
feat(security): multi-tenancy isolation and demo mode#90

Merged
NicholaiVogel merged 1 commit into main from feat/multi-tenancy-demo
Feb 16, 2026

Conversation

@NicholaiVogel
Contributor

Summary

  • Org-scoped data isolation across all server actions -- every query that touches user-facing data is now filtered by the requesting user's organization
  • Read-only demo mode with mutation guards on all write endpoints, strict sameSite cookie, and demo UI components
  • Security audit fixes: cross-org leaks in dashboard queries, channel access, mentionable user search, and admin usage queries
  • Multi-tenancy architecture documentation

What changed

Critical security fixes:

  • executeDashboardQueries now filters all 9 query types by org (was returning global data)
  • getChannel and joinChannel verify channel belongs to user's org
  • searchMentionableUsers derives org from session instead of accepting client parameter
  • getConversationUsage always scopes to user ID (admin path was leaking cross-org data)

Demo mutation guards added to:

  • dashboards (save, delete)
  • plugins (install, uninstall, toggle)
  • themes (save, delete)
  • mcp-keys (create, revoke, delete)
  • agent conversations (save, delete)

Infrastructure:

  • Organizations table, members, org switcher component
  • /demo route with strict sameSite cookie
  • Demo banner, CTA dialog, and gate components
  • Migration scripts for org data and demo seed
  • tsconfig excludes scripts/ (fixes build failure from bun:sqlite types)

Test plan

  • Visit /demo, confirm read-only -- mutations show DEMO_READ_ONLY error
  • Verify no cross-org data in dashboard custom queries
  • Verify channel access blocked across org boundaries
  • bun run build passes
  • npx tsc --noEmit clean (only pre-existing bun:sqlite in scripts/)

Add org-scoped data isolation across all server actions to
prevent cross-org data leakage. Add read-only demo mode with
mutation guards on all write endpoints.

Multi-tenancy:
- org filter on executeDashboardQueries (all query types)
- org boundary checks on getChannel, joinChannel
- searchMentionableUsers derives org from session
- getConversationUsage scoped to user, not org-wide for admins
- organizations table, members, org switcher component

Demo mode:
- /demo route sets strict sameSite cookie
- isDemoUser guards on all mutation server actions
- demo banner, CTA dialog, and gate components
- seed script for demo org data

Also: exclude scripts/ from tsconfig (fixes build), add
multi-tenancy architecture documentation.
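The isolation and demo-guard pattern described in this PR, as an added example that is not the project's own code: the org comes from the session rather than a client argument, read and write paths share one boundary check, every dashboard query type receives the org id through a single dispatcher, and the demo guard runs before any write. The `Session`, `Channel`, `AppError` types, the in-memory rows and the cookie name are assumptions made for illustration.

```typescript
// Added example, not the project's own code: session-derived org scope plus a
// demo-mode mutation guard in the style of server actions. Session, Channel,
// AppError and the in-memory tables below are assumptions for illustration.

export type Session = { userId: string; orgId: string; isDemo: boolean };
export type Channel = { id: string; orgId: string; name: string; memberIds: string[] };

export class AppError extends Error {
  code: "DEMO_READ_ONLY" | "NOT_FOUND";
  constructor(code: "DEMO_READ_ONLY" | "NOT_FOUND", message?: string) {
    super(message ?? code);
    this.code = code;
  }
}

// Constructed in-memory rows standing in for the organizations/channels/users tables.
const channels: Channel[] = [
  { id: "c1", orgId: "org-a", name: "general", memberIds: ["u1"] },
  { id: "c2", orgId: "org-b", name: "general", memberIds: ["u2"] },
];
const users = [
  { id: "u1", orgId: "org-a", name: "alice" },
  { id: "u2", orgId: "org-b", name: "bob" },
  { id: "u3", orgId: "org-a", name: "alina" },
];

// Guard called first in every write action; a demo session never reaches the store.
export function assertNotDemo(session: Session): void {
  if (session.isDemo) throw new AppError("DEMO_READ_ONLY", "demo mode is read-only");
}

// Read path: the org comes from the session, never from a client-supplied argument.
// A channel in another org is reported exactly like a missing one, so the error
// does not confirm that the id exists elsewhere.
export function getChannel(session: Session, channelId: string): Channel {
  const ch = channels.find((c) => c.id === channelId);
  if (!ch || ch.orgId !== session.orgId) throw new AppError("NOT_FOUND");
  return ch;
}

// Write path: demo guard first, then the same org boundary check as the read path.
export function joinChannel(session: Session, channelId: string): Channel {
  assertNotDemo(session);
  const ch = getChannel(session, channelId);
  if (!ch.memberIds.includes(session.userId)) ch.memberIds.push(session.userId);
  return ch;
}

// Mention search: the caller supplies only the query text; the org filter is
// applied server-side and cannot be widened by the client.
export function searchMentionableUsers(session: Session, query: string): string[] {
  const q = query.toLowerCase();
  return users
    .filter((u) => u.orgId === session.orgId && u.name.toLowerCase().startsWith(q))
    .map((u) => u.id);
}

// Dashboard queries: every query type receives the org id through one dispatcher,
// so a newly added type cannot silently return global data.
const dashboardQueries = new Map<string, (orgId: string) => number>([
  ["channelCount", (orgId) => channels.filter((c) => c.orgId === orgId).length],
  ["memberCount", (orgId) => users.filter((u) => u.orgId === orgId).length],
]);
export function executeDashboardQuery(session: Session, type: string): number {
  const run = dashboardQueries.get(type);
  if (!run) throw new AppError("NOT_FOUND", `unknown dashboard query: ${type}`);
  return run(session.orgId);
}

// /demo route: the demo cookie is marked SameSite=Strict so the browser never
// attaches it to cross-site requests (cookie name and value are placeholders).
export function demoSetCookieHeader(): string {
  return "demo=1; Path=/; HttpOnly; Secure; SameSite=Strict";
}
```

Keeping the org check inside `getChannel` and reusing it from `joinChannel` means a write path cannot drift away from the read path's boundary; the `Map` dispatcher gives the same property to dashboard queries, which is the shape of the `executeDashboardQueries` fix listed above.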
@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Feb 16, 2026

Deploying with Cloudflare Workers

Status                 Name     Latest Commit  Updated (UTC)
Deployment successful  compass  9698428        Feb 16 2026, 05:04 AM

@NicholaiVogel NicholaiVogel merged commit ad2f0c0 into main Feb 16, 2026
7 of 10 checks passed
@NicholaiVogel NicholaiVogel deleted the feat/multi-tenancy-demo branch February 16, 2026 05:05