Access Groups
Restrict which channels and identities can talk to which agents. Useful for shared gateways where multiple people connect.
Rule shape
{
  "agent": "bags-hunter",
  "allow": ["telegram:12345", "cli:*"],
  "deny": ["telegram:*"],
  "label": "only primary user + CLI"
}
Resolution order
- Deny first: any matching deny pattern blocks the message immediately
- Allow check: if an allow list exists for that agent, identity must match
- Default allow: if no rules touch this agent, access is permitted
Adding rules
curl -X POST http://127.0.0.1:18789/access \
  -d '{
    "agent": "defi-strategist",
    "allow": ["telegram:12345", "cli:alice"],
    "label": "private agent"
  }'
Checking access
curl -X POST http://127.0.0.1:18789/access/check \
  -d '{"agent":"defi-strategist","channel":"telegram","identity":"99999"}'
# → {"allowed": false, "reason": "not in allow list for \"private agent\""}
Wildcard support
Same as routing: telegram:*, cli:*, etc.
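The resolution order and wildcard matching described above, modelled as an added example (not the gateway's own code from channel-routing.ts) so the outcome of a rule set can be reasoned about before it is posted. It assumes a pattern is channel:identity with * matching any identity on that channel; the names matches, checkAccess, RULES and PROBES are hypothetical.

```typescript
// Added example: models the documented resolution order; not the gateway's own code.
type Rule = { agent: string; allow?: string[]; deny?: string[]; label?: string };
// Reason strings other than the "not in allow list" one are constructed for this example.
type Verdict = { allowed: boolean; reason: string };

// Assumption: a pattern is "channel:identity", and "*" in the identity position
// matches any identity on that channel (the only wildcard form shown on the page).
function matches(pattern: string, channel: string, identity: string): boolean {
  const sep = pattern.indexOf(":");
  if (sep < 0) return false; // malformed pattern never matches
  const wanted = pattern.slice(sep + 1);
  return pattern.slice(0, sep) === channel && (wanted === "*" || wanted === identity);
}

function checkAccess(rules: Rule[], agent: string, channel: string, identity: string): Verdict {
  const mine = rules.filter((r) => r.agent === agent);
  // Default allow: no rule touches this agent.
  if (mine.length === 0) return { allowed: true, reason: "no rules for agent" };
  // Deny first: any matching deny pattern blocks immediately.
  for (const r of mine) {
    const hit = (r.deny ?? []).find((p) => matches(p, channel, identity));
    if (hit !== undefined) return { allowed: false, reason: `matched deny pattern ${hit}` };
  }
  // Allow check: once an allow list exists, the identity must match one of its patterns.
  const listed = mine.filter((r) => r.allow !== undefined);
  if (listed.length === 0) return { allowed: true, reason: "no allow list for agent" };
  if (listed.some((r) => (r.allow ?? []).some((p) => matches(p, channel, identity)))) {
    return { allowed: true, reason: "matched allow list" };
  }
  return { allowed: false, reason: `not in allow list for "${listed[0].label ?? agent}"` };
}

// The two rules shown on this page.
const RULES: Rule[] = [
  { agent: "bags-hunter", allow: ["telegram:12345", "cli:*"], deny: ["telegram:*"],
    label: "only primary user + CLI" },
  { agent: "defi-strategist", allow: ["telegram:12345", "cli:alice"], label: "private agent" },
];

// Constructed probes: [agent, channel, identity].
const PROBES: [string, string, string][] = [
  ["defi-strategist", "telegram", "99999"], // the page's own check: not in allow list
  ["bags-hunter", "telegram", "12345"],     // allow-listed, but the telegram:* deny matches first
  ["bags-hunter", "cli", "bob"],            // allowed through cli:*
  ["unlisted-agent", "telegram", "99999"],  // no rules: default allow
];
for (const [agent, channel, identity] of PROBES) {
  console.log(agent, `${channel}:${identity}`, JSON.stringify(checkAccess(RULES, agent, channel, identity)));
}
```

Under this literal reading, bags-hunter rejects telegram:12345 because the telegram:* deny pattern matches before the allow list is consulted, and an agent with no rule accepts every identity. Confirm both cases against /access/check before relying on a rule set on a shared gateway.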
Storage
Rules are stored at ~/.openvesper/access.json (mode 0600).
Source
Implementation: apps/gateway/src/channel-routing.ts