What's new
- GB-Agent access schema: new workspace settings and per-user allowlist tables store the workspace enabled toggle, per-mode toggles, all-members vs allowlist access mode, and audit pointers to workspace members.
- Server-side foundation API: domain contracts plus database adapters and admin-client wrappers can read defaults, persist workspace settings, validate allowlisted users against same-workspace membership, and answer access decisions for
draft_reply,draft_with_me, andhuman_review_preview. - Security boundary: authenticated users can read settings only for workspaces they can access; writes are intentionally service-route-only. No connector endpoint, token, streaming, composer, or settings UI changes are included in this release.
Why
This is the first foundation slice for real Settings → Integrations → GB-Agent gates. It establishes the database and server-side access-decision primitives before UI wiring or runtime enforcement is layered on top.