docs: qualify all admin bypass statements by token type

crivetimihai · crivetimihai · commit 4c3c910e86e8 · 2026-03-23T12:59:32.000Z
Fix remaining stale references that described admin bypass without distinguishing API/legacy tokens from session tokens: - AGENTS.md:112 — security invariant now references both normalize_token_teams() and resolve_session_teams() - multitenancy.md:1247 — enforcement summary now qualifies admin bypass per token type - rbac.md:246 — "Explicit Admin Bypass" section split by token type - rbac.md:639 — scoping strategy table corrected for session tokens Closes #3003 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
diff --git a/AGENTS.md b/AGENTS.md
@@ -109,7 +109,7 @@ ContextForge implements a **two-layer security model**:
 - Keep the two-layer model on every path:
   - Layer 1: token scoping controls what a caller can see.
   - Layer 2: RBAC controls what a caller can do.
-- Do not re-implement token team interpretation logic; always use `normalize_token_teams()` in `mcpgateway/auth.py`.
+- Do not re-implement token team interpretation logic; use `normalize_token_teams()` for API/legacy tokens and `resolve_session_teams()` for session tokens (both in `mcpgateway/auth.py`).
 - Do not accept inbound client auth tokens via URL query parameters.
 - Legacy `INSECURE_ALLOW_QUERYPARAM_AUTH` is interop-only for outbound peer auth and must remain opt-in and host-restricted.
 - High-risk transports must be feature-flagged and disabled by default.
diff --git a/docs/docs/architecture/multitenancy.md b/docs/docs/architecture/multitenancy.md
@@ -1244,7 +1244,7 @@ These behaviors are enforced consistently across all access paths:
 
 1. `normalize_token_teams()` is the canonical interpreter of JWT team claims; `resolve_session_teams()` is the single policy point for session tokens (always DB-resolved)
 2. Missing `teams` key always returns `[]` (public-only, secure default)
-3. Admin bypass requires BOTH `teams: null` AND `is_admin: true`, and both `token_teams=None` AND `user_email=None` in the service layer
+3. Admin bypass for API/legacy tokens requires BOTH `teams: null` AND `is_admin: true`; for session tokens, admin bypass is DB-derived (`is_admin` flag). In both cases the service layer requires `token_teams=None` AND `user_email=None` for unrestricted queries
 4. Empty teams list (`[]`) results in public-only access, even for admins
 5. All list endpoints pass `token_teams` to the service layer
 6. Service layer applies visibility filtering based on `token_teams` via `BaseService._apply_access_control()`
diff --git a/docs/docs/manage/rbac.md b/docs/docs/manage/rbac.md
@@ -243,8 +243,9 @@ Key points:
 
 2. **Explicit Admin Bypass**
 
-   - Admin bypass requires explicit `teams: null` AND `is_admin: true`
-   - Empty teams `[]` disables bypass even for admins
+   - API/legacy tokens: admin bypass requires explicit `teams: null` AND `is_admin: true`
+   - Session tokens: admin bypass is DB-derived (DB `is_admin` flag); JWT `teams` only narrows non-admin sessions
+   - Empty teams `[]` disables bypass even for admins (API/legacy tokens)
 
 3. **Scoped Automation Tokens**
 
@@ -636,7 +637,7 @@ When `AUTH_REQUIRED=false`:
 
 | Use Case | Recommended Token Scope |
 |----------|------------------------|
-| Admin UI access | Session token (`teams: null` + `is_admin: true`) |
+| Admin UI access | Session token (admin bypass is DB-derived; no `teams` claim needed) |
 | CI/CD pipeline | `teams: []` (public-only) |
 | Service integration | Specific team(s) |
 | Developer access | Personal team + project teams |
