Admin API

Why a separate module

Per-user isolation is the default. Cross-tenant queries — search all users for a string, list all user IDs, write to the unscoped shard — are sometimes necessary (audits, migrations, debugging) but should never be reachable from tab-completion on Memory. Atlaso puts them in their own module and requires a literal confirm string so the function is greppable by auditors.

Shape

from atlaso import Memory
from atlaso.admin import (
    search_across_users,
    list_all_user_ids,
    search_unscoped,
    add_unscoped,
)

m = Memory()

hits = search_across_users(
    m,
    "leaked api key",
    confirm="I_UNDERSTAND_THIS_CROSSES_TENANTS",
    limit=100,
)

The confirm parameter is a Literal["I_UNDERSTAND_THIS_CROSSES_TENANTS"] — static checkers reject any other value. Auditors can grep for the string to find every call site that crossed tenants.

Functions

• search_across_users(memory, query, *, confirm, limit=100) → list[Deposit]
• search_across_users_async(memory, query, *, confirm, limit=100)
• list_all_user_ids(memory, *, confirm) → list[str]
• search_unscoped(memory, query, *, confirm, limit=100) — searches the _unscoped/ shard atlaso uses for non-user-scoped deposits.
• add_unscoped(memory, text, *, confirm) — write into the unscoped shard.

Why "import is a code-review event"

Tab-completing m. never offers an admin verb. The word adminappears in the import statement and the confirm string appears in every call. Any reviewer reading a diff can't miss it. Greppable by design.