Drop-in multi-tenancy for Node.js — from flat SaaS to deep enterprise hierarchies, in one library.
Every SaaS team starts with tenant_id on every table. It works until Month 6 (enterprise config), Month 12 (compliance audit), and Month 18 (data isolation). Stratum gives you all of it from day one — tenant hierarchy, config inheritance, permission delegation, three isolation strategies, ABAC, field-level encryption, audit logging, GDPR compliance, webhooks, and multi-region support.

```bash
npx @stratum-hq/create my-app    # scaffold a new project
cd my-app && npm run dev         # autoMigrate handles the rest
```

Or add to an existing project:

```bash
npm install @stratum-hq/lib pg
```

```typescript
const stratum = new Stratum({ pool: new Pool(), autoMigrate: true });
await stratum.initialize();
const org = await stratum.createOrganization({ name: "Acme Corp", slug: "acme" });
await stratum.setConfig(org.id, "seat_limit", { value: 25 });
```

| Repo | Description |
|---|---|
| Stratum | Core monorepo — 12 TypeScript packages, control plane, CLI, React components, docs site |
| stratum-python | Python SDK (auto-generated from OpenAPI) |
| stratum-go | Go SDK (auto-generated from OpenAPI) |

| Package | What it does |
|---|---|
| `@stratum-hq/lib` | Direct library — tenants, config, permissions, ABAC, audit, GDPR |
| `@stratum-hq/sdk` | HTTP client with LRU cache, Express/Fastify middleware |
| `@stratum-hq/nestjs` | NestJS integration — guard, `@Tenant()` decorator, DI module |
| `@stratum-hq/db-adapters` | PostgreSQL adapters — raw pg, Prisma, Sequelize, RLS, schema/DB isolation |
| `@stratum-hq/react` | React components — tenant tree, config editor, permission editor |
| `@stratum-hq/cli` | CLI — init, migrate, scaffold, doctor |
| `@stratum-hq/create` | Project scaffolding — `npx @stratum-hq/create my-app` |
| `@stratum-hq/control-plane` | Fastify v5 REST API with auth, scopes, OTel, Redis rate limiting |
| `@stratum-hq/core` | Shared types, Zod schemas, error classes |

- Tenant hierarchy — tree structure with ltree, up to 20 levels deep
- Config inheritance — values flow root to leaf, parents can lock keys
- Permission delegation — LOCKED / INHERITED / DELEGATED with cascade revocation
- ABAC — attribute-based access control with 9 operators, hierarchical policy inheritance
- Three isolation strategies — shared RLS, schema-per-tenant, database-per-tenant
- Field-level encryption — AES-256-GCM with key rotation
- Audit logging — every mutation with before/after state and actor identity
- GDPR compliance — data export (Article 20) and hard purge (Article 17)
- Webhooks — HMAC-signed lifecycle events with retry and dead-letter queue
- Multi-region — region CRUD with tenant migration
- 310+ tests — validated against real PostgreSQL 16
- Documentation — guides, API reference, package docs
- Landing Page — product overview
- npm — all published packages
- Contributing — setup, code style, PR guidelines
MIT
