Admin Console
V2 only — invite-only edition. This is part of AI Partner V2 and is not in the open-source V1 you self-host from the Quick Start. V2 is available now, by invite. See V1 vs V2.
What it is
When authentication is enabled (see Authentication), users with the admin flag get an extra sidebar item: the Admin Console. It is the operator view of a multi-user deployment — six tabs that answer what is happening, who is doing it, what does it cost, and what knowledge/skills are shared org-wide.
Regular members never see it; every endpoint behind it returns 403 for non-admins.
| Tab | What it shows | What admins can do |
|---|---|---|
| Overview | Live tiles (users, goals running, cost today, pending skill shares, pending approvals, failures last 24h) + a real-time activity feed of all users' lifecycle events | Click a tile to jump to its tab |
| Users | Member list with join/last-login dates | Generate single-use invite codes (optional expiry), promote/demote admins, delete users |
| Activity | The org-wide audit log — every tool call, auth event, goal, and security event across all users | Filter by user, category, severity, action; paginate |
| Usage & Cost | LLM spend aggregated per user (calls, tokens, cost, latency) for daily/weekly/monthly periods | Spot expensive users/workflows |
| Skill Governance | Skills members have requested to share org-wide | Review the full template, approve (re-runs the security scan — failing templates are auto-rejected) or reject with a reason; deprecate org skills back to private |
| Knowledge Sources | External sources (Notion / Slack / Google Drive) synced into the shared knowledge base | Add/test/pause/delete sources, set schedules, trigger Sync now, see per-source status and errors |
| Agent Access | The inbound Agent API (A2A) and outbound mesh toggles + external agent consumers | Enable/disable inbound A2A, create consumers (service account + API key in one step), rotate/revoke keys, see per-consumer cost, export billing statements |
The live activity feed
Admins' browser sessions join a dedicated socket room (admin:events). Lifecycle events from all users — goal started/completed/failed, sub-agents, approvals waiting, skill share requests, delegation updates, knowledge sync completions — stream into the Overview tab in real time, each attributed to its user.
High-frequency streams (message tokens, browser frames, reasoning traces) are deliberately not mirrored: the feed is an activity overview, not a firehose, and users' private content stays in their own rooms.
Skill Governance��
The trust layer for org-wide skill sharing:
- A member clicks Share with org on one of their learned skills → it enters the pending queue (badge:
pending review). - The admin opens Skill Governance, views the full template (the exact script every user would be able to run), strategy, and provenance.
- Approve re-runs the code security scan; a failing template is automatically rejected with the reason. On success the skill becomes recallable by every member (badge:
org). - Reject records a reason the owner sees on their skill. Deprecate reverts an org skill to private (the owner keeps it).
Nothing is ever shared automatically — sharing requires both the owner's request and an admin's approval. See Skills for the member-side flow.
Knowledge Sources
Connect an external source once and its content syncs into the knowledge base on a schedule, searchable by every member (docs appear in their Knowledge view with an org badge; only admins can remove them).
Adding a source
- First connect the service's credentials under Integrations (Notion API key, Slack bot token, or Google Drive token) — syncing uses your credentials, stored encrypted per-user.
- Admin Console → Knowledge Sources → Add Source.
- Pick the type and enter its identifier:
| Type | Identifier | What gets synced |
|---|---|---|
| Notion | Database ID (32-char ID from the database URL) | Each page's properties + block text; changed pages are re-synced (no duplicates) |
| Slack | Channel name (#handbook) or ID | New messages since the last sync, batched into timestamped documents |
| Google Drive | Folder ID (from the folder URL) | Text-extractable files (Docs, Sheets as CSV, plain text) modified since the last sync |
- Test connection validates credentials + identifier before saving.
- Pick a schedule — every hour, every 6 hours, or daily — and save. The first sync runs shortly after.
Operating sources
- Sync now runs immediately and shows stats (
ingested / updated / skipped). - Pause/Resume stops the schedule without deleting anything.
- Errors (e.g. an expired token) appear as a red chip with the message; the schedule keeps running and recovers when credentials are fixed.
- Delete asks whether to also remove the documents the source ingested.
API
GET /api/admin/knowledge-sources # list with status + doc counts
POST /api/admin/knowledge-sources # {type, name, config, schedule_minutes}
PATCH /api/admin/knowledge-sources/:id # update config/schedule/enabled
DELETE /api/admin/knowledge-sources/:id?deleteDocs=true
POST /api/admin/knowledge-sources/test # validate a draft source
POST /api/admin/knowledge-sources/:id/sync # manual sync, returns stats
All admin endpoints live under /api/admin/* and require an authenticated admin.
Agent Access
The operator side of the Agent API: toggle Inbound Agent API (external agents with a key can run goals here) and Outbound Agent Mesh (this server may delegate to registered external agents), and manage consumers — each external customer gets a service account whose API key, workspace, usage metering, and 3-concurrent-goal cap are all isolated. Per-consumer monthly cost shows inline; Statement downloads a CSV (goals, calls, tokens, cost, by-model) for invoicing. Keys are shown exactly once at mint time and can be rotated or revoked at any moment.
Privacy model
The console is read-only across users (plus governance actions that change sharing state, never content). What admins see: activity metadata, usage numbers, skill templates submitted for sharing, goal lifecycle events. What admins do not see: members' chat content, message streams, browser screenshots, DM/phone proxy content — those stay in each user's own socket room and are never mirrored to the admin feed.