zanith

studio / security · 01 — On-call surface

Built for Friday afternoons.

Four sub-tabs answer the four questions you ask when something looks off: who's blocking, what policies attach, who has too much access, and what every grantee can do.

overviewtablescatalogsecuritysqlLock graphRow-level securityRolesPermissions3 sessions · 1 blocker, 2 waitingrefreshed 8s agoPID 4231blockerapp_pool · 10.0.5.4CancelKillUPDATE users SET last_login = …PID 4290waitingops · admin@CancelKillDELETE FROM users WHERE id = …blocked by → PID 4231PID 4291waitingci_runnerCancelKillALTER TABLE users ADD COLUMN …blocked by → PID 4231
4 sub-tabscancel + kill PIDsRLS deny-all warningspermission matrixv0.2 · shipped

02 — Locks

See who's blocking whom.

The lock graph reads pg_locks + pg_stat_activity together. Blockers and waiters are highlighted, the chain is visible at a glance, and the action buttons live next to each PID.

blocking chain3 sessions · 1 blocker

Blocker

A session holding a lock that someone else wants. Highlighted in red.

Waiter

A session whose query is queued behind a blocker. Highlighted in amber.

Cancel · kill

Cancel sends pg_cancel_backend. Kill sends pg_terminate_backend. Both are one click.

03 — Row-level security

Deny-all is the failure case nobody catches.

RLS enabled with no policies = nobody can read the table (except the owner). Studio flags it. So is FORCED RLS, which applies even to the owner. The combinations that don't match what you intended are surfaced.

RLS state · per table1 flagged
tableRLSpoliciesstatus
usersON3OK
ordersON2OK
audit_logON0DENY-ALL
productsoff0RLS OFF
sessionsON4FORCED

audit_log has RLS enabled but zero policies. Effectively deny-all to anyone but the owner. Either add a policy or disable RLS — the current state usually means a migration that didn't finish.

04 — Roles + permissions

Who can do what, at a glance.

The permission matrix is a single grid: grantees on rows, tables on columns, privilege chips in the cells. Roles with bypass-rls or superuser are flagged separately — those are the ones to audit first.

permissions · grantee × table

granteeusersordersproductsaudit_log
app_pool
SIU
SIUD
S
SI
ops
SIUD
SIUD
SIUD
SIUD
ci_runner
S
S
SIU
analytics_ro
S
S
S
S

S=SELECT · I=INSERT · U=UPDATE · D=DELETE

roles · highlighted when risky

  • postgresloginsuperbypass-rls
  • opsloginbypass-rls
  • app_poollogin
  • ci_runnerlogin
  • analytics_rologin
05 — Sideways

Six doors. All open.

→ live

Back to Studio

Overview, contrast, eight surfaces.

/studio
→ live

Workspace level

Cross-database — every connection, activity, search.

/studio/workspace
→ live

Tables surface

Browse, edit, bulk operations, sensitive masking.

/studio/tables
→ live

SQL playground

Multi-tab editor, plans, watch, charts.

/studio/sql
→ live

Catalog

Views, sequences, triggers, functions.

/studio/catalog
→ live

Launch + auth

Three deployment modes.

/studio/launch