---
title: Permissions and spaces
description: Understand workspace, brain, space, capability, and evidence boundaries.
product: platform
lifecycle: stable
appliesTo: current Sift authorization model
sourceArtifact: agent-contract@current
owner: Platform owner
raw: /raw/platform/permissions.md
---

Every CLI or MCP action carries the connected principal, actor, workspace, brain, capability set, and allowed visibility. Retrieval filters unauthorized candidates before ranking. Record visibility and evidence visibility are separate: a user may see a derived statement while some underlying evidence remains restricted.

Spaces and brains are explicit scope. Verify `whoami` or `scope.current` before consequential work. A token or OAuth grant never expands the connected user's authority; writes are authorized before mutation and audit records preserve the acting identity.
