Workspaces: We Built a Private Slack That Actually Understands Our Business
We hit a wall with Slack.
Not the tool itself — Slack is fine for what it is. The wall was the gap between where we talk and where we work. Every conversation about a PR required switching to GitHub. Every deployment discussion needed someone to paste a link. Every file lived in a different silo. And none of it knew who we were beyond a username and a profile picture.
We already had AitherRelay — our IRC-inspired chat layer where humans and agents share channels. It had public rooms, DMs, threads, polls, reactions, forums. What it didn't have was privacy, structure, or any concept of "this is our space."
So we built Workspaces.
The Architecture: Workspace = Tenant
The core design decision was simple: every workspace is a tenant.
AitherOS already has a full multi-tenant system — TenantContext propagation through async chains, plan-tier enforcement, data isolation across Strata, Flux, Chronicle, Memory, and Graph. When you create a workspace, you get a tnt_ identifier. Every message, file, task, and reminder created inside that workspace is automatically scoped to its tenant.
Workspace "aitherium" (tnt_aitherium)
├── #aitherium-general (private, 6 members)
├── #aitherium-random (private, 6 members)
├── #aitherium-announcements (private, 6 members)
├── Tasks & TODOs (scoped to workspace tag)
├── Calendar & Reminders (scoped to workspace tag)
├── File Storage (Proton Drive mount)
└── GitHub Events (webhook → channel)
This wasn't a week of architecture work. The tenant system was already there. The workspace layer is roughly 400 lines of models and Redis persistence, plus API endpoints that delegate to existing services.
Authentication: One Login, Everywhere
The biggest UX problem with bolting chat onto an existing platform is authentication. You end up with two accounts — your "real" account and your chat nick.
We killed that. When you visit irc.aitherium.com, the middleware detects you're on the public domain and checks for an AitherIdentity session. No session? You see one button: "Sign in with AitherIdentity." The auth cookie is set on .aitherium.com so it works across every subdomain — demo, irc, chat, forge, all of them.
Once authenticated, the relay backend auto-provisions a relay account from your Identity profile. No registration form. No separate password. Your Identity username becomes your nick, your email comes along, your roles apply.
async def _auto_provision_relay_account(identity: dict):
nick = _identity_nick(identity)
if not nick:
return
existing = await _redis_get_account(nick)
if existing:
return
account = RelayAccount(
nick=nick,
password_hash="", # SSO — no relay password needed
email=identity.get("email", ""),
display_name=identity.get("display_name") or nick,
badges=["sso", "registered"],
)
_accounts[nick] = account
await _redis_save_account(account)
What Lives Inside a Workspace
A workspace isn't just channels. It's a scoped business context.
File Sharing + Proton Drive
Drag a file into any channel. It uploads to Strata (fast, local) and optionally mirrors to Proton Drive (encrypted, external sharing). The Proton integration supports two modes: bridge mount (filesystem) or API session. We chose mount mode — D:\aithershare on the host maps to /mnt/proton-drive in the container.
POST /v1/channels/{channel}/upload
→ Stores in Strata
→ Posts download link to channel
→ Optional: syncs to Proton Drive workspace folder
Files uploaded in workspace channels are automatically namespaced: Workspaces/aitherium/Shared/filename.pdf.
GitHub Webhook Integration
One webhook URL. Every push, PR, issue, and CI result auto-posts to the workspace's general channel.
POST /v1/webhooks/github
X-GitHub-Event: pull_request
→ Finds workspace linked to repo (Aitherium/AitherOS → aitherium)
→ Formats: "PR #892 opened by demiurge: feat(workspace): add file upload"
→ Posts to #aitherium-general
→ Broadcasts via WebSocket to all connected members
No separate GitHub notification service. No Slack app to configure. The webhook talks directly to the relay, which knows what workspace owns what repo.
Agent Group Chat (Aeon)
Every workspace can trigger multi-agent discussions. Post a question to POST /v1/workspaces/{slug}/aeon/chat and your configured agent preset (balanced, creative, technical, security) fires up. Agent responses land in the channel as regular messages.
Your business partner asks "what's the status of the auth migration?" in #aitherium-general, and Atlas, Hydra, and Aither discuss it — right there in the conversation history.
Tasks, Calendar, Mail
Each workspace has:
- Tasks —
POST /v1/workspaces/{slug}/tasks— delegates to TaskTracker, scoped byworkspace:slugtag - Reminders —
POST /v1/workspaces/{slug}/reminders— delegates to SchedulerLoop, posts to channel at scheduled time - Internal mail —
POST /v1/workspaces/{slug}/mail/send— routes through AitherMail for internal delivery, AitherSMTP for external
The SMTP bridge connects to ProtonMail via the bridge app. Internal notifications go through AitherMail's priority routing. @mention a teammate who's offline? They get an email.
What We Actually Use
The aitherium workspace was provisioned in one API call:
curl -X POST localhost:8205/v1/workspaces/provision -d '{
"tenant_id": "tnt_aitherium",
"slug": "aitherium",
"name": "Aitherium",
"owner": "wzns",
"members": [
{"nick": "david", "role": "admin"},
{"nick": "alice", "role": "member"}
],
"github_repo": "Aitherium/AitherOS",
"smtp_from_address": "team@aitherium.com"
}'
Three private channels created. Six members auto-joined. GitHub webhook delivering events. SMTP configured. All backed by the same tenant isolation that powers every other part of the platform.
The Stack
| Layer | Technology |
|---|---|
| Chat transport | WebSocket + REST (FastAPI) |
| Persistence | Redis (hot) + Strata (durable) |
| File storage | Strata + Proton Drive (mount) |
| Authentication | AitherIdentity SSO (JWT + session cookie) |
| Tenant isolation | AitherTenant (ContextVar propagation) |
| Agent integration | AitherAeon (multi-agent group chat) |
| AitherMail (internal) + AitherSMTP (ProtonMail Bridge) | |
| CI/CD events | GitHub webhook → relay endpoint |
| Access control | Channel membership + workspace roles (owner/admin/member) |
| CLI | MCP tools (16 functions) + PowerShell (7020_Relay-Workspace.ps1) |
| Frontend | React (WorkspacePanel, Settings, FileUpload, Search) |
What's Missing (Honestly)
- Voice/video — AitherTelephony exists but isn't wired to workspaces yet. For now we use a separate call link.
- Full Proton Drive API mode — The mount works great locally. API mode needs the Proton SRP auth flow which is complex. It's stubbed, not production.
- Mobile — The Telegram bridge could map workspace channels but doesn't yet. The web UI is responsive enough for phone browsers.
- Custom emoji — We have 8 quick reactions. Custom workspace emoji uploads would be nice.
- Scheduled messages — The calendar/reminder system can post to channels at a time, but there's no "schedule this message for 9am" UX.
Why Not Just Use Slack
Because Slack doesn't know our agents exist. Slack doesn't know what tenant you belong to. Slack can't trigger a multi-agent architecture discussion when you ask a question in a channel. Slack doesn't store files in your encrypted Proton Drive. Slack doesn't have 196 microservices behind it that already know your codebase, your goals, and your deployment history.
We needed a communication layer that was part of the platform, not adjacent to it.
Workspaces are that layer.
The workspace system ships in the feat(workspace) commit. 18 files changed, 4,085 insertions. All backend endpoints are live on the CommunicationCore compound (port 8205). Frontend components require Veil rebuild. The aitherium workspace is provisioned and accepting messages at irc.aitherium.com.