nylas · qasim-nylas · May 21, 2026 · May 25, 2026 · May 28, 2026 · May 28, 2026
diff --git a/cmd/nylas/main.go b/cmd/nylas/main.go
@@ -31,6 +31,7 @@ import (
 	"github.com/nylas/cli/internal/cli/update"
 	"github.com/nylas/cli/internal/cli/webhook"
 	"github.com/nylas/cli/internal/cli/workflow"
+	"github.com/nylas/cli/internal/cli/workspace"
 	"github.com/nylas/cli/internal/ui"
 )
 
@@ -66,6 +67,7 @@ func main() {
 	rootCmd.AddCommand(chat.NewChatCmd())
 	rootCmd.AddCommand(update.NewUpdateCmd())
 	rootCmd.AddCommand(workflow.NewWorkflowCmd())
+	rootCmd.AddCommand(workspace.NewWorkspaceCmd())
 
 	if err := cli.Execute(); err != nil {
 		cli.LogAuditError(err)

diff --git a/docs/COMMANDS.md b/docs/COMMANDS.md
@@ -458,20 +458,17 @@ Create and manage Nylas-managed agent accounts backed by provider `nylas`.
 nylas agent account list                       # List agent accounts
 nylas agent account create <email>             # Create agent account
 nylas agent account create <email> --app-password PW  # Create account with IMAP/SMTP app password
-nylas agent account create <email> --policy-id <policy-id>  # Create account attached to a policy
 nylas agent account update [agent-id|email] --app-password PW  # Add or rotate IMAP/SMTP app password
 nylas agent account get <agent-id|email>       # Show one agent account
 nylas agent account delete <agent-id|email>    # Delete/revoke agent account
 nylas agent account delete <agent-id|email> --yes  # Skip confirmation
-nylas agent policy list                        # List policy for default agent account
-nylas agent policy list --all                  # List all policies attached to agent accounts
+nylas agent policy list                        # List all policies
 nylas agent policy create --name NAME          # Create a policy
 nylas agent policy get <policy-id>             # Show one policy
 nylas agent policy read <policy-id>            # Read one policy
 nylas agent policy update <policy-id> --name NAME  # Update a policy
 nylas agent policy delete <policy-id> --yes    # Delete an unattached policy
-nylas agent rule list                          # List rules for default agent policy
-nylas agent rule list --all                    # List all rules attached to agent policies
+nylas agent rule list                          # List all rules
 nylas agent rule read <rule-id>                # Read one rule
 nylas agent rule get <rule-id>                 # Show one rule
 nylas agent rule create --name NAME --condition from.domain,is,example.com --action mark_as_spam  # Create a rule from common flags

diff --git a/docs/commands/agent-policy.md b/docs/commands/agent-policy.md
@@ -2,13 +2,12 @@
 
 Detailed reference for `nylas agent policy`.
 
-Agent policies are filtered through `provider=nylas` agent accounts in the CLI, even though the underlying policy objects are application-level resources.
+Policies are application-level resources backed by `/v3/policies`. They attach to workspaces via `policy_id`.
 
 ## Commands
 
 ```bash
 nylas agent policy list
-nylas agent policy list --all
 nylas agent policy create --name "Strict Policy"
 nylas agent policy create --data-file policy.json
 nylas agent policy get <policy-id>
@@ -18,45 +17,14 @@ nylas agent policy update <policy-id> --data-file update.json
 nylas agent policy delete <policy-id> --yes
 ```
 
-## Scope Model
-
-The CLI intentionally treats policies as an agent-scoped surface:
-
-- `nylas agent policy list` shows only the policy attached to the current default `provider=nylas` grant
-- `nylas agent policy list --all` shows only policies referenced by at least one `provider=nylas` agent account
-- text output includes the attached agent email and grant ID so you can see which agent account uses which policy
-
-This means:
-
-- a policy can exist in the application but still not appear under `nylas agent policy`
-- a policy with no attached `provider=nylas` account is hidden from the agent policy list
-
 ## Listing Policies
 
-### Default Agent Policy
-
 ```bash
 nylas agent policy list
 nylas agent policy list --json
 ```
 
-Behavior:
-
-- resolves the current default local grant
-- requires that default grant to be `provider=nylas`
-- returns the single attached policy for that grant
-
-### All Agent Policies
-
-```bash
-nylas agent policy list --all
-nylas agent policy list --all --json
-```
-
-Behavior:
-
-- lists all policies referenced by at least one `provider=nylas` agent account
-- text output includes one `Agent:` line per attached agent account
+Lists all policies from `/v3/policies`. Text output shows which workspace has each policy attached.
 
 ## Reading Policies
 
@@ -156,37 +124,29 @@ nylas agent policy delete <policy-id> --yes
 
 Safety rule:
 
-- delete is rejected if any `provider=nylas` agent account still references the policy
-
-To remove a policy from active use:
-
-1. create or choose another policy
-2. create future agent accounts with `--policy-id <new-policy-id>`
-3. remove or rotate away the attached agent accounts that still reference the old policy
-4. delete the now-unattached policy
+- delete is rejected if any `provider=nylas` agent workspace still references the policy
 
-## Relationship to Agent Accounts
+## Relationship to Workspaces
 
-Policies are primarily attached at agent account creation time:
+Policies attach to workspaces via `policy_id`. To assign a policy to an agent account's workspace:
 
 ```bash
-nylas agent account create me@yourapp.nylas.email --policy-id <policy-id>
+nylas workspace update <workspace-id> --policy-id <policy-id>
 ```
 
-The CLI now has `nylas agent account update`, but it currently manages mutable account settings such as `--app-password`, not `settings.policy_id`. In practice, policy attachment remains a create-time workflow on the agent account surface.
+The API auto-creates a default workspace and policy when an agent account is created.
 
 ## Troubleshooting
 
 If `nylas agent policy list` returns nothing:
 
-- make sure your default local grant is a `provider=nylas` account
-- verify the agent account actually has a `settings.policy_id`
-- try `nylas auth list` to confirm which grant is marked default
+- no policies have been explicitly created via `/v3/policies`
+- the API auto-creates a default policy on the workspace, but it does not appear in `/v3/policies`
 
 If `nylas agent policy delete` fails:
 
-- the policy is still attached to one or more `provider=nylas` agent accounts
-- run `nylas agent policy list --all` to see the attached agent mappings
+- the policy is still attached to one or more agent workspaces
+- run `nylas agent policy list` to see the attached workspace mappings
 
 ## See Also