
#22374: Allow operator.admin to satisfy operator scope compatibility

by AIflow-Labs open 2026-02-21 03:02
size: XS
## What changed

- Treat `operator.admin` as sufficient for all operator scope requests in `operatorScopeSatisfied`.
- Add/align compatibility tests in `src/shared/operator-scope-compat.test.ts`.
- Update `src/infra/device-pairing.test.ts` expectation to match the new admin behavior.

## Why it fixes the issue

`operatorScopeSatisfied` previously treated only `operator.read`/`operator.write` as admin-compatible, while some paths relied on admin satisfying any operator scope request (for example, isolated cron pairing token checks). This aligns scope compatibility behavior with full operator admin semantics used elsewhere, preventing false `scope-mismatch` failures.

## Tests run

- `pnpm vitest run src/shared/operator-scope-compat.test.ts src/infra/device-pairing.test.ts`
- `pnpm check`

## Edge cases / notes

- `operator.write` requests are now accepted with `operator.admin`.
- No unrelated behavior changes beyond operator-scope compatibility checks.

### Greptile Summary

Extends `operator.admin` scope to satisfy all operator scope requests, fixing authorization mismatches in runtime paths like isolated cron pairing.

**Key Changes:**

- `operatorScopeSatisfied` in `src/shared/operator-scope-compat.ts:17` now checks for `operator.admin` first and returns true for any requested operator scope
- Updated test expectations in `src/shared/operator-scope-compat.test.ts` and `src/infra/device-pairing.test.ts` to align with the new admin behavior
- Maintains backward compatibility for `operator.read` being satisfied by `operator.write`

The logic is sound and consistent with typical RBAC semantics where an admin role has full privileges within its domain.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk
- The change is a focused, well-tested fix that aligns authorization semantics across the codebase. The implementation follows RBAC best practices where admin scopes grant full privileges. All tests pass, including comprehensive coverage of the new behavior with admin, read, write, and mixed scope scenarios.
- No files require special attention

Last reviewed commit: 5f54cb0
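
The compatibility rule described in this PR, as an added sketch that is not the project's `operatorScopeSatisfied` source: admin covers any operator scope, write covers read, and implication stops at the operator namespace. The names `scopeSatisfied` and `missingScopes` and the refusal of non-operator scopes are assumptions made for illustration.

```typescript
// Added sketch, not the project's source. Scope names come from the PR text;
// the function names and the handling of non-operator scopes are assumptions.
const OPERATOR_PREFIX = "operator.";
const OPERATOR_ADMIN = "operator.admin";
const OPERATOR_WRITE = "operator.write";
const OPERATOR_READ = "operator.read";

// True when one requested scope is covered by the granted set.
function scopeSatisfied(requested: string, granted: ReadonlySet<string>): boolean {
  // An exact grant always satisfies the request.
  if (granted.has(requested)) return true;
  // Implication applies only inside the operator namespace, so an operator
  // grant never covers a scope from another domain.
  if (!requested.startsWith(OPERATOR_PREFIX)) return false;
  // Behaviour described in the PR: admin covers any operator scope.
  if (granted.has(OPERATOR_ADMIN)) return true;
  // Behaviour the PR keeps: write covers read.
  return requested === OPERATOR_READ && granted.has(OPERATOR_WRITE);
}

// Returns the requested scopes that are NOT covered; an empty array means
// there is no scope mismatch.
function missingScopes(requested: readonly string[], granted: readonly string[]): string[] {
  const grantedSet = new Set(granted);
  return requested.filter((scope) => !scopeSatisfied(scope, grantedSet));
}
```

Returning the uncovered scopes rather than a bare boolean lets a caller log exactly which request caused a mismatch.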
