Workspaces

A workspace is the top-level isolation unit in Orstrum Cloud. All graph data — repos, nodes, edges, exports, and summaries — belongs to exactly one workspace. Members can only see their own workspace's data.

Every user who signs in is assigned a workspace. Workspaces have a URL-safe slug (e.g. acme-corp) shown in the dashboard.

Roles

Each membership carries a role — owner, admin, or member — surfaced in the JWT's workspace_role claim.

owner
The user who created the workspace. Intended for full administrative control.
admin
Intended for elevated management (invites, API keys).
member
Intended for read/query access to the shared graph.
Role-based permissions are not yet enforced. Access control today is per-workspace: every Row-Level Security policy scopes rows by workspace_id only, with no workspace_role check. Any member of a workspace can currently read and push its graph data. The role labels above describe the intended model, not an enforced boundary.

Isolation

Workspace isolation is enforced by Postgres Row-Level Security — not application-level filtering. Even with a valid JWT, a user can only read rows that belong to a workspace they are a member of. There is no application bug that can leak another workspace's data.

The workspace ID is embedded in the JWT at sign-in time by a Custom Access Token Hook running server-side. It cannot be spoofed by the client.