- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized
set_config() in interactive Prisma transactions (no SQL injection)
- Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables
- Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy
- Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions
- Wrap all API route and page loader queries in withTenant()
- Wrap validateSession() in withBypassRLS() (joins RLS-protected users)
- Keep existing tenantId where-clause filters as optimization layer
- Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
DNS is the gatekeeper — if a request arrives, it was pointed
here intentionally. Every new hostname gets its own tenant
automatically, no manual setup or seeding required.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rename project from "kanban" to "pounce"
- Update landing page: "Pounce on your tasks"
- Replace navbar icon with cat paw
- Update seed hostname to pounce.catrenelle.com
- Write proper README with setup instructions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>