Skip to content

Design access_scope declaration strategy for extensions #25

Description

@Esity

Context

With the identity scope enforcement work (PR #24, legion-apollo #35, lex-knowledge #15, lex-microsoft_teams #16), we now have:

  • Identity always derived from Legion::Identity::Process on writes
  • requesting_principal_id auto-injected on reads for filtering
  • access_scope: 'private' hardcoded in lex-microsoft_teams

Problem

There's no standard way for extensions to declare what access_scope their data should have. Currently each extension must manually pass access_scope: 'private' on every ingest call. This doesn't scale as more extensions write user-specific data.

Design questions

  1. Extension-level default — Should extensions declare default_access_scope :private in their class definition, with all writes from that extension defaulting to private unless overridden?

  2. Per-write override — Some extensions have mixed content (e.g., Teams shared channels = team scope, 1:1 chats = private). Do we need per-write granularity on top of the extension default?

  3. Both — Extension declares a default, individual writes can override (e.g., :private default for Teams, :team override for shared channel content).

  4. Source-based registry — A mapping of source_channel or source_agent to default scope, maintained centrally.

Affected repos

  • lex-apollo (persistence layer, would enforce/apply defaults)
  • legion-apollo (client API, could accept scope from extension metadata)
  • All extensions that write to Apollo (lex-microsoft_teams, lex-knowledge, legion-llm, etc.)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions