What's new
- Tenant hardening:
conversation_label_linksnow has a directworkspace_idderived from its parent conversation and label. - Parent-match enforcement: new foreign keys require the link row's workspace to match both the conversation and the label, preventing cross-workspace label links at the database boundary.
- Future-write guard: a SECURITY DEFINER trigger derives
workspace_idwhen omitted and rejects mismatched parent pairs or supplied workspace values. - Preflight evidence: BORD-732 documents the live aggregate preflight: 17,292 existing links, zero missing parents, and zero cross-workspace parent pairs before enforcement.
Why
This continues the DB hardening program's inherited/link-table slice after campaign_mm_metrics. Direct tenant keys make future RLS policies and indexes simpler and safer than relying only on parent subqueries.
Out of scope
- No RLS policy rewrite in this slice; existing policies remain in place while the direct tenant invariant is established.
- No changes to contact tag links yet; that larger table remains a dedicated follow-up slice.