URL as the sole source of truth for active tenant

See the full design document in documents/work/2026-04-17-tenant-url-source-of-truth/spec.md and the accompanying ADR-0003.

Problem

A request's active tenant currently has four coupled sources: URL header, cookie, JWT claim, and profile column. The Node layer prefers URL; RLS prefers JWT. They can disagree, and when they do, data from one tenant can bleed into a page scoped to another. The 2026-04-16 prefetch incident was the headline failure; cross-device drift is a silent second failure mode caused by auth.users.raw_app_meta_data.active_tenant_id being a shared row.

Solution

URL is the sole authorization input for tenant. JWT claim, profile column, and "active" cookie are deleted or demoted. The database reads the URL-derived tenant via a PostgREST db-pre-request hook that pins a transaction-local GUC. get_active_tenant_id() returns the GUC, no fallback.

APIs pass the tenant explicitly via URL path (/api/v1/t/<slug>/...) or tenant-embedded API keys (amble_<slug>_<random>). MCP uses OAuth 2.1 with tenant pinned in the token's audience claim (per MCP spec 2025-06-18).

Acceptance highlights

• Two-tab test: user in tenants A and B opens /t/a and /t/b — each tab stays in its own tenant across any sequence of actions.
• Cross-device test: user signed into tenant A on laptop and tenant B on phone — switching on one device does not affect the other.
• /api/tenants/switch route is deleted. Tenant switcher becomes <Link>.
• profiles.active_tenant_id column is dropped.
• auth.users.raw_app_meta_data.active_tenant_id is no longer written by any code path.
• pgTAP test covers private.set_tenant_context() happy path and deny path.

See the full spec for all acceptance criteria and the four-step rollout plan.

Supersedes

jwt-tenant-remove-profile-fallback.mdx — that spec removes only the profile fallback but keeps JWT as the runtime source. This one removes both.