Description
Parent: #196
Problem
ALLOWED_WORKSPACES is a global env var (comma-separated paths). All users share the same list. User A sees user B's private repos in the /workspaces keyboard. There's no way to scope workspace access per user without editing a root-owned config file.
Proposal
Move allowed workspaces to users.yaml as a per-user field, with Telegram commands for self-service management.
users.yaml schema extension

```yaml
users:
  - telegram_id: 123456789
    name: alice
    role: admin
    allowed_workspaces:
      - ~/Projects/kai
      - ~/Projects/anvil
```

Telegram commands
- `/settings workspaces` - list my allowed workspaces
- `/settings workspaces add <name>` - add a workspace (resolved under `WORKSPACE_BASE`)
- `/settings workspaces remove <name>` - remove a workspace
Precedence

1. Database (user-added via Telegram)
2. `users.yaml` `allowed_workspaces` (admin-set)
3. Env var `ALLOWED_WORKSPACES` (global fallback for backward compat)

All three sources merge (union). Admin-set workspaces cannot be removed by users; users can only add to their own list.
Access control changes
`_is_workspace_allowed()` in `bot.py` (line 712) currently checks a single global list. It needs to become user-aware, checking the merged per-user list for the requesting user instead.
The `/workspaces` keyboard (`bot.py` line 900) also needs to filter by user - only show workspaces the requesting user has access to.
WORKSPACE_BASE
Stays as a global env var. It defines the filesystem layout (where new workspaces are created via `/workspace new`), not access control. All users share the same base directory.
Migration
The existing `ALLOWED_WORKSPACES` env var becomes the global fallback. If a user has no `allowed_workspaces` in `users.yaml` and no database overrides, they see the global list (current behavior). New per-user entries layer on top.
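The following is an added example, not code from this project's `bot.py`, sketching the three-source union described under Precedence, the user-aware replacement for `_is_workspace_allowed()`, the per-user filter for the `/workspaces` keyboard, and the migration fallback where a user with no per-user entries sees only the global list. The function names, the in-memory dict standing in for the database, the sample `users.yaml` content, the `WORKSPACE_BASE` value and the traversal guard in `resolve_under_base()` are all assumptions made for the illustration; the real bot's storage and handlers will differ.

```python
# Added example (not the project's own code): per-user workspace allow-list
# merged from the three sources the proposal names, plus a user-aware check.
# All sample values below are constructed for this illustration.
import os
from typing import Dict, List, Set

WORKSPACE_BASE = "/srv/workspaces"  # assumed value of the global env var

# Source 3: global env var, comma-separated (constructed sample value).
ALLOWED_WORKSPACES_ENV = "/srv/workspaces/shared,/srv/workspaces/docs"

# Source 2: users.yaml, already parsed (constructed; mirrors the schema above).
USERS_YAML = {
    "users": [
        {"telegram_id": 123456789, "name": "alice", "role": "admin",
         "allowed_workspaces": ["/srv/workspaces/kai", "/srv/workspaces/anvil"]},
        {"telegram_id": 987654321, "name": "bob", "role": "user"},
    ]
}

# Source 1: database overrides keyed by telegram_id (assumed in-memory stand-in).
DB_WORKSPACES: Dict[int, Set[str]] = {}


def _norm(path: str) -> str:
    """Canonicalise a path so '~', '..' and trailing '/' cannot defeat an exact-match check."""
    return os.path.normpath(os.path.abspath(os.path.expanduser(path)))


def env_workspaces() -> Set[str]:
    """Global fallback list from ALLOWED_WORKSPACES (backward compat)."""
    return {_norm(p) for p in ALLOWED_WORKSPACES_ENV.split(",") if p.strip()}


def yaml_workspaces(telegram_id: int) -> Set[str]:
    """Admin-set list from users.yaml; empty if the user has no such field."""
    for u in USERS_YAML["users"]:
        if u["telegram_id"] == telegram_id:
            return {_norm(p) for p in u.get("allowed_workspaces", [])}
    return set()


def db_workspaces(telegram_id: int) -> Set[str]:
    """User-added list from the database."""
    return set(DB_WORKSPACES.get(telegram_id, set()))


def allowed_workspaces_for(telegram_id: int) -> Set[str]:
    """Union of all three sources; a user with nothing per-user sees only the global list."""
    return db_workspaces(telegram_id) | yaml_workspaces(telegram_id) | env_workspaces()


def is_workspace_allowed(telegram_id: int, path: str) -> bool:
    """User-aware replacement for the global check: exact match on canonical paths."""
    return _norm(path) in allowed_workspaces_for(telegram_id)


def workspaces_keyboard(telegram_id: int) -> List[str]:
    """Entries for the /workspaces keyboard, filtered to the requesting user."""
    return sorted(allowed_workspaces_for(telegram_id))


def resolve_under_base(name: str) -> str:
    """Resolve '/settings workspaces add <name>' under WORKSPACE_BASE and refuse
    anything that escapes it ('../x', absolute paths, empty name). The guard is an
    assumption; the proposal only says names are resolved under WORKSPACE_BASE."""
    base = _norm(WORKSPACE_BASE)
    candidate = _norm(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"workspace name escapes WORKSPACE_BASE: {name!r}")
    return candidate


def add_workspace(telegram_id: int, name: str) -> str:
    """Self-service add: goes into the database layer only."""
    path = resolve_under_base(name)
    DB_WORKSPACES.setdefault(telegram_id, set()).add(path)
    return path


def remove_workspace(telegram_id: int, name: str) -> bool:
    """Self-service remove: admin-set (yaml) and global (env) entries are not removable."""
    path = resolve_under_base(name)
    if path in yaml_workspaces(telegram_id) or path in env_workspaces():
        return False
    user_set = DB_WORKSPACES.get(telegram_id, set())
    if path not in user_set:
        return False
    user_set.remove(path)
    return True
```

Canonicalising both sides before comparing is what keeps the per-user check meaningful: without it, `~/Projects/kai/` and `/home/alice/Projects/kai` would compare unequal, and a `..` segment in a user-supplied name could resolve outside `WORKSPACE_BASE`.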