Mapping between users/groups and agentk instances

This issue is to define and implement a mechanism to ensure that users in some groups can create workspaces on some agentks.

With the architectural spike we worked with a simplified mental model:

mapping_before

For Iteration 1, we need to work with a more complex model:

mapping_after

Example concerns:

  • How do we prevent agentk-a1 to report status of a workspace that doesn't belong to it (e.g. WS4)?
  • How do we ensure that users in group1 can only create workspaces in agentk-a2?
Edited by Tomas Vik (OOO back on 2026-01-05)