# Role and Access Model

> [!summary]
> Eval Labs uses Clerk role metadata for role-based human evaluation access. Frontend role behavior comes from Clerk public metadata, while persisted evidence protection depends on the matching Clerk session claim reaching Supabase RLS.

---

## Clerk metadata

Current public metadata key:

```json
{
  "eval_labs_role": "..."
}
```

Supported values:

- `owner`
- `admin`
- `evaluator`
- `tester`

Missing or unknown role values should fail closed.

Read the full surface matrix: [[08 - Eval Labs Roles and Access Matrix|Eval Labs Roles and Access Matrix]].

---

## Owner

Status: implemented.

Owner has full current platform access:

- Home dashboard
- Launcher
- Custom Prompt Test
- Auto-generated Prompt Test
- Guest Facing Agent Verification Check
- Verification Results
- Controlled Batch Runner
- Run History
- Team Review
- Global Analysis
- Registry Diagnostics
- Behavioral Observatory
- Single Run Analysis
- review routes
- future user/admin management
- future cleanup/tools
- Global Analysis visibility

---

## Admin

Status: implemented.

Admin has similar privileged operational access to owner.

Current intent:

- access Team Review, Global Analysis, and Single Run Analysis
- access Registry Diagnostics
- access Behavioral Observatory
- use the batch runner and all test surfaces
- review and inspect shared persisted evidence
- support future evaluator/user oversight

---

## Evaluator

Status: implemented; onboarding/workspace polish remains active hardening.

Evaluator is the full human evaluation workbench role.

Evaluators can:

- use Custom Prompt Test
- use Auto-generated Prompt Test
- use Guest Facing Agent Verification Check
- use Verification Results
- use Controlled Batch Runner
- use their own run, review, and history routes
- review and finalize their own assigned work

Evaluators cannot:

- see Team Review
- see Global Analysis
- see platform-wide owner/admin evidence
- use Registry Diagnostics unless explicitly widened later
- use Behavioral Observatory unless explicitly widened later
- see owner/admin tools
- use owner/admin cleanup or management surfaces

---

## Tester

Status: implemented as a narrower onboarding role.

Tester is the entry-level prompt-testing lane.

Testers can:

- use Custom Prompt Test
- use Auto-generated Prompt Test

Testers cannot:

- use Guest Facing Agent Verification Check
- use Verification Results
- use Controlled Batch Runner
- see Team Review
- see Global Analysis
- use Registry Diagnostics
- use Behavioral Observatory
- see owner/admin tools

Use tester for early human evaluation cohorts that need clean prompt-testing signal without broader platform access.

---

## Unassigned or missing role

Status: implemented fail-closed posture.

Users with no recognized `eval_labs_role` should have limited or no protected Eval Labs access.

---

## Persistence and RLS requirement

Status: implemented; active hardening continues around verification and rollout safety.

Real runs must persist to Supabase. The Clerk session token must include `eval_labs_role` so Supabase RLS can recognize owner/admin access to shared persisted evidence.

Frontend role checks and persisted evidence access must agree. If they do not, the UI can look correct while Supabase denies or scopes the data differently.

Verify the Clerk-to-Supabase role claim path whenever role metadata, JWT templates, RLS policies, or privileged evidence hydration changes.
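
One way to run that verification as a diagnostic, shown as an added example rather than Eval Labs code: it compares the role in Clerk public metadata with the `eval_labs_role` claim decoded from a session token and fails closed on any disagreement. The function names, the status strings, the top-level placement of the claim, and the sample token are assumptions made for this example.

```javascript
// Added example, not Eval Labs code. Assumption: the role is a top-level
// `eval_labs_role` claim in the session token.
const SUPPORTED_ROLES = new Set(["owner", "admin", "evaluator", "tester"]);

// Fail closed: anything other than a supported role string becomes null.
function normalizeRole(value) {
  return typeof value === "string" && SUPPORTED_ROLES.has(value) ? value : null;
}

// Decode the JWT payload for inspection only. The signature is not checked
// here, so this result must never be used to grant access.
function decodeClaims(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    const claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return claims && typeof claims === "object" && !Array.isArray(claims) ? claims : null;
  } catch {
    return null;
  }
}

// Compare the role the frontend acts on with the role the token carries.
function checkRoleClaimPath(publicMetadata, sessionToken) {
  const uiRole = normalizeRole(publicMetadata && publicMetadata.eval_labs_role);
  const claims = decodeClaims(sessionToken);
  const tokenRole = normalizeRole(claims && claims.eval_labs_role);
  let status = "ok";
  if (!claims) status = "token_unreadable";
  else if (!uiRole && !tokenRole) status = "no_role";
  else if (!tokenRole) status = "claim_missing"; // UI role has no claim for RLS to read
  else if (!uiRole) status = "metadata_missing";
  else if (uiRole !== tokenRole) status = "mismatch";
  return { status, uiRole, tokenRole, effectiveRole: status === "ok" ? uiRole : null };
}

// Constructed sample token with a placeholder signature, for this demo only.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const drift = checkRoleClaimPath({ eval_labs_role: "owner" }, makeSampleToken({ sub: "user_constructed" }));
console.log(drift.status, drift.effectiveRole);
```

A `claim_missing` or `mismatch` status is the drift case described above, where the UI shows a role that the token does not carry for RLS to evaluate.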

---

## Deferred access work

Not implemented yet:

- assignment-based evaluator work
- evaluator access to Behavioral Observatory
- evaluator-reviewing-owner-run RLS policies
- user/admin management
- cleanup/tools
- broader external rollout

---

## Canon rule

Do not claim production maturity beyond the implemented access model.

Use:

```text
implemented
active hardening
deferred
future
```

Do not describe the evaluator workspace as final while onboarding polish remains active hardening.