Tab · Build
Scope contracts
No agent acts outside its lane. K4.F.2 splits every actor's authority into read, write, and action scopes — bounded per tenant and per account — and K4.F.3 layers multi-approver holds on top so a cross-tenant action waits for every named approver before it lands.
Where to find it
- Source:
lib/identity/scope-contract.mjs(read + write + action shapes) - Policy:
lib/actions/policy.mjs::decideAction— denies anything outside scope - API:
GET /api/scope/contracts?actor=<id> - Sidebar: Build → Scope contracts
What it does for you
An agent only writes where it's allowed.Each actor (human, agent, cron, webhook, service) gets a scope contract at creation. A write outside its declared tenant + account is denied before the verb even reaches its dry-run.
Cross-tenant writes need every approver.When an action would cross a residency boundary, K4.F.3's
computeCrossScopeHolds emits one hold per crossed boundary, each carrying the foreign requiredApproverScope — the action waits until every required approver signs off.The unified actor model makes it audit-clean.K4.F.1's unified actor registry means every action is attributed to a real principal with a known scope — the audit log answers "who did this and were they allowed?" without joining six tables.