What you're trying to do
When several agents and/or projects share one .vouch/ KB, I want retrieval (kb.search, kb.context, vouch search, vouch context) to return only artifacts meant for my project and agent — because today a single flat scope: project|private|team|public enum can't express which project or which agent owns an artifact.
Concrete example: Agent A on project billing runs vouch context "auth". It should see team-wide and unbound claims, plus billing-scoped claims and its own private scratch notes — but not project checkout's claims or Agent B's private notes.
This matters more now that deterministic KB sync (vouch sync-check / sync-apply) can merge diverged .vouch/ directories from multiple teammates/agents into one shared KB.
What you've tried
- Flat
scope enum on Claim/Source (private / project / team / public) — answers "how widely visible" but not "for whom."
VOUCH_AGENT for audit attribution — records who proposed/approved, but does not filter retrieval.
tags — untyped; every consumer would reinvent project/agent conventions.
- Per-project subdirectories under
.vouch/ — bigger on-disk layout change; doesn't model visibility tiers cleanly.
Suggested shape
Replace the single scope string with a structured object on Claim and Source:
scope:
visibility: project # private | project | team | public
project: billing # optional — None = not bound to a project
agent: claude-cli # optional — used for private owner binding
What you're trying to do
When several agents and/or projects share one
.vouch/KB, I want retrieval (kb.search,kb.context,vouch search,vouch context) to return only artifacts meant for my project and agent — because today a single flatscope: project|private|team|publicenum can't express which project or which agent owns an artifact.Concrete example: Agent A on project
billingrunsvouch context "auth". It should see team-wide and unbound claims, plusbilling-scoped claims and its ownprivatescratch notes — but not projectcheckout's claims or Agent B'sprivatenotes.This matters more now that deterministic KB sync (
vouch sync-check/sync-apply) can merge diverged.vouch/directories from multiple teammates/agents into one shared KB.What you've tried
scopeenum on Claim/Source (private/project/team/public) — answers "how widely visible" but not "for whom."VOUCH_AGENTfor audit attribution — records who proposed/approved, but does not filter retrieval.tags— untyped; every consumer would reinvent project/agent conventions..vouch/— bigger on-disk layout change; doesn't model visibility tiers cleanly.Suggested shape
Replace the single
scopestring with a structured object on Claim and Source: