#23039: fix: subagent announce fails with pairing required due to missing operator.write scope
agents
size: XS
Cluster: Device Pairing and Gateway Fixes
## Problem
When a sub-agent completes, `runSubagentAnnounceFlow` calls `callGateway()` for methods like `agent`, `send`, `chat.history`, etc. Without explicit scopes, `callGateway` resolves to least-privilege scopes per method (e.g., `operator.write` for `agent`).
If the device identity was originally paired with `[operator.admin, operator.approvals, operator.pairing]` but not `operator.write`, the gateway detects a scope-upgrade and rejects with "pairing required" (code 1008).
## Fix
Explicitly pass `ANNOUNCE_SCOPES` (`[operator.admin, operator.read, operator.write]`) to all `callGateway` calls in `src/agents/subagent-announce.ts`. This ensures the announce flow — which is an internal process running on the same machine — requests all needed scopes upfront rather than relying on least-privilege resolution that may trigger scope-upgrade rejection.
## Changes
- Added `ANNOUNCE_SCOPES` constant with admin + read + write scopes
- Added `scopes: ANNOUNCE_SCOPES` to all 7 `callGateway` calls in the announce flow
- No behavioral change for devices that already have all scopes paired
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Adds explicit scope declarations (`ANNOUNCE_SCOPES = [operator.admin, operator.read, operator.write]`) to all 7 `callGateway` calls in the subagent announce flow. This prevents "pairing required" errors when device identity was paired without `operator.write` scope, since the announce flow previously relied on least-privilege scope resolution that would trigger scope-upgrade rejection.
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with no risk
- The fix is narrowly scoped to a single file, addresses a specific authentication issue with a well-documented solution, and all modified `callGateway` calls legitimately require the scopes being requested. The approach of explicitly passing scopes for internal operations is sound and follows security best practices.
- No files require special attention
<sub>Last reviewed commit: 49b20a6</sub>
<!-- /greptile_comment -->
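A minimal model of the failure described under Problem, as an added example rather than code from this PR or the project: it treats scopes as a flat set, so any requested scope outside the paired set counts as an upgrade and closes with 1008. Only the `agent` to `operator.write` mapping comes from the page; the other mappings, the function names and the sample data are assumptions, and how the real gateway treats `operator.admin` is not shown here.

```typescript
// Added illustration; not the project's code. Flat scope model: no scope implies another.
type Scope = string;

// Least-privilege scope per method. Only agent -> operator.write is stated on the page;
// the other two rows are assumptions made for this example.
const LEAST_PRIVILEGE: Record<string, Scope[]> = {
  agent: ["operator.write"],
  send: ["operator.write"], // assumed
  "chat.history": ["operator.read"], // assumed
};

interface GatewayCall { method: string; scopes?: Scope[] }
interface Verdict { method: string; requested: Scope[]; missing: Scope[]; closeCode: number | null }

// Scopes a call requests: the explicit list if given, else the per-method default.
function resolveScopes(call: GatewayCall): Scope[] {
  return call.scopes ?? LEAST_PRIVILEGE[call.method] ?? [];
}

// Modelled scope-upgrade check: a requested scope outside the paired set
// is an upgrade and is rejected with 1008 ("pairing required").
function checkCall(paired: Scope[], call: GatewayCall): Verdict {
  const pairedSet = new Set(paired);
  const requested = resolveScopes(call);
  const missing = requested.filter((s) => !pairedSet.has(s));
  return { method: call.method, requested, missing, closeCode: missing.length ? 1008 : null };
}

// Preflight for a whole flow: which calls would be rejected, and for which scopes.
function preflight(paired: Scope[], calls: GatewayCall[]): Verdict[] {
  return calls.map((c) => checkCall(paired, c)).filter((v) => v.closeCode !== null);
}

// Constructed sample data.
const LEGACY_PAIRED = ["operator.admin", "operator.approvals", "operator.pairing"];
const ANNOUNCE_SCOPES = ["operator.admin", "operator.read", "operator.write"];
const flow: GatewayCall[] = [{ method: "agent" }, { method: "send" }, { method: "chat.history" }];

// Device paired without read/write: every defaulted call is flagged.
for (const v of preflight(LEGACY_PAIRED, flow)) {
  console.log(`${v.method}: missing ${v.missing.join(", ")} -> close ${v.closeCode}`);
}

// Device already paired with all announce scopes: explicit scopes change nothing.
const explicit = flow.map((c) => ({ ...c, scopes: ANNOUNCE_SCOPES }));
console.log(`fully paired device, rejected calls: ${preflight(ANNOUNCE_SCOPES, explicit).length}`);
```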
Most Similar PRs
#23708: fix(gateway): auto-approve scope upgrades for loopback clients
by widingmarcus-cyber · 2026-02-22
84.4%
#23690: fix(gateway): subagent sessions fail with pairing required on loopb...
by yinghaosang · 2026-02-22
84.4%
#22583: fix(gateway): add operator.write to scope hierarchy (#22574)
by lailoo · 2026-02-21
82.8%
#22666: fix(gateway): operator.admin should imply all operator scopes
by maximveksler · 2026-02-21
81.7%
#21622: fix(gateway): include read/write in CLI default operator scopes
by zerone0x · 2026-02-20
81.2%
#21664: fix(gateway): require re-pairing for legacy devices that lack scope...
by AI-Reviewer-QS · 2026-02-20
80.9%
#21476: fix(cli): include operator.read in default CLI scopes
by heyrtl · 2026-02-20
80.4%
#21666: fix(gateway): restrict auto-paired device scopes to safe defaults
by AI-Reviewer-QS · 2026-02-20
80.2%
#17195: fix: Add operator.read/write scopes to Dashboard auto-pairing
by MisterGuy420 · 2026-02-15
80.2%
#17127: fix(webchat): include operator.read and operator.write in connect s...
by brandonwise · 2026-02-15
80.2%