Workspaces
Workspaces are the top-level isolation boundary in Stackmint. Every user, Capability, budget, and governance policy lives inside a Workspace.
A Workspace is the primary multi-tenant container in Stackmint. It groups users, installed Capabilities, model allow lists, credit budgets, context Variables, and governance configuration into a single isolated environment.
Workspace isolation
Workspaces are fully isolated at the data layer. There is no cross-Workspace access to executions, audit logs, context Variables, or user data. A user can belong to multiple Workspaces, but their permissions and roles are evaluated independently within each one.
Workspace roles
Each Workspace has a role hierarchy that determines what actions its members can perform:
- Owner — Full administrative access. Can modify governance settings, add users, manage billing, and install or remove Capabilities.
- Admin — Can manage users, install Capabilities, and configure context Variables. Cannot modify billing or model allow lists.
- Member — Can run Capabilities and view execution history. Cannot install Capabilities or modify Workspace configuration.
- Viewer — Read-only access to execution history and Capability outputs. Cannot trigger executions.
Custom roles can be defined for fine-grained permission control. See Role-Based Access Control for the full permission matrix.
Workspace configuration
Workspace-level settings control how all Capabilities within it behave:
- Model allow list — The set of AI models approved for use. Applies to all Buds in all installed Capabilities.
- Credit budget — The total credit pool available for executions. Can be sub-allocated per team or per Capability.
- Context Variables — Key/value pairs injected into Branch prompts at execution time (API keys, tenant identifiers, configuration values).
- Governance policies — HITL checkpoint routing rules, escalation thresholds, and kill switch configuration.
Workspace lifecycle
Workspaces are created by platform administrators or through the partner onboarding flow. They can be:
- Active — Normal operating state. Executions proceed according to governance policies.
- Suspended — No new executions are accepted. Existing executions in progress are allowed to complete.
- Terminated — Workspace is archived. All data is preserved for audit purposes but no new activity is possible.
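The three checks described above (role looked up per Workspace, the built-in role permissions, and lifecycle state) combined into one deny-by-default decision. This is an added example, not Stackmint code: the action names, data shapes, role inheritance, and the choice to keep read-only actions available in Suspended and Terminated Workspaces are assumptions.

```python
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    TERMINATED = "terminated"

# Hypothetical action names for the permissions this page lists per built-in role.
# Assumption: each role inherits everything granted to the roles below it.
VIEWER = {"view_history", "view_outputs"}
MEMBER = VIEWER | {"run_capability"}
ADMIN = MEMBER | {"manage_users", "install_capability", "configure_variables"}
OWNER = ADMIN | {"manage_billing", "modify_model_allow_list",
                 "modify_governance", "remove_capability"}
ROLE_ACTIONS = {"viewer": VIEWER, "member": MEMBER, "admin": ADMIN, "owner": OWNER}

READ_ONLY = VIEWER                      # assumed to stay readable in every state
STARTS_EXECUTION = {"run_capability"}   # blocked while a Workspace is Suspended

def is_allowed(memberships, workspaces, user, workspace_id, action):
    """Deny by default; return (decision, reason)."""
    state = workspaces.get(workspace_id)
    if state is None:
        return False, "unknown workspace"
    # The role is looked up for this Workspace only; roles held elsewhere are never consulted.
    role = memberships.get((user, workspace_id))
    if role is None:
        return False, "not a member of this workspace"
    if action not in ROLE_ACTIONS.get(role, set()):  # unknown or custom role: no grants
        return False, f"role '{role}' lacks '{action}'"
    if state is State.TERMINATED and action not in READ_ONLY:
        return False, "workspace terminated"
    if state is State.SUSPENDED and action in STARTS_EXECUTION:
        return False, "workspace suspended"
    return True, "ok"

# Constructed sample data: the same user holds different roles in different Workspaces.
WORKSPACES = {"ws-a": State.ACTIVE, "ws-b": State.SUSPENDED, "ws-c": State.TERMINATED}
MEMBERSHIPS = {("dana", "ws-a"): "owner", ("dana", "ws-b"): "member",
               ("lee", "ws-a"): "viewer", ("lee", "ws-c"): "admin"}

if __name__ == "__main__":
    for user, ws, action in [("dana", "ws-a", "manage_billing"), ("dana", "ws-b", "manage_billing"),
                             ("dana", "ws-b", "run_capability"), ("lee", "ws-c", "view_history")]:
        print(user, ws, action, is_allowed(MEMBERSHIPS, WORKSPACES, user, ws, action))
```

Being Owner of ws-a gives dana nothing beyond Member in ws-b, and the lifecycle check runs only after the role check has passed, so a denial reason never reveals Workspace state to a non-member.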
Partner-managed Workspaces
Stackmint partners can provision and manage Workspaces on behalf of their clients through the Partner Cockpit. Partners have visibility into Capability usage and execution health across all their client Workspaces, without direct access to client data or execution content.