Agent Access Control Matrix¶

Document ID: GOV-ACM-001
Status: Active
Owner: Paul (Infrastructure)
Approver: Simon (CEO)
Last Edited: Maya, 2026-02-23
Review Due: 2026-05-23

Purpose¶

Defines Read/Write/Execute (RWE) permissions for AI agents across all COOWN infrastructure, platforms, and repositories. Ensures least-privilege access aligned with operational roles.

Infrastructure Inventory (Agent-Ready)¶

VPS Compute¶

Asset	Role	Simon	Claude Code	OpenClaw (Cloud)	OpenClaw (Local)	NanoClaw/Qwen
VPS-CPU	Central Orchestrator & Deployment	S/RWE	RWE	RWE	N/A	N/A
VPS-AML	Sovereign Audit & Compliance	S/RWE	R	N/A	N/A	R
VPS-HUB	Public Interface & Marketing	S/RWE	RWE	N/A	N/A	None
LOC-MAYA	Development Sandbox (Local)	S/RWE	RWE	RWE	RWE	N/A

Internet Computer Canisters¶

Asset	Role	Simon	Claude Code	OpenClaw (Cloud)	NanoClaw/Qwen
CAN-CLAW	On-chain Notary & Trust Logic	A	R	R	R

Notes: - VPS-AML: No OpenClaw access. Human & n8n only for compliance isolation. - VPS-HUB: No OpenClaw access. Public-facing; changes via VPS-CPU deployment only. - LOC-MAYA: Full local development environment with unrestricted agent access.

Software & Platform RACI¶

Development & Operations¶

Platform	Simon	Abdullah	Developers	Claude Code	OpenClaw	Purpose
GitHub (Backoffice)	A/RWE	—	RWE	RW	RW	Marketing, compliance, dev, ops
GitHub (Engineering)	S	RWE	RWE	RW	R	Infrastructure, app code, CI/CD
Coolify	RW	RWE	—	RWE	RWE	Deployment on VPS-CPU/HUB
Plane.pm	RWE	RWE	RWE	RWE	RW	Sprint and task tracking

Knowledge & Data¶

Platform	Simon	Abdullah	Developers	Claude Code	OpenClaw	Public	Purpose
Outline Wiki	RWE	RWE	RWE	RWE	RW	—	KB visualization
Ollama Hub	RWE	RWE	RWE	RWE	RW	R	Released KB prompting
Supabase	A/RWE	RW	—	RW	R	—	SSOT for Knowledge Base

Compliance & Security¶

Platform	Simon	AML Officers	Abdullah	Claude Code	OpenClaw	Purpose
SQL-AML	A/RWE	RW	—	R	N/A	AML database (isolated)
n8n (CPU/HUB)	RW	—	RWE	RWE	RWE	Workflow automation
n8n (AML)	RWE	—	RW	RW	N/A	Compliance workflows only

Specialized¶

Platform	Users	Claude Code	OpenClaw	Purpose
IC-Claw	COOWN clients (RWE), Abdullah (RW), Developers (RW)	R	N/A	Wallet config, payment automations

Legend¶

Symbol	Meaning
S	Super/Owner - Full administrative control
A	Accountable - Decision authority
RWE	Read / Write / Execute - Full operational access
RW	Read / Write - Operational access, no execute
R	Read Only - View access only
N/A	No Access - Explicitly denied
—	Not applicable to role

Human Roles¶

Person	Primary Role
Simon	CEO, Infrastructure Owner, Final Authority
Abdullah	Lead Developer, Infrastructure
Developers	Engineering team (varies by project)
AML Officers	Compliance personnel (human only)

Agent Roles¶

Agent	Environment	Primary Functions
Claude Code	Local + VPS	Engineering, coding, architecture
OpenClaw (Cloud)	VPS-CPU	Orchestration, multi-agent coordination
OpenClaw (Local)	LOC-MAYA	Local development, testing
NanoClaw/Qwen	VPS-AML + Local	Lightweight local inference, compliance queries
IC-Claw	IC Canisters	On-chain operations, wallet automation

Security Boundaries¶

Critical Isolations¶

VPS-AML:
No OpenClaw access (cloud or local)
Claude Code: Read Only
Database: Human & n8n only
SQL-AML:
AI agents: Read Only (Claude Code)
No OpenClaw access
Writes: Human AML officers + n8n workflows only
IC-Claw:
OpenClaw: No access
Client-facing: Local Qwen/llama has RW for wallet ops
Claude Code: Read only for audit

Network Architecture¶

Tailscale mesh: All VPS communication
No inbound to local: Laptop initiates all connections
VPS-CPU: Central orchestrator, can reach HUB and AML
VPS-HUB: Public-facing, no direct agent access
VPS-AML: Isolated, API-only communication

Change Control¶

Access changes require: 1. Request via Plane.pm or direct to Simon 2. Risk assessment (Paul) 3. Approval by Simon 4. Documentation update (this matrix) 5. Implementation with audit log