Namespace-based Access Control & RBAC #10

@DarlingtonDeveloper

Overview

Multi-agent isolation via namespaces. Deferred — all agents currently see the full graph.

Scope

  • Namespace model: nodes get a namespace field, queries filter by agent's allowed namespaces
  • Three modes: open (default, current), namespace, rbac
  • Namespace inheritance (agent in "kai" inheriting "shared" can read both)
  • Write vs read permissions per namespace
  • gRPC x-cortex-agent-id header for namespace resolution

Config

[access]
mode = "namespace"

[[access.namespaces]]
name = "kai"
agents = ["kai", "dutybound"]
inherit = ["shared"]

[[access.namespaces]]
name = "shared"
agents = ["*"]
write = ["kai"]

Why Deferred

Currently one graph with cooperative agents — isolation is premature. Needed when external users run multi-tenant setups.

Spec

Was part of specs/07e-access-control.md (stripped out). Original design in specs/07-standalone-product.md.

Priority

Post-launch. Required for multi-tenant and Cortex Cloud.
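
The resolution rules from Scope, applied to the Config example above. This is an added illustration, not code from the Cortex repository. Assumptions not stated in the issue: a missing `x-cortex-agent-id` resolves to no namespaces, inheritance grants read only and is followed transitively, `write` defaults to `agents` when omitted, and only the `open` and `namespace` modes are modelled.

```python
# Constructed from the issue's [access] example, in the shape a TOML parser yields.
ACCESS = {
    "mode": "namespace",
    "namespaces": [
        {"name": "kai", "agents": ["kai", "dutybound"], "inherit": ["shared"]},
        {"name": "shared", "agents": ["*"], "write": ["kai"]},
    ],
}
# Constructed sample nodes; node 4 has no namespace field at all.
NODES = [{"id": 1, "namespace": "kai"}, {"id": 2, "namespace": "shared"},
         {"id": 3, "namespace": "ops"}, {"id": 4}]

def _member(agent, listed):
    return "*" in listed or agent in listed

def readable(access, agent_id):
    """Namespaces the agent may read: direct memberships plus inherited ones."""
    if not agent_id:  # header missing or empty: fail closed (assumption)
        return set()
    by_name = {ns["name"]: ns for ns in access["namespaces"]}
    stack = [n for n, ns in by_name.items() if _member(agent_id, ns.get("agents", []))]
    seen = set()
    while stack:
        name = stack.pop()
        if name in seen or name not in by_name:  # cycle guard; undefined parents ignored
            continue
        seen.add(name)
        stack.extend(by_name[name].get("inherit", []))
    return seen

def writable(access, agent_id):
    """Write is never inherited (assumption); `write` defaults to `agents`."""
    if not agent_id:
        return set()
    return {ns["name"] for ns in access["namespaces"]
            if _member(agent_id, ns.get("write", ns.get("agents", [])))}

def visible_nodes(access, agent_id, nodes):
    """Query-side filter: drop nodes outside the agent's readable namespaces."""
    if access.get("mode", "open") == "open":
        return list(nodes)
    allowed = readable(access, agent_id)
    # Nodes without a namespace field match nothing and stay hidden.
    return [n for n in nodes if n.get("namespace") in allowed]
```

Under these assumptions the wildcard on "shared" gives any identified agent read access to it, so the header value must be authenticated before it is used for resolution.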


Labels: enhancement
