
feat(seer): Gate Seer agent write requests behind user approval #118223

Draft
gricha wants to merge 1 commit into master from greg/agent-write-permission-gate

gricha (Member) commented Jun 23, 2026

What

A server-side gate so the Seer agent can't make mutating Sentry API calls without explicit user approval. Prototype, flag-gated (organizations:seer-agent-write-gate), default off.

How

  • An agent request (X-Is-Agent header + trusted viewer-context auth) has its scopes masked to read-only — the same trick demo mode already uses. Reads pass; writes fail the normal scope check.
  • A blocked write returns a structured 403 with a nonce + approval endpoint, and records a pending SeerAgentWriteGrant.
  • The user approves via GET/POST /api/0/organizations/{org}/agent/approve/{nonce}/ from their own session. Once approved, the matching scope is unmasked and the agent's retry goes through.
  • No new credential is ever minted — the gate only removes scopes, so there's nothing to leak.

Security (IDOR)

  • Approval requires the authenticated user to be the grant's user; another org member can't approve or read it.
  • Grant lookup is org-scoped; a nonce can't cross orgs.
  • The agent carries the user's identity, so approval is blocked for viewer-context sessions — it can't self-approve.
  • A grant can never exceed the user's own role scopes.

Scope / not yet

  • Covers OrganizationPermission-derived endpoints. Project-scoped and non-ScopedPermission endpoints aren't gated yet (deferred).
  • Seer-side changes (sending the header, showing the approval prompt, retrying) are a separate change.

Tests

19 tests: masking, challenge, grant unmask/expiry, flag-off no-op, plus the IDOR cases above. Planning artifacts under openspec/changes/add-agent-write-permission-gate/.

Add a server-side permission gate so the Seer agent cannot perform mutating
Sentry API requests without explicit user approval.

Agent requests (X-Is-Agent header + trusted viewer-context auth) have their
effective scopes masked to read-only, mirroring the demo-mode read-only path,
unless an approved SeerAgentWriteGrant covers the required scope. A masked-out
write returns a structured 403 challenge with a nonce and approval endpoint;
the user approves via a first-party, user-authenticated API. Approval is
IDOR-safe: bound to the acting user and organization, and blocked for
viewer-context (agent) sessions so the agent cannot self-approve.

Flag-gated (organizations:seer-agent-write-gate), default off. Covers
OrganizationPermission-derived endpoints; broader coverage is deferred.

Co-Authored-By: Claude <noreply@anthropic.com>
github-actions bot added the "Scope: Backend" label (automatically applied to PRs that change backend components) Jun 23, 2026
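A minimal model of the gate flow from the PR description (mask to read-only, nonce challenge, user-bound approval, retry), added here as an illustration and not taken from the PR's code. The scope names, `TTL`, the `Grant` fields and the function names are assumptions; only `SeerAgentWriteGrant`, the nonce challenge and the approval path come from the description.

```python
import secrets
import time
from dataclasses import dataclass

READ_ONLY = {"org:read", "project:read", "event:read"}  # assumed read-only scope set
TTL = 300  # assumed grant lifetime in seconds

@dataclass
class Grant:  # stand-in for the PR's SeerAgentWriteGrant; fields are assumptions
    org: str
    user: str
    scope: str
    expires: float
    approved: bool = False

GRANTS = {}  # nonce -> Grant (in-memory stand-in for the grant table)

def effective_scopes(org, user, role_scopes, is_agent, now):
    """Agent requests keep read scopes plus approved, unexpired grant scopes."""
    if not is_agent:
        return set(role_scopes)
    unmasked = {g.scope for g in GRANTS.values()
                if g.approved and g.org == org and g.user == user and g.expires > now}
    # Intersect with role_scopes so a grant can never exceed the user's own role.
    return (set(role_scopes) & READ_ONLY) | (unmasked & set(role_scopes))

def handle(org, user, role_scopes, is_agent, required, now=None):
    """Return (status, body) for a request that needs the `required` scope."""
    now = time.time() if now is None else now
    if required in effective_scopes(org, user, role_scopes, is_agent, now):
        return 200, {}
    if is_agent and required in role_scopes:
        # Masked-out write: record a pending grant and return the challenge.
        nonce = secrets.token_urlsafe(16)
        GRANTS[nonce] = Grant(org, user, required, now + TTL)
        return 403, {"nonce": nonce,
                     "approve": f"/api/0/organizations/{org}/agent/approve/{nonce}/"}
    return 403, {}  # the user's role lacks the scope: nothing to approve

def approve(org, user, nonce, session_is_agent, now=None):
    """Approve a pending grant; every failure mode returns the same False."""
    now = time.time() if now is None else now
    g = GRANTS.get(nonce)
    if session_is_agent or g is None or g.org != org or g.user != user or g.expires <= now:
        return False  # agent session, unknown nonce, wrong org, wrong user, or expired
    g.approved = True
    return True
```

Returning one undifferentiated failure from `approve` means a caller probing nonces cannot tell "wrong user" from "no such grant".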