Tenant isolation

Use tenant checks when multiple customers share one app.

```js
import { policy } from "@layeron/modules"

const appPolicy = policy({
  name: "app",
  rules: [{
    id: "same-tenant-can-write",
    effect: "allow",
    actions: ["record.write"],
    resources: ["record:*"],
    conditions: {
      tenant: "match",
    },
  }],
})

const decision = await appPolicy.evaluate({
  subject: {
    kind: "user",
    id: "user_1",
    tenantId: "tenant_1",
  },
  action: "record.write",
  resource: {
    type: "record",
    id: "record_123",
    tenantId: "tenant_1",
  },
  context: {
    tenantId: "tenant_1",
  },
})
```

This pattern is useful for SaaS apps, workspace apps, and team-scoped data.
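
What a tenant-match condition needs to guarantee, as an added stand-alone sketch rather than code from `@layeron/modules`: `evaluate`, `tenantMatches` and `resourceMatches` are hypothetical helpers, and the semantics (default deny, all three tenant ids must be present and equal) are assumptions. It reuses the rule and request shapes from the example above and adds the cross-tenant and missing-id cases that must be denied.

```javascript
// Added illustration: a minimal stand-in evaluator, NOT @layeron/modules internals.
// Rule and request shapes mirror the page's example; the semantics are assumptions.
const rules = [{
  id: "same-tenant-can-write",
  effect: "allow",
  actions: ["record.write"],
  resources: ["record:*"],
  conditions: { tenant: "match" },
}]

// Fail closed: every tenant id must be a non-empty string and all must agree.
// Comparing raw values would let undefined === undefined pass as a "match".
function tenantMatches({ subject, resource, context }) {
  const ids = [subject?.tenantId, resource?.tenantId, context?.tenantId]
  return ids.every((t) => typeof t === "string" && t !== "" && t === ids[0])
}

// "record:*" matches any id of type "record"; otherwise require an exact id.
function resourceMatches(pattern, resource) {
  const [type, id] = pattern.split(":")
  return type === resource?.type && (id === "*" || id === resource?.id)
}

// Default deny: access is granted only by an allow rule whose action, resource and conditions all hold.
function evaluate(request) {
  for (const rule of rules) {
    if (rule.effect !== "allow") continue
    if (!rule.actions.includes(request.action)) continue
    if (!rule.resources.some((p) => resourceMatches(p, request.resource))) continue
    if (rule.conditions?.tenant === "match" && !tenantMatches(request)) continue
    return { allowed: true, ruleId: rule.id }
  }
  return { allowed: false, ruleId: null }
}

// Constructed requests: the page's same-tenant case plus two that must be denied.
const base = {
  subject: { kind: "user", id: "user_1", tenantId: "tenant_1" },
  action: "record.write",
  resource: { type: "record", id: "record_123", tenantId: "tenant_1" },
  context: { tenantId: "tenant_1" },
}
const crossTenant = { ...base, resource: { ...base.resource, tenantId: "tenant_2" } }
const missingIds = { ...base, subject: { kind: "user", id: "user_1" }, resource: { type: "record", id: "record_123" }, context: {} }

console.log(evaluate(base).allowed, evaluate(crossTenant).allowed, evaluate(missingIds).allowed)
```

Taking `tenantId` from the authenticated session and the stored record, never from the request body, keeps the comparison meaningful.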