Context
With the identity scope enforcement work (PR #24, legion-apollo #35, lex-knowledge #15, lex-microsoft_teams #16), we now have:
- Identity always derived from Legion::Identity::Process on writes
- requesting_principal_id auto-injected on reads for filtering
- access_scope: 'private' hardcoded in lex-microsoft_teams
Problem
There's no standard way for extensions to declare what access_scope their data should have. Currently each extension must manually pass access_scope: 'private' on every ingest call. This doesn't scale as more extensions write user-specific data.
Design questions
- Extension-level default — Should extensions declare default_access_scope :private in their class definition, with all writes from that extension defaulting to private unless overridden?
- Per-write override — Some extensions have mixed content (e.g., Teams shared channels = team scope, 1:1 chats = private). Do we need per-write granularity on top of the extension default?
- Both — Extension declares a default, individual writes can override (e.g., :private default for Teams, :team override for shared channel content).
- Source-based registry — A mapping of source_channel or source_agent to default scope, maintained centrally.
Affected repos
- lex-apollo (persistence layer, would enforce/apply defaults)
- legion-apollo (client API, could accept scope from extension metadata)
- All extensions that write to Apollo (lex-microsoft_teams, lex-knowledge, legion-llm, etc.)
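
A Ruby sketch of the "Both" option above, added here as an illustration and not code from the Legion repos. Every module, class and method name other than default_access_scope and access_scope is hypothetical, and two behaviours are assumptions: an extension that declares nothing falls back to private, and an unknown scope is rejected instead of being stored.

```ruby
# Hypothetical sketch, not Legion's API. Only the spellings
# default_access_scope and access_scope come from the issue text.
module ScopedExtension
  VALID_SCOPES   = %i[private team].freeze # the two scopes the issue mentions
  FALLBACK_SCOPE = :private                # assumption: fail closed when undeclared

  def self.included(base)
    base.extend(ClassMethods)
  end

  # Accepts symbols or strings (the current call sites pass 'private').
  def self.validate!(scope)
    sym = scope.to_s.to_sym
    return sym if VALID_SCOPES.include?(sym)

    raise ArgumentError, "unknown access_scope: #{scope.inspect}"
  end

  module ClassMethods
    # With an argument: declare the extension default.
    # Without: read it back, falling back to the most restrictive scope.
    def default_access_scope(scope = nil)
      return @default_access_scope || FALLBACK_SCOPE if scope.nil?

      @default_access_scope = ScopedExtension.validate!(scope)
    end
  end

  # Builds the payload a write would carry. A per-write access_scope
  # overrides the extension default; both paths are validated.
  def build_ingest(content, access_scope: nil)
    scope = if access_scope.nil?
              self.class.default_access_scope
            else
              ScopedExtension.validate!(access_scope)
            end
    { content: content, access_scope: scope.to_s }
  end
end

class TeamsExtension # stand-in for an extension such as lex-microsoft_teams
  include ScopedExtension
  default_access_scope :private
end

class UndeclaredExtension # declares no default at all
  include ScopedExtension
end
```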