Security & Access

Nanosync ships a complete enterprise-security surface: per-org tenancy (org → workspace → project), local + OIDC + SAML login, custom roles with fine-grained (verb, resource) permissions, scoped API tokens, encrypted-at-rest secrets, and a pluggable audit subsystem.

Auth is opt-in via --auth-mode=enabled. The default none keeps existing single-binary dev workflows working unchanged — useful for laptop development, CI pipelines, and trusted-network deployments where you don’t need user accounts.


When to enable auth

Turn on --auth-mode=enabled when any of the following is true:

Stay on --auth-mode=none when:


Architecture at a glance

                  org


              workspaces


                projects   ← pipelines, connections, runs scoped here

A default org/workspace/project is seeded by migration; you don’t need to create the tree by hand to get started.

Roles are bound to a subject (user or service account) at one of these scopes. A binding at the workspace level applies to every project inside it (containment, not hierarchy).

Sessions are server-side opaque IDs in a nanosync_session cookie — no JWTs, so revocation is instant. API tokens look like ns_<prefix>_<secret>; only the sha256(secret) is stored.



Feature summary

CapabilityStatus
Local password login (argon2id)✅ Available
OIDC SSO (Okta, Google, Azure AD, Auth0…)✅ Available
SAML 2.0 SSO✅ Available
Custom roles + role bindings✅ Available
Scoped API tokens with traceable usage✅ Available
AES-256-GCM at-rest encryption (versioned frame)✅ Available
Audit log — local NDJSON file sink✅ Available
Audit log — OTLP (Splunk / Datadog / Honeycomb)✅ Available
Audit log — S3 / GCS object storage sink⏳ v1.1
Org → workspace → project tenancy✅ Available
Project-scoped resource isolation (writes + reads)✅ Available
First-run admin bootstrap✅ Available
SCIM 2.0 user provisioning⏳ v2
ABAC / attribute conditions on bindings⏳ v2
4-eyes approval workflows⏳ v2
CMEK / customer-managed KMS keys⏳ v2
Dynamic field masking by role⏳ v2

The schema and code seams for the v2 features are already in place — they’re deferred for scope, not for technical debt.