Use workers:read scope instead of workers:write (#180)

Maximo-Guk · web-flow · commit 2621557548e3 · 2025-06-09T16:36:58.000-05:00
* Update agents and modelcontext dependencies

* Support AOT tokens

* Use new workers:read scope instead of workers:write, as these mcp servers don't require workers write permissions
diff --git a/.changeset/rich-chefs-nail.md b/.changeset/rich-chefs-nail.md
@@ -0,0 +1,7 @@
+---
+'workers-observability': minor
+'containers-mcp': minor
+'workers-bindings': minor
+---
+
+Use new workers:read scope instead of workers:write, as these mcp servers don't require workers write permissions
diff --git a/apps/sandbox-container/server/sandbox.server.app.ts b/apps/sandbox-container/server/sandbox.server.app.ts
@@ -33,8 +33,6 @@ export type Props = AuthProps
 const ContainerScopes = {
 	...RequiredScopes,
 	'account:read': 'See your account info such as account details, analytics, and memberships.',
-	'workers:write':
-		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 } as const
 
 export default {
diff --git a/apps/workers-observability/src/workers-observability.app.ts b/apps/workers-observability/src/workers-observability.app.ts
@@ -118,7 +118,7 @@ export class ObservabilityMCP extends McpAgent<Env, State, Props> {
 const ObservabilityScopes = {
 	...RequiredScopes,
 	'account:read': 'See your account info such as account details, analytics, and memberships.',
-	'workers:write':
+	'workers:read':
 		'See and change Cloudflare Workers data such as zones, KV storage, namespaces, scripts, and routes.',
 	'workers_observability:read': 'See observability logs for your account',
 } as const
