Access modes and required scopes

Compare remediation_access_mode, required_scopes, approved_scope and revoked_at before requesting any connected platform access.

Site owners, developers and agencies

Feature availability

Product, package, provider and deployment boundaries for this page.

Available from: Current documentation
Providers: wordpress, woocommerce, shopify, gtm, cmp
Deployment modes: cloud, self-hosted

Before choosing an access mode

Use this page before asking a customer to grant repository, CMS, Shopify, GTM, CMP/config or agency-managed access. The goal is to choose the minimum access mode that can complete the documented fix, diagnostic or retest without collecting unnecessary credentials, customer data or write capability. Do not treat connected access as the default. Ticket-only, read-only and review-only paths should remain available whenever they can complete the work safely.

Choose the minimum safe scope

Follow the path `Report finding → Access mode comparison → Required scopes → Customer approval → Revoke or fallback`.

  1. Open /reports/{report} and review the finding, fix task and platform access options. Result: remediation_access_mode is visible before any connected access request is made.
  2. Start with ticket-only, read-only or review-only access when it can complete the task. Result: required_scopes are compared against the exact issue, provider and evidence need.
  3. Select connected repository, CMS, Shopify, GTM or CMP access only when the task cannot proceed safely without it. Result: approved_scope names the provider, account, site, container or config surface and action boundary.
  4. Confirm approval and revoke path before the customer grants access. Result: the customer can see who approves the scope and how revoked_at will be recorded after revoke.
  5. Reject scope broader than the task needs. Result: admin, publish, write, order/customer data or credential access does not proceed unless the exact approved flow requires it.
  6. Continue to Safe fallback paths whenever required_scopes are unsupported, unsafe or missing approval. Result: ticket-only or customer-applied remediation remains available without unsafe access.

Ready access mode states

Continue only when the product shows a scoped and customer-safe state.

  • Ticket-only ready means remediation can continue without connected access.
  • Read-only ready means evidence or code can be inspected without changing customer systems.
  • Review-only ready means a draft, patch, tag recommendation or config recommendation can be reviewed before any write action.
  • Connected scope approved means approved_scope matches the exact provider, resource and action boundary.
  • Revoke path visible means revoked_at can be recorded when access is no longer needed or becomes unsafe.

Blocked or unsafe scope states

Do not work around unsafe scope. Use fallback or a narrower access mode before asking the customer to approve anything.

  • Scope too broad means the requested role, permission or data access exceeds the task and must be rejected.
  • Unsupported provider means use Safe fallback paths or a customer-applied instruction path.
  • Missing approval means keep work ticket-only, read-only or review-only until the customer approves approved_scope.
  • Credential request means stop and use the product access workflow or ticket-only fallback.
  • Customer data requested means reject the scope unless the documented task explicitly requires that data and has a dedicated approved flow.
  • Revoked access means do not reconnect without a new customer-approved scope.
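
The ready and blocked states above can be checked in one gate function. This is an added example, not the product's own code: the field, provider and mode names come from this page, while the `AccessRequest` shape, the `requested_scopes` field, the scope strings and the order of the checks are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Provider and mode names are taken from the page; scope strings are constructed.
PROVIDERS = {"wordpress", "woocommerce", "shopify", "gtm", "cmp"}
UNCONNECTED_MODES = {"ticket-only", "read-only", "review-only"}

@dataclass(frozen=True)
class AccessRequest:
    provider: str
    remediation_access_mode: str
    required_scopes: frozenset                   # what the documented task needs
    requested_scopes: frozenset                  # assumed field: what is being asked for
    approved_scope: Optional[frozenset] = None   # None until the customer approves
    revoked_at: Optional[str] = None             # set once access has been revoked

def evaluate(req: AccessRequest) -> str:
    """Return the ready or blocked state for one access request."""
    if "credentials" in req.requested_scopes:
        return "blocked: credential request"      # stop regardless of mode
    if "customer_data" in req.requested_scopes - req.required_scopes:
        return "blocked: customer data requested"
    if req.requested_scopes - req.required_scopes:
        return "blocked: scope too broad"         # anything beyond the task is rejected
    if req.remediation_access_mode in UNCONNECTED_MODES:
        return "ready: " + req.remediation_access_mode
    if req.remediation_access_mode != "connected":
        raise ValueError("unknown remediation_access_mode")
    if req.provider not in PROVIDERS:
        return "blocked: unsupported provider"
    if req.revoked_at is not None:
        return "blocked: revoked access"          # needs a new request and approval
    if req.approved_scope is None or not req.requested_scopes <= req.approved_scope:
        return "blocked: missing approval"
    return "ready: connected scope approved"

def next_step(state: str) -> str:
    return "continue" if state.startswith("ready") else "safe fallback paths"

if __name__ == "__main__":
    # Constructed request: a GTM fix that needs read access but asks for publish too.
    req = AccessRequest("gtm", "connected",
                        required_scopes=frozenset({"container:read"}),
                        requested_scopes=frozenset({"container:read", "container:publish"}))
    state = evaluate(req)
    print(state, "->", next_step(state))
```
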

Continue to safe fallback paths

Continue to Safe fallback paths whenever connected access is unsupported, too broad, missing approval, revoked or unsafe. Use the provider-specific access pages when a scoped connected path is available: WordPress and WooCommerce access, Shopify access, GTM access, or CMP and config access.
