Agent permissions
AI agents need authorization, not just authentication. Pore treats agents as first-class subjects so you can grant, scope, and revoke agent authority independently of the user they act for.
Register the agent as a subject
```javascript
const agentId = "agent:claude-4-alice-a1b2";

await pore.grants.create({
  subject: agentId,
  relation: "member",
  object: "user:alice",
});
```

The agent is now a member of the user’s group. Grants held by user:alice flow to the agent via one-level group expansion.
Narrowing the agent’s authority
The agent inherits everything alice has. If that’s too broad, grant the agent explicit tuples instead of binding it to the user:

```javascript
await pore.grants.create({
  subject: agentId,
  relation: "viewer",
  object: "document:42",
});
```

Check agent authority exactly like any other subject:

```javascript
const { authorized } = await pore.check({
  subject: agentId,
  relation: "editor",
  object: "document:42",
});
```

Time-bounded agents
For a one-time task, grant the minimum needed and revoke on task completion:

```javascript
try {
  await agent.run();
} finally {
  await pore.grants.revoke({
    subject: agentId,
    relation: "viewer",
    object: "document:42",
  });
}
```

Revoking a rogue agent
Revoke the agent’s binding to its user:

```javascript
await pore.grants.revoke({
  subject: agentId,
  relation: "member",
  object: "user:alice",
});
```

Every inherited grant drops instantly. Existing explicit grants on the agent still need separate revocation — list and sweep them if you want full revocation:

```javascript
const { objects } = await pore.objects.list({
  namespace: "document",
  subject: agentId,
  relation: "viewer",
});

await Promise.all(
  objects.map((id) =>
    pore.grants.revoke({
      subject: agentId,
      relation: "viewer",
      object: `document:${id}`,
    }),
  ),
);
```
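The revocation behaviour described above, as an added example that is not Pore's own code: a small in-memory tuple store showing that removing the member binding drops inherited access while an explicit grant survives until it is swept. The store and the names `makeStore`, `revokeAll` and `scenario` are hypothetical, user:alice's grants are constructed sample data, and relation implication (such as editor implying viewer) is not modelled.

```javascript
// Added illustration: in-memory model of the tuple semantics described above.
// Not Pore's implementation; makeStore, revokeAll and scenario are hypothetical.
function makeStore() {
  const tuples = new Set();
  const key = (s, r, o) => `${s}|${r}|${o}`;
  return {
    grant: (s, r, o) => tuples.add(key(s, r, o)),
    revoke: (s, r, o) => tuples.delete(key(s, r, o)),
    // Direct tuple, or one level of expansion: the subject is a "member" of
    // a group that itself holds the tuple directly.
    check(s, r, o) {
      if (tuples.has(key(s, r, o))) return true;
      return [...tuples].some((t) => {
        const [ts, tr, group] = t.split("|");
        return ts === s && tr === "member" && tuples.has(key(group, r, o));
      });
    },
    // Every tuple the subject holds directly (bindings and explicit grants).
    direct: (s) => [...tuples].map((t) => t.split("|")).filter(([ts]) => ts === s),
  };
}

// Full revocation: remove every tuple the subject holds directly, whatever
// its namespace or relation. Returns how many tuples were removed.
function revokeAll(store, subject) {
  const held = store.direct(subject);
  held.forEach(([s, r, o]) => store.revoke(s, r, o));
  return held.length;
}

function scenario() {
  const store = makeStore();
  const agentId = "agent:claude-4-alice-a1b2";
  store.grant("user:alice", "editor", "document:42"); // constructed sample grant
  store.grant(agentId, "member", "user:alice");       // binding to the user
  store.grant(agentId, "viewer", "document:42");      // explicit grant
  const before = store.check(agentId, "editor", "document:42"); // inherited
  store.revoke(agentId, "member", "user:alice");
  const inheritedAfter = store.check(agentId, "editor", "document:42");
  const explicitAfter = store.check(agentId, "viewer", "document:42");
  const swept = revokeAll(store, agentId);
  const finalAccess = store.check(agentId, "viewer", "document:42");
  return { before, inheritedAfter, explicitAfter, swept, finalAccess };
}

console.log(scenario());
```

The list call shown above filters on one namespace and one relation, so a sweep written that way covers only that pair.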