: Implement tenant-specific database connections by: 1) Accept tenant_id parameter in database functions, 2) Create separate database files per tenant (e.g.,
database_${tenantId}.sqlite), 3) Maintain a Map<tenantId, Database> for tenant-specific connections, 4) Ensure all queries include tenant_id scoping, 5) Replace global singleton pattern with tenant-aware connection management
Auto-generated by compliance-checker | Scan: 2026-02-28 | Commit: fac255ddf75c