From c8e58575e0ee44fad37b5f2ffe1ef0f220c3cf23 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Fri, 20 Mar 2026 12:18:18 +0000
Subject: [PATCH] chore: attempt to nudge agents away from dbauthz.AsSystemRestricted (#23326)

Adds a warning comment to dbauthz.AsSystemRestricted to hopefully nudge agents away from it.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 coderd/database/dbauthz/dbauthz.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index 6f9b2d4bf4..e6601fe831 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -769,6 +769,9 @@ func AsSubAgentAPI(ctx context.Context, orgID uuid.UUID, userID uuid.UUID) conte
 
 // AsSystemRestricted returns a context with an actor that has permissions
 // required for various system operations (login, logout, metrics cache).
+// DO NOT USE THIS UNLESS YOU HAVE ABSOLUTELY NO OTHER CHOICE. Prefer using a
+// more specific As* helper above (or adding a new, narrowly-scoped one) so
+// that permissions remain limited to the operation you need.
 func AsSystemRestricted(ctx context.Context) context.Context {
 	return As(ctx, subjectSystemRestricted)
 }
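Review bot: The added warning on AsSystemRestricted points readers to "a more specific As* helper above", which depends on declaration order and names no helper, so it goes stale as soon as a narrower helper is added below or the file is reordered. I would word it position-independently and name one example, e.g. `// Prefer a more specific As* helper in this package (such as AsSubAgentAPI) or add a new, narrowly-scoped one.` It would also help to state what a caller owes when they do use it, e.g. `// Call sites must carry a comment explaining why no narrower subject works.` A doc comment is advisory and cannot stop a new call site from picking up the broad system subject. If least privilege is the goal, a lint or CI check that flags new uses without a justification would enforce it; whether the repository already has one is not visible from this hunk.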