Governance
Per-project keys, model allowlists, spend caps, audit log, RBAC. The reason Synapse Garden exists.
This is what you're paying for. Governance-on-tap. Every call from your app — including the AI SDK's streamText — flows through the same project-scoped gates: allowlist, rate limit, spend cap.
Projects
A project is the unit of governance. Each project has its own:
API keys
Issue, rotate, revoke without touching production.
Rate limits
RPM and TPM caps independently per project.
Spend cap
Hard ceiling on monthly cost. Exceeded = HTTP 402.
Model allowlist
Toggle which models this project can call.
Audit trail
Every dashboard action — 90-day retention (Pro+), unlimited (Scale).
Routing defaults
Default provider order, sort, and fallback strategy.
Common project layouts:
```
acme-co/
├── production        ← live customer traffic, strict allowlist, tight cap
├── staging           ← QA + integration tests, looser cap
├── eval              ← model comparison runs, all models enabled
└── per-developer/
    ├── ayush         ← dev sandbox
    └── jane          ← dev sandbox
```
Spend caps
Set a hard ceiling per project in Dashboard → Project → Settings → Spend cap.
When consumed_cents >= included + cap:
Requests start returning 402
New requests immediately return HTTP 402 Payment Required with code BUDGET_EXCEEDED.
Project owner gets emailed
Email goes out to all project owners. Includes the rolling consumption chart and a one-click link to raise the cap.
Cap resets at the period boundary
Or you can manually reset from the dashboard. Resetting mid-period bills you for the additional usage at the standard rate.
You can also set soft caps at 80% / 90% / 100% of the included tokens to email you ahead of the hard limit.
The cap check and the deduction are a single SQL UPDATE against the credit balance, so two concurrent requests cannot both pass the check on the same remaining budget. A burst can therefore overshoot the cap by at most one in-flight request: the one whose deduction crosses the line.
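To see why the single-statement form matters, here is an added example (not Synapse Garden's implementation) that fires a burst of concurrent requests at an in-memory ledger twice: once with a check-then-deduct split across two statements with a round-trip in between, and once with the predicate and the write fused, the in-memory analogue of a conditional `UPDATE ... WHERE consumed_cents < included + cap`. The field names follow this page; the `Ledger` type, the 1000-cent cap and the request costs are assumptions for the example.

```typescript
// Added example, not Synapse Garden's code: check-then-deduct across two
// statements overshoots under a burst; one conditional update does not.
// Field names (consumed_cents, included, cap) follow the docs; the Ledger
// type, cap size and request costs are assumed.

type Ledger = { consumed_cents: number; included_cents: number; cap_cents: number };

// Yield to the event loop, standing in for a DB round-trip between statements.
const roundTrip = (): Promise<void> => new Promise((resolve) => setTimeout(resolve, 0));

// Racy: SELECT the remaining budget, round-trip, then UPDATE. Every request in
// a burst passes the SELECT before any of them has written, so all get admitted.
async function debitRacy(ledger: Ledger, costCents: number): Promise<boolean> {
  const remaining = ledger.included_cents + ledger.cap_cents - ledger.consumed_cents;
  if (remaining <= 0) return false; // would be HTTP 402 BUDGET_EXCEEDED
  await roundTrip();                // other requests pass the same check here
  ledger.consumed_cents += costCents;
  return true;
}

// Atomic: predicate and write in one step, the analogue of
//   UPDATE budgets
//      SET consumed_cents = consumed_cents + $cost
//    WHERE project_id = $project
//      AND consumed_cents < included_cents + cap_cents
//   RETURNING consumed_cents;
// Zero rows updated means the cap is hit. Nothing interleaves between the
// WHERE and the SET, so only the request that crosses the line overshoots.
async function debitAtomic(ledger: Ledger, costCents: number): Promise<boolean> {
  if (ledger.consumed_cents >= ledger.included_cents + ledger.cap_cents) return false;
  ledger.consumed_cents += costCents;
  await roundTrip();                // any further I/O happens after the row is updated
  return true;
}

// Fire n concurrent requests of equal cost at a fresh ledger with a 1000-cent
// cap (assumed) and report where consumed_cents ends up.
async function burst(
  debit: (ledger: Ledger, costCents: number) => Promise<boolean>,
  n: number,
  costCents: number,
): Promise<number> {
  const ledger: Ledger = { consumed_cents: 0, included_cents: 0, cap_cents: 1000 };
  await Promise.all(Array.from({ length: n }, () => debit(ledger, costCents)));
  return ledger.consumed_cents;
}

// Usage: burst(debitRacy, 50, 100) ends at 5000 cents (5x the cap);
// burst(debitAtomic, 50, 100) ends at exactly 1000; burst(debitAtomic, 50, 300)
// ends at 1200, the one-request overshoot the docs describe.
```

The racy version admits every request that was in flight when the balance was read, which is exactly the failure a tight production cap is meant to prevent; the atomic version bounds the damage to one request's cost.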
Model allowlists
In Dashboard → Project → Models, toggle which models this project can call.
Production project:
```
[x] openai/gpt-5.4
[x] openai/gpt-5.4-mini
[x] anthropic/claude-sonnet-4.6
[ ] anthropic/claude-opus-4.6
[ ] google/*
[ ] meta/*
```
Eval project:
```
[x] openai/gpt-5.5
[x] openai/gpt-5.4
[x] anthropic/*
[x] google/*
[x] meta/*
[x] bfl/*
[x] (everything)
```
A blocked model returns HTTP 403 Forbidden with code MODEL_NOT_ALLOWED.
Allowlist resolution
The allowlist resolves in this order (per lib/rules/model-access.rule.ts):
- If a row exists for (orgId, projectId, modelId) → use its enabled value
- Else if a row exists for (orgId, NULL, modelId) (the org default) → use that
- Else → fall back to the plan's default allowlist
In English: project-specific rules win, then org-wide rules, then plan defaults.
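The three-step resolution above as a pure function over an in-memory rule table, with the gate that turns a denial into the 403 MODEL_NOT_ALLOWED described earlier. This is an added example, not lib/rules/model-access.rule.ts. Assumptions beyond the page: rows may carry provider wildcards such as `anthropic/*` (the dashboard shows them, the rule description does not say how they are stored), an exact model row beats a wildcard row at the same scope, and the plan defaults and the `acme-co` rule table are invented for the example.

```typescript
// Added example, not Synapse Garden's model-access rule. Resolution order from
// the docs: project row, then org-default row (projectId NULL), then plan
// default. Wildcard rows, exact-beats-wildcard, plan defaults and the sample
// rule table are assumptions.

type AccessRow = { orgId: string; projectId: string | null; modelId: string; enabled: boolean };
type Plan = 'free' | 'pro';
type Decision = { allowed: boolean; source: 'project' | 'org' | 'plan' };

// Invented plan defaults: Free gets only -mini models, Pro gets everything.
const PLAN_DEFAULTS: Record<Plan, (modelId: string) => boolean> = {
  free: (modelId) => modelId.endsWith('-mini'),
  pro: () => true,
};

// "anthropic/*" matches any model under that provider; "*" matches everything.
function patternMatches(pattern: string, modelId: string): boolean {
  if (pattern === '*') return true;
  if (pattern.endsWith('/*')) return modelId.startsWith(pattern.slice(0, -1));
  return pattern === modelId;
}

// The row at one scope (a project, or the org default when projectId is null):
// an exact modelId row first, otherwise the first wildcard row that matches.
function rowAtScope(
  rows: AccessRow[], orgId: string, projectId: string | null, modelId: string,
): AccessRow | undefined {
  const scoped = rows.filter((r) => r.orgId === orgId && r.projectId === projectId);
  return scoped.find((r) => r.modelId === modelId)
    ?? scoped.find((r) => patternMatches(r.modelId, modelId));
}

function resolveModelAccess(
  rows: AccessRow[], orgId: string, projectId: string, modelId: string, plan: Plan,
): Decision {
  const projectRow = rowAtScope(rows, orgId, projectId, modelId);
  if (projectRow) return { allowed: projectRow.enabled, source: 'project' };
  const orgRow = rowAtScope(rows, orgId, null, modelId);
  if (orgRow) return { allowed: orgRow.enabled, source: 'org' };
  return { allowed: PLAN_DEFAULTS[plan](modelId), source: 'plan' };
}

// The gate in front of a call: null means proceed, otherwise the error returned.
function gateModel(
  rows: AccessRow[], orgId: string, projectId: string, modelId: string, plan: Plan,
): { status: number; code: string } | null {
  const decision = resolveModelAccess(rows, orgId, projectId, modelId, plan);
  return decision.allowed ? null : { status: 403, code: 'MODEL_NOT_ALLOWED' };
}

// Constructed rule table for org "acme-co" (sample data, not from the page).
const RULES: AccessRow[] = [
  { orgId: 'acme-co', projectId: 'production', modelId: 'openai/gpt-5.4', enabled: true },
  { orgId: 'acme-co', projectId: 'production', modelId: 'anthropic/claude-opus-4.6', enabled: false },
  { orgId: 'acme-co', projectId: null, modelId: 'anthropic/*', enabled: true },
  { orgId: 'acme-co', projectId: null, modelId: 'google/*', enabled: false },
];
```

Note what the ordering buys you: the production row disabling claude-opus-4.6 wins even though the org default enables `anthropic/*` and a Pro plan would allow everything, while the eval project, which has no row of its own, inherits the org default. Adding a model at the org level therefore never silently widens a project that has explicitly said no.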
Audit log
Every dashboard action lands here:
| Action | Actor | Target | When |
|---|---|---|---|
| api_key.created | ayush@… | mg_live_a1b2… (prefix) | 2026-05-10 15:42 |
| project.archived | jane@… | staging | 2026-05-09 10:11 |
| member.role_changed | owner@… | bob@… (developer → admin) | 2026-05-08 09:30 |
| allowlist.updated | ayush@… | production | 2026-05-07 14:00 |
| plan.changed | owner@… | Hobby → Pro | 2026-05-01 08:00 |
Visible at Dashboard → Audit log. Filter by actor, action, target, date range. Export as CSV from any view.
RBAC
Workspace roles, in order of access:
| Role | Can do |
|---|---|
| Owner | Everything, including delete workspace, transfer ownership, manage billing. |
| Admin | Everything except delete workspace and transfer ownership. |
| Developer | Create / manage projects + keys; see usage. Cannot manage billing or members. |
| Viewer | Read-only on usage and projects. No mutation. |
Roles are workspace-wide for v1. Per-project roles ship in v2.
Rate limits
Set per project in Dashboard → Project → Settings → Rate limits.
| Limit | Default | Configurable up to |
|---|---|---|
| RPM (requests / minute) | 60 | Plan ceiling |
| TPM (tokens / minute) | 100,000 | Plan ceiling |
Exceeded = HTTP 429 Too Many Requests with X-RateLimit-* headers and a Retry-After value (seconds).
Plan ceilings:
| Plan | Max RPM / project | Max TPM / project |
|---|---|---|
| Free | 60 | 100,000 |
| Hobby | 600 | 1,000,000 |
| Pro | 6,000 | 10,000,000 |
| Agency | 60,000 | 100,000,000 |
| Scale | Custom | Custom |
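On the client side, the three gate responses on this page want three different reactions: a 429 is transient and carries a Retry-After in seconds, while a 402 BUDGET_EXCEEDED or 403 MODEL_NOT_ALLOWED will not clear by itself and retrying it only spends more RPM. The following is an added example of a call wrapper that encodes that, not part of the Synapse Garden SDK. Only the status codes, the Retry-After header and the `code` field come from this page; the response shape, the one-second fallback delay and the scripted responses used to exercise it are assumptions.

```typescript
// Added example (client side), not Synapse Garden SDK code: retry only on 429,
// honour Retry-After, fail fast on 402/403. Response shape, the fallback delay
// and the scripted responses are assumptions.

type GatewayResponse = { status: number; headers: Record<string, string>; body: { code?: string } };
type Fetcher = () => Promise<GatewayResponse>;
type Sleep = (ms: number) => Promise<void>;

class GatewayError extends Error {
  constructor(public readonly status: number, public readonly code: string) {
    super(`gateway returned ${status} ${code}`);
  }
}

// Header lookup that tolerates either capitalisation of the header name.
function header(r: GatewayResponse, name: string): string | undefined {
  const key = Object.keys(r.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : r.headers[key];
}

// Milliseconds to wait before retrying, or null when the response must not be retried.
function retryDelayMs(r: GatewayResponse): number | null {
  if (r.status !== 429) return null;
  const seconds = Number(header(r, 'Retry-After'));
  return Number.isFinite(seconds) && seconds >= 0 ? seconds * 1000 : 1000; // 1s fallback assumed
}

const realSleep: Sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

async function callWithRetry(
  fetcher: Fetcher, maxAttempts = 3, sleep: Sleep = realSleep,
): Promise<{ response: GatewayResponse; attempts: number; waitedMs: number }> {
  let waitedMs = 0;
  for (let attempt = 1; ; attempt++) {
    const response = await fetcher();
    if (response.status < 400) return { response, attempts: attempt, waitedMs };
    const delay = retryDelayMs(response);
    // 402, 403 and any other non-429 error surface at once; 429 gives up after maxAttempts.
    if (delay === null || attempt >= maxAttempts) {
      throw new GatewayError(response.status, response.body.code ?? 'UNKNOWN');
    }
    await sleep(delay);
    waitedMs += delay;
  }
}

// Scripted stand-in for the gateway: returns the constructed responses in order,
// repeating the last one, and counts how many calls were actually made.
function scripted(responses: GatewayResponse[]): { fetch: Fetcher; calls: () => number } {
  let i = 0;
  return {
    fetch: async () => responses[Math.min(i++, responses.length - 1)],
    calls: () => i,
  };
}
```

Keeping `maxAttempts` small matters: a client that loops on 429 without a bound is the "rogue test loop" the per-project RPM caps exist to contain, and it will sit at the ceiling until someone notices.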
Per-environment patterns
The pattern most teams settle on:
```
production   cap: $1,000/mo   allowlist: known-good models   rpm: 6,000
staging      cap: $50/mo      allowlist: ~production         rpm: 600
eval         cap: $20/mo      allowlist: everything          rpm: 60
local-dev    cap: $5/mo       allowlist: cheap models only   rpm: 60
```
All four projects share the workspace's billing and audit log, but each has its own cap, so one "rogue test loop" in eval or local-dev can never blow your production cap.