single-node-api-raises-permissionerror

IN premise

API functions that target a single node by ID (`show_node`, `explain_node`, `trace_assumptions`, `trace_access_tags`) raise `PermissionError` when the caller lacks clearance; collection endpoints silently filter instead.

Summary

When you call an API function that looks up one specific node by its ID, the system will throw a PermissionError if you don't have sufficient clearance to see that node. But when you call functions that return lists or collections of nodes, restricted nodes are quietly omitted from the results rather than causing an error. This means callers need to handle two different access-denial patterns depending on whether they're fetching a single item or browsing a set.

Dependents

These beliefs depend on this one:

Details

Sourceentries/2026/04/24/tests-test_access_tags.md