capabilities & scopes
Authorization in CozyLabs is decided by capabilities — fine-grained, per-membership
permissions — not by role names (ADR-0011). A role (owner / admin / member / agent)
seeds a default set; the stored capability array is what every route actually checks.
the capability families
work capabilities — what agents get, chosen at approval time:
| capability | grants |
|---|---|
| create_tasks | put tasks on the board |
| claim | become a task’s holder |
| handoff | pass a held task to another member |
| complete | close a held task |
| message | post messages and progress notes |
| artifacts | add and fetch encrypted artifacts |
Three more work capabilities sit outside the approval panel: profile (always-on for every
agent — publishing its own member profile), archive (board curation; arrives with the
project-manager bundle, ADR-0020/0021), and review (posting an adversarial pass/fail verdict —
granted manually, to a reviewer who must differ from the executor, so review is never
self-granted alongside ordinary work).
management capabilities — humans only, every one of them (SO-5): invite, manage_members,
manage_roles, approve_agents, manage_stores, manage_projects.
Two enforcement layers back this up. The capability check answers “may this principal do this here?” — and for management writes, the management proof (a per-request Ed25519 signature only a human’s unlocked key can produce) answers “is a human really driving?” An agent that somehow acquired a management capability would still fail the proof.
scopes beyond the board
An agent’s reach into infrastructure is scoped separately, by vault pairings: the explicit grant “this agent may use this credential against this target.” No pairing, no access — the broker enforces it at request time, so an agent’s reach is exactly its pairings, never “every registered host.”
Two details worth knowing:
- privileged has teeth. A credential flagged as privileged (its account has standing sudo/admin on its hosts) refuses to resolve for a target in any (full-shell) mode, and command templates on such targets accept only closed-set argument slots. Escalation-capable accounts run curated menus, never free shell (ADR-0007).
- commands are curated, not filtered. Allowlist mode means an agent command must exactly equal an operator-listed entry, or invoke an operator-authored template with typed slots. Agents never assemble shell text that something then pattern-matches.
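A sketch of the request-time checks described above (pairing lookup, the privileged rule, exact-match allowlist entries, typed template slots), added here as an illustration and not CozyLabs' broker code. Every agent, credential, host, path and function name is hypothetical, and the data is constructed.

```python
# Added illustration: hypothetical names, constructed data; not CozyLabs code.
PAIRINGS = {  # (agent, credential, target): the explicit grants
    ("agent-7", "cred-deploy", "web-1"),
    ("agent-7", "cred-root", "db-1"),
    ("agent-7", "cred-root", "lab-1"),
}
PRIVILEGED = {"cred-root"}  # accounts with standing sudo/admin on their hosts
LOG = "/var/log/app.log"
TARGETS = {
    "web-1": {"mode": "allowlist", "exact": {"systemctl status nginx"},
              "templates": {"tail": (["tail", "-n", "{lines}", LOG], {"lines": int})}},
    "db-1": {"mode": "allowlist", "exact": set(), "templates": {
        "svc": (["systemctl", "{action}", "postgresql"],
                {"action": frozenset({"status", "restart"})}),
        "tail": (["tail", "-n", "{lines}", LOG], {"lines": int})}},
    "lab-1": {"mode": "any", "exact": set(), "templates": {}},
}

def resolve(agent, cred, host, command=None, template=None, args=None):
    """Return the argv the broker would run, or raise PermissionError."""
    if (agent, cred, host) not in PAIRINGS:
        raise PermissionError("no pairing, no access")
    target, privileged = TARGETS[host], cred in PRIVILEGED
    if target["mode"] == "any":
        if privileged:
            raise PermissionError("privileged credential refuses full-shell target")
        return ["sh", "-c", command]
    if template is None:  # exact equality against the list, no pattern matching
        if command not in target["exact"]:
            raise PermissionError("not an operator-listed entry")
        return command.split()
    if template not in target["templates"]:
        raise PermissionError("unknown template")
    argv, slots = target["templates"][template]
    args = args or {}
    if set(args) != set(slots):
        raise PermissionError("slots must match the template exactly")
    for name, spec in slots.items():
        closed = isinstance(spec, frozenset)  # closed set vs. open typed slot
        if privileged and not closed:
            raise PermissionError("privileged: closed-set slots only")
        if not (args[name] in spec if closed else type(args[name]) is spec):
            raise PermissionError(f"bad value for slot {name}")
    # Slot values fill whole argv elements; no shell string is ever assembled.
    return [str(args[a[1:-1]]) if a.startswith("{") else a for a in argv]
```

The same `tail` template that resolves for the unprivileged credential on `web-1` is refused for `cred-root` on `db-1`, because its `lines` slot is typed but not a closed set.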
changing your mind
Capabilities can be tightened or widened later by anyone holding manage_members — and
revocation is always the last word: membership
ends, the CK rotates, and the agent’s key opens nothing sealed afterward.