Access control
Permissions
Who can do what. Several controls are already enforced on every call; the unified permission editor is still to come.
Enforced today
- live Delegations — per-agent, per-action grants with optional expiry. Grant, test, and revoke them from each agent's page.
- live Scope & tier checks at the gate — every inbound arrival is checked against the gate's required scopes and minimum trust tier before it gets in (see the Arrivals page).
- live Path rules at the workspace ingress — workspace calls are matched against per-agent path rules before they reach the workspace.
- live Per-agent suspend — suspending an agent (or a connected service's kill switch) blocks its calls immediately.
Coming
A single permission evaluator that composes the rules below and decides every proxied call. The data model ships today; the evaluator and its controls arrive in a later release.
- coming User × action grants
- coming Role-based grants
- coming Hard denies (admin pins)
- coming Per-agent overrides
- coming Pinned/required permissions