Amplify-cli: How to create a custom directive for multi-tenancy with a pipeline resolver?

Which Category is your question related to?
Creating a custom directive / transformer

What AWS Services are you utilizing?
Amplify + AppSync

Provide additional details e.g. code snippets
I'm building a multi-tenant app and I'm generally avoiding Cognito Groups for all its limitations. I'd like to create a custom directive @tenant which checks to see if a user has a Membership with the tenantId listed on the resource. Effectively, any @model with an @tenant would have to have a tenantId property set. I think this is a good fit for Pipeline Resolvers.

@tenant would effectively transform the @model resolver into a Pipeline Resolver that would first check that the user belonged to the Tenant listed on the Post and error out before resolving any CRUDL request.

I'm not sure if this is the best approach to this. I know some changes are in the works for the @auth directive. But even if that rolls out soon and answers all my concerns about multi-tenancy auth...it would be nice to understand Custom Resolvers / Transformers better. The current documentation is minimal and sort of just goes over pseudo code for how to implement one.

Thanks for any insight you can provide!

Simplified schema details:

enum MemberType {
  NORMAL
  ADMIN
}

type Membership @model {
  id: ID!
  username: String!
  displayName: String!
  type: MemberType!
  tenant: Tenant! @connection(name: "TenantMemberships")
}

type Tenant @model {
  id: ID!
  name: String!
  memberships: [Membership!]! @connection(name: "TenantMemberships")
}

type Post @model @tenant {
  id: ID!
  tenantId: String!
  title: String!
  content: String!
  author: String!
}