For enterprise

Semantic search across SharePoint, Drive, Jira and the cloud — without sending it all to a SaaS vendor.

Read-only credentials, isolated databases per source, encryption on the roadmap, no telemetry. StrataFS is the search layer your compliance team will actually approve.

The problem

Enterprise knowledge lives in SharePoint sites, OneDrive, Google Drive, Jira projects, S3 archives, and engineering laptops. Indexing all of it with a SaaS vendor means sending it all to a SaaS vendor — a long conversation with security, a longer conversation with legal, and a monthly bill that scales with corpus size.

StrataFS is the inverse. One open-source binary, deployed inside your perimeter, that speaks to all those sources with read-only credentials and keeps the index on your own disk.

What it indexes

SharePoint Online / OneDrive — Microsoft Graph delta API, scoped to a site or drive.
Google Drive — OAuth2 with drive.readonly scope, including native Docs export.
Jira — issues, descriptions, comments, attachments (via REST + Personal Access Token).
S3, GCS, Azure Blob — IAM/SP/key-based read-only access, prefix-scoped.
Local fileshares — SMB and NFS mounts treated as local sources.

Compliance posture

Read-only sources. StrataFS cannot modify, delete, or write to the systems it indexes. Permission failures don't degrade gracefully — they fail loudly.
No telemetry. The binary makes outbound calls only to the configured storage backends. No "phone home". No analytics.
Local embeddings. The default ONNX model runs on the indexing host. File content never leaves your perimeter.
Per-source isolation. Each source is a separate SQLite database. Revoking a source = deleting a file.
Audit trail. Every query, every index update is logged to a structured log file with source attribution.
Encryption (roadmap). SQLCipher-backed at-rest encryption is in active development.

Air-gapped deployments: StrataFS runs without any outbound connection once the embedding model is downloaded. Bundle the Docker image + the ONNX file, deploy inside the network, point at internal S3-compatible storage.

Deployment shapes

Per-user desktop: native installer, indexes their laptop + the corporate Drive folder they have access to.
Team sidecar: Docker container next to an internal agent that needs RAG context.
Departmental server: one VM, indexes the SharePoint site + Jira project the team owns. Read-only credentials means the blast radius of a compromise is "the index can be deleted".
Kubernetes: deployment + ConfigMap + PVC. The image is multi-arch and stateless apart from the volume.

Source-level access control

Today, sources are configured in config.toml — anyone with access to the binary can query any configured source. RBAC with source-level permissions is in active development and is the next major release item.

Procurement

StrataFS is MIT-licensed. No procurement to do — clone the repo, run the binary, you're in production. For organizations that need a commercial support agreement, contact stratafs@neullabs.com.

Bring all your enterprise knowledge under one search.

Read-only. Self-hosted. Compliance-friendly. MIT licensed.

Install StrataFS → Read the storage docs