feat: add @multiTenant transformer for tenant isolation

[watilde]

Description of changes

Add @multiTenant GraphQL transformer directive for automatic tenant-level data isolation in multi-tenant applications.

The transformer:

• Adds a required tenant field (default: tenantId) to types
• Injects tenant ID from JWT claims into create/update mutations
• Filters queries by tenant ID using GSI
• Validates tenant ownership in update/delete operations
• Supports custom tenantField and tenantIdClaim parameters

CDK / CloudFormation Parameters Changed

None. This transformer uses existing AppSync resolver and DynamoDB GSI patterns.

Issue #, if available

Primary Issues

• Support better multi-tenancy with @tenant transformer amplify-cli#3654
• @auth Combining Owner/Groups rules for Multi-Tenant Apps #449
• Support multi-tenant #1090

Related Issues - amplify-cli

• https://github.com/aws-amplify/amplify-cli/issues/5102
• Multi-tenancy with Amplify @auth GraphQL transformer amplify-cli#1216
• Datastore and Multi-tenancy with combo keys amplify-cli#6225
• Adding support for multi-tenancy using third-party authentication providers amplify-cli#3101
• https://github.com/aws-amplify/amplify-cli/issues/5514

Related Issues - amplify-category-api

• RFC - @auth directive improvements #455
• @auth rule requiring multiple group membership #28
• Dynamic group auth cannot share a field with an index #61

Related Issues - amplify-js

• DataStore: support for multi-tenant apps with sharing? amplify-js#5119
• Cognito + Appsync : No support for Multi tenancy  amplify-js#10190

Related Issues - amplify-backend

• RBAC setup using dynamic groups amplify-backend#2927
• Gen 2 + RDS postgres - How to do tenant isolation with the list command amplify-backend#2815
• support multiple SAML providers amplify-backend#1808

Description of how you validated changes

• Unit tests: 32 tests passing (transformer logic, VTL generation, schema augmentation)
• Integration tests: Validates end-to-end transformation with @model directive
• E2E tests: Full AppSync API deployment with tenant isolation scenarios
• Manual testing: Verified GSI creation and resolver tenant filtering

Checklist

• PR description included
• yarn test passes
• E2E test run linked
• Tests are changed or added
• Relevant documentation is changed or added (and PR referenced)
• New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
• Any CDK or CloudFormation parameter changes are called out explicitly

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.