Team
RBAC, invites, and per-member spend.
Overview
Team provides role-based access control, email invites, and per-member spend tracking. Invite teammates with specific roles, track their LLM usage, and audit every change through Trust's ledger.
Roles
Four built-in roles control access: admin, developer, viewer, and auditor. Assign roles on invite or change them later via API.
API Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /api/team/members | Invite a new team member |
| GET | /api/team/members | List all team members |
| PUT | /api/team/members/{id} | Update member role or name |
| DELETE | /api/team/members/{id} | Remove a team member |
| POST | /api/team/accept-invite | Accept an invite token |
| GET | /api/team/spend | Per-member spend this month |
Inviting Members
```bash
# Invite a developer
curl -X POST http://localhost:4200/api/team/members \
  -H "Authorization: Bearer $STOCKYARD_ADMIN_KEY" \
  -d '{"email":"alice@acme.co", "name":"Alice", "role":"developer"}'

# Response includes an invite token
{"id":"tm_8a4f2c","email":"alice@acme.co","role":"developer","invite_token":"a1b2c3..."}
```
If a mailer is configured, the invite email is sent automatically with an accept link.
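The invite call above can be wrapped so the role is checked against the four built-in roles before anything is sent, and so the `invite_token` (the value `/api/team/accept-invite` consumes) is masked before the response is logged. This is an added example, not Stockyard's own code; the function names, the `allow_admin` opt-in, and the explicit `Content-Type` header are assumptions.

```python
import json
import urllib.request

# The four built-in roles listed on this page.
ROLES = {"admin", "developer", "viewer", "auditor"}
BASE_URL = "http://localhost:4200"  # host and port from the curl examples


def build_invite(email, name, role, admin_key, allow_admin=False):
    """Return an unsent Request for POST /api/team/members."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(ROLES)}")
    # Assumption: a local policy that admin invites need an explicit opt-in.
    if role == "admin" and not allow_admin:
        raise PermissionError("admin invites require allow_admin=True")
    if not admin_key:
        raise ValueError("admin key is empty")
    body = json.dumps({"email": email, "name": name, "role": role}).encode()
    # Content-Type is set explicitly here; the page's curl example omits it.
    return urllib.request.Request(
        f"{BASE_URL}/api/team/members",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {admin_key}",
                 "Content-Type": "application/json"},
    )


def redact_for_log(response_text):
    """Parse an invite response and mask invite_token before logging it."""
    doc = json.loads(response_text)
    if "invite_token" in doc:
        doc["invite_token"] = "[redacted]"
    return doc


def send_invite(req, timeout=10):
    """Send the request; return (invite_token, loggable response dict)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        text = resp.read().decode()
    return json.loads(text)["invite_token"], redact_for_log(text)


if __name__ == "__main__":
    # Constructed response in the shape shown above; no network call is made.
    sample = '{"id":"tm_8a4f2c","role":"developer","invite_token":"CONSTRUCTED"}'
    req = build_invite("alice@acme.co", "Alice", "developer", "constructed-key")
    print(req.get_method(), req.full_url)
    print(redact_for_log(sample))
```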
Spend Tracking
```bash
# Get per-member spend for the current month
curl http://localhost:4200/api/team/spend \
  -H "Authorization: Bearer $STOCKYARD_ADMIN_KEY"

# Returns request counts, cost, and token breakdown per member
```
Spend data is pulled from billing_usage (if available) or observe_traces as a fallback, grouped by customer ID.
Audit Integration
Every invite, role change, and member removal is logged to Trust's append-only audit ledger. Events include team_member.invite, team_member.role.update, and team_member.remove.
Note: All /api/team/* routes require the STOCKYARD_ADMIN_KEY, sent as a bearer token in the Authorization header. Per-member RBAC enforcement is planned for a future release.