Luna · Governance

Designed first.
Documented next.

How Luna agents are scoped, audited, paused, and turned off entirely. The framework is in code; this page is the human-readable version.

In one screen

  • Identity. Cloudflare Access + Google Workspace SSO. No anonymous use.
  • Roles. Three of them: Employee, Manager, AI admin — plus PHI authorized for PHI scope.
  • Default-deny. Every agent declares who can invoke, configure, and view its logs. Nothing is implicit.
  • Kill-switch. Per-agent. AI admins can stop an agent for everyone in seconds.
  • Audit. Every invocation logged — metadata only, never message content. You can see your own.
  • Cost caps. Per-agent and per-user budgets enforced at the AI Gateway.
  • PHI separation. PHI-scoped agents live behind a separate access group with a documented BAA chain.
  • Change control. Shared (Class A) agent edits require an AI-admin reviewer; personal (Class B) agents are self-serve.

Roles

Three roles. One PHI gate.

Roles come from your Google Workspace group membership and ride along on every request as a Cloudflare Access JWT claim. The backend reads the claim once, at the edge, and uses it to gate what you see and what you can do.

Employee

Default for everyone on the team. Can chat with shared agents, configure personal ones, view own audit log. Cannot view anyone else's data.

Manager

Sees team-level Fleet aggregates only — no individual usage, no leaderboards. Granted by Google Workspace group, not a manual flag.

AI admin

Configures shared agents, reviews edits, holds the kill-switch, views the full audit log. Today: John. Will expand as the team grows.

PHI authorized

Required to invoke any agent tagged piiScope: phi. Granted alongside Luna's clinical/regulatory access controls, not as a separate process.

How permissions are declared

Every agent's permissions live next to its description.

Each agent has an MDX file with frontmatter that the schema validates at build time. There's no hidden config. If an agent isn't listed as invokable by your role, that wasn't wired up silently somewhere else: the file says so, and it's reviewable in the repo.

---
name: "Basal"
status: "live"
scope: "1:many"          # 1:many = shared (Class A); 1:1 = owner (Class B)
piiScope: "none"          # touches no PHI

allowedUsers:             # default-deny — only these emails reach this agent
  - [email protected]
  - [email protected]

department: "platform"
owner: "john"

skills:                   # knowledge files loaded into the prompt at runtime
  - shared/memory-protocol
  - shared/luna-agent-onboarding
---

This is the actual schema enforced by src/content.config.ts, mirrored from the Workforce config repo (facets/<slug>.md). Default-deny: anything not in allowedUsers is blocked at the agent-router. PHI agents additionally require the phi-authorized Workspace group.

Kill switch

Stops an agent for everyone, in seconds.

Per-agent flag held in the agent's Durable Object and mirrored to KV for fast reads. Checked at both the router and the agent Worker — defense in depth, so a bug at one layer doesn't bypass the other. AI admins flip it from /fleet/<agent>.
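The default-deny rule from "How permissions are declared" and the kill-switch check above, combined into one invoke decision. This is an added example, not Luna's router code: the function, type and reason names, the groups claim shape, and the case-insensitive email match are assumptions, and the JWT is assumed to be signature-verified before the function runs.

```typescript
// Added example with hypothetical names; not Luna's router code.
// Assumes the Cloudflare Access JWT was signature-verified before this runs.
interface AgentFrontmatter {
  name: string;
  piiScope: string;          // "none" or "phi", as in the frontmatter above
  allowedUsers?: string[];   // absent or empty means nobody (default-deny)
}

interface VerifiedIdentity {
  email?: string;
  groups?: string[];         // assumed claim carrying Workspace group names
}

type Decision = { allow: boolean; reason: string };

const PHI_GROUP = "phi-authorized";

function authorizeInvoke(
  agent: AgentFrontmatter,
  who: VerifiedIdentity,
  killed: boolean,           // kill-switch flag, read fresh by the caller
): Decision {
  // Kill switch first: it stops the agent for everyone, whatever their role.
  if (killed) return { allow: false, reason: "kill-switch" };

  // No anonymous use: a missing email claim is a deny, never a default user.
  const email = (who.email ?? "").trim().toLowerCase();
  if (email === "") return { allow: false, reason: "no-identity" };

  // Default-deny: exact match (case-insensitive) against the declared list.
  const listed = (agent.allowedUsers ?? []).some(
    (u) => u.trim().toLowerCase() === email,
  );
  if (!listed) return { allow: false, reason: "not-in-allowedUsers" };

  // Fail closed: anything other than an explicit "none" needs the PHI group,
  // so a mistyped piiScope cannot silently drop the gate.
  const inPhiGroup = (who.groups ?? []).some((g) => g === PHI_GROUP);
  if (agent.piiScope !== "none" && !inPhiGroup) {
    return { allow: false, reason: "phi-group-required" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample agents; example.test addresses are placeholders.
const basal: AgentFrontmatter = {
  name: "Basal", piiScope: "none", allowedUsers: ["alice@example.test"],
};
const phiAgent: AgentFrontmatter = { ...basal, name: "PHI demo", piiScope: "phi" };
```

Calling the same function at the router and again at the agent Worker, each with its own read of the flag, gives the two-layer check described above.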

Audit log

Metadata, never message content.

Every invocation writes a row to D1 with user email, agent slug, model, token counts, cost, and timestamp. Prompt and response contents are not stored — only hashes, and only when retention is explicitly enabled (off by default).

Cost caps

Per-agent. Per-user. Tripped at the gateway.

Daily and monthly budgets enforced by the AI Gateway in front of Anthropic. A runaway loop trips the cap and surfaces on Fleet before it hits the bottom line. Caps are reviewable on /fleet.

Change control

Class A and Class B — the only distinction that matters.

Class A 1:many

Shared agents

One agent, many people. Basal, the Data Agent, the briefing generator.

  • Edits to definition, prompt, or permissions require an AI-admin reviewer.
  • Every team member can still set personal overlays — custom instructions, memory off — without review.
  • Versioned: prior definitions stay queryable so we can attribute past behavior.

Class B 1:1

Personal agents

One agent, one person. Tuned to your work, your inbox, your patterns.

  • Self-serve: you own it, you configure it, no review queue.
  • Can't act outside your authority — same auth and PHI scope as you.
  • Audit log is yours — only you and AI admins see it.

PHI scope · HIPAA

PHI agents are a separate path with a separate gate.

Most Luna agents do not touch protected health information. Those that do are tagged piiScope: phi in their MDX frontmatter and are gated to the PHI authorized Workspace group, not the default employee group.

The BAA chain (Anthropic, Cloudflare) is documented per-vendor and surfaced here. Model output is contractually excluded from training on Luna's Anthropic workspace — Zero Data Retention is a contract clause, not a setting we toggle.

If you're not sure whether something you're about to paste is PHI, ask [email protected] — or default to "no, route it through the PHI-scoped agent."

What we haven't built yet

Honest gaps.

Trust compounds. The fastest way to lose it is to claim a control we haven't built. Here's what's flagged on the roadmap:

The fear

California-specific employment guardrails (CCPA-employee, AB 2930) aren't fully wired.

What we built

The hooks are in place — the audit log, the role-based access, the per-employee data view — but the formal CCPA employee data export, the AB 2930 automated-decision flag for any HR-adjacent agent, and the surveillance policy text need a counsel pass before they're claimed as 'shipped.' Tracked on the roadmap.

Enforced by: Roadmap status; HR-adjacent agents not deployed until reviewed.

The fear

The audit log surfaces metadata, but you can't yet pull a clean export of 'everything an agent has touched in my work.'

What we built

My Agents shows a 30-day window today. A full export endpoint is in Phase 2 of the platform plan. Until then, an AI admin can run the query for you on request.

Enforced by: Phase 2 of the platform delivery plan; ad-hoc support in the meantime.

The fear

External-vendor BAAs are documented but not all linkable from this page.

What we built

Anthropic and Cloudflare BAAs are on file. The tool-vendor BAAs (anyone an agent calls out to via MCP) are inventoried but not yet rendered here. Phase 3 surfaces the chain per-agent.

Going deeper

Architecture, privacy, and the request flow are documented in detail.