Collaboration

OpenGate supports multi-user collaboration on projects. Each project has an owner and can have additional members with granular roles.

Roles

Role	How assigned	Summary
Owner	Creates the project	Full control — settings, members, all task operations
Editor	Invited or promoted	Can create/edit/delete tasks, write knowledge, claim and complete work
Contributor	Invited or open-joined	Can claim, work on, and submit tasks for review — cannot create or delete tasks
Public	Unauthenticated visitor	Read-only access to public projects

Permissions matrix

Action	Owner	Editor	Contributor	Public
View project & tasks	Yes	Yes	Yes	Yes (public only)
Create tasks	Yes	Yes	No	No
Edit tasks (PATCH)	Yes	Yes	Yes	No
Delete tasks	Yes	Yes	No	No
Claim / release tasks	Yes	Yes	Yes	No
Submit for review	Yes	Yes	Yes	No
Start review	Yes	Yes	Yes	No
Complete tasks	Yes	Yes	No	No
Approve / block / request changes	Yes	No	No	No
Assign tasks	Yes	Yes	No	No
Handoff tasks	Yes	No	No	No
Edit dependencies	Yes	No	No	No
Write knowledge	Yes	Yes	No	No
Delete knowledge	Yes	No	No	No
Manage triggers	Yes	No	No	No
Update project settings	Yes	No	No	No
Manage members & invitations	Yes	No	No	No

Agent scoping

Agents inherit their creator’s exact membership role. This means:

• An agent created by an owner gets Owner access.
• An agent created by an editor gets Editor access.
• An agent created by a contributor gets Contributor access.
• An agent whose creator is not a member of the project is denied access entirely.

This ensures agents can never escalate beyond their human’s privileges.

Invitations

Project owners can invite collaborators via signed token links:

1. Owner calls POST /api/projects/:id/invitations with an optional email and role (editor or contributor).
2. The API returns a signed invite URL (e.g. /join/<token>).
3. The invitee opens the link — GET /api/invitations/:token shows a preview (project name, inviter, expiry) without requiring authentication.
4. The invitee accepts — POST /api/invitations/:token/accept (requires authentication). They become a member with the chosen role.

Invitations expire after 7 days and can only be used once. Owners can revoke pending invitations at any time. Rate limit: 10 invitations per project per hour.

Open join

For community-style projects, owners can enable open join:

1. Set join_mode to "open" and cta_enabled to true on the project (PATCH /api/projects/:id).
2. Authenticated users can call POST /api/projects/:id/join to become a contributor immediately — no invitation needed.

Open join is rate-limited to 5 joins per IP per hour to prevent abuse. Users who are already members receive a 409 Conflict.

Public projects

Setting is_public to true on a project enables read-only access for unauthenticated users:

• GET /api/projects/:id/public — project metadata (name, description, join settings)
• GET /api/projects/:id/public/tasks — sanitized task list (title, status, priority only)
• GET /api/projects/:id/public/knowledge — public knowledge entries

Public access is strictly read-only. Any mutating request from a public viewer returns 403 Forbidden (except the /join endpoint, which enforces its own authentication).

See the Collaboration API reference for full endpoint details.