Multi-tenancy that flows

Hierarchical tenant trees with config inheritance, permission delegation, and three isolation strategies. Built for MSSP, MSP, and SaaS platform architectures.

Get Started GitHub

npm install @stratum-hq/lib

tenant hierarchy

AcmeSec                    ← root tenant
├── NorthStar MSP             ← reseller
│   ├── client-alpha
│   │   ├── team-eng
│   │   └── team-ops
│   └── client-beta
└── Apex Partners
    ├── client-gamma
    └── client-delta

max_users: 1000 inherited root → all children

data_region: locked children cannot override

Built for hierarchical tenant architectures

Every feature maps to a real problem in multi-tenant SaaS — not a marketing checklist.

Tenant Hierarchy

Tree-structured tenants backed by PostgreSQL ltree. Advisory locks prevent race conditions during concurrent writes. Supports up to 20 levels deep with O(1) ancestor lookups.

Config Inheritance

Values flow root to leaf automatically. Children inherit, override, or are blocked by locked keys. Batch updates with partial success — one bad key doesn't abort the whole transaction.

Three Isolation Strategies

Shared tables with RLS, schema-per-tenant, or database-per-tenant. Choose per tenant. Mix strategies in a single deployment as your compliance requirements evolve.

isolation model

shared RLS row_security = on · lowest cost

schema search_path = tenant_slug

database separate PG instance

stratum.setIsolation(tenantId, "schema")
// switch strategies without data migration

Permission Delegation

LOCKED, INHERITED, or DELEGATED modes. Cascade, soft, or permanent revocation. Fine-grained control at every node of the tree.

Field Encryption + GDPR

AES-256-GCM for sensitive values at rest. Data export (Article 20) and hard purge (Article 17). Consent tracking with audit trail.

Audit + Observability

Every mutation logged with actor identity. Optional OpenTelemetry tracing. Redis-backed rate limiting and webhook delivery with dead-letter queue.

Five lines to a working hierarchy

Connect a Postgres pool, create tenants with parent references, and config resolves automatically up the tree. No migrations to hand-write, no join tables to manage.

setup.ts

import { Pool } from "pg";
import { Stratum } from "@stratum-hq/lib";

const stratum = new Stratum({ pool: new Pool() });

// Create a hierarchy
const root = await stratum.createTenant({ name: "AcmeSec", slug: "acmesec" });
const msp  = await stratum.createTenant({ name: "NorthStar", parent_id: root.id });

// Config inherits automatically
await stratum.setConfig(root.id, "max_users", { value: 1000, locked: false });
const config = await stratum.resolveConfig(msp.id);
// → max_users: 1000, inherited: true, source: "acmesec"

8 packages. Pick what you need.

All published to npm under @stratum-hq/*

@stratum-hq/core	Types, Zod schemas, error classes required	npm →
@stratum-hq/lib	Direct library — tenants, config, permissions, audit, GDPR start here	npm →
@stratum-hq/control-plane	Fastify v5 REST API with auth, scopes, OpenTelemetry	npm →
@stratum-hq/sdk	HTTP client, LRU cache, Express/Fastify middleware, tenant impersonation	npm →
@stratum-hq/db-adapters	PostgreSQL — raw pg, Prisma, RLS, schema isolation	npm →
@stratum-hq/react	Tenant tree, config editor, inheritance visualizer, permission editor	npm →
@stratum-hq/cli	Project init, migrate, scaffold, doctor	npm →
@stratum-hq/demo	Full MSSP dashboard — dark mode, CRUD, webhooks, RLS isolation	gh →