docs: add Gateway Operator Scopes feature page (fixes #810) #828
Fixes #810 — documents OperatorScope, auth_scopes policy, scope-gated routes, and backward-compatible defaults for multi-operator gateways.

Co-authored-by: Cursor <cursoragent@cursor.com>
Code Review
This pull request introduces documentation for the Gateway Operator Scopes feature, which enables role-based access control for multi-operator Gateway deployments. The review feedback points out a few areas for improvement, including correcting grammatical phrasing, ensuring US English spelling consistency (e.g., 'behavior' and 'defense'), and fixing incorrect API endpoint paths for the allowlist to prevent 404 errors.
icon: "shield-check"
---

Operator scopes grant teammates least-privilege access to a shared Gateway — read-only dashboards, send-but-not-approve operators, or full admins — without handing over the whole keys.
The phrase "without handing over the whole keys" is grammatically awkward. Consider changing it to "without handing over the master keys" or "without handing over all the keys" for better clarity and professional tone.
Operator scopes grant teammates least-privilege access to a shared Gateway — read-only dashboards, send-but-not-approve operators, or full admins — without handing over the master keys.
</Steps>

<Note>
When **no** `auth_scopes` policy is configured, every successfully authenticated client is granted **all** scopes — identical to today's binary auth behaviour. Single-operator setups need no changes.

| `/api/approval/allowlist` | GET | any authenticated |
| `/api/approval/allowlist` | POST/DELETE | `approvals` |
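Review bot: the Note describes a fail-open default (no `auth_scopes` policy means every authenticated client holds every scope, including `approvals`) but does not say what follows from it: an operator who adds a second teammate's credentials before configuring the policy has handed that teammate full access. Suggest adding one sentence to the Note stating that the `auth_scopes` policy must be in place before a second operator's credentials are issued, since configuring it is what switches scope enforcement on. Also, "behaviour" should be "behavior" for the US spelling used elsewhere in these docs.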
The actual endpoint implemented in the gateway server is /api/approval/allow-list (with a hyphen), as defined in praisonai/gateway/server.py (line 992). Using /api/approval/allowlist (without a hyphen) will result in a 404 error. Please update the route paths in this table to use /api/approval/allow-list.
</Accordion>

<Accordion title="Pair approvals with the allowlist">
Combine `approvals` scope with `/api/approval/allowlist` for defence-in-depth on tool execution.
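Review bot: the same path problem already flagged for the route table recurs in this Accordion body. `/api/approval/allowlist` should read `/api/approval/allow-list` (hyphenated) to match the route the gateway server actually registers, otherwise a reader who copies it gets a 404. "defence-in-depth" should also be "defense-in-depth" for US spelling consistency.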
Summary
- `docs/features/gateway-operator-scopes.mdx` covering OperatorScope enum, auth_scopes policy, scope-gated routes, and backward-compatible defaults
- `docs.json` under Integration & Infrastructure
- Fixes #810
Test plan
- `python3 -c "import json; json.load(open('docs.json'))"` passes

Made with Cursor
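To make the documented behavior concrete, here is an added Python example of scope-gated route authorization as this page describes it: no `auth_scopes` policy means every authenticated client gets all scopes, a configured policy restricts clients to the scopes they were granted, and the allow-list mutation routes require `approvals`. This is illustration code written for this review, not the praisonai gateway's implementation. The `OperatorScope` member names other than `approvals`, the `AuthScopesPolicy` class, the rule that `admin` implies every other scope, and the fail-closed treatment of an authenticated token the policy does not list are all assumptions; the route paths use the hyphenated `/api/approval/allow-list` spelling the review identified as the server's actual route.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class OperatorScope(str, Enum):
    """Assumed member names; the page itself only names `approvals`."""
    READ = "read"
    SEND = "send"
    APPROVALS = "approvals"
    ADMIN = "admin"


ALL_SCOPES: frozenset[OperatorScope] = frozenset(OperatorScope)

# (method, path) -> scope required, or None for "any authenticated client".
# Hyphenated /api/approval/allow-list is the spelling the review identified
# as the server's actual route.
ROUTE_SCOPES: dict[tuple[str, str], OperatorScope | None] = {
    ("GET", "/api/approval/allow-list"): None,
    ("POST", "/api/approval/allow-list"): OperatorScope.APPROVALS,
    ("DELETE", "/api/approval/allow-list"): OperatorScope.APPROVALS,
}


@dataclass(frozen=True)
class AuthScopesPolicy:
    """Maps an operator token to its granted scopes. An empty mapping models
    'no auth_scopes policy configured' (the backward-compatible default)."""
    grants: dict[str, frozenset[OperatorScope]] = field(default_factory=dict)

    def scopes_for(self, token: str) -> frozenset[OperatorScope]:
        if not self.grants:
            # Documented default: no policy -> every authenticated client gets all scopes.
            return ALL_SCOPES
        # Assumption: once a policy exists, an authenticated token it does not list
        # gets no scopes rather than falling back to all of them (fail closed).
        return self.grants.get(token, frozenset())


def authorize(policy: AuthScopesPolicy, valid_tokens: frozenset[str],
              token: str, method: str, path: str) -> tuple[int, str]:
    """Return (HTTP status, reason). Authentication is checked before scopes,
    and 401 vs 403 are kept distinct so the two failures can be told apart."""
    if token not in valid_tokens:
        return 401, "unauthenticated"
    key = (method.upper(), path)
    if key not in ROUTE_SCOPES:
        return 404, "unknown route"
    required = ROUTE_SCOPES[key]
    if required is None:
        return 200, "ok"
    granted = policy.scopes_for(token)
    # Assumption: `admin` implies every other scope ("full admins" on the page).
    if OperatorScope.ADMIN in granted or required in granted:
        return 200, "ok"
    return 403, f"missing scope {required.value}"


# Constructed scenario: three operators sharing one gateway.
TOKENS = frozenset({"tok-viewer", "tok-sender", "tok-admin"})
SCOPED = AuthScopesPolicy({
    "tok-viewer": frozenset({OperatorScope.READ}),
    "tok-sender": frozenset({OperatorScope.READ, OperatorScope.SEND}),
    "tok-admin": frozenset({OperatorScope.ADMIN}),
})
LEGACY = AuthScopesPolicy()  # no auth_scopes policy configured


def demo() -> dict[str, int]:
    """Status codes for the same requests under the legacy and scoped policies."""
    path = "/api/approval/allow-list"
    return {
        "legacy_viewer_post": authorize(LEGACY, TOKENS, "tok-viewer", "POST", path)[0],
        "scoped_viewer_post": authorize(SCOPED, TOKENS, "tok-viewer", "POST", path)[0],
        "scoped_viewer_get": authorize(SCOPED, TOKENS, "tok-viewer", "GET", path)[0],
        "scoped_admin_delete": authorize(SCOPED, TOKENS, "tok-admin", "DELETE", path)[0],
        "scoped_unknown_token": authorize(SCOPED, TOKENS, "tok-nope", "POST", path)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The `legacy_viewer_post` case is the one worth noticing: under the no-policy default the read-only teammate can mutate the allow-list with a 200, and only the configured policy turns that into a 403. That is the backward-compatible behavior the Note describes, and the reason the policy should exist before a second operator's token does.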