Architecture Reference

Platform Architecture

Organization + Workspace + Human + Platform + Session

OrganizationAcme Inc — top-level billing, membership, shared resources

members|billing|org integrations

Org-level Integrations— shared across all workspaces

GitHub Stripe

WorkspaceEngineering (default) — scoped container for agents, permissions, memory

agents|trust profiles|workspace integrations

Human

Connects integrations, grants permissions, spawns sessions, approves escalations

connectsconfiguresobserves

PlatformInfrastructure that makes trust safe to extend

credential store|gateway|audit log|memory store

Integration Store

Org + workspace credentials

Slack #engineeringworkspace

GitHuborg

Stripeorg

Emailnot connected

Inherits org integrations + workspace-level

injects into

Platform Gateway

Every action flows through here — the single enforcement point

Permission enforcement

Checks session permissions against namespace:verb:resource on every request

Credential injection

Retrieves real tokens from store, injects into outbound requests

Audit logging

Every request logged with session, permission used, cost, duration

Real-time revocation

Permissions can be revoked mid-session — takes effect on next request

oc do slack:sendpermission checkcredential injectapi.slack.comaudit logresponse

spawns intoenforces for

SessionAgent's runtime — calls gateway, never external APIs directly

task|permissions|budget|memory scope

Action

Something I can do (via gateway)

Three types:

Integration

slack:send

Compute

summarize

Paid

web-scrape

Discovered by intent via oc find

gated by

Permission

What I'm allowed to do

namespace:verb:resource

slack:send:#engineering

github:read:acme/api/*

github:merge:* (approve)

Enforced at gateway, not client-side

Trust Escalation

New— scoped, approval for writes

Established— broad read, familiar writes

Trusted— wide, gates on high-risk only

logs to

recalls from

MemoryWhat I know, with time and confidence

persists across sessions (stored platform-side)

Fact

Something true (may become stale)

"Deploy target is Vercel"
confidence: 90% · 2w ago

Episode

Something that happened (immutable)

"Mar 15: Deploy failed,
DB migration missing"

Procedure

How to do something (learned)

"Run e2e tests before
deploy" · confidence: 85%

Scope hierarchy:org:acme>workspace:engineering>project:acme/api>user:louis>session:sess_abc

Sub-Session— same gateway, narrower permissions, scoped budget

Task: "Check for SQL injection"

Permission: github:read:acme/api/pulls/456

Budget: $0.50 max · 60s timeout

Routes through same gateway.
Gateway knows sub-session has narrower scope.
Trust chain only narrows, never widens.

Trust is the default. The gateway is the verification infrastructure.

gateway proxies to

api.slack.com

api.github.com

api.stripe.com

+ any integration

Workspace scopes: agents, permissions, memory, sessions. Org = workspace by default.

Components

Organization— billing, members, shared integrations

Workspace— scoped container (org = workspace by default)

Integration— org-level or workspace-level

Gateway— enforcement, injection, audit

Action— routed through gateway

Permission— enforced at gateway

Memory— persists across sessions

Session— agent runtime

Key Relationships

Organization —contains→ Workspaces (org = workspace by default)

Workspace —inherits→ Org-level integrations + own integrations

Session —calls→ Gateway —proxies→ External API

Gateway —checks→ Permission —before→ every Action

Memory —scoped to→ org > workspace > project > user > session

Sub-session —uses same→ Gateway (narrower scope)

Why GatewayHumans grant broader permissions because they can revoke instantly|Sessions never hold credentials — blast radius bounded|Complete audit trail at one point|Permission changes take effect immediately