docs(m104): changelog — scope-based authorization#114
Merged
Conversation
Document the M104_001 auth-model change for API consumers and operators: the explicit scopes claim, the 403 UZ-AUTH-022 'Insufficient scope' shape, and the read<write<admin hierarchy. Correctly-provisioned principals see no behavior change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
Greptile PR #114: 'authorization reference' on changelog.mdx:36 was unlinked and no /authorization page exists. Link to the existing error-codes reference instead, reword to match what's there, and add the missing UZ-AUTH-022 row to the error-codes table (referenced in the changelog but absent from the registry page).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog entry for M104_001 (agentsfleet PR agentsfleet/agentsfleet#465): authorization is now scope-based — the explicit
scopesclaim,403 UZ-AUTH-022, and theread<write<adminhierarchy. Correctly-provisioned principals see no behavior change.🤖 Generated with Claude Code
Greptile Summary
This PR documents the M104 scope-based authorization change: a new
scopesJWT claim, theUZ-AUTH-022error code for scope denials, and theread < write < adminper-resource hierarchy.changelog.mdx— adds a Jun 30 Update entry explaining the behavior change, backward-compatibility guarantee, and what thescopesclaim and denial detail look like in practice, with a link to the error-codes reference.api-reference/error-codes.mdx— inserts theUZ-AUTH-022row into the auth table with the correct 403 status and a concretedetailfield example.Confidence Score: 5/5
Safe to merge — both files contain documentation-only additions with no executable logic.
The changes are purely additive documentation: one new table row and one new changelog entry. The error-codes addition is factually consistent with the described API behavior, and the changelog entry correctly links to the reference. No breaking changes to existing content.
No files require special attention beyond the open question about whether UZ-AUTH-009 and UZ-AUTH-010 warrant a deprecation notice alongside the new UZ-AUTH-022 entry.
Important Files Changed
Sequence Diagram
%%{init: {'theme': 'neutral'}}%% sequenceDiagram participant Client participant API as agentsfleetd participant Token as Token Validator Client->>API: Request with Bearer token API->>Token: Decode token Token-->>API: "claims { scopes: "fleet:admin credential:write workspace:admin" }" alt Required scope present (e.g. fleet:read satisfied by fleet:admin) API-->>Client: 200 OK else Required scope missing API-->>Client: "403 UZ-AUTH-022 { detail: "Requires scope fleet:admin" }" end Note over API,Token: read < write < admin hierarchy: Note over API,Token: fleet:admin satisfies fleet:write and fleet:read%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% sequenceDiagram participant Client participant API as agentsfleetd participant Token as Token Validator Client->>API: Request with Bearer token API->>Token: Decode token Token-->>API: "claims { scopes: "fleet:admin credential:write workspace:admin" }" alt Required scope present (e.g. fleet:read satisfied by fleet:admin) API-->>Client: 200 OK else Required scope missing API-->>Client: "403 UZ-AUTH-022 { detail: "Requires scope fleet:admin" }" end Note over API,Token: read < write < admin hierarchy: Note over API,Token: fleet:admin satisfies fleet:write and fleet:readReviews (2): Last reviewed commit: "docs(m104): link authorization ref, add ..." | Re-trigger Greptile