From 9db4484857deac629597dede3d8974500d58e096 Mon Sep 17 00:00:00 2001 From: Kishore Kumar Date: Fri, 3 Jul 2026 09:27:32 +0530 Subject: [PATCH 1/2] =?UTF-8?q?docs(m109-004):=20operator-UI=20scope=20mig?= =?UTF-8?q?ration=20=E2=80=94=20changelog=20+=20retire=20UZ-AUTH-021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - changelog: operator dashboard (runners, model catalogue) now gated on the same resource:action scopes the API enforces, not a separate platform-admin flag; UZ-AUTH-021 retired → UZ-AUTH-022 (insufficient scope); downward scope hierarchy applies on the dashboard as at the API. - error-codes: retire the UZ-AUTH-021 row (backend registry never defined it; §4 removed the last minter) with a note pointing to UZ-AUTH-022. Co-Authored-By: Claude Opus 4.8 (1M context) --- api-reference/error-codes.mdx | 6 +++++- changelog.mdx | 11 +++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/api-reference/error-codes.mdx b/api-reference/error-codes.mdx index f4f1df1..c5fb0f0 100644 --- a/api-reference/error-codes.mdx +++ b/api-reference/error-codes.mdx 
@@ -82,7 +82,11 @@ The device-style flow behind `agentsfleet login` (verification code + dashboard | `UZ-AUTH-018` | 400 | Invalid verification code shape | `verification_code` must be exactly 6 ASCII digits | | `UZ-AUTH-019` | 400 | Invalid ciphertext | `ciphertext` missing or empty — expect base64url-encoded AES-256-GCM output | | `UZ-AUTH-020` | 400 | Invalid nonce | `nonce` missing, empty, or wrong length — expect a base64url-encoded 12-byte value | -| `UZ-AUTH-021` | 403 | Platform-admin privileges required | Action restricted to agentsfleet platform operators | + +{/* UZ-AUTH-021 ("Platform-admin privileges required") retired — the operator + plane is gated on explicit `resource:action` scopes now, so a missing + operator capability returns `UZ-AUTH-022` (Insufficient scope) like any + other scope gate. See the changelog entry for the operator-UI scope migration. */} ## API keys diff --git a/changelog.mdx b/changelog.mdx index 6ebf7cc..4a7a39d 100644 --- a/changelog.mdx +++ b/changelog.mdx 
@@ -33,6 +33,17 @@ export const STAGE_SELF_MANAGED_M66 = "$0.0001"; - **Empty states** — empty Fleets and Events views now use simple "No ... found" copy, with direct links to install or create the next template. - **Models navigation** — the dashboard nav now labels the page **Models**, and **Bring your own key** uses the same primary button style as **Install fleet**. - **Route motion** — dashboard route changes no longer wobble; loading states rely on the spinner. + + + + ## Operator dashboard access follows the same scopes as the API + + The platform-operator surfaces — the runner fleet and the model catalogue — are now gated on the operator's explicit `resource:action` scopes, the same capabilities the API enforces on those routes, instead of a separate platform-admin flag that had to be set independently. A correctly-scoped operator reaches the dashboard surface, and there is no longer a second place for that access to drift out of sync with the API. + + - **Error code** — a request missing an operator capability now returns `UZ-AUTH-022` (Insufficient scope), whose `detail` names the scope required; the former `UZ-AUTH-021` ("platform-admin privileges required") is retired. + - **Scope hierarchy** — a held higher scope satisfies a lower one on the dashboard exactly as it does at the API (`model:admin` covers `model:read`, `runner:write` covers `runner:read`), so an operator granted the write rung sees the read-gated view without a second grant. + + Marketing-site analytics also recovers from a transient load failure now instead of staying dark for the rest of the visit. The route method-check consolidation behind these changes is internal and has no visible effect. From f64e20c52f2b0c71c10c80fcd5035e691f46fac7 Mon Sep 17 00:00:00 2001 From: Kishore Kumar Date: Fri, 3 Jul 2026 12:46:47 +0530 Subject: [PATCH 2/2] docs(api): keep retired UZ-AUTH-021 visible --- api-reference/error-codes.mdx | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
diff --git a/api-reference/error-codes.mdx b/api-reference/error-codes.mdx index c5fb0f0..8c22b7a 100644 --- a/api-reference/error-codes.mdx +++ b/api-reference/error-codes.mdx @@ -82,11 +82,7 @@ The device-style flow behind `agentsfleet login` (verification code + dashboard | `UZ-AUTH-018` | 400 | Invalid verification code shape | `verification_code` must be exactly 6 ASCII digits | | `UZ-AUTH-019` | 400 | Invalid ciphertext | `ciphertext` missing or empty — expect base64url-encoded AES-256-GCM output | | `UZ-AUTH-020` | 400 | Invalid nonce | `nonce` missing, empty, or wrong length — expect a base64url-encoded 12-byte value | - -{/* UZ-AUTH-021 ("Platform-admin privileges required") retired — the operator - plane is gated on explicit `resource:action` scopes now, so a missing - operator capability returns `UZ-AUTH-022` (Insufficient scope) like any - other scope gate. See the changelog entry for the operator-UI scope migration. */} +| ~~`UZ-AUTH-021`~~ | 403 | ~~Platform-admin privileges required~~ | Historical: this code was used before `UZ-AUTH-022` was introduced. Operator checks now return `UZ-AUTH-022` (Insufficient scope) with `detail` naming the required scope. | ## API keys
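Review bot: in PATCH 1/2, the `api-reference/error-codes.mdx` hunk at `@@ -82,7 +82,11 @@` puts the retirement note inside an MDX comment (`{/* UZ-AUTH-021 ... */}`), so it does not render and a reader searching the published table for `UZ-AUTH-021` finds nothing, although the commit message describes it as a note pointing to `UZ-AUTH-022`. Keep a visible row, or a sentence under the table, that marks the code retired and names `UZ-AUTH-022` as the replacement. The hunk's context also shows this table ending at the auth rows with `## API keys` next and no `UZ-AUTH-022` row in view, so confirm that code is documented somewhere the note can link to.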
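Review bot: in PATCH 1/2, the `changelog.mdx` hunk at `@@ -33,6 +33,17 @@` says the separate platform-admin flag is replaced by `resource:action` scopes but does not say what happens to an operator who held only that flag; as written, such an operator would appear to get `UZ-AUTH-022` on the runner fleet and model catalogue until scopes are granted. Add a line stating whether existing flag holders were migrated to scopes or must be re-granted, and which scopes the two surfaces require. The hierarchy bullet gives two pairs (`model:admin` covers `model:read`, `runner:write` covers `runner:read`) without the full rung order, so list the order or link the scope reference. The closing marketing-site analytics sentence is unrelated to the heading and would read better as its own entry.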
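Review bot: in PATCH 2/2, the restored row at `@@ -82,11 +82,7 @@` says the code "was used before `UZ-AUTH-022` was introduced", which gives no release or date for the retirement and sits oddly beside the PATCH 1/2 commit message, which says the backend registry never defined `UZ-AUTH-021`. State when the code stopped being returned, or link the changelog entry for the operator-UI scope migration as the removed comment did, so clients with a handler for `UZ-AUTH-021` know whether it can still appear. The `403` cell is left unstruck while the code and title are struck through; strike all three or none so the row reads consistently.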