🔒 Vuln-DB Access Control — live permissions

The same retrieval, two ways — permissionless (Security Admin, left) vs permissioned (the scoped Query Agent, right). Change the agent's grant on context_runtime.vulns below and the right column re-slices live: withheld hits are dimmed (row scope), masked fields show as •••.

Query Agent — grant

Role
Grants
Row scope — ecosystems the agent may read (owns_rows_of)
Column mask
Query filter
Security Adminrole: security · full access (permissionless)
Query Agentscoped grant
The decision mirrors the enterprise PermissionsPlane: privileged bypass → database grant → table grant → row scope (owns_rows_of) → column mask. Min-CVSS is a shared query filter (applies to both), not a permission.