# Permissions Reference

This file lists the permissions currently checked by the application.

## Global Permissions

- `*`
    - Full access wildcard
    - Also used by the built-in Admin group
- admin.access
    - Access to admin API and admin UI
- space.create
    - Create a new space
- space.edit
    - Global space edit capability (used as fallback alongside space-scoped settings edit)
- space.delete
    - Global space delete capability (used as fallback alongside space-scoped settings.delete)

## Space-Scoped Permission Format

space.<space_permission_key>.<action>

- space_permission_key is derived from the space name (normalized token)
- Example:
    - space.product_docs.note.create
    - space.product_docs.settings.member.manage

## Space-Scoped Actions Currently Enforced

### Space Management

- settings.edit
- settings.delete

### Member Management

- settings.member.manage
- settings.member.view

### Category Management

- category.create
- category.edit
- category.delete

### Note Management

- note.create
- note.edit
- note.delete

## Wildcard Support

Permissions support wildcard matching with \*.

Examples:

- space.product_docs.\*
    - Grants all permissions for the product_docs space
- space.\*.note.create
    - Grants note.create for all spaces
- `*`
    - Grants all permissions globally

## Built-in Group

- Admin group is auto-created at startup if missing
- Admin group permissions:
    - `*`