fix: remove global readability of namespace nodes

src/cmd/root.go

@@ -12,6 +12,21 @@ import (
 )
 
 func getNodeService() (service.NodeService, error) {
+	if token := os.Getenv("AX_TOKEN"); token != "" {
+		if cfg.Remote.Host != "" {
+			base := fmt.Sprintf("http://%s:%d", cfg.Remote.Host, cfg.Remote.Port)
+			return service.NewRemoteNodeService(base, ""), nil
+		}
+		st, err := store.FindAndOpenSQLiteStore()
+		if err != nil {
+			return nil, err
+		}
+		agentID := service.LookupAgentToken(st, token)
+		if agentID == "" {
+			return nil, fmt.Errorf("invalid AX_TOKEN: agent not found")
+		}
+		return service.NewLocalNodeService(st, agentID), nil
+	}
 	user := cfg.User
 	if user == "" {
 		return nil, fmt.Errorf("no user configured: run 'ax user set <username>' first")

src/e2e/e2e_aliases_test.go

@@ -2,7 +2,6 @@ package e2e_test
 
 import (
 	"encoding/json"
-	"slices"
 	"strings"
 	"testing"
 )
@@ -10,20 +9,14 @@ import (
 func TestAliases(t *testing.T) {
 	env := newTestEnv(t, "testuser")
 
-	t.Run("DefaultsPresent", func(t *testing.T) {
+	t.Run("EmptyByDefault", func(t *testing.T) {
 		out := env.mustAx("alias", "--json")
 		var aliases []map[string]string
 		if err := json.Unmarshal([]byte(out), &aliases); err != nil {
 			t.Fatalf("failed to parse alias JSON: %v\n%s", err, out)
 		}
-		names := make([]string, len(aliases))
-		for i, a := range aliases {
-			names[i] = a["name"]
-		}
-		for _, want := range []string{"mine", "due", "inbox"} {
-			if !slices.Contains(names, want) {
-				t.Errorf("default alias %q not found in: %v", want, names)
-			}
+		if len(aliases) != 0 {
+			t.Errorf("expected no aliases by default, got: %v", aliases)
 		}
 	})
 
@@ -46,22 +39,18 @@ func TestAliases(t *testing.T) {
 		}
 	})
 
-	t.Run("CannotDeleteDefault", func(t *testing.T) {
-		_, err := env.ax("alias", "del", "inbox")
-		if err == nil {
-			t.Fatal("expected error deleting default alias, got none")
-		}
-	})
-
 	t.Run("Execute_Due", func(t *testing.T) {
-		// The built-in 'due' alias lists open issues.
+		env.mustAx("alias", "due", "list --due")
 		out := env.mustAx("due", "--json")
 		env.parseNodes(out)
+		env.mustAx("alias", "del", "due")
 	})
 
 	t.Run("Execute_Mine_WithMeExpansion", func(t *testing.T) {
 		// 'mine' expands $me to AX_USER=testuser.
+		env.mustAx("alias", "mine", "list --assignee $me")
 		out := env.mustAx("mine", "--json")
 		env.parseNodes(out)
+		env.mustAx("alias", "del", "mine")
 	})
 }

src/service/node_service_impl.go

@@ -185,14 +185,13 @@ func (s *nodeServiceImpl) getPermContext() (*permContext, error) {
 		}
 	}
 
-	// User and namespace nodes are globally readable (they represent identities,
+	// User nodes are globally readable (they represent identities,
 	// and anyone can reference or assign to them).
-	for _, nodeType := range []string{"user", "namespace"} {
-		nodes, _ := s.store.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
-		for _, n := range nodes {
-			if pc.levels[n.ID] < permRead {
-				pc.levels[n.ID] = permRead
-			}
+	// Namespace nodes are NOT globally readable; access must be explicitly granted.
+	nodes, _ := s.store.FindNodes([]*models.Rel{{Type: "_type::user", Target: ""}})
+	for _, n := range nodes {
+		if pc.levels[n.ID] < permRead {
+			pc.levels[n.ID] = permRead
 		}
 	}