Relational model: design and migrate a multi-tenant schema

Design a multi-tenant B2B marketplace schema in Postgres (workspaces, users, products, orders, order_items, tags) where every key, type, and constraint is justified by a query pattern; enforce tenant isolation with Row-Level Security; then perform a zero-downtime breaking change with expand-then-contract — all as runnable migration files.

• Model the core entities with surrogate primary keys (BIGSERIAL or UUIDv7) and protect every business-natural key (workspace slug, user email, product SKU) with a UNIQUE NOT NULL constraint. Write a one-line justification per table for the key choice.
• Normalize to 3NF: no transitive or partial-key dependencies. In particular, do not store customer_city on orders or product_name on order_items — extract them. Capture the unit price on order_items as a point-in-time snapshot and explain why that is correct denormalization, not a 3NF violation.
• Pick the narrowest correct type for every column: NUMERIC or BIGINT-cents for money (never REAL), TIMESTAMPTZ for moments (never TIMESTAMP), TEXT for strings, and JSONB only where the data is genuinely heterogeneous. Declare fixed-width columns widest-first to minimize alignment padding.
• Make a deliberate JSONB-vs-side-table call for product tags and for per-product variable metadata: tags as a tags catalogue plus a product_tags join table with composite PK and FKs and an index on tag_id; long-tail supplier metadata as JSONB. Write down which queries each choice supports and which it sacrifices.
• Add referential integrity end to end: FKs with explicit ON DELETE per relationship (RESTRICT for workspaces/users with orders, CASCADE for order_items under an order), CHECK constraints for invariants (rating in 1..5, quantity greater than 0, status in an allowed set), and named constraints for readable errors.
• Enforce tenant isolation in depth: a workspace_id NOT NULL on every tenanted table, an RLS policy filtering by current_setting('app.current_workspace_id'), plus a description of the CI lint that would require workspace_id in every WHERE clause as the second layer.
• Perform a zero-downtime rename of one column (for example users.user_name to users.display_name) using expand-then-contract: add nullable, dual-write, batched backfill, switch reads, parity check, drop — delivered as ordered migration files with a parity-validation query that returns zero mismatched rows.
• Load a realistic data volume (at least ~1M rows in the largest table via a generator) and capture EXPLAIN ANALYZE for the three hottest queries (list a workspace's recent orders, list products with a given tag, per-tag product counts) showing index scans, not sequential scans.

• A schema.sql plus ordered migration files that apply cleanly on an empty Postgres and recreate the full schema, including all constraints, indexes, the RLS policy, and the expand-then-contract migration.
• A one-page design rationale mapping every non-obvious decision (each surrogate key, each FK ON DELETE choice, the JSONB-vs-side-table tag call, the unit-price snapshot) to the query pattern or failure mode it defends against.
• EXPLAIN ANALYZE output for the three hot queries demonstrating index scans on the FK and tag columns at ~1M rows — captured, not assumed — plus a demonstration that RLS returns only the current workspace's rows when app.current_workspace_id is set.
• Proof the expand-then-contract migration runs against the populated table with the parity query returning zero mismatches and no reader breaking during the transition (old column still readable until the contract step).