AGENT-PERMISSIONS — Per-Agent Permission Matrix

Status: live · Version: 1.0.0 · Layer: 8

Purpose

Fine-grained access control per agent: which data tiers, which tools, which skills, which resources. Defaults are restrictive (Principle 9 — Default Deny on Cross-System).

Permission record format

agent_id: backend-python-specialist
permissions:
  data_tiers_allowed: [0, 1, 2]              # not Tier 3 by default
  data_tiers_with_capsule_grant: [3]          # may touch Tier 3 if capsule explicitly grants
  tools_allowed: [read_file, edit_file, write_file, run_command, query_skill_catalog, invoke_skill]
  tools_forbidden: [http_get, http_post, git_push]
  skills_allowed_default: [from preferred_skills list]
  resource_locks_allowed: [src/**, tests/**, migrations/**]
  resource_locks_forbidden: [docs/explanation/**]
  external_apis_allowed: []                   # explicit allowlist
  may_delegate_to: [code-writer-worker, file-operator-worker, test-runner-worker]
last_reviewed: '2026-05-23'
reviewed_by: security-orch

Default permission set per layer

| Layer | Default tiers | Default tools | Notes |
|---|---|---|---|
| L1 Cortex | 0, 1 | observability, skill catalog | no filesystem, no shell |
| L2 Domain orch | 0, 1, 2 | + capsule write | no FS writes |
| L3 Task orch | 0, 1, 2 | + memory write | no direct skill invocation |
| L4 Specialist | 0, 1, 2 (+3 with capsule grant) | + FS + shell + skills | domain-scoped |
| L5 Worker | per worker capability | single-purpose | atomic |

Grant mechanisms

  1. Default — from registry by layer
  2. Per-capsule grant — capsule.constraints declares; valid for that capsule only
  3. Standing grant — ADR-approved; entry in this matrix; reviewed quarterly
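
An added example, not part of the original spec or the project's own code: one way to evaluate a request against a permission record with default deny and a per-capsule Tier 3 grant. The function name `decide`, the `capsule_tiers` parameter, the reason strings, and the glob semantics for `**` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed record: a subset of the fields shown in the record format above.
RECORD = {
    "data_tiers_allowed": [0, 1, 2],
    "data_tiers_with_capsule_grant": [3],
    "tools_allowed": ["read_file", "edit_file", "write_file", "run_command"],
    "tools_forbidden": ["http_get", "http_post", "git_push"],
    "resource_locks_allowed": ["src/**", "tests/**", "migrations/**"],
    "resource_locks_forbidden": ["docs/explanation/**"],
}

def _matches(path, patterns):
    # Assumption: "dir/**" covers everything under dir/ (fnmatch: "*" spans "/").
    return any(fnmatchcase(path, p) for p in patterns)

def decide(record, tool, tier, resource, capsule_tiers=()):
    """Return (allowed, reason) for one request; anything not listed is denied.

    capsule_tiers is a hypothetical stand-in for the tiers that the current
    capsule's constraints grant; it must not be reused across capsules.
    """
    # Tools: the forbidden list wins, and unlisted tools are denied.
    if tool in record["tools_forbidden"] or tool not in record["tools_allowed"]:
        return False, "tool"
    # Tiers: a capsule can only unlock a tier the record marks as grantable.
    if tier not in record["data_tiers_allowed"]:
        grantable = tier in record["data_tiers_with_capsule_grant"]
        if not (grantable and tier in capsule_tiers):
            return False, "tier"
    # Resources: refuse ".." and absolute paths before glob matching, so
    # "src/../docs/..." cannot ride on the "src/**" pattern.
    if resource.startswith("/") or ".." in resource.split("/"):
        return False, "resource"
    if _matches(resource, record["resource_locks_forbidden"]):
        return False, "resource"
    if not _matches(resource, record["resource_locks_allowed"]):
        return False, "resource"
    return True, "ok"
```

A capsule grant for a tier that the record does not list under data_tiers_with_capsule_grant is ignored, so a capsule cannot widen an agent beyond what the matrix allows.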

Auditing

Every access to Tier 2 / Tier 3 data emits an audit event (Rule 24). The audit chain is:

agent_id + data_tier + capsule_id + lawful_basis_ref + timestamp + resource_id

Tamper-evident; appended to AUDIT-LOG.

Permission changes

  • Standing grants: require ADR + security-orch approval
  • Per-capsule grants: orchestrator emits; tracked in capsule metadata
  • Default changes: PRD-level decision; cascading review of all agents

Failure modes

| Mode | Action |
|---|---|
| Agent attempts unauthorized access | HALT; INCIDENT; tampered audit if missed |
| Permission too coarse (agent A can read all Tier 2 but only needs one row) | Refactor to per-resource scope |
| Permission too narrow (agent legit blocked) | Per-capsule grant OR ADR for standing |
| Quarterly review skipped | Permissions stale; risk grows; warn at 100d |

Cross-references

  • DATA-CLASSIFICATION (sibling) — tier definitions
  • TOOL-REGISTRY (C9 spec) — what each tool can do
  • AGENT-MANIFEST (C4 template) — per-agent doc that references this matrix
  • AUDIT-LOG (sibling) — where access is recorded
  • _agents-registry.yaml — agent registry