Security model

What leaves your machine

orstrum push transmits: file relative paths, export names and signatures, import specifiers, the names of imported symbols, and LLM-generated purpose text. It does not transmit any source code — not even a single line.

A compromised cloud instance exposes an architectural map of your codebase. It cannot be used to reconstruct or read your source code.

Row-Level Security

Every table in the cloud schema has Postgres Row-Level Security enabled. RLS policies extract workspace_id from the JWT claim and scope every query automatically — there is no application-layer filter to forget or misconfigure.

The workspace_id claim is set server-side by a Custom Access Token Hook at sign-in time. It cannot be spoofed by the client.

API keys

  • Keys are stored as SHA-256 hashes only. The raw key is displayed once at creation and is never stored or recoverable.
  • Keys are scoped to a single workspace by the RLS policies.
  • Revoked keys have a revoked_at timestamp and are rejected at the API layer.

Supabase auth

  • The service role key never reaches the client. Client sessions use the anon key plus a user JWT.
  • GitHub OAuth tokens are held by Supabase Auth; Orstrum application code never sees them.
  • Workspace creation goes through a security definer RPC (public.create_workspace()) that inserts the workspace and first owner membership atomically — direct client inserts into workspaces are blocked by RLS.
Orstrum's cloud never receives your raw source. The CLI sends only the structured graph — file paths, export signatures, import edges, and purpose summaries — so there is no codebase copy on our servers to leak, subpoena, or breach.