Skip to content

Reference: Admin database ownership

For the full ownership map see Reference: Database ownership. This page is the admin lens: which stores an admin reads, which they write, and through which path.

Stores admin needs to read

StoreWhat admin needsHow
auth-state.json principals[]Principal fleet, suspension statusauth.principal.list, auth.principal.get
auth-state.json spaces[]Space fleet, ownership(target) auth.admin.spaces.list; today: state-file
auth-state.json publicNamespaces[]Namespace claims, conflict resolutionauth.namespace.list per principal
auth-state.json hostLinks[]Device fleetauth.hostLink.list per principal; (target) cross-principal
auth-state.json revokedSessions[]Currently revoked sessionsstate file
<host-home>/runtimes/*.jsonLocal Host runtime recordsfilesystem; or host.control runtimes.list
<host-home>/host.status.jsonSupervisor statushost.control status
<host-home>/logs/runtimes/*.logOperational logstail

Stores admin writes to (today)

StoreWhyPath
host.jsonConfiguration changes, secret rotationedit + Host restart
auth-state.json (suspending)No suspend op existsdirect edit
auth-state.json (NATS account rotation)No rotate op existsdirect edit
<host-home>/runtimes/*.jsonManual runtime declarationhost.control runtimes.declare (preferred) or edit

Direct state-file editing requires hivecast stop to avoid concurrent writes. Always backup first.

Stores admin writes to (target via ops)

When the admin op family lands:

OpUnderlying store
auth.admin.principal.suspendauth-state.json principals[].status
auth.admin.space.suspendauth-state.json spaces[].status
auth.admin.space.transferauth-state.json spaces[].ownerPrincipalId
auth.admin.role.assignauth-state.json principals[].role (target field)
auth.admin.hostLinks.bulkRevokeatomic revoke loop with one NATS hub reload
system.devices.admin.bulkRevokewraps the above

Stores admin should NOT read directly

  • Per-Device <host-home>/credentials/ — these contain plaintext NATS user JWTs and heartbeat tokens. Devices, not the platform admin, manage these.
  • Inference credentials — Factotum-only on each Device. Platform admin has no business reading them.
  • User content — packages a user installs, conversations they had, etc. The platform does not own this.

Backup-and-restore from admin perspective

bash
# Daily backup script (target: system service)
sudo tar czf /backups/hivecast-$(date +%Y%m%d).tar.gz \
  --exclude=logs --exclude=node_modules \
  /var/lib/hivecast/host-home/

# Encrypt
gpg --encrypt --recipient admin@hivecast.ai \
  /backups/hivecast-$(date +%Y%m%d).tar.gz

# Off-site (target: S3 with retention)

Restore:

bash
hivecast stop
gpg --decrypt /backups/hivecast-<date>.tar.gz.gpg | tar xz -C /
hivecast start

This restores everything: principals, Spaces, Host Links, runtime records, credentials, packages, logs.

Sensitive content

auth-state.json is the most sensitive single file:

  • Principal NATS account seeds in credentials[].value for credentialType: 'nats-account'.
  • Heartbeat token hashes (low risk; HMAC, not plaintext).
  • Pending Google OAuth states with PKCE verifiers (low risk; short TTL).
  • Revoked-session jti list (audit interest).

Operational rule: never copy auth-state.json to a less-secure environment. Mask the credentials[] array if sharing for debugging.

Admin-write audit (target)

Every admin write should produce an audit event. Today, manual edits leave no trace beyond the file modification timestamp. Target.

See also

Source: projects/matrix-3/packages/system-auth/src/host-auth.ts for HostAuthStateStore. projects/matrix-3/packages/host-service/src/host-state-store.ts.