An authorization mismatch allowed authenticated callers with operator.write access to invoke owner-only tool surfaces (gateway, cron) through agent runs in scoped-token deployments.

On affected deployments, write-scoped callers could perform control-plane actions beyond intended write scope.

Owner-only gating is now enforced consistently for owner-only tool surfaces during agent execution, and tool scope classification was tightened to remove the privilege mismatch.