- where a behavior can be included
- which capabilities a daemon can discover
- which tools make sense for the current request
- how far a runtime identity may look beyond its own node
Scope Types
Public: visible from public entrypoints or everywhere a public surface is exposed. This is used for public agent cards, public distribution surfaces, and unauthenticated discovery where supported.Aion: visible across the Aion platform. This is used for platform-provided system behaviors, control-plane capabilities, and globally available defaults.Organization: visible within the same organization. This is used for organization-shared behaviors and organization-wide capability discovery.Project: visible within the same project. This is used for project-local behavior inclusion, project-scoped capability discovery, and project-level daemon tool access.Request: visible within the current distribution request path up to the caller. This is used for contextual tool discovery inside an agent sequence.Node: visible to one configured agent environment. This is used for self-node capability discovery and isolated daemon access.
Project Scope
Project scope is the normal boundary for work that belongs to one composed agent system. A project contains nodes. Each node is backed by an agent environment, and each environment resolves the behavior, configuration, identities, and enabled capabilities for that node. Project scope lets a daemon discover tools or behaviors that belong to the same composed system without automatically crossing into unrelated projects. Project scope is broader than node scope. A node-scoped request can see only one configured environment. A project-scoped request may see other resources in the same project when the caller has project-level capability discovery access.Request Scope
Request scope is narrower than project scope. When a request enters through a distribution, Aion resolves an agent sequence: an ordered list of agent environments that may participate in that request. If a middleware node asks for request-scoped tools, Aion exposes only the sequence prefix from the distribution ingress through that caller. In this example, ifMiddleware A searches with request scope, the visible
request scope is:
- the distribution ingress
Middleware A
Middleware B or the terminal agent. This avoids leaking
downstream sequence details to an upstream caller and keeps tool discovery
aligned with the context that has actually led to the caller.
Request scope requires a distribution id as the contextual id. Aion then
resolves the caller’s runtime principal to an agent environment and truncates
the distribution sequence at that environment.
Node Scope
Node scope is the smallest agent-runtime scope. It is anchored to one agent environment. Use node scope when an agent needs to answer “what can I do?” or when an isolated daemon should discover only tools attached to its own configured environment. Node scope is intentionally not a fallback for request scope. If an operation requires request or project visibility and the caller lacks that access, Aion rejects the request instead of returning a partial view that could imply the larger sequence is smaller than it really is.Where Scopes Appear
Scopes appear in several places:- Behavior sharing uses scopes such as
Project,Organization, andAionto decide where behavior deployments can be included. - MCP tool discovery uses scopes such as
node,request,project, andorganizationto decide which tools are visible to a daemon. - Authorization roles may use contextual reach such as node, project, or organization reach to decide whether a principal can list or execute a capability.