Problem
Greg's post argues that agent behavior should delegate to existing platform permissions, not invent a parallel ACL. Data Machine already has the pieces:
- action-to-WordPress-capability checks
- agent bearer tokens with optional capability restrictions
- agents executing under the owner's WordPress capability ceiling
- per-user agent access grants with admin, operator, and viewer roles
- token auth that records acting agent/token context
These are generic agent substrate concepts.
Proposed shape
Add generic contracts/value objects:
WP_Agent_Access_Grant
WP_Agent_Access_Store_Interface
WP_Agent_Token
WP_Agent_Token_Store_Interface
WP_Agent_Token_Authenticator
WP_Agent_Authorization_Policy_Interface
WP_Agent_Capability_Ceiling
Acceptance criteria
- Agents API can represent who is acting, which agent is effective, which workspace applies, what token/client is involved, and what capability ceiling applies.
- Agent access grants are generic, role-based, and host-extensible.
- Token metadata supports label, expiry, last-used timestamp, and capability restrictions without storing raw tokens.
- Authorization checks compose token restrictions with the acting user's WordPress capabilities.
- Data Machine can delegate to the Agents API authorization model instead of owning the generic model.
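As an added sketch of how the third criterion could compose (this is not Agents API or Data Machine code): a token may only narrow what its owner is allowed to do, so the effective check is the intersection of the token's restriction list and the acting user's WordPress capabilities. The class names are assumptions modelled on the proposed value objects, and `$user_can` is a constructed stand-in for WordPress's `user_can()` so the file runs offline.

```php
<?php
// Added example, not project code. Models a capability ceiling that composes
// optional token restrictions with the acting user's WordPress capabilities.

final class Agent_Token_Restrictions {
    /** @param string[]|null $allowed  null means "no restriction beyond the user's own caps" */
    public function __construct( private ?array $allowed ) {}

    public function permits( string $cap ): bool {
        return $this->allowed === null || in_array( $cap, $this->allowed, true );
    }
}

final class Agent_Capability_Ceiling {
    /** @param callable $user_can  callable(int $user_id, string $cap): bool, stand-in for user_can() */
    public function __construct( private $user_can ) {}

    /**
     * Both gates must pass: the token must not exclude the capability, and the
     * owning user must actually hold it. A token therefore never widens access,
     * it can only narrow what the owner could already do.
     */
    public function can( int $user_id, Agent_Token_Restrictions $token, string $cap ): bool {
        if ( ! $token->permits( $cap ) ) {
            return false; // token restriction applies first
        }
        return ( $this->user_can )( $user_id, $cap ); // owner's WordPress capability ceiling
    }
}

// Constructed sample users: 7 holds editor-like caps, 9 holds subscriber-like caps.
$caps = [
    7 => [ 'read', 'edit_posts', 'publish_posts' ],
    9 => [ 'read' ],
];
$user_can = fn( int $user_id, string $cap ): bool => in_array( $cap, $caps[ $user_id ] ?? [], true );
$ceiling  = new Agent_Capability_Ceiling( $user_can );

$unrestricted = new Agent_Token_Restrictions( null );
$read_only    = new Agent_Token_Restrictions( [ 'read' ] );
$overreaching = new Agent_Token_Restrictions( [ 'read', 'publish_posts' ] );

var_dump( $ceiling->can( 7, $unrestricted, 'publish_posts' ) ); // owner may publish, token unrestricted
var_dump( $ceiling->can( 7, $read_only, 'publish_posts' ) );    // token narrows the owner's caps
var_dump( $ceiling->can( 9, $unrestricted, 'publish_posts' ) ); // owner lacks the cap: ceiling blocks
var_dump( $ceiling->can( 9, $overreaching, 'publish_posts' ) ); // token lists a cap the owner lacks: still blocked
```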
AI assistance
- AI assistance: Yes
- Tool(s): OpenCode (GPT-5.5)
- Used for: Source audit and issue drafting.