Baseline (supacloud.*)
Always-on floor for every authenticated agent session — unconditionally
granted regardless of the allowlist. Covers subtask delegation, read-only
memory, outcome telemetry, and memory.propose_review.
Every SupaCloud agent session is granted a minimum surface and optionally elevated through an agent profile. Understanding how edition, entitlements, and MCP capability tiers compose helps you reason about what an agent can (and cannot) do — and why.
Before an agent can act, two independent gates must allow it.
Gate 1 — deployment edition. The SupaCloud instance runs either Community or Enterprise edition. Edition is a process-global, fail-closed property: enterprise features (including SSO, advanced seat types, and certain entitlement overrides) are simply unavailable on a Community instance regardless of what an individual workspace or agent profile requests. A seat can never grant an edition-gated feature.
Gate 2 — MCP capability allowlist. Every MCP tool belongs to a tier. A task session only has access to the tools explicitly allowed by the agent profile (or the workspace default profile). The two gates are independent — edition does not automatically broaden the MCP allowlist.
The 49 MCP tools are split across five allowlist tiers:
Baseline (supacloud.*)
Always-on floor for every authenticated agent session — unconditionally
granted regardless of the allowlist. Covers subtask delegation, read-only
memory, outcome telemetry, and memory.propose_review.
Read tier (supacloud.read.*)
Situational-awareness reads: workspace info, project and task listings, runner status, schedules, resources, apps, and workflows. Metadata only — no secrets, no connection strings.
Ops tier (supacloud.ops.*)
Operational triggers: start a workflow run, manage schedules, trigger a
repo sync. script.run is an ops-tier tool that requires an additional
explicit grant (supacloud.script.run) due to its indirect resource and
secret access.
Scaffold tier (supacloud.scaffold.*)
Create proposals and spawn scaffold tasks. Enables agent-driven planning workflows that propose work items and fan out subordinate tasks without requiring full ops or deploy permissions.
Deploy tier (supacloud.deploy.*)
Deployment actions: deploy or undeploy an app, apply app migrations.
Requires supacloud.deploy.* in the profile allowlist plus the task
actor must be an owner or admin of the workspace — both checks must pass.
supacloud.full grants all five tiers at once.
A task without an agent profile resolves to a read-only surface
(supacloud.read.* plus the unconditional baseline). Ops and deploy tiers stay
fail-closed.
Workspace administrators can promote a workspace-default agent profile — the
one profile flagged is_workspace_default — from Settings → Agent Profiles:
open a profile and choose Set as workspace default (a workspace can have at
most one, so promoting a profile clears the previous default). When set, all
profile-less tasks in that workspace inherit its allowlist instead of the
hard-coded read-only fallback.
Capability tiers carry tiered rate limits that apply at multiple scopes:
| Tier | Per task | Per workspace / day | Per profile / hour |
|---|---|---|---|
| Read | 50 calls | — | — |
| Ops | 10 calls | 100 calls | 30 calls |
| Scaffold | 10 calls | 10 proposals + 3 task-spawns | 10 proposals + 3 task-spawns |
| Deploy | 5 calls | 20 calls | 10 calls |
Workspace and profile caps guard against delegation chains multiplying per-task
budgets across many child tasks. Counters are derived from audit_events — they
survive server restarts.
app.deploy and app.migration.apply use a stateless two-step confirmation to
prevent accidental runs. The first call (no token) returns a signed
confirmation_token and a changes_summary. The agent must call again with
that token to proceed. The token is HMAC-signed with a server-side secret
(SUPACLOUD_MCP_CONFIRMATION_SECRET); if the secret is absent the tools fail
closed.
When both edition and MCP allowlists permit an action, the workspace’s own entitlement resolution still applies:
user override → seat type → workspace override → organization plan → defaultA seat type granted by the organization can therefore narrow or broaden what an agent sees through workspace-level workspace info reads — but it cannot elevate an agent past what the deployment edition permits.