From 233c1c77b2e9b28a6cd49fac0ac8057d74370045 Mon Sep 17 00:00:00 2001
From: hailin
Date: Mon, 9 Mar 2026 09:58:00 -0700
Subject: [PATCH] fix(agent): revert operator-sees-all, restore per-user isolation
Operators now only see their own instances (same as regular users). Admin role retains superuser view. Orphaned running instances were reassigned to hailin via DB update.
Co-Authored-By: Claude Sonnet 4.6
---
 .../interfaces/rest/controllers/agent-instance.controller.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/services/agent-service/src/interfaces/rest/controllers/agent-instance.controller.ts b/packages/services/agent-service/src/interfaces/rest/controllers/agent-instance.controller.ts
index 96f3e44..5615005 100644
--- a/packages/services/agent-service/src/interfaces/rest/controllers/agent-instance.controller.ts
+++ b/packages/services/agent-service/src/interfaces/rest/controllers/agent-instance.controller.ts
@@ -34,8 +34,8 @@ export class AgentInstanceController {
 const jwt = this.decodeJwt(req.headers?.['authorization'] as string | undefined);
 const userId = jwt?.sub;
 const roles: string[] = jwt?.roles ?? [];
- // Admins and operators see all instances; regular users only see their own
- if (!userId || roles.includes('admin') || roles.includes('operator')) {
+ // Admins see all instances; regular users only see their own
+ if (!userId || roles.includes('admin')) {
 return this.instanceRepo.findAll();
 }
 const instances = await this.instanceRepo.findByUserId(userId);
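Review bot: The rewritten condition `if (!userId || roles.includes('admin'))` still fails open: a request whose token is missing, undecodable or has no `sub` takes the same branch as an admin and receives `this.instanceRepo.findAll()`, which defeats the per-user isolation this commit restores. Unless an upstream guard guarantees a valid token here (not visible in the hunk), split the check so that only the admin role reaches `findAll()`, e.g. `if (!userId) return [];` (or the controller's usual 401 response) followed by `if (roles.includes('admin')) return this.instanceRepo.findAll();`. `roles` also comes straight from `decodeJwt`, whose body is outside the hunk; if that helper only decodes the payload without verifying the signature, the `admin` claim is caller-controlled, so a comment stating where verification happens would help. The enclosing method starts and ends outside the hunk.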