DAWShare White Paper

Secure, Versioned File Sharing Purpose-Built for Music Production

Version 1.3 · May 2026 · Computer Architechs International Corporation

1. The Problem

Music producers and audio engineers working in teams face a unique set of collaboration challenges that generic cloud storage tools were never designed to solve:

Large file sizes — A single DAW project routinely contains 500 MB to 5 GB of audio, samples, and session data. Uploading the entire project for every small change is impractical.
Version confusion — Teams pass files back and forth over email, messaging apps, or shared drives, leading to naming schemes like Song_FINAL_v3_ACTUALLY_FINAL.zip.
No conflict prevention — Two collaborators can edit the same project simultaneously with no way to know, resulting in lost work when one version overwrites the other.
Security gaps — Unreleased music is valuable intellectual property. Consumer cloud services store files unencrypted at rest and offer limited access controls.
No audit trail — When something goes wrong, there is no record of who uploaded what, when, or why.

DAWShare was built from the ground up to address these problems with a system that understands the specific structure and workflow of DAW projects.

2. The DAWShare Solution

DAWShare is a self-hosted file sharing and version control platform designed specifically for music production teams. It provides:

Capability	Description
Version Control	Every push creates an immutable version. Full history is preserved and any version can be restored.
Delta Sync	Only changed bytes transfer over the wire. A 2 GB project with a few tweaked audio files syncs in seconds.
Background Sync	Push operations run in the background after user confirmation; macOS delivers a success or failure notification on completion.
File-Level Deduplication	Identical files (samples, loops, stems) are stored once across all versions and projects in a collab.
Check-out / Check-in	A user can lock a project while editing, preventing others from pushing conflicting changes.
Encryption at Rest	All stored files are encrypted with AES-256 using per-collab keys derived via PBKDF2.
Audit Logging	Every sync, upload, download, and administrative action is recorded with timestamps and user attribution.
Automatic Backups	Before each pull overwrites local files, changed files are backed up to a timestamped folder.
Server-Side Mapping Recovery	Folder-to-project mappings are stored server-side and automatically recovered on new machines or data loss.
Smart Folder Setup	On first sync, the app offers to auto-create a local folder pre-named after the project, defaulting to the Logic Folder with the option to choose any location.
Moved Folder Detection	If a project folder has been moved or renamed, the app automatically locates it by scanning common music directories and sibling folders.
Restore Last Project	When the app launches, the browser reopens directly to the last project the user was working on.
Project Cover Art	Users can upload cover artwork (JPEG, PNG, GIF, WebP, SVG) for each project, displayed throughout the web UI.
Version Notes	Each push can include free-text session notes for context and searchability.
Project Finalization	Projects can be marked as final to prevent further changes. Finalization optionally records library placement metadata (library name, album, and streaming URL).

3. Architecture

+-----------------+ SSH Tunnel (port 8420) +-------------------+ | macOS Client | --------------------------------> | DAWShare Server | | (DAWShare.app) | rsync over SSH | (FastAPI/Python) | +-----------------+ +-------------------+ | +-----------------+ +-----+------+ | Windows Client | ---- SSH Tunnel ---------> | PostgreSQL | | (PowerShell) | | | +-----------------+ +-----+------+ | +-----------------+ +-----+------+ | Web Browser | ---- HTTPS (Nginx) ------> | Blob Storage| | (any platform) | | (encrypted) | +-----------------+ +-------------+

Server Stack

FastAPI async Python application with Jinja2 templates for the web UI
SQLAlchemy async ORM with PostgreSQL via asyncpg
Nginx reverse proxy with SSL termination (Let's Encrypt via certbot)
uvicorn ASGI server behind the reverse proxy

Client Architecture

macOS: Native .app bundle with AppleScript URL handler + bash sync engine
Windows: PowerShell sync script with batch file launcher and registry-based URL scheme
Web: Full-featured browser UI for project management, uploads, downloads, file browsing, and audio preview

Collab Model

Users are organized into Collabs (collaborative groups). Each collab has its own projects, storage quota, and encryption key. Users join collabs via invite codes and can be members of multiple collabs simultaneously. Collab owners can manage members and regenerate invite codes.

4. Security Model

We take security seriously because we know you take your music seriously. While balancing ease of use and flexibility, we also made sure that your music stays locked up and accessible only to you and your collaborators.

Secure Project Sync

Using tried and true secure technology with SSH, your projects sync directly with our servers over a secure tunnel via a local connection. The SSH tunnel creates a private, encrypted pathway between your computer and the DAWShare server — your data never travels over an unencrypted channel.

All SSH connections are non-interactive — the system uses key-based authentication with no passwords or manual intervention required. The installer generates an ed25519 SSH key pair on the user's device, registers the public key on the server, and configures macOS Keychain (or Windows Credential Manager) so the connection is fully automatic.

SSH Force-Command & Command Restriction

The server's SSH account uses a force-command wrapper that intercepts every incoming SSH connection. This wrapper:

Restricts allowed commands — only rsync --server commands are permitted. All other commands (shell access, SCP, SFTP, etc.) are rejected
Allows tunnel-only connections — connections with no command (port forwarding only) are held open for the SSH tunnel without granting shell access
Validates sync tokens — before executing any rsync command, the wrapper calls the server API to validate the sync token. Expired or invalid tokens are rejected
Enforces staging path isolation — the rsync destination path is resolved and validated to ensure it falls within the authorized staging directory. Path traversal attempts (e.g., ../../) are blocked

SSH Key Fingerprint Verification

Each user can register multiple SSH keys for multiple devices (e.g., studio desktop, laptop, home workstation). Every registered key's SHA-256 fingerprint is stored in the database and linked to the user's account. On each rsync connection, the server verifies that the connecting key belongs to the correct user:

When a key is registered, the server computes its fingerprint and writes the authorized_keys entry with an environment= prefix: environment="DAWSHARE_KEY_FP=SHA256:xxxx"
OpenSSH reads this prefix and automatically sets the DAWSHARE_KEY_FP environment variable when the user connects with that key (requires PermitUserEnvironment yes in the server's SSH configuration)
The force-command wrapper reads this environment variable and calls the server's /sync/verify-fingerprint API to confirm the fingerprint belongs to the same user who created the sync session
If the fingerprint does not match the session's user, the connection is rejected — preventing one user from using another user's sync token even if they somehow obtained it

Legacy keys registered before fingerprint tracking was introduced are allowed through with a logged warning, maintaining backward compatibility while encouraging re-registration.

SSH Key Protection

SSH keys are generated with the user's Login Key as the passphrase, providing file-level encryption of the private key on disk
On macOS, the passphrase is stored in Keychain via ssh-add --apple-use-keychain, enabling automatic unlocking without user interaction
The SSH config includes UseKeychain yes and AddKeysToAgent yes for seamless key management across reboots
Users can manage their registered keys (view, label, revoke) from the Profile page in the web interface

Login Rate Limiting

Web login attempts are rate-limited to 5 failures per 5-minute window per IP address to prevent brute-force attacks
Failed attempts are logged with IP address for security monitoring

Login Key

Your Login Key is your password. It is reported to you once and it is hashed on our servers so we don't know what the plain text Login Key is. This is used as your key to unlock access to sync your projects with our servers.

Login Keys are hashed with SHA-256 before storage — the plaintext key is shown only once at registration and cannot be recovered
One-time login tokens allow the desktop app to auto-login securely via the browser without exposing the Login Key in URLs
Invite-only registration prevents unauthorized signups — new users must have a valid platform invite code
The Login Key also serves as the SSH key passphrase, providing file-level encryption of the local SSH key

Two-Factor Authentication (2FA)

It is incredibly simple to register your web account with a free authenticator app like Microsoft^® or Google^® Authenticator. This helps to lock down your web account so only you have access. Whenever you login through the web you just enter the authenticator code on your phone and we know that it is you.

TOTP-based 2FA using standard authenticator apps (RFC 6238)
Recovery codes are provided at setup in case of device loss, each usable only once
Recovery codes are hashed with bcrypt before storage for additional security

Encryption at Rest

All projects are encrypted on our servers. When you upload or sync your files, they are immediately encrypted after the upload and processing is complete. This provides yet one more level of security to ensure your project files stay safe.

Files are encrypted using AES-256-CBC
Each collab has its own encryption key, derived from a per-collab secret via PBKDF2 with 100,000 iterations
Collab keys are themselves encrypted with a server master key
SSH tunnels provide encryption in transit between clients and the server

Antivirus & Upload Scanning

Every uploaded file is actively scanned for malware and viruses using ClamAV, an industry-standard open-source antivirus engine. Virus signature databases are automatically updated via the freshclam daemon to ensure protection against the latest known threats. This prevents the introduction of malicious content into shared projects and protects all collaborators who download or sync files.

In addition to antivirus scanning, uploaded archives pass through a structural security check that flags suspicious file types (executables, scripts, batch files) that would not normally appear in a DAW project.

Audit Trail

Every action is logged: syncs, uploads, downloads, project creation/deletion, check-outs, collab management, and user authentication events. Logs include user identity, timestamp, IP address, and action-specific details. Admins can view grouped audit logs filtered by collab, project, or user.

5. Deduplication & Storage

DAW projects are highly redundant. A typical Logic Pro project shares most of its audio files between versions — a 90-second vocal take doesn't change when the mix engineer adjusts EQ settings. DAWShare exploits this with file-level content-addressable deduplication:

Version 1 (push): 72 files, 319 MB -> 72 new blobs stored Version 2 (push): 72 files, 319 MB -> 4 new blobs (mix changes) Version 3 (push): 74 files, 351 MB -> 6 new blobs (new vocal take) Version 4 (push): 77 files, 392 MB -> 5 new blobs (mastering) Version 5 (push): 78 files, 426 MB -> 3 new blobs (final bounce) Total original: 1.5 GB across 5 versions Stored on server: 379 MB (75% space saved)

How It Works

On push, the server walks the synced file tree and computes a SHA-256 hash for each file
If a blob with that hash already exists in the collab's blob store, the file is linked (not stored again)
Only genuinely new or modified files are encrypted and written to blob storage
Each version records a manifest mapping relative paths to blob IDs
On pull, the manifest is used to reconstruct the full project tree from blobs

Storage quotas are enforced per-project (default 1 GB) and per-collab (default 10 GB), measured by actual bytes stored after deduplication.

6. Sync Protocol

The sync protocol is designed to minimize data transfer for large projects where only a few files change between versions:

Push Flow

Client requests a sync session from the server (POST /sync/session)
Server creates a staging directory and pre-populates it with the latest version's files (for delta comparison)
Client runs rsync from the local project folder to the staging directory — only changed bytes transfer
Client completes the session (POST /sync/session/{id}/complete)
Server walks the staging tree, deduplicates blobs, creates a new version, and cleans up staging

Pull Flow

Client requests a pull session; server reconstructs the requested version into a staging directory
Client runs rsync from the staging directory to the local folder with --backup to preserve overwritten files
Client completes the session

Sync Tokens

Each sync session generates a time-limited token (default 15 minutes) that authorizes the rsync SSH connection. An SSH force-command wrapper on the server validates the token and restricts rsync to the session's staging directory, preventing unauthorized file access.

7. Auto-Recovery & Resilience

DAWShare stores folder-to-project mappings both locally and on the server. If the local configuration is lost (new machine, reinstall, accidental deletion), the system recovers automatically:

Each local project folder is assigned a unique local_id (UUID) stored in a .dawshare marker file
On every sync completion, the client sends the local_id and folder path to the server
The server maintains a LocalProjectMapping table keyed by (user_id, local_id)
When the local projects file is missing, the client fetches all mappings from GET /me/project-mappings and rebuilds it for paths that still exist on disk
When a specific project's folder is not found locally, the client queries the server for the last known path and offers it to the user

Moved & Renamed Folder Detection

If the local project folder has been moved or renamed, the app automatically locates it before syncing rather than reporting an error. The search checks sibling directories of the last known path, as well as common music directories (~/Music/Logic, ~/Documents, ~/Desktop, ~/Music). When found, the user is shown a confirmation dialog before proceeding. The corrected path is then saved back to the server so subsequent syncs resolve correctly.

Smart Folder Setup

When a user syncs a project for the first time and no local folder exists, the app offers to create one automatically. A dialog pre-fills the folder name with the project name (editable), and offers two placement options: the user's Logic Folder (default) or a custom location chosen via the native folder picker. The folder picker includes a New Folder button so the user can create subdirectories without leaving the dialog.

Restore Last Project

When the desktop app launches and opens a browser window, it automatically navigates to the last project the user was viewing rather than the projects list. The last-visited project path is stored in localStorage and threaded through the auto-login URL so the redirect happens silently on every launch.

Local Backups

Before a pull overwrites local files, DAWShare automatically backs up changed files to a timestamped folder. Users can browse these backups directly from the project page in the web UI. Backups can be disabled per-user in profile settings.

8. Project Management & Organization

Cover Art

Each project can have a custom cover image uploaded via the web UI. Raster images (JPEG, PNG, GIF, WebP) are automatically resized and optimized for display. SVG files are stored as-is and rendered natively in the browser. Cover art is displayed on the project detail page, the projects list, and anywhere the project is referenced in the UI.

Version Notes

When pushing a new version, users can optionally add free-text session notes describing what changed. Notes are displayed alongside each version in the version history table and are searchable and filterable, making it easy to locate a specific session across a long history.

Project Metadata

Each project stores rich metadata editable from the web UI: musical key, BPM, DAW type, genre (with sub-genre), mood, and instrumentation tags. This metadata supports organization across large collabs and aids in locating projects by musical or technical criteria.

Project Finalization & Library Placement

Projects can be marked as final, locking them against further version uploads. Finalization is an intentional milestone action and optionally captures library placement metadata:

Library Name — the music library or publisher the track was placed with
Album Name — the specific album or compilation on the library
Album URL — a direct link to the album or track on the library's platform

The web UI provides autocomplete suggestions for library names and album names drawn from the user's placement history across all projects. Selecting a known library automatically populates the associated album dropdown and pre-fills the URL. Library metadata can be updated at any time after finalization without reopening the project. Finalized projects display a dedicated banner with a direct link to the placement.

Client Update Notifications

The server exposes a public GET /client-version endpoint that returns the current installer version, release date, and download URL. The desktop app checks this endpoint once per day and displays an in-app update dialog when a newer version is available. The web UI shows a dismissible top banner for the same purpose. Users can dismiss the banner per-version for up to 7 days.

9. Platform Support

Platform	Status	Components
Web (any browser)	Available	Full web UI: project management, upload/download, file browser, audio preview, admin panel
macOS	Available	Native .app with one-click installer, SSH tunnel, rsync sync, URL scheme handler
Windows	In Development	PowerShell sync client, installer, URL scheme handler (not yet tested)

Supported DAWs

DAWShare is DAW-agnostic. It works with any software that stores projects as files or folders, including Logic Pro, Ableton Live, Pro Tools, FL Studio, Cubase, Studio One, REAPER, GarageBand, Reason, and Bitwig Studio. It can also sync standalone audio folders (stems, bounces, multitracks).

macOS Installer

The macOS installer handles the complete setup process without requiring a web browser:

In-app registration — new users enter their invite code, username, and email directly in the installer. The account is created via the server API and the Login Key is displayed immediately
SSH key generation — an ed25519 key pair is generated with the Login Key as the passphrase
Keychain integration — the Login Key and SSH passphrase are stored in macOS Keychain for automatic access
SSH configuration — the installer writes the SSH config entry with tunnel port forwarding, UseKeychain yes, and AddKeysToAgent yes
Key registration — the public key is registered on the server with its fingerprint
App installation — DAWShare.app is copied to Applications with the dawshare:// URL scheme registered

10. Operations & Monitoring

Health Monitoring

A monitoring script runs on a configurable schedule (default: every 5 minutes) and checks system health:

Server availability — HTTP health endpoint polling with response code validation
NFS mount status — verifies the network storage mount is accessible
Database connectivity — confirms PostgreSQL is responding
Disk space — alerts when local disk falls below 2 GB or NFS storage falls below 10 GB

Alerts are delivered via desktop notifications, server-side alert API, and direct SMTP email fallback if the server is unreachable. A 30-minute cooldown prevents alert flooding.

Database Backups

Automated database backups follow a Grandfather-Father-Son (GFS) rotation strategy:

Daily — retained for 7 days
Weekly — Sunday backups retained for 28 days
Monthly — 1st-of-month backups retained for 365 days
Yearly — January 1st backups retained indefinitely

Backups are created via pg_dump and stored on the NFS mount. A pre-flight check verifies the mount is available before proceeding, and rotation only runs after a successful dump.

Storage Administration

Storage dashboard — per-collab disk usage breakdown with deduplication savings statistics
Garbage collection — admin tool to identify and remove orphaned blobs (file blobs with zero references). Supports dry-run mode for safety
DAW type auto-detection — uploaded projects are automatically classified by DAW format (Logic Pro, Ableton, Pro Tools, etc.) based on archive structure analysis

Email Notifications

Users can configure per-event email notification preferences from their Profile page:

New version uploaded — when a collaborator pushes a new version to a project
New project created — when a new project is added to a collab
Project check-out/check-in — when a collaborator locks or unlocks a project
New collab member — when someone joins a collab

Email Verification & Account Recovery

Email verification — users can verify their email address via a tokenized link (24-hour expiry). Verified emails are required for password reset functionality
Forgot key recovery — users with a verified email can request a new Login Key via email. The old key is invalidated immediately

Background Sync & Notifications

Push sync operations fork to a background process immediately after the user confirms. The browser tab can be closed and work can continue while the sync completes. On macOS, a system notification is delivered on success (Glass sound) or failure (Basso sound), with a direct link to the sync result. A real-time progress page is available for users who wish to monitor the operation.