Multi-Tenant Architecture
Nexus 3.0 supports multiple users working with AI from different access points. This section documents the user scoping model, collaboration patterns, and access control.
Identity System
User Stable ID
Format: u_XXXX (4 alphanumeric characters)
- Capacity: 1.68M unique users (36^4)
- Assigned at user creation, never changes
- Embedded in keys for user-scoped data
- Example: u_z1p5 (Chris), u_andr (Andrew)
Universal Identifier
Literal: UNIV (no prefix, no underscore)
- Used for shared/organizational data
- Not a user ID - a special keyword
- Any authenticated user can access
- Impossible collision with user IDs
- Self-documenting in any context
Key Pattern Examples:
Personal: kb:u_z1p5:20260103:node:abc123
Universal: kb:UNIV:20260103:node:def456
Access Control Hierarchy
System Admin
- Full access to ALL data across ALL users
- Can delete/lock user accounts
- Can view any locker contents
- Can override any permission
- Emergency lockout capability
- Typically the Nexus server owner
Manager (Role-Based)
- Can view subordinates' Track projects
- Can reassign tasks within team
- Cannot access personal lockers
- Cannot delete user accounts
- Defined by manager/subordinates in User profile
Standard User
- Own personal data
- Universal (UNIV) data
- Shared session data
- Items explicitly shared with them
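A fail-closed read check for the scoping rules above, as an added example (not Nexus code). The five-field key layout is taken from the two sample keys; the lowercase ID alphabet, the role names, the `track` and `locker` environment prefixes and the `assigned_users` argument (an item's share list) are assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: stable IDs use lowercase a-z and 0-9 (36 symbols, matching 36^4).
USER_ID = re.compile(r"u_[a-z0-9]{4}")
UNIVERSAL = "UNIV"  # literal keyword, never a user ID

@dataclass
class User:
    stable_id: str
    role: str = "standard"  # "admin", "manager" or "standard" (names assumed)
    subordinates: frozenset = frozenset()

def parse_scope(key):
    """Return (environment, scope) from env:scope:date:type:id or raise ValueError."""
    parts = key.split(":")
    if len(parts) != 5 or not all(parts):
        raise ValueError("malformed key")
    env, scope = parts[0], parts[1]
    # Exact match only: "univ", "UNIV " or "u_z1p5x" are rejected, not normalised.
    if scope != UNIVERSAL and not USER_ID.fullmatch(scope):
        raise ValueError("unrecognised scope")
    return env, scope

def can_read(user, key, assigned_users=()):
    """Decide read access; a caller or key that fails validation is denied."""
    if not USER_ID.fullmatch(user.stable_id):
        return False  # UNIV is a scope keyword, not an identity a caller can hold
    try:
        env, scope = parse_scope(key)
    except ValueError:
        return False
    if user.role == "admin":
        return True  # System Admin: all data across all users
    if scope == UNIVERSAL or scope == user.stable_id:
        return True  # shared/organizational data, or the caller's own data
    if user.stable_id in assigned_users:
        return True  # direct share or inherited group-session member list
    # Managers see subordinates' Track projects only; lockers stay private.
    return user.role == "manager" and env == "track" and scope in user.subordinates
```

The check takes the scope from the key itself, so the same function covers every environment without a per-environment lookup.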
Collaboration Model: Session-Based Sharing
Key Insight: A session can be a collaboration container, not just work history.
Solo Session (Default)
- One user
- All items created are personal
- Standard work tracking
Group Session
- Multiple assigned users
- Items created inherit session's user list
- Shared: Track projects, notes, documents, temp files
- Session reminders notify all members
- Each user sees session in their active list
{
  "session_id": "20260103_1500_collab",
  "stable_id": "s_grp1",
  "type": "group",
  "owner": "u_z1p5",
  "members": ["u_z1p5", "u_andr"],
  "title": "Phoenix Project Sprint",
  "shared_items": {
    "track_projects": ["t_abc1", "t_def2"],
    "kb_nodes": ["kb_123"],
    "documents": ["d_456"]
  }
}
Benefits of Session-Based Collaboration
- Automatic sharing - Items created in session are shared
- Context isolation - Collaboration stays in session context
- Clean boundaries - End session, collaboration scope ends
- Unified view - Both users see same project state
Environment Scoping Matrix
| Environment | Personal | Universal | Session/Share | Admin |
|---|---|---|---|---|
| User | ✅ Profile | ✅ Guest/Default | Role-based | ✅ |
| Locker | ✅ My creds | ✅ Env passwords | Role-based | ✅ |
| Track | ✅ Default | ✅ Org projects | ✅ Session | ✅ |
| KB | ✅ Private | ✅ Org knowledge | ✅ Session/Direct | ✅ |
| Contact | ✅ Personal | ✅ Company CRM | ✅ Assign | ✅ |
| Session | ✅ Solo | ✅ Default? | ✅ Group | ✅ |
| Context | ✅ Notes | ✅ Org learnings | ✅ Via session | ✅ |
| Documents | ✅ My docs | ✅ Company docs | ✅ Session/Direct | ✅ |
| Links | ✅ Bookmarks | ✅ Shared resources | ✅ Via session | ✅ |
| Workflow | ✅ User prefs | ✅ System protocols | ❌ No | ✅ |
| Temp | ✅ My staging | ❌ No | ✅ Via session | ✅ |
| Transcript | ✅ Personal | ✅ Shared recordings | ✅ Session/Direct | ✅ |
| Chrono | ✅ My reminders | ❌ No | ✅ Session reminders | ✅ |
AI Behavior
Creating Items
- Check if in group session → offer to make session-shared
- Check if collaboration mentioned → ask about sharing
- Default to personal unless context suggests otherwise
Sharing Patterns
- "Share this with Andrew" → Direct share (add to assigned_users)
- "Let's work on this together" → Create/use group session
- "This is for everyone" → Use UNIV identifier
- "Make this organizational" → Use UNIV identifier
Workflow Protocol
- Universal protocols (UNIV scope) → All users inherit
- User protocols (u_XXXX scope) → Personal preferences
- Example: Voice preference is user-specific, save patterns are universal