Isolated database branches. Every PR. Zero PII.

stem-cli
v1.0 / Beta
ISOLATED DB BRANCHES | READY IN ~28 SECONDS | ZERO PII EXPOSURE | GDPR · HIPAA · SOC 2 ALIGNED | AURORA POSTGRESQL | AURORA DSQL | COPY-ON-WRITE CLONES | ~$0.11 / DAY PER CLONE | AUTO-DESTROY ON MERGE
01 / The Problem

YOUR PROD DATA IS LEAKING

SHARED CREDS

Every dev on your team has prod DB access. All of them. Always.

exposed:postgres://admin:pr0d-s3cret@prod-db:5432

PII EXPOSURE

Real emails. Real cards. In a PR open to 12 contractors.

exposed:jane.doe@gmail.com · 4242 4242 4242 4242

AUDIT RISK

GDPR. HIPAA. SOC 2. One leak during a PR review. You fail.

exposed:SSN 545-87-1123 visible in PR #841 diff

SLOW REVIEWS

"Works on my machine" is not a test environment. It's a liability.

exposed:staging is 47 days behind production

STEM redacts all of it — before the clone ever exists

02 / Pipeline

SCROLL TO RUN THE PIPELINE

01

PR OPENED

Webhook fires. Workflow queued against the warm pool.

02

CLONE READY IN 28s

Aurora copy-on-write. Full schema, shared storage, zero copy.

03

PII ANONYMIZED

Strict masking profile applied before the endpoint is exposed.

stem-ci · run #841
› webhook received: pull_request.opened #841
› repo: acme/checkout-service · base: main
› stem-ci queued · priority: warm-pool
$ stem branch create --pr 841
aurora: copy-on-write clone from prod-cluster-7
storage shared · 0 bytes copied · 28s elapsed
endpoint: pr-841.clone.stem.dev ........ READY
$ stem anonymize --profile strict
users.email ............ masked (sha-faker)
users.ssn .............. nulled
payments.card_number ... tokenized
✓ branch live · 0 rows of real PII · posting to PR
03 / Proof

STEM IN ACTION

01 / SPEED

CLONED IN 28 SECONDS

Aurora copy-on-write clones spin up before your CI finishes installing dependencies.

02 / PRIVACY

ZERO PII EXPOSED

Emails, cards, names — masked automatically. Real schema, fake secrets.

03 / AUTOMATION

EVERY PULL REQUEST

No tickets. No DBA approvals. Open a PR and the branch is already waiting for you.

03.1 / RECEIPT

NOT A MOCKUP

STEM bot comment posted on GitHub PR #8

stem-ci posted this 28 seconds after the PR was opened

04 / Trust

WHAT YOUR BRANCHES ACTUALLY SEE

masking inspector
column | branch value | original value
users.email | u_8f2a@masked.stem | jane.doe@gmail.com
users.full_name | Vesper Aldrin | Jane Allison Doe
users.ssn | NULL | 545-87-1123
payments.card | tok_9Xa4 ···· | 4242 4242 4242 4242
orders.address | 14 Synthetic Way | 221B Baker St, London

profile: strict · ✓ safe for review

compliance alignment

  • GDPR Art. 32 — pseudonymisation: ALIGNED
  • HIPAA §164.514 — de-identification: ALIGNED
  • SOC 2 — least-privilege access: BY DESIGN
  • PCI DSS — cardholder data isolation: BY DESIGN
  • Audit log — every branch state change: ENABLED

0s median clone time
0 rows of real PII served
0% branches auto-destroyed on merge

05 / Infrastructure

BUILT ON AWS

AWS

Aurora PostgreSQL

Copy-on-write clones. Row-level isolation. Enterprise-grade consistency.

AWS

Aurora DSQL

Globally consistent metadata. Serverless scaling. No cold starts.