Tenancy & Authentication
db-per-firm
Each tenant is one database: one self-contained directory under <root>/dbs/<name>/ holding its catalog, delta log and segments. The firm lifecycle is filesystem-simple — move, archive or delete a directory.
There is no internal cluster. Horizontal scale is firm→node routing, external and manual: put heavy firms on their own nodes, point their connection strings there.
Authentication
users.json at the root maps each user to a SCRAM-SHA-256 verifier (salt, iterations, stored key — never the password) and to exactly one database:
- pg-wire authenticates with SCRAM-SHA-256; the connection is refused unless the requested database is the user's own. That wall is the entire authorization model — no roles, no grants.
- HTTP uses basic auth against the same verifiers and routes the user to its own database.
- ILP carries no credentials by design; an ILP listener is bound to one database at startup (-ilp-db) and should be firewalled to the devices that feed it.
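The verifier and the one-database wall described above, as an added Python sketch that is not the project's own code. The users.json field names (database, verifier, salt, iterations, stored_key), the sample users and both function names are assumptions; the key derivation follows RFC 5802 / RFC 7677.

```python
import base64
import hashlib
import hmac
import os

def make_verifier(password, iterations=4096, salt=None):
    """RFC 5802 StoredKey; SASLprep is skipped here (ASCII passwords assumed)."""
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    # Only salt, iteration count and StoredKey are kept; the password is not.
    return {"salt": base64.b64encode(salt).decode(),
            "iterations": iterations,
            "stored_key": base64.b64encode(stored_key).decode()}

# Constructed sample data; the real users.json layout is not shown on the page.
USERS = {
    "alice": {"database": "acme",
              "verifier": make_verifier("correct horse", salt=b"A" * 16)},
    "bob": {"database": "globex",
            "verifier": make_verifier("hunter2", salt=b"B" * 16)},
}

# Used for unknown users so they cost the same PBKDF2 work as known ones.
_DUMMY = make_verifier("placeholder", salt=b"\x00" * 16)

def authenticate(users, user, password):
    """HTTP basic-auth style check: return the user's own database, or None."""
    entry = users.get(user)
    v = entry["verifier"] if entry else _DUMMY
    candidate = make_verifier(password, v["iterations"],
                              base64.b64decode(v["salt"]))
    ok = hmac.compare_digest(candidate["stored_key"], v["stored_key"])
    return entry["database"] if (entry and ok) else None

def pgwire_database_allowed(users, user, requested_db):
    """The wall: a connection is allowed only to the user's one database."""
    entry = users.get(user)
    return entry is not None and entry["database"] == requested_db
```

On pg-wire the password never reaches the server; the SCRAM exchange proves knowledge of it against the same stored key, so only the HTTP path recomputes the key from a plaintext password as `authenticate` does.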
TLS on pg-wire is optional (-tls-cert/-tls-key); clients that ask for SSL get a polite N when it is off.