

























@@ -0,0 +1,110 @@
1+---
2+summary: "Operator roles, scopes, and approval-time checks for Gateway clients"
3+read_when:
4+ - Debugging missing operator scope errors
5+ - Reviewing device or node pairing approvals
6+ - Adding or classifying Gateway RPC methods
7+title: "Operator scopes"
8+---
9+10+Operator scopes define what a Gateway client may do after it authenticates.
11+They are a control-plane guardrail inside one trusted Gateway operator domain,
12+not hostile multi-tenant isolation. If you need strong separation between
13+people, teams, or machines, run separate Gateways under separate OS users or
14+hosts.
15+16+Related: [Security](/gateway/security), [Gateway protocol](/gateway/protocol),
17+[Gateway pairing](/gateway/pairing), [Devices CLI](/cli/devices).
18+19+## Roles
20+21+Gateway WebSocket clients connect with one role:
22+23+- `operator`: control-plane clients such as CLI, Control UI, automation, and
24+ trusted helper processes.
25+- `node`: capability hosts such as macOS, iOS, Android, or headless nodes that
26+ expose commands through `node.invoke`.
27+28+Operator RPC methods require the `operator` role. Node-originated methods
29+require the `node` role.
30+31+## Scope levels
32+33+| Scope | Meaning |
34+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
35+| `operator.read` | Read-only status, lists, catalog, logs, session reads, and other non-mutating control-plane calls. |
36+| `operator.write` | Normal mutating operator actions such as sending messages, invoking tools, updating talk/voice settings, and node command relay. Also satisfies `operator.read`. |
37+| `operator.admin` | Administrative control-plane access. Satisfies every `operator.*` scope. Required for config mutation, updates, native hooks, sensitive reserved namespaces, and high-risk approvals. |
38+| `operator.pairing` | Device and node pairing management, including listing, approving, rejecting, removing, rotating, and revoking pairing records or device tokens. |
39+| `operator.approvals` | Exec and plugin approval APIs. |
40+| `operator.talk.secrets` | Reading Talk configuration with secrets included. |
41+42+Unknown future `operator.*` scopes require an exact match unless the caller has
43+`operator.admin`.
44+45+## Method scope is only the first gate
46+47+Each Gateway RPC has a least-privilege method scope. That method scope decides
48+whether the request can reach the handler. Some handlers then apply stricter
49+approval-time checks based on the concrete thing being approved or mutated.
50+51+Examples:
52+53+- `device.pair.approve` is reachable with `operator.pairing`, but approving an
54+ operator device can only mint or preserve scopes the caller already holds.
55+- `node.pair.approve` is reachable with `operator.pairing`, then derives extra
56+ approval scopes from the pending node command list.
57+- `chat.send` is normally a write-scoped method, but persistent `/config set`
58+ and `/config unset` require `operator.admin` at command level.
59+60+This lets lower-scope operators perform low-risk pairing actions without making
61+all pairing approval admin-only.
62+63+## Device pairing approvals
64+65+Device pairing records are the durable source of approved roles and scopes.
66+Already paired devices do not get broader access silently: reconnects that ask
67+for a broader role or broader scopes create a new pending upgrade request.
68+69+When approving a device request:
70+71+- A request with no operator role does not need operator token scope approval.
72+- A request for `operator.read`, `operator.write`, `operator.approvals`,
73+`operator.pairing`, or `operator.talk.secrets` requires the caller to hold
74+ those scopes, or `operator.admin`.
75+- A request for `operator.admin` requires `operator.admin`.
76+- A repair request with no explicit scopes can inherit the existing operator
77+ token scopes. If that existing token is admin-scoped, approval still requires
78+`operator.admin`.
79+80+For paired-device token sessions, management is self-scoped unless the caller
81+also has `operator.admin`: non-admin callers can rotate, revoke, or remove only
82+their own device entry.
83+84+## Node pairing approvals
85+86+Legacy `node.pair.*` uses a separate Gateway-owned node pairing store. WS nodes
87+use device pairing with `role: node`, but the same approval-level vocabulary
88+applies.
89+90+`node.pair.approve` uses the pending request command list to derive additional
91+required scopes:
92+93+- Commandless request: `operator.pairing`
94+- Non-exec node commands: `operator.pairing` + `operator.write`
95+- `system.run`, `system.run.prepare`, or `system.which`:
96+`operator.pairing` + `operator.admin`
97+98+Node pairing establishes identity and trust. It does not replace the node's
99+own `system.run` exec approval policy.
100+101+## Shared-secret auth
102+103+Shared gateway token/password auth is treated as trusted operator access for
104+that Gateway. OpenAI-compatible HTTP surfaces and `/tools/invoke` restore the
105+normal full operator default scope set for shared-secret bearer auth, even if a
106+caller sends narrower declared scopes.
107+108+Identity-bearing modes, such as trusted proxy auth or private-ingress `none`,
109+can still honor explicit declared scopes. Use separate Gateways for real trust
110+boundary separation.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。