ShellYard

Spaces

Personal and Shared Spaces. Per-Space RBAC + audit. Type-the-name delete modal with cascade. Force Resync diagnostic. Cross-Space search is opt-in only.

A Space is the tenant boundary in ShellYard. Every connection, document, vault credential, audit row, and snippet is scoped to exactly one Space.

Personal vs Shared

  • Personal Space (id personal) — synthetic, every user has one, nobody else can read it, never syncs into a Shared-Space context.
  • Shared Space — belongs to an Org (Team or Enterprise tier), has role-based membership, runs a separate audit log.

RBAC

Per-Space role-based access control with three roles:

  • Owner — can delete the Space and rotate the CMK
  • Admin — can invite, remove members, change member roles
  • Member — read + write on Space resources by default

New members get default-read access. Reads are filtered by Space in Go code (never SQL-leaked), so a broken query can’t expose another Space’s data.
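
An added illustration of the read-side filter described above, not ShellYard's own code: every row a query returns is re-checked against the active Space and the caller's membership before it leaves the handler. The `Resource` and `Caller` types, the `OwnerID` field, and the `FilterReads` function are hypothetical names, and the sample rows are constructed.

```go
package main

import "fmt"

// Resource is a hypothetical row shape; every row carries the Space it belongs to.
type Resource struct {
	ID      string
	SpaceID string
	OwnerID string // assumption: only meaningful for rows in the synthetic "personal" Space
}

// Caller is a hypothetical request identity: user ID plus Shared-Space memberships.
type Caller struct {
	UserID string
	Roles  map[string]string // SpaceID -> "owner" | "admin" | "member"
}

const personalSpace = "personal"
// canRead reports whether the caller may read a row in the active Space.
func canRead(c Caller, active string, r Resource) bool {
	if r.SpaceID != active {
		return false // row from another Space: drop it even though the query returned it
	}
	if active == personalSpace {
		return r.OwnerID == c.UserID // nobody else can read a Personal Space
	}
	_, member := c.Roles[active]
	return member
}

// FilterReads re-checks each row in Go after the query, so an over-broad result cannot cross Spaces.
func FilterReads(c Caller, active string, rows []Resource) (kept []Resource, dropped int) {
	for _, r := range rows {
		if canRead(c, active, r) {
			kept = append(kept, r)
		} else {
			dropped++ // a non-zero count means the query itself is wrong and should be logged
		}
	}
	return kept, dropped
}

func main() {
	// Constructed sample: a buggy query returned rows from three different Spaces.
	rows := []Resource{{"c1", "acme", ""}, {"c2", "beta", ""}, {"d1", "personal", "u2"}}
	alice := Caller{UserID: "u1", Roles: map[string]string{"acme": "member"}}
	kept, dropped := FilterReads(alice, "acme", rows)
	fmt.Println(len(kept), dropped)
}
```

The dropped count is returned separately so a caller can record it; in a correct deployment it stays at zero.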

Switching

The Space switcher in the top bar swaps the active scope. Every list view (Connections, Documents, Tools, Audit) flushes and re-pulls from the new scope’s cloud DDB partition.

Cross-Space search is off by default: each list shows only the active Space. An opt-in toggle widens the view to all your Spaces (results carry a Space column).

Deleting a Space

Manage Space → Delete — a type-the-name confirm modal opens (no window.confirm shortcut). On confirm the delete cascades cloud-side:

  • Every member’s membership row removed
  • Every resource (connection, document, vault row, etc.) deleted
  • Per-Space CMK scheduled for 7-day recoverable deletion (you can cancel in AWS Console within the window)
  • Every cascaded delete writes an audit row with a via=cascade marker

Orphaned-Space recovery: if cloud state is already empty (a prior delete partially succeeded), the cascade succeeds idempotently rather than failing.

Force Resync diagnostic

Manage Space → Force Resync — surfaces what the cloud actually holds for the active identity in this Space. Useful when something appears locally but not on another device, or vice versa. Reads GET /me/resources and diffs against local state.

Why this matters

For MSPs in particular, the Space boundary is the unit of “this is Acme Corp work” vs “this is Beta Industries work.” Magellan context, audit trails, vault credentials, and even imported IT Glue documents inherit Space scoping, so client data never leaks across tenants.

Team and Enterprise both ship per-Space customer-managed KMS keys so the data inside one Space can be cryptographically erased independently. Enterprise adds per-Space audit-log filtering, larger storage caps, and custom contracts on top of the same crypto.