From 8521f01b774849fcbfd7ee5a08738085d9433c12 Mon Sep 17 00:00:00 2001
From: Hephaestus <hep@aegis.dev>
Date: Sat, 23 May 2026 08:17:02 +0200
Subject: [PATCH] =?UTF-8?q?docs:=20fix=20PATCH=20/v1/sessions/:id=20RBAC?=
 =?UTF-8?q?=20role=20table=20=E2=80=94=20route=20uses=20ownership=20scopin?=
 =?UTF-8?q?g,=20not=20requireRole?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The PATCH endpoint for pinned sessions uses withOwnership (key-based
session ownership) rather than requireRole. The docs incorrectly stated
'admin, operator' role requirement. Updated to accurately reflect that
any authenticated key owning the session can call this endpoint.
---
 docs/api-reference.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/docs/api-reference.md b/docs/api-reference.md
index b3ffaf5d..590acf18 100644
--- a/docs/api-reference.md
+++ b/docs/api-reference.md
@@ -883,9 +883,7 @@ PATCH /v1/sessions/:id
 
 Updates mutable session metadata fields. Currently supports pinning sessions to protect them from automatic reaping.
 
-| Role | Required |
-|------|----------|
-| admin, operator | Yes |
+> **Ownership:** Requires a valid API key that owns the session (enforced by `withOwnership`).
 
 ```bash
 # Pin a session (reapers will never kill it)