Static-analysis tests for tenant-isolation bugs
We mentioned this in passing earlier; here's the full mechanism.
Every routes/*.routes.ts file in the SwyDex backend goes through a static-analysis test that checks for unscoped Prisma queries. Specifically:
- Every `findFirst({ where: { id: ... } })` must reference `tenantId` or `req.tenant!` within a 40-line window.
- Every `update({ where: { id: ... } })` must reference a tenant scope OR be preceded (within 50 lines) by a `findFirst` that does.
- Routes with mutating verbs (POST/PATCH/DELETE) must reference `req.tenant!` at least once.
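A minimal TypeScript sketch of those three rules, added here as an illustration rather than SwyDex's own tenant-isolation.test.ts. It assumes the 40-line window starts at the query call, that a handler runs from its `router.<verb>(` registration to the next one, and it flags any `findFirst`/`update` call rather than only the `where: { id }` form; the sample handlers are constructed.

```typescript
// Added illustration, not SwyDex's tenant-isolation.test.ts. Assumed: a 40-line window
// starts at the query call; a handler runs from its router.<verb>( line to the next one;
// any findFirst/update call is checked, not only the where: { id } form.
type Violation = { line: number; rule: string };
const FIND_FIRST = /\.findFirst\(/;
const UPDATE = /\.update\(/;
const TENANT_SCOPE = /\btenantId\b|req\.tenant!/;
const ROUTE = /\brouter\.(get|post|put|patch|delete)\(/;
// True if any line in [from, to) matches re; bounds are clamped to the file.
function windowHas(lines: string[], from: number, to: number, re: RegExp): boolean {
  return lines.slice(Math.max(0, from), Math.min(lines.length, to)).some((l) => re.test(l));
}
export function checkTenantIsolation(source: string): Violation[] {
  const lines = source.split("\n");
  const out: Violation[] = [];
  const routeIdx = lines.flatMap((l, i) => (ROUTE.test(l) ? [i] : []));
  lines.forEach((l, i) => {
    // Rule 1: findFirst must see tenantId / req.tenant! within its 40-line window.
    if (FIND_FIRST.test(l) && !windowHas(lines, i, i + 40, TENANT_SCOPE)) {
      out.push({ line: i + 1, rule: "findFirst without tenant scope" });
    }
    // Rule 2: update needs a scope, or a scoped findFirst in the preceding 50 lines.
    if (UPDATE.test(l) && !windowHas(lines, i, i + 40, TENANT_SCOPE)) {
      const lo = Math.max(0, i - 50);
      const guarded = lines.slice(lo, i).some((p, k) =>
        FIND_FIRST.test(p) && windowHas(lines, lo + k, lo + k + 40, TENANT_SCOPE));
      if (!guarded) out.push({ line: i + 1, rule: "update without tenant scope" });
    }
    // Rule 3: a mutating route handler must mention req.tenant! at least once.
    const m = ROUTE.exec(l);
    if (m && m[1] !== "get") {
      const end = routeIdx.find((j) => j > i) ?? lines.length;
      if (!windowHas(lines, i, end, /req\.tenant!/)) {
        out.push({ line: i + 1, rule: `${m[1].toUpperCase()} route never references req.tenant!` });
      }
    }
  });
  return out;
}
// Constructed sample handlers (not real SwyDex routes): one unscoped, one guarded by findFirst.
export const UNSCOPED_PATCH = `router.patch("/orders/:id", async (req, res) => {
  const order = await prisma.order.update({ where: { id: req.params.id }, data: req.body });
  res.json(order);
});`;
export const GUARDED_PATCH = `router.patch("/orders/:id", async (req, res) => {
  const existing = await prisma.order.findFirst({ where: { id: req.params.id, tenantId: req.tenant!.id } });
  if (!existing) return res.sendStatus(404);
  const order = await prisma.order.update({ where: { id: existing.id }, data: req.body });
  res.json(order);
});`;
```

Running `checkTenantIsolation(UNSCOPED_PATCH)` reports two findings (the PATCH route and its `update`), while `GUARDED_PATCH` passes because the scoped `findFirst` precedes the `update`.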
The test maintains an allowlist for files that are legitimately cross-tenant — public market data, admin surfaces, webhook receivers (which authenticate via HMAC, not session). Adding a file to the allowlist requires a code-review approval. Removing one is automatic.
Is this a perfect check? No. It can miss dynamic-query patterns and it doesn't protect against the genuinely creative bugs. But it's caught three real issues during code review since we shipped it, all of them where someone was iterating fast on a feature and forgot the tenant filter.
The full test is backend/src/routes/tenant-isolation.test.ts. We'll open-source the pattern when we have time to extract it cleanly.