Team Governance

Team Governance provides the access control and accountability layer that makes VaultCrux safe for multi-user and multi-agent deployments. Every tenant starts with an owner - the account that provisioned the API key. From there, the owner can invite team members with one of four roles: owner (full control including billing and deletion), admin (manage members, constraints, and proof jobs), member (ingest, query, and create watches), and viewer (read-only access to answers and receipts).

Roles control access at the capability level, not the endpoint level. A member can call verify_before_acting but cannot call declare_constraint - because declaring a constraint encodes organisational judgment that requires authority, while verifying before acting is a safety check any agent should perform. This distinction matters: the goal is not to restrict agents from being careful, but to ensure that authority-bearing actions (creating constraints, promoting suggestions, modifying watches) require the appropriate role.

The invite flow uses single-use tokens with a configurable expiry (default: 7 days). Invites are logged to the audit trail before they're sent, so there's a record even if the invite is never accepted. Accepted invites record the joining timestamp and the role granted. Role changes are append-only events - if an admin demotes a member to viewer, the history shows both the original role grant and the demotion, with timestamps and the actor who made each change.

The audit trail is the backbone of team governance. Every action taken by any team member or agent is logged: who did what, when, and with what role. For proof jobs, the trail shows who initiated the job, which mode was selected, and whether the receipt was shared externally. For constraint management, it shows who declared each constraint, who reviewed agent suggestions, and who promoted or dismissed them. For Watch, it shows who created each watch, who was notified of alerts, and what action was taken.

This audit trail is not optional or configurable - it runs for every tenant, every tier. The difference between tiers is not whether actions are logged but how many seats are available and which capabilities are unlocked. The Free tier includes a single seat. Starter adds up to 5 seats. Pro provides unlimited seats with full role hierarchy. Enterprise adds custom roles, SSO integration, and data residency controls.

For organisations deploying agents at scale, team governance provides the answer to "who is responsible when an agent acts?" Every agent operates under a specific API key, which belongs to a specific team member, which has a specific role. The chain of authority is always traceable, and the audit trail provides the evidence.