
[superlog] Add manage:websites scope to insights agent service auth #471

Status: Open
superlog-app[bot] wants to merge 1 commit into staging from superlog/fix-insights-manage-websites-scope


Conversation

superlog-app Bot commented Jun 12, 2026

Summary

The insights agent (insights-generate-website job) calls annotations.create and goals.update as part of its analysis run, but these operations fail with FORBIDDEN: API key missing required scope: manage:websites because the service auth context only grants read:data.

The annotations.create and goals.update RPC procedures both call withWorkspace with resource: "website", permissions: ["update"]. requiredScopesForResource("website", ["update"]) resolves to manage:websites via RESOURCE_SCOPE_OVERRIDES in packages/api-keys/src/scopes.ts. The insights agent's serviceAuth was missing this scope, so every attempt to create an annotation or update a goal is rejected with a 403.

The fix adds "manage:websites" to the scopes array in runInsightsAgent's serviceAuth. This is consistent with the existing ALWAYS_ON_TOOLS set which already includes create_annotation, update_goal, create_goal, and create_funnel — all of which require manage:websites to write to website resources.

An alternative approach would be to use a user session instead of service auth (passing the userId through to an impersonated session), but service auth with explicit scopes is the current pattern for background jobs in this codebase and is simpler.

Incident on Superlog



Summary by cubic

Add the manage:websites scope to the insights agent service auth so the insights-generate-website job can create annotations and update goals. This fixes 403 Forbidden errors in annotations.create and goals.update caused by the previous read:data-only scope.

Written for commit e77ba87. Summary will update on new commits.


vercel Bot commented Jun 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| databuddy-status | Ready | Preview, Comment | Jun 12, 2026 9:13am |

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| dashboard | Skipped | | Jun 12, 2026 9:13am |
| documentation | Skipped | | Jun 12, 2026 9:13am |

unkey-deploy Bot commented Jun 12, 2026

The latest updates on your projects. Learn more about Unkey Deploy

| Name | Status | Preview | Inspect | Updated (UTC) |
|---|---|---|---|---|
| api (preview) | Ready | Visit Preview | Inspect | Jun 12, 2026 9:13am |

greptile-apps Bot (Contributor) commented Jun 12, 2026

Greptile Summary

This PR fixes a FORBIDDEN error in the insights agent by adding the missing manage:websites scope to its serviceAuth context. Without this scope, every write operation (create_annotation, update_goal, create_goal, create_funnel) was rejected with a 403 because RESOURCE_SCOPE_OVERRIDES in scopes.ts maps all write permissions on the website resource to manage:websites.

  • The one-line addition to runInsightsAgent's serviceAuth.scopes array is consistent with ALWAYS_ON_TOOLS (which includes all four write tools) and with the scopes logic in packages/api-keys/src/scopes.ts.
  • No other serviceAuth contexts in the insights app are affected; this is the only call site.

Confidence Score: 5/5

Safe to merge — the change adds a single scope string to a service auth context to match what the agent's always-enabled write tools already require.

The fix is a one-line addition of manage:websites to a scopes array. The scope exists in API_SCOPES, the scope mapping logic in scopes.ts confirms it is exactly what withWorkspace requires for write operations on the website resource, and ALWAYS_ON_TOOLS already includes all four write tools that depend on it. There is only one serviceAuth call site in the insights app and no other code paths are touched.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| apps/insights/src/generation.ts | Adds "manage:websites" to the serviceAuth scopes in runInsightsAgent, unblocking the create_annotation, create_goal, update_goal, and create_funnel tools that are always enabled for the agent. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Job as insights-generate-website job
    participant Agent as ToolLoopAgent
    participant RPC as annotations.create / goals.update
    participant Auth as withWorkspace (scopes check)

    Job->>Agent: "runInsightsAgent({ serviceAuth: { scopes: ["read:data", "manage:websites"] } })"
    Agent->>RPC: create_annotation / update_goal (ALWAYS_ON_TOOLS)
    RPC->>Auth: requiredScopesForResource("website", ["update"/"create"])
    Auth-->>RPC: requires "manage:websites"
    RPC->>Auth: check serviceAuth.scopes includes "manage:websites"
    Auth-->>RPC: authorized (after fix)
    RPC-->>Agent: success
    Agent-->>Job: ParsedInsight[]
```
