一键导入
admin-groups
Explain and manage group membership, manager inheritance, special groups, and canonical group.yaml storage as an admin.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Explain and manage group membership, manager inheritance, special groups, and canonical group.yaml storage as an admin.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Read the supplemental project documentation module
Frontend development router. Load deeper skills before editing
Use the frontend API surface correctly for app files, discovery, identity, and permission-aware browser data access.
Inspect, navigate, and interact with open browser surfaces through space.browser
Open or close stand-alone browser windows
Editable frontend runtime rules for framework pages, stores, shared runtime namespaces, and reusable visual patterns.
| name | Admin Groups |
| description | Explain and manage group membership, manager inheritance, special groups, and canonical group.yaml storage as an admin. |
| metadata | {"when":{"tags":["agent"]}} |
Use this skill for group creation, membership changes, manager changes, or explaining how _all and _admin work.
L1/<group>/.L1/<group>/group.yaml is the canonical membership and manager file.L1/<group>/mod/ is that group's customware module root.Do not write group membership into arbitrary files. group.yaml is the contract.
_all is the implicit everyone group.L1/_all/group.yaml for membership. _all membership is universal, not file-driven._admin is the admin group._admin makes those users admins.included_usersincluded_groupsmanaging_usersmanaging_groupsMeaning:
included_users: direct members of the groupincluded_groups: groups whose members also become members of this groupmanaging_users: users who may write this group's L1/<group>/ treemanaging_groups: groups whose members may write this group's L1/<group>/ treeManager inheritance is separate from membership inheritance. Do not treat included_* as manager fields or vice versa.
Runtime-created groups belong in L1, not L0.
const groupId = "team-red";
return await space.api.fileWrite({
files: [
{ path: `L1/${groupId}/` },
{ path: `L1/${groupId}/mod/` },
{
path: `L1/${groupId}/group.yaml`,
content: space.utils.yaml.stringify({
included_groups: [],
included_users: [],
managing_groups: [],
managing_users: []
})
}
]
});
Read, parse, normalize, then write group.yaml.
const path = "L1/team-red/group.yaml";
const current = await space.api.fileRead(path);
const config = space.utils.yaml.parse(current.content || "");
config.included_users = [...new Set([...(config.included_users || []), "alice"])].sort();
config.managing_users = [...new Set([...(config.managing_users || []), "alice"])].sort();
return await space.api.fileWrite(path, space.utils.yaml.stringify(config));
Use the same pattern for included_groups and managing_groups.
The canonical way to grant admin access is to edit L1/_admin/group.yaml:
included_usersincluded_groupsExample:
const path = "L1/_admin/group.yaml";
const current = await space.api.fileRead(path);
const config = space.utils.yaml.parse(current.content || "");
config.included_users = [...new Set([...(config.included_users || []), "alice"])].sort();
return await space.api.fileWrite(path, space.utils.yaml.stringify(config));
_admin membership is stronger than ordinary group management because admins may write any L1/* and L2/*_all is readable by everyone, but it is not the place to store membership rulesBackend equivalents exist for operators outside the browser:
node space group create <group-id>node space group add <group-id> <user|group> <id> [--manager]node space group remove <group-id> <user|group> <id> [--manager]From the overlay agent, prefer logical app-file edits through space.api.