Bind to 127.0.0.1
Studio binds to localhost by default. Use --host only when you mean it.
Three deployment shapes, each a flag away — and the unsafe ones are opt-in, never the default. Localhost bind, bearer tokens, read-only, audited.
you, on localhost: everything
the team, shared: writes, confirm-gated
anyone with the link: reads only
02 — Mode boundaries
Reads are universal. Writes are gated by mode. Staff can mutate but every write triggers a typed confirm. Viewers cannot mutate at all.
| Capability | dev | staff | viewer |
|---|---|---|---|
| Browse rows | yes | yes | yes |
| Run SELECT in SQL | yes | yes | yes |
| Edit / insert / delete rows | yes | with confirm | no |
| Run DDL (alter / drop) | yes | with confirm | no |
| Apply migrations | yes | with confirm | no |
| Restore artifacts | yes | with confirm | no |
| Manage connections | yes | yes | no |
Audit
Sample entries: { active: false → true }, { revoked: true }, { +1 row }, read-only · refused, { role → viewer }
Every mutation, captured. Actor, IP, method, path, result, and the row-level diff — one line per write.
NDJSON on disk. Append-only, one JSON object per line. Tail it, grep it, ship it to your SIEM.
Refusals logged too. A read-only viewer's blocked PATCH lands in the log as a 403 — not silently dropped.
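One way to triage this log before it reaches a SIEM, as an added example that is not Studio's own code. The key names (actor, ip, method, path, result, diff), the paths and the sample lines are assumptions, since the page names the fields but not the exact schema.

```python
import ipaddress
import json
from collections import Counter

# Assumed key names: the page lists actor, IP, method, path, result and diff,
# but not the exact keys. "result" is assumed to hold the HTTP status code.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample lines, not real Studio output. The last line is cut short
# on purpose: a tailed append-only file can end in a partially written record.
SAMPLE = """\
{"actor":"alice","ip":"127.0.0.1","method":"PATCH","path":"/example/rows/7","result":200,"diff":{"active":[false,true]}}
{"actor":"viewer-link","ip":"203.0.113.9","method":"PATCH","path":"/example/rows/7","result":403,"diff":null}
{"actor":"viewer-link","ip":"203.0.113.9","method":"DELETE","path":"/example/rows/8","result":403,"diff":null}
{"actor":"bob","ip":"198.51.100.4","method":"POST","path":"/example/rows","result":200,"diff":{"added":1}}
{"actor":"bob","ip":"198.51.
"""

def triage(lines, refusal_threshold=2):
    """Flag repeated refused writes and successful writes from non-loopback IPs."""
    refused, remote_writes, malformed = Counter(), [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            actor, path = ev["actor"], ev["path"]
            method = ev["method"].upper()
            status = int(ev["result"])
            ip = ipaddress.ip_address(ev["ip"])
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed += 1  # count it, never silently drop an audit record
            continue
        if method not in WRITE_METHODS:
            continue
        if status == 403:
            refused[actor] += 1
        elif 200 <= status < 300 and not ip.is_loopback:
            remote_writes.append((actor, str(ip), method, path))
    return {
        "repeated_refusals": {a: n for a, n in refused.items() if n >= refusal_threshold},
        "remote_writes": remote_writes,
        "malformed": malformed,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE.splitlines()), indent=2))
```

A non-zero malformed count on anything other than the final line of the file is itself worth alerting on, since the log is meant to be one complete JSON object per line.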
04 — Hardening
Every dangerous capability is off until you turn it on with a flag. The safe path is the path of least resistance.
Admin or read-only token required for any non-localhost bind. No token, no service.
GETs plus probe / explain / refresh only. Nothing that mutates.
NDJSON to disk. Every write request captured with actor, IP, and diff.
Tag a connection 'prod' and every mutation needs a typed confirmation.
Tokens are checked per request. Rotate freely — there's no logout flow to manage.