#21666: fix(gateway): restrict auto-paired device scopes to safe defaults
gateway
size: XS
Cluster:
Device Pairing and Gateway Fixes
## Summary
- When a local device auto-pairs (silent=true), it receives whatever scopes it self-declared in the connect request
- Any localhost process can silently obtain `operator.admin` scopes without user approval, creating a local privilege escalation vector
- Fix: intersect requested scopes with a safe default set (`operator.read`, `operator.write`) when auto-pairing, so silently paired devices cannot escalate to admin privileges
## Test plan
- Verify auto-paired (silent) local devices only receive scopes within the `DEFAULT_AUTO_PAIR_SCOPES` set
- Verify non-silent pairing requests continue to pass through all requested scopes for user approval
- Verify a localhost process requesting `operator.admin` only gets `operator.read` and `operator.write` after auto-pairing
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Restricted auto-paired local device scopes to safe defaults (`operator.read`, `operator.write`) to prevent local privilege escalation. Previously, localhost processes could silently obtain `operator.admin` scopes without user approval during auto-pairing.
- Added `DEFAULT_AUTO_PAIR_SCOPES` constant with safe scope whitelist
- Scope filtering now applies when `silent=true` and `reason="not-paired"`
- Non-silent (manual approval) pairing requests retain all requested scopes for user review
- Excludes sensitive scopes (`operator.admin`, `operator.approvals`, `operator.pairing`) from auto-pairing
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk - it's a focused security fix that properly addresses a local privilege escalation vulnerability
- The implementation is minimal, surgical, and correctly addresses the security issue. The logic properly distinguishes between silent auto-pairing (restricted scopes) and manual pairing (full user approval). The safe default set excludes admin/approvals/pairing scopes as intended. No edge cases or potential issues identified.
- No files require special attention
<sub>Last reviewed commit: 0881350</sub>
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
Most Similar PRs
#22280: fix(gateway): silently auto-approve local paired-device scope upgrades
by abhishekp76 · 2026-02-21
86.0%
#22712: fix(gateway): auto-approve all device pairing for localhost connect...
by NewdlDewdl · 2026-02-21
85.2%
#23708: fix(gateway): auto-approve scope upgrades for loopback clients
by widingmarcus-cyber · 2026-02-22
84.8%
#22587: fix(gateway): silently auto-approve local paired-device scope upgrades
by abhishekp76 · 2026-02-21
84.3%
#21664: fix(gateway): require re-pairing for legacy devices that lack scope...
by AI-Reviewer-QS · 2026-02-20
84.0%
#22794: fix: allow local clients to auto-pair without manual approval
by Matrix-Meta · 2026-02-21
83.9%
#17425: fix(gateway): auto-approve scope/role upgrades for already-paired d...
by sauerdaniel · 2026-02-15
83.5%
#21622: fix(gateway): include read/write in CLI default operator scopes
by zerone0x · 2026-02-20
82.8%
#22583: fix(gateway): add operator.write to scope hierarchy (#22574)
by lailoo · 2026-02-21
81.6%
#23690: fix(gateway): subagent sessions fail with pairing required on loopb...
by yinghaosang · 2026-02-22
81.3%