AshAge.DataLayer.Verifiers.ValidateMultitenancyAttr (AshAge v1.0.1)

Raises a Spark.Error.DslError at compile verification when a resource using :attribute multitenancy lists the multitenancy attribute in age do skip [...] end (build-blocking under --warnings-as-errors — Spark emits verifier errors as compiler diagnostics).

If the discriminator is skipped, ash_age never writes it as a graph property, so the tenant filter Ash core injects on reads silently matches nothing — a fail-open isolation hole with no runtime signal. This verifier turns that into a verifier error. It is additive to Ash's own ValidateMultitenancy (which checks the attribute exists); this closes only the skip-list hole.

It also enforces two age do rls_guc "..." end invariants. rls_guc requires :attribute multitenancy — RLS scopes rows by a tenant property, whereas :context (graph-per-tenant) is already physical isolation — so it errors on a :context resource. And rls_guc is incompatible with global? true: a global (tenantless) read sets no GUC, so RLS would hide all rows; that combination is rejected rather than silently returning an empty result.

Finally, it rejects an :attribute multitenancy discriminator whose type is binary-storage-typed, since the tenant filter is a plaintext comparator across the vertex filter, edge $tenant scoping, traverse per-hop scoping, and RLS text-cast paths, and a binary (tag-encoded) discriminator would scope those paths inconsistently.
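The rules above, shown as a rejected resource beside an accepted one. This is an added configuration sketch, not code from ash_age. The MyApp.* modules, the :org_id and :draft_notes attributes and the GUC name are constructed, AshAge.DataLayer as the data layer module is an assumption taken from this verifier's namespace, and any other age options a real resource needs are omitted.

```elixir
# Constructed example: MyApp.* names, :org_id, :draft_notes and the GUC name are
# made up. AshAge.DataLayer as the data layer module is an assumption, and the
# other `age` options a real resource needs are left out.

defmodule MyApp.Graph.RejectedNote do
  use Ash.Resource, domain: MyApp.Graph, data_layer: AshAge.DataLayer

  multitenancy do
    strategy :attribute
    attribute :org_id
  end

  attributes do
    uuid_primary_key :id
    attribute :org_id, :string, allow_nil?: false
    attribute :draft_notes, :string
  end

  age do
    # Rejected by the verifier: :org_id is the tenant discriminator. Skipping it
    # means it is never written as a graph property, so the tenant filter on
    # reads has nothing to match.
    skip [:org_id, :draft_notes]
  end
end

defmodule MyApp.Graph.AcceptedNote do
  use Ash.Resource, domain: MyApp.Graph, data_layer: AshAge.DataLayer

  multitenancy do
    # rls_guc needs :attribute here; strategy :context would be rejected.
    strategy :attribute
    attribute :org_id
    # Leave global? at its default: global? true plus rls_guc is rejected.
  end

  attributes do
    uuid_primary_key :id
    # :string is stored as text, so it is not a binary-storage-typed discriminator.
    attribute :org_id, :string, allow_nil?: false
    attribute :draft_notes, :string
  end

  age do
    skip [:draft_notes]
    rls_guc "app.current_org"
  end
end
```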