Access Groups

Restrict which channels and identities can talk to which agents. Useful for shared gateways where multiple people connect.

Rule shape

{
  "agent": "bags-hunter",
  "allow": ["telegram:12345", "cli:*"],
  "deny": ["telegram:*"],
  "label": "only primary user + CLI"
}

Resolution order

  1. Deny first: any matching deny pattern blocks the message immediately
  2. Allow check: if an allow list exists for that agent, identity must match
  3. Default allow: if no rules touch this agent, access is permitted

Adding rules

curl -X POST http://127.0.0.1:18789/access \
  -d '{
    "agent": "defi-strategist",
    "allow": ["telegram:12345", "cli:alice"],
    "label": "private agent"
  }'

Checking access

curl -X POST http://127.0.0.1:18789/access/check \
  -d '{"agent":"defi-strategist","channel":"telegram","identity":"99999"}'
# → {"allowed": false, "reason": "not in allow list for \"private agent\""}

Wildcard support

Same as routing: telegram:*, cli:*, etc.
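
Added example (not the project's code in apps/gateway/src/channel-routing.ts): a TypeScript model of the three resolution steps listed above, run against the sample rule from "Rule shape" and against the same rule with its deny wildcard removed. It assumes "channel:*" matches every identity on that channel and that other patterns match exactly; matches, checkAccess, demo and the two rule sets are hypothetical names.

```typescript
// Added example: models the documented resolution order. It is not the code in
// apps/gateway/src/channel-routing.ts; all names here are hypothetical.
type Rule = { agent: string; allow?: string[]; deny?: string[]; label?: string };
type Decision = { allowed: boolean; reason: string };

// Assumption: "channel:*" matches every identity on that channel; any other
// pattern must equal "channel:identity" exactly.
function matches(pattern: string, channel: string, identity: string): boolean {
  const sep = pattern.indexOf(":");
  if (sep < 0) return false; // malformed pattern never matches
  const id = pattern.slice(sep + 1);
  return pattern.slice(0, sep) === channel && (id === "*" || id === identity);
}

function checkAccess(rules: Rule[], agent: string, channel: string, identity: string): Decision {
  const mine = rules.filter((r) => r.agent === agent);
  const hits = (list?: string[]): boolean => (list ?? []).some((p) => matches(p, channel, identity));
  // 1. Deny first: a matching deny pattern wins over any allow entry.
  if (mine.some((r) => hits(r.deny))) return { allowed: false, reason: "matched deny pattern" };
  // 2. Allow check: once an allow list exists, the identity must be on it.
  const withAllow = mine.filter((r) => r.allow !== undefined);
  if (withAllow.length > 0) {
    return withAllow.some((r) => hits(r.allow))
      ? { allowed: true, reason: "matched allow list" }
      : { allowed: false, reason: "not in allow list" };
  }
  // 3. Default allow: nothing restricts this agent.
  return { allowed: true, reason: "no allow list for agent" };
}

// Constructed inputs: the sample rule from "Rule shape", and the same rule
// without its deny wildcard.
const asWritten: Rule[] = [{ agent: "bags-hunter", allow: ["telegram:12345", "cli:*"], deny: ["telegram:*"] }];
const allowOnly: Rule[] = [{ agent: "bags-hunter", allow: ["telegram:12345", "cli:*"] }];

function demo(): string[] {
  const cases: [string, Rule[], string, string, string][] = [
    ["as written", asWritten, "bags-hunter", "telegram", "12345"],
    ["as written", asWritten, "bags-hunter", "cli", "alice"],
    ["allow only", allowOnly, "bags-hunter", "telegram", "12345"],
    ["allow only", allowOnly, "bags-hunter", "telegram", "99999"],
    ["no rules", allowOnly, "defi-strategist", "telegram", "99999"],
  ];
  return cases.map(([name, rules, agent, ch, id]) => {
    const d = checkAccess(rules, agent, ch, id);
    return `${name}: ${agent} <- ${ch}:${id} => ${d.allowed ? "allow" : "deny"} (${d.reason})`;
  });
}
console.log(demo().join("\n"));
```

In this model the deny wildcard telegram:* blocks telegram:12345 even though that identity is on the allow list, and an agent with no rules accepts every identity. On a shared gateway, confirm both behaviours for each agent with /access/check.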

Storage

Rules are stored at ~/.openvesper/access.json (mode 0600).

Source

Implementation: apps/gateway/src/channel-routing.ts