Altien tears out the database's built-in safety net
Altien moved this fork off a hosted database platform and onto its own Postgres, and in doing so handed every access decision to the application layer.
The original Mike leaned on Supabase - a hosted database service that enforces who-can-see-what right inside the database itself, plus automatic account setup when someone signs up. Altien stripped all of that out. User identity now comes from Microsoft Entra, the corporate login system many firms already run, and the rebuilt schema also adds the plumbing for multiple client organisations and per-provider AI keys.
The trade-off is stated plainly in Altien's own notes: with the database's row-level guard rails gone, nothing stops one tenant's data leaking into another's at the database level. The only thing standing in the way is the backend's own permission checks. That's a deliberate, defensible choice for a corporate-identity setup - but it concentrates all the trust in one place.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?