Summary
Add RLS as defense-in-depth on all module tables. Even if credential isolation is bypassed, RLS prevents cross-app data access.
Scope
Platform runs after module install SQL:
-- Add app_id column (auto-populated from session variable)
ALTER TABLE media_items ADD COLUMN app_id TEXT NOT NULL DEFAULT current_setting('ms.app_id');
-- Enable RLS
ALTER TABLE media_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE media_items FORCE ROW LEVEL SECURITY;
-- Default deny
CREATE POLICY deny_all ON media_items USING (false);
-- Allow current app only
CREATE POLICY app_isolation ON media_items
USING (app_id = current_setting('ms.app_id'));
SDK sets ms.app_id per connection (already implemented in db.AcquireScoped).
Gotchas
- Every table needs a policy — missing policy = no rows visible (safe default with FORCE)
- Index
app_id on every table for query performance
ms.app_id must be configured as a GUC in Aurora parameter group
- 5-15% query planning overhead — monitor with EXPLAIN ANALYZE
Blocked by
Summary
Add RLS as defense-in-depth on all module tables. Even if credential isolation is bypassed, RLS prevents cross-app data access.
Scope
Platform runs after module install SQL:
SDK sets
ms.app_idper connection (already implemented indb.AcquireScoped).Gotchas
app_idon every table for query performancems.app_idmust be configured as a GUC in Aurora parameter groupBlocked by
ms.app_idGUC