Self-hosted docs
Permissioning Boundaries
Role-scoped permissions keep sensitive tools and actions inside explicit boundaries.
Role-aware tool access
Define which roles can invoke which tool classes, and enforce those checks inline during agent execution.
- Example: Developer role can only access sandbox tools and routes
- Example: Team role can manage production routes with approval workflows
- Example: Enterprise role has full access with audit logging requirements
- Request: POST /v1/permissions/check {role: "developer", tool: "export_data", route: "prod-payment"}
- Response: {allowed: false, reason: "role_restriction", required_role: "team"}
- API Reference: See [Permission Check](/docs/api#permission-check) for full contract details
Escalation and review
Denied actions can trigger structured human review workflows with complete incident evidence attached.
- Example: Failed tool invocation creates incident with full context
- Example: Review workflow includes runtime traces, policy verdicts, provider status
- Example: Approval decisions logged with timestamps and reviewer identity
- Request: POST /v1/reviews/create {incident_id: "inc-123", reviewer: "alice@company.com", decision: "approve"}
- Response: {review_id: "rev-456", status: "approved", timestamp: "2024-03-15T14:30:00Z"}
- API Reference: See [Review Creation](/docs/api#review-creation) for full contract details
Permission inheritance
Hierarchical permission models with workspace and team-level overrides.
- Example: Workspace-level permissions override global defaults
- Example: Team-specific tool access with audit trails
- Example: Temporary permission escalation with time limits
- Request: POST /v1/permissions/workspace {workspace_id: "prod-ai", role: "developer", tool_access: ["sandbox_only"]}
- Response: {permission_id: "perm-789", workspace_id: "prod-ai", effective_permissions: ["read_only", "sandbox_execution"]}