feat: drop built-in tenant column, make tenant a custom user attribute

Remove the `tenant` column from `proxy_user` so that tenant is managed
entirely through the ABAC attribute definition system. This eliminates
special-casing for tenant across the proxy, admin API, and UI.

- Add migration 055 to drop the tenant column
- Remove tenant from entity model, CLI args, DTOs, and auth flow
- Update policy hook to resolve tenant from user attributes
- Remove hardcoded tenant dummy from validate_expression
- Update integration tests to create tenant as a custom attribute
- Update admin-ui types, forms, list pages, and test factories
- Update docs and security vectors to reflect tenant as custom attribute

Author: jumpbetweenrows

CONTRIBUTING.md

@@ -126,7 +126,7 @@ The shared pool is safe for all authorized users of a datasource: Pool = "how to
 
 `PolicyHook` injects row filters and column transforms at the DataFusion logical plan level via `transform_up`. The filter is applied below the `TableScan` node — it cannot be bypassed by table aliases, CTEs, or subqueries, since DataFusion inlines those into the plan before transformation.
 
-Template variable substitution (`{user.tenant}`, etc.) uses parse-then-substitute: the filter expression is parsed into a `DataFusion Expr` tree first, then placeholder identifiers are replaced with typed `Expr::Literal` values. The user's tenant/username never passes through the SQL parser, preventing injection even if the value contains SQL syntax.
+Template variable substitution (`{user.username}`, `{user.id}`, custom attributes like `{user.tenant}`, etc.) uses parse-then-substitute: the filter expression is parsed into a `DataFusion Expr` tree first, then placeholder identifiers are replaced with typed `Expr::Literal` values. The user's values never pass through the SQL parser, preventing injection even if the value contains SQL syntax.
 
 ### Permissions Model
 
@@ -136,7 +136,7 @@ BetweenRows enforces a two-layer access control model:
 
 **Data plane** — controlled by two independent mechanisms:
 1. *Connection access* — `data_source_access` entries. A user can connect to a datasource via direct assignment, role membership (including inherited roles), or all-user scope. Being an admin does **not** automatically grant data plane access.
-2. *Query policy* — `PolicyHook` applies row filters, column masks, and column access controls per-query based on assigned policies (direct, role-based, or all-scoped). If the datasource `access_mode` is `"policy_required"`, tables with no matching permit policy return empty results. Policies can reference built-in identity fields (`{user.tenant}`, `{user.username}`, `{user.id}`) and custom user attributes (`{user.KEY}`) for attribute-based access control (ABAC). Optional decision functions (JavaScript/WASM) provide programmable policy gates.
+2. *Query policy* — `PolicyHook` applies row filters, column masks, and column access controls per-query based on assigned policies (direct, role-based, or all-scoped). If the datasource `access_mode` is `"policy_required"`, tables with no matching permit policy return empty results. Policies can reference built-in identity fields (`{user.username}`, `{user.id}`) and custom user attributes (`{user.KEY}`, e.g., `{user.tenant}`) for attribute-based access control (ABAC). Optional decision functions (JavaScript/WASM) provide programmable policy gates.
 
 See `docs/permission-system.md` for the full policy system user guide.
 
@@ -189,7 +189,7 @@ There is currently no automated performance regression suite. Meaningful regress
 All primary keys are UUIDs. The admin store uses SQLite by default (configurable via `DATABASE_URL`).
 
 ```
-proxy_user         (id UUID, username, password_hash, tenant, is_admin, is_active, …)
+proxy_user         (id UUID, username, password_hash, is_admin, is_active, attributes JSON, …)
 data_source        (id UUID, name, ds_type, config JSON, secure_config encrypted,
                     is_active, access_mode, last_sync_at, last_sync_result, …)
 data_source_access (id UUID, user_id?, role_id?, data_source_id, assignment_scope, …)

README.md

@@ -9,7 +9,7 @@ BetweenRows sits between your users and your data sources, applying security pol
 ## Why
 
 - **No application changes** — policies are enforced at the proxy layer, not in your app code
-- **Row-level filtering** — automatically filter rows based on user identity (tenant, role, department)
+- **Row-level filtering** — automatically filter rows based on user identity (role, department, tenant)
 - **Column masking** — mask sensitive columns (SSN, email, salary) with expressions, not views
 - **Column & table deny** — hide columns or entire tables from specific users or roles
 - **Full audit trail** — every query is logged with the original SQL, rewritten SQL, and policies applied
@@ -71,9 +71,9 @@ Open **http://localhost:5435** and log in with your admin credentials.
 
 1. **Add a data source** — Go to Data Sources → Create. Enter your data source connection details and test the connection.
 2. **Discover the schema** — Click "Discover Catalog" on your new data source. Select which schemas, tables, and columns to expose through the proxy.
-3. **Create a user** — Go to Users → Create. Set a username, password, and tenant.
+3. **Create a user** — Go to Users → Create. Set a username and password.
 4. **Grant access** — On the data source page, assign the user (or a role) access to the data source.
-5. **Create a policy** — Go to Policies → Create. For example, a `row_filter` policy with expression `tenant = {user.tenant}` to isolate rows by tenant.
+5. **Create a policy** — Go to Policies → Create. For example, a `row_filter` policy with expression `tenant = {user.tenant}` to isolate rows by tenant. (The `tenant` attribute must be defined as a custom attribute definition first.)
 6. **Assign the policy** — On the data source page, assign the policy to a user, role, or all users.
 7. **Connect through the proxy** — The user can now query through BetweenRows:
    ```bash
@@ -127,7 +127,7 @@ Key concepts:
 - **ABAC** — define custom user attributes (e.g., department, region, clearance level) and use them in policy expressions via `{user.<key>}` template variables
 - **Decision functions** — optional JavaScript functions compiled to WASM that gate policy evaluation based on arbitrary logic (time windows, multi-attribute conditions, external state)
 - **Assignment scopes** — policies can be assigned to individual users, roles, or all users on a data source
-- **Template variables** — `{user.tenant}`, `{user.username}`, `{user.id}`, and custom attributes are substituted at query time, making policies dynamic per user
+- **Template variables** — `{user.username}`, `{user.id}` (built-in), and custom attributes like `{user.tenant}`, `{user.region}` are substituted at query time, making policies dynamic per user
 - **Access modes** — data sources can be set to `open` (all tables accessible by default) or `policy_required` (tables are hidden unless a `column_allow` policy grants access)
 - **Deny wins** — deny policies are evaluated before permit policies and cannot be overridden
 - **Visibility follows access** — denied columns and tables are removed from the user's schema at connection time, so they don't appear in client tools like TablePlus or DBeaver
@@ -157,11 +157,11 @@ Create users without the UI — useful for scripting and automation. If you're l
 
 ```bash
 # Docker
-docker exec -it <container> proxy user create --username alice --password secret --tenant acme
-docker exec -it <container> proxy user create --username rescue --password secret --tenant default --admin
+docker exec -it <container> proxy user create --username alice --password secret
+docker exec -it <container> proxy user create --username rescue --password secret --admin
 
 # From source
-cargo run -p proxy -- user create --username alice --password secret --tenant acme
+cargo run -p proxy -- user create --username alice --password secret
 ```
 
 ## Roadmap

admin-ui/src/api/users.test.ts

@@ -78,7 +78,7 @@ describe('createUser', () => {
   it('POSTs payload to /users', async () => {
     const user = makeUser()
     mockClient.post.mockResolvedValue({ data: user })
-    const payload = { username: 'newuser', password: 'pw', tenant: 'acme', is_admin: false }
+    const payload = { username: 'newuser', password: 'pw', is_admin: false }
     const result = await createUser(payload)
     expect(mockClient.post).toHaveBeenCalledWith('/users', payload)
     expect(result).toEqual(user)
@@ -89,7 +89,7 @@ describe('updateUser', () => {
   it('PUTs payload to /users/:id', async () => {
     const user = makeUser()
     mockClient.put.mockResolvedValue({ data: user })
-    const payload = { tenant: 'new-tenant', is_admin: true }
+    const payload = { is_admin: true }
     const result = await updateUser('u-1', payload)
     expect(mockClient.put).toHaveBeenCalledWith('/users/u-1', payload)
     expect(result).toEqual(user)

admin-ui/src/components/DecisionFunctionModal.tsx

@@ -49,7 +49,6 @@ function buildCtxCompletions(evaluateContext: EvaluateContext, configStr: string
   const items = [
     { label: 'ctx.session.user.id', type: 'variable' as const, detail: 'UUID' },
     { label: 'ctx.session.user.username', type: 'variable' as const },
-    { label: 'ctx.session.user.tenant', type: 'variable' as const },
     { label: 'ctx.session.user.roles', type: 'variable' as const, detail: 'string[]' },
     { label: 'ctx.session.time.now', type: 'variable' as const, detail: 'ISO 8601 timestamp' },
     { label: 'ctx.session.time.hour', type: 'variable' as const, detail: '0-23' },
@@ -359,7 +358,6 @@ export function DecisionFunctionModal({
             user: {
               id: currentUser?.id ?? '00000000-0000-0000-0000-000000000000',
               username: currentUser?.username ?? 'testuser',
-              tenant: currentUser?.tenant ?? 'default',
               roles: ['analyst'],
               ...testAttrs, // flattened — matches build_user_object() in context.rs
             },

admin-ui/src/components/ExpressionEditor.test.tsx

@@ -29,22 +29,22 @@ describe('ExpressionEditor', () => {
       <ExpressionEditor
         value=""
         onChange={() => {}}
-        placeholder="organization_id = {user.tenant}"
+        placeholder="organization_id = {user.username}"
         templateItems={[]}
       />,
     )
-    expect(screen.getByPlaceholderText('organization_id = {user.tenant}')).toBeTruthy()
+    expect(screen.getByPlaceholderText('organization_id = {user.username}')).toBeTruthy()
   })
 
   it('renders with initial value', () => {
     renderWithProviders(
       <ExpressionEditor
-        value="tenant = {user.tenant}"
+        value="owner = {user.username}"
         onChange={() => {}}
         templateItems={[]}
       />,
     )
-    expect(screen.getByDisplayValue('tenant = {user.tenant}')).toBeTruthy()
+    expect(screen.getByDisplayValue('owner = {user.username}')).toBeTruthy()
   })
 
   it('calls onChange when value changes', () => {

admin-ui/src/components/ExpressionEditor.tsx

@@ -17,7 +17,6 @@ interface ExpressionEditorProps {
 }
 
 const BUILTIN_VARS = [
-  { label: '{user.tenant}', detail: 'string', apply: '{user.tenant}' },
   { label: '{user.username}', detail: 'string', apply: '{user.username}' },
   { label: '{user.id}', detail: 'string', apply: '{user.id}' },
 ]

admin-ui/src/components/PolicyForm.tsx

@@ -612,7 +612,7 @@ export function PolicyForm({ initial, onSubmit, submitLabel, isSubmitting, error
             <ExpressionEditor
               value={filterExpression}
               onChange={setFilterExpression}
-              placeholder="organization_id = {user.tenant}"
+              placeholder="department = {user.department}"
               templateItems={templateItems}
               onValidate={(expr) => validateExpression(expr, false)}
             />

admin-ui/src/components/UserAssignmentPanel.test.tsx

@@ -24,8 +24,8 @@ const mockListUsers = listUsers as ReturnType<typeof vi.fn>
 beforeEach(() => vi.clearAllMocks())
 
 describe('UserAssignmentPanel', () => {
-  const alice = makeUser({ id: 'u-alice', username: 'alice', tenant: 'acme' })
-  const bob = makeUser({ id: 'u-bob', username: 'bob', tenant: 'acme', is_admin: true })
+  const alice = makeUser({ id: 'u-alice', username: 'alice' })
+  const bob = makeUser({ id: 'u-bob', username: 'bob', is_admin: true })
 
   it('renders loading state initially', () => {
     mockListUsers.mockReturnValue(new Promise(() => {}))

admin-ui/src/components/UserAssignmentPanel.tsx

@@ -94,7 +94,6 @@ export function UserAssignmentPanel({ datasourceId }: UserAssignmentPanelProps)
               />
               <div className="flex-1 min-w-0">
                 <span className="text-sm font-medium text-gray-900">{user.username}</span>
-                <span className="text-xs text-gray-500 ml-2">{user.tenant}</span>
               </div>
               {user.is_admin && (
                 <span className="text-xs bg-purple-100 text-purple-700 rounded-full px-2 py-0.5 font-medium">

admin-ui/src/components/UserForm.test.tsx

@@ -15,9 +15,9 @@ describe('UserForm – create mode', () => {
     const { container } = renderWithProviders(
       <UserForm mode="create" onSubmit={vi.fn()} onCancel={vi.fn()} />,
     )
-    // create mode: textboxes are [username, tenant, email, display_name]
+    // create mode: textboxes are [username, email, display_name]
     const textboxes = screen.getAllByRole('textbox')
-    expect(textboxes.length).toBeGreaterThanOrEqual(2) // at least username + tenant
+    expect(textboxes.length).toBeGreaterThanOrEqual(1) // at least username
     expect(getPasswordInput(container)).toBeTruthy()
     expect(screen.getByRole('button', { name: /create user/i })).toBeInTheDocument()
   })
@@ -38,11 +38,10 @@ describe('UserForm – create mode', () => {
       <UserForm mode="create" onSubmit={onSubmit} onCancel={vi.fn()} />,
     )
 
-    // create mode textboxes: [0]=username, [1]=tenant, [2]=email, [3]=displayName
+    // create mode textboxes: [0]=username, [1]=email, [2]=displayName
     const textboxes = screen.getAllByRole('textbox')
     await user.type(textboxes[0], 'alice')   // username
     await user.type(getPasswordInput(container), 'Test@123!') // password
-    await user.type(textboxes[1], 'acme')   // tenant
 
     // Submit via button
     await user.click(screen.getByRole('button', { name: /create user/i }))
@@ -51,7 +50,6 @@ describe('UserForm – create mode', () => {
       expect.objectContaining({
         username: 'alice',
         password: 'Test@123!',
-        tenant: 'acme',
         is_admin: false,
       }),
     )
@@ -73,14 +71,14 @@ describe('UserForm – edit mode', () => {
     const { container } = renderWithProviders(
       <UserForm
         mode="edit"
-        initialValues={{ username: 'bob', tenant: 'acme', is_admin: false, is_active: true }}
+        initialValues={{ username: 'bob', is_admin: false, is_active: true }}
         onSubmit={vi.fn()}
         onCancel={vi.fn()}
       />,
     )
     // In edit mode, no password field
     expect(getPasswordInput(container)).toBeNull()
-    // In edit mode, the username textbox is NOT rendered; textboxes are [tenant, email, displayName]
+    // In edit mode, the username textbox is NOT rendered; textboxes are [email, displayName]
     const textboxes = screen.getAllByRole('textbox')
     // No input should have the username value in edit mode (username is not shown)
     expect(textboxes.some((t) => (t as HTMLInputElement).value === 'bob')).toBe(false)
@@ -90,7 +88,7 @@ describe('UserForm – edit mode', () => {
     renderWithProviders(
       <UserForm
         mode="edit"
-        initialValues={{ tenant: 'acme', is_active: true }}
+        initialValues={{ is_active: true }}
         onSubmit={vi.fn()}
         onCancel={vi.fn()}
       />,
@@ -106,7 +104,7 @@ describe('UserForm – edit mode', () => {
     const { container } = renderWithProviders(
       <UserForm
         mode="edit"
-        initialValues={{ tenant: 'acme', is_admin: false, is_active: true }}
+        initialValues={{ is_admin: false, is_active: true }}
         onSubmit={onSubmit}
         onCancel={vi.fn()}
       />,