Space Agent’s multi-user model is built around a three-layer filesystem: firmware at L0 (read-only, maintained by developers), group configuration at L1 (written by group managers and admins), and personal workspaces at L2 (written only by each individual user). Every permission decision — from module resolution to file writes — flows from group membership recorded inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/agent0ai/space-agent/llms.txt
Use this file to discover all available pages before exploring further.
group.yaml files under L1/<group-id>/. This means access control is always auditable on disk, and the CLI is the only tool you need to manage it.
Before creating any users or groups in production, make sure
CUSTOMWARE_PATH is set: node space set CUSTOMWARE_PATH=/srv/space/customware. This ensures CLI writes land in the correct writable root rather than inside the source checkout.User Management
Creating users
--groups flag accepts a comma-separated list of group IDs. Groups that do not yet exist in L1 are created automatically. For example:
--force to replace an existing user directory:
Changing passwords
Changing a password rewrites the sealed SCRAM verifier and clears all active sessions for that user. The user will need to log in again on all devices.Group Model
Groups are the central organizing primitive. A user belongs to one or more groups, and those groups determine which L0 and L1 paths they can read, and which L1 paths they can write.Built-in groups
| Group ID | Description | Who creates it | What members can write |
|---|---|---|---|
_all | All users (firmware group, defined at L0) | Developer-maintained | Nothing — read only |
_admin | Admin users | Created automatically on first --groups _admin usage | Any L1 or L2 path |
Custom (e.g. team-red) | Team or role groups | CLI: node space group create | L1/<group-id>/... when manager |
_all is a firmware-level group defined at L0. It is always present and includes every authenticated user. You cannot create, modify, or delete it through the CLI.
Creating custom groups
--force to reinitialize an existing group directory:
Adding members
Making a user a group manager
Group managers can writeL1/<group-id>/... — they can update the group’s shared modules, skills, and configuration. Add --manager to grant manager status:
Removing members
Access Control Model
The permission model is enforced server-side byserver/lib/customware/file_access.js on every request. There are no client-controlled overrides.
What users can read
- Their own
L2/<username>/tree - Any
L0/<group>/root for groups they belong to - Any
L1/<group>/root for groups they belong to
What users can write
- Only their own
L2/<username>/... L1/<group-id>/...if they are a manager of that group- Any L1 or L2 path if they are in
_admin
Nobody writes L0. Firmware content is maintained by developers in the source checkout and is never writable at runtime, regardless of group membership.
The admin shell
The/admin route is clamped to maxLayer=0 — it resolves modules and extensions from L0 only, ignoring all L1 and L2 customizations. This gives administrators a stable, unmodified control plane even if a group or user customware layer breaks something in the regular app shell. Only _admin group members can access admin features through this route.
Layer override order
When the server resolves a module for a given user, it layers overrides in this order (last wins):L0/_all(firmware baseline, all users)L0/<group>/for each group the user belongs toL1/_all(shared server customizations)L1/<group>/for each group the user belongs toL2/<username>/(personal workspace)
Login and Access Gating
Disabling password login
SetLOGIN_ALLOWED=false to block the password-login form and endpoints while keeping the public shell available. Existing authenticated sessions continue to work normally.
Single-user mode (no login required)
SINGLE_USER_APP=true makes every request resolve to an implicit user principal with _admin access. No login is required. This is used by the desktop app and is appropriate for completely personal, single-person deployments.
Guest Users
Guest accounts allow anonymous visitors to create temporary sessions from the login screen, useful for demo servers and public instances.Enabling guest accounts
ALLOW_GUEST_USERS defaults to false. Guest account creation requires both ALLOW_GUEST_USERS=true and LOGIN_ALLOWED=true:
guest_...). The server’s periodic maintenance jobs automatically clean up stale guest accounts:
- Inactive guests are deleted after 72 hours of no file activity (checked hourly).
- Oversized guests are deleted when their folder exceeds 1,000 files or 1 GB of tracked data (checked every 5 minutes).
ALLOW_GUEST_USERS=false.
Per-User Disk Quotas
USER_FOLDER_SIZE_LIMIT_BYTES caps the on-disk size of each user’s L2/<username>/ folder. Set to 0 (the default) to disable quotas entirely.
Cloud Sharing
Space Agent supports hosted cloud-share uploads, allowing users to publish and share their spaces with a link.CLOUD_SHARE_ALLOWED defaults to false.
CLOUD_SHARE_URL defaults to share.space-agent.ai. It is exposed to the frontend so the share modal shows users the correct upload target and generates valid share links.
CLOUD_SHARE_ALLOWED enables the receiving side on this server. It depends on guest users being available and CUSTOMWARE_PATH being configured so share archives land under CUSTOMWARE_PATH/share/spaces/.