Why metadata matters
In a content-addressed file cloud, the database is not just UI state. It defines users, credentials, layout nodes, node files, manifests, chunks, refresh tokens, download tokens, share tokens, and server settings. If that metadata is silently changed, encrypted storage alone is not enough.
Protected row signatures
Cotton writes integrity shadow columns for protected entities through descriptors rather than scattered ad-hoc serialization. Security-sensitive reads can verify that the canonical row data still matches its signature.
- Users and passkey credentials can be covered.
- Refresh, download, and share tokens can be covered.
- Nodes, node files, manifests, manifest chunks, chunks, and server settings can be covered.
Master-key relationship
The signature material is derived from master-key-protected material, so row integrity belongs to the same security boundary as storage encryption and database backup protection.
Bridge rollout
For existing databases, a bridge rollout can sign legacy unsigned rows while warning administrators that the rollout is not finished. Invalid signatures remain integrity failures; unsigned historical rows get a controlled migration path.
What this catches
Row signatures are meant to catch unauthorized or accidental metadata changes at read boundaries: token edits, credential tampering, server setting changes, node/file relationship mutation, or storage reference corruption.
What it does not replace
Database row signing does not replace backups, PostgreSQL access control, least-privilege deployment, storage consistency checks, or a real external security audit. It raises the bar and makes invisible tampering harder to ignore.
Signed surfaces
The proof is in the protected surfaces: users, passkey credentials, refresh/download/share tokens, server settings, nodes, node files, manifests, manifest chunks, and chunks can be signed and verified at security-sensitive read boundaries.
Protect the map, not only bytes
A file cloud cannot protect only blob bytes while leaving the map to those bytes easy to mutate silently. Cotton treats storage metadata as part of the security model.
Integrity is not secrecy
Integrity signatures are detection and hardening, not magic database secrecy. Operators still need sane PostgreSQL permissions, backups, key custody, storage checks, and deployment hardening.