Multi-tenant systems break when one query misses tenant scope. A missing WHERE clause can leak data across customers.
Why It Breaks in String-Based Drivers
- Connection pools do not preserve session state across random checkouts.
- Setting tenant context and running query are usually separate operations.
- Raw SQL strings cannot carry security intent metadata.
QAIL Approach
QAIL uses typed AST queries, so tenant context is attached structurally to the query node with with_rls().
let ctx = RlsContext::tenant(tenant_id);
let q = Qail::get("bookings").with_rls(&ctx);
let rows = driver.query(&q).await?;
Tenant isolation should be structural, not a memory test for engineers.← Back to Blog