Permissions & Scopes

Browse topics

Build an Applet Overview Quick Start Manifest Reference Method Architecture Entities & Storage Skills Agent Tools Permissions & Scopes CLI Testing

SDK Primitives Overview HTTP OAuth WebSocket Relay Database (SQLite) Key-Value Content Cache Project Filesystem Credentials Events Cron / Scheduler Feed Parsing

Platform & Discovery Resources Projects Places Stages Git Activity Notifications Clipboard Browser

RobinPath Overview

On this page

Scope catalog
Enforcement
Cross-applet calls
Legacy scopes

The capability model - every scope an applet can declare, how it is enforced, and how cross-applet calls work.

An applet declares every capability it uses in applet.json::scopes[]. Scopes are shown to the user at install time, validated when the bundle installs, and enforced on every call. There are no hidden capabilities.

A scope is a type:scope string, for example projectDb:write or http:fetch.

"scopes": [
  "projectDb:read",
  "projectDb:write",
  "http:fetch",
  "credentials:store",
  "events:emit",
  "system:sidecar"
]

Scope catalog

Type	Scopes	Grants
`projectDb`	`read`, `write`	Project-tier per-resource SQLite
`http`	`fetch`	Outbound HTTP via `ctx.sdk.http`
`network`	`http`, `ws`	Authenticated and paginated HTTP, WebSocket
`credentials`	`read`, `store`	Credential metadata read; secret storage
`contentCache`	`read`, `write`	Bundle-writable shared cache
`connection`	`mark`	Mark resource connection status
`oauth`	(via `credentials:store`)	OAuth 2.0 Authorization Code flow
`events`	`emit`, `listen`	Typed event bus
`cron`	`register`	Scheduled task registration
`storage`	`kv`	Key-value storage
`kv`	`read`, `write`	Encrypted key-value store for agent payloads
`parsing`	`rss`	Universal feed parser (RSS, Atom, JSON Feed)
`lifecycle`	`resources`	Resource create and delete events
`clipboard`	`read`, `write`	Clipboard access
`notifications`	`send`	OS notifications
`browser`	`open`	Open URLs
`projects`	`read`	List projects, current project
`resources`	`read`	Discover other applets’ resources
`places`	`read`	List places
`stages`	`read`	List and get stages
`git`	`read`	Git status, log, branches, diff
`relay`	`channel`	Peer-to-peer relay channel
`media`	`read`, `write`, `admin`	Remote media cache
`fs`	`read`, `write`	App-data filesystem (legacy)
`db`	`read`, `write`	App-data SQLite (legacy)
`system`	`read`, `sidecar`	App and OS info; Node sidecar runtime
`applets`	`read`, `write`	Method config and scope grants

Enforcement

A declared scope is checked at three points:

Install - unknown scopes are rejected against the catalog.
Pre-call - the SDK bridge checks the caller declared the scope.
Native command - the host re-checks as defense in depth.

A method’s permission field names the scope required to call it. The method cannot run unless the applet declares that scope.

Cross-applet calls

To call another applet’s method, declare the target’s scope in your own applet.json. The call routes through the same registry as any other method.

// caller declares "rss:write" in its own scopes
await ctx.sdk.rp.rss.addFeed({ url });

Calls between applets in the same bundle skip the scope check, because a bundle is a single trust unit.

Legacy scopes

fs:* and db:* target the app-data sandbox and are de-promoted. Prefer projectDb:* (per-resource project-tier SQLite) and projectFs for new applets.