Multi-Tenant Isolation
Layerr is built from the ground up as a multi-tenant system. Every workspace is a fully isolated tenant with its own data, configuration, providers, and security boundaries.
Isolation Layers
| Layer | Mechanism | Key File |
|---|---|---|
| Database | Row-level security + workspaceId column | security/tenancy/ |
| Runtime | Tenant context injection | security/tenancy/context.ts |
| Cache | Namespace-scoped cache keys | security/tenancy/cache.ts |
| Logs | WorkspaceId tagging | security/gateway/audit.ts |
| Network | Workspace-specific API keys | security/gateway/middleware.ts |
| Secrets | Encrypted per-workspace storage | security/secrets/store.ts |
Database Isolation
Every database table has a workspaceId column. All queries are automatically scoped:

```sql
-- All database queries include WHERE workspaceId = ?
SELECT * FROM traces WHERE workspaceId = 'my-project';
```
Context Injection
The tenancy context system (security/tenancy/context.ts) ensures:
- Request-time injection: Each request carries a TenantContext extracted from the API key
- Downward propagation: Context flows through the entire execution pipeline
- Automatic validation: Every data access validates tenant scope

```ts
// Permission and Entitlement are project types not shown on this page.
interface TenantContext {
  workspaceId: string;
  workspaceSlug: string;
  permissions: Permission[];
  entitlements: Entitlement[];
  region: string;
  tier: 'free' | 'standard' | 'enterprise';
}
```
Cache Isolation
Cache keys are prefixed with workspace identifiers:

```
workspace:{slug}:provider:health
workspace:{slug}:strategy:cache
workspace:{slug}:intelligence:patterns
```
Security Boundaries
| Boundary | Enforcement |
|---|---|
| Workspace data | Can only access own traces, configs, providers |
| Provider secrets | API keys are encrypted and never exposed cross-tenant |
| Billing | Costs attributed per-workspace, no cross-charging |
| Rate limits | Per-workspace, independent of other tenants |
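
As an added example (not Layerr's own code), the following TypeScript sketches how the workspace:{slug}:... cache keys from Cache Isolation can be built so that a slug or key part containing the ':' delimiter cannot reach another tenant's namespace. TenantCtx, scopedKey, TenantCache and the slug pattern are hypothetical names and assumptions, not taken from security/tenancy/cache.ts.

```typescript
// Added example, not Layerr's code. TenantCtx is a reduced, hypothetical
// stand-in for the page's TenantContext.
interface TenantCtx { workspaceId: string; workspaceSlug: string }

// Assumed slug format. The slug becomes part of the key, so anything that
// could contain the ':' delimiter is rejected before a key is built.
const SLUG_RE = /^[a-z0-9][a-z0-9-]{0,62}$/;

function scopedKey(ctx: TenantCtx, ...parts: string[]): string {
  if (!SLUG_RE.test(ctx.workspaceSlug)) {
    throw new Error("invalid workspace slug");
  }
  for (const p of parts) {
    // An empty part or an embedded ':' would make two keys ambiguous.
    if (p.length === 0 || p.includes(":")) throw new Error("invalid key part");
  }
  return ["workspace", ctx.workspaceSlug, ...parts].join(":");
}

class TenantCache {
  private store = new Map<string, unknown>();

  // Callers never pass a raw key: every access goes through scopedKey,
  // so a read or write without a tenant context cannot be expressed.
  set(ctx: TenantCtx, parts: string[], value: unknown): void {
    this.store.set(scopedKey(ctx, ...parts), value);
  }

  get(ctx: TenantCtx, parts: string[]): unknown {
    return this.store.get(scopedKey(ctx, ...parts));
  }

  // Invalidate one tenant only. The trailing ':' keeps the prefix for
  // "acme" from also matching the keys of "acme-eu".
  clearTenant(ctx: TenantCtx): number {
    const prefix = scopedKey(ctx) + ":";
    const doomed: string[] = [];
    this.store.forEach((_v, k) => { if (k.startsWith(prefix)) doomed.push(k); });
    doomed.forEach((k) => this.store.delete(k));
    return doomed.length;
  }
}
```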
Diagnostics
The tenancy diagnostics module (security/tenancy/diagnostics.ts) provides:
- Cross-tenant access detection: Alerts if any query lacks a workspaceId filter
- Isolation verification: Periodic checks that tenant boundaries are intact
- Audit trails: Complete log of who accessed what workspace data
File Reference
| File | Purpose |
|---|---|
| security/tenancy/context.ts | Tenant context extraction and propagation |
| security/tenancy/cache.ts | Tenant-scoped caching |
| security/tenancy/diagnostics.ts | Isolation verification and diagnostics |
| security/tenancy/index.ts | Tenant isolation middleware |
| security/workspaces/resolver.ts | Workspace resolution from API keys |
| security/workspaces/guards.ts | Workspace access guards |
| security/gateway/audit.ts | Access audit logging |
Compliance
| Regulation | Layerr Support |
|---|---|
| GDPR | EU data residency, right to deletion, audit trails |
| SOC 2 | Access controls, audit logging, encryption |
| HIPAA | PHI detection in guardrails, encrypted storage |