Ask2DoAsk2Do
Get started

Cloud-hosted sidecar

Ask2Do can run in two modes. Self-hosted means our binary runs on your server and your DB credentials never leave your infrastructure. Cloud-hosted — this page — means we host the sidecar against your DSN. You hand us an encrypted connection string in /settings; our cloud sidecar pool connects to your DB on your behalf.

When cloud-hosted is the right choice

Pick cloud-hosted when you don't have a server to put a binary on, or when running one would be more friction than the privacy benefit is worth. The common cases:

  • Managed-DB stacks — Supabase, Neon, AWS RDS, PlanetScale. Your DB is internet-reachable; the value of running a local sidecar is much lower because your DSN already crosses the public internet on every query.
  • Serverless backends — Vercel, Cloudflare Workers, Lambda. There's no long-lived process to attach a sidecar to, so you'd need to provision one anyway.
  • Evaluating the product — you want a working panel in 10 minutes, not 30. Switch to self-hosted later by flipping the deployment mode in /settings.

Required DB role permissions

Create a dedicated DB role for Ask2Do. The minimum grants depend on whether you want the assistant to be able to write under approval (the default) or stay strictly read-only:

sql
-- Run as a superuser once. Replace ask2do_role + your_db.
CREATE ROLE ask2do_role WITH LOGIN PASSWORD '...';
GRANT CONNECT ON DATABASE your_db TO ask2do_role;
GRANT USAGE ON SCHEMA public TO ask2do_role;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ask2do_role;
GRANT INSERT ON public.ask2do_audit TO ask2do_role;  -- created on first connect
-- For SELECT-only setups, grant SELECT on the tables you want exposed.

The cloud-hosted sidecar opens at most 3 connections per tenant, so a small max_connections ceiling on your DB is fine. Connections are reused across requests and held open for the lifetime of the tenant's active period; the reconciler drains them on DSN rotation.

DSN format examples

Paste the DSN your DB provider gives you into the cloud-sidecar panel at /settings. The shapes we recognise:

bash
# Supabase (default settings)
postgres://postgres.<ref>:[YOUR-PASSWORD]@aws-0-<region>.pooler.supabase.com:6543/postgres

# Neon
postgres://<user>:<password>@<endpoint>.neon.tech/<dbname>?sslmode=require

# AWS RDS Postgres
postgres://<user>:<password>@<endpoint>.rds.amazonaws.com:5432/<dbname>?sslmode=require

# Generic Postgres
postgres://<user>:<password>@<host>:5432/<dbname>?sslmode=require

DSN rotation flow

To rotate the password (or move to a different DB entirely): paste the new DSN in /settings, click Test to confirm we can connect with the new credentials, then click Save. The cloud sidecar reconciles within 30 seconds — old connections drain, new ones come up. Expect a brief in-flight failure window during the swap: any query mid-flight gets terminated cleanly with a connection error, and the widget retries automatically. Customers concerned about zero-downtime rotation should contact support — we can stage a graceful overlap.

Privacy posture

Cloud-hosted is more convenient than self-hosted, but the privacy boundary is different. Specifically:

  • What we hold: the encrypted DSN at rest, sealed with NaCl secretbox. The 32-byte key lives in our cloud's env; we can rotate it without re-asking you for the DSN.
  • Plaintext DSN exposure: exists only in the cloud-sidecar process memory while a connection is active. Never on disk, never in logs.
  • Audit log: still writes to your database (the ask2do_audit table), never ours. Even in cloud-hosted mode, the durable record of every approved write stays on infrastructure you own.
  • What we never log: raw DSN, query rows, or column values. Operational logs include tenant id, query type, latency, and outcome only.
  • If the threat model demands maximum privacy: self-hosted is the right choice — your DB credentials literally never reach our network. See Install the sidecar.

Troubleshooting

Status stuck on Pending

The cloud-sidecar reconciler hasn't picked up the new DSN yet. Wait 30 seconds; if still pending, contact support.

Status Failing connection refused

DSN host:port is unreachable from our cloud network. Verify the DB is internet-reachable; whitelist our egress IP if needed (contact support for the current address).

Status Failing password authentication failed

The DSN password is wrong. Re-paste DSN in /settings after confirming credentials with psql locally.

Status Failing EnsureTable failed

DB role lacks CREATE TABLE on schema public. Grant CREATE to the role for first run, or create the ask2do_audit table manually using a privileged role — see the audit log docs.

Switching modes later

Deployment mode is a per-tenant setting you can change at any time from /settings. Switching from cloud-hosted to self-hosted retires our copy of the encrypted DSN; switching the other way prompts you to paste a fresh one.