Workspaces
A workspace is the top-level isolation unit in Orstrum Cloud. All graph data — repos, nodes, edges, exports, and summaries — belongs to exactly one workspace. Members can only see their own workspace's data.
Every user who signs in is assigned a workspace. Workspaces have a URL-safe slug
(e.g. acme-corp) shown in the dashboard.
Roles
Each membership carries a role — owner, admin, or
member — surfaced in the JWT's workspace_role claim.
workspace_id only, with no
workspace_role check. Any member of a workspace can currently read and
push its graph data. The role labels above describe the intended model, not an enforced boundary.
Isolation
Workspace isolation is enforced by Postgres Row-Level Security — not application-level filtering. Even with a valid JWT, a user can only read rows that belong to a workspace they are a member of. There is no application bug that can leak another workspace's data.
The workspace ID is embedded in the JWT at sign-in time by a Custom Access Token Hook running server-side. It cannot be spoofed by the client.