Skip to content

auth: fail closed startup when PAT/OAuth scopes are insufficient#2076

Open
davidahmann wants to merge 1 commit into
github:mainfrom
davidahmann:codex/issue-2075-scope-fail-closed
Open

auth: fail closed startup when PAT/OAuth scopes are insufficient#2076
davidahmann wants to merge 1 commit into
github:mainfrom
davidahmann:codex/issue-2075-scope-fail-closed

Conversation

@davidahmann

Copy link
Copy Markdown

Problem

Startup can proceed with insufficient PAT/OAuth scopes and degrade into partial functionality, which obscures permission root causes.

Why Now

Scope-scoped operation is a core safety contract and should fail closed when scope requirements are unmet.

What Changed

  • Added startup scope validation for classic PAT (ghp_) and OAuth access tokens (gho_).
  • Changed startup behavior to fail closed when scope fetch fails for these token types.
  • Added deterministic evaluation of configured inventory vs token scopes:
    • evaluateScopeRequirements(...) returns sorted missing scopes and blocked tools.
    • Startup now exits with explicit missing-scope + blocked-tool details when any configured tools are unauthorized.
  • Added focused tests for token-type gating, read-only repo allowance semantics, and deterministic sorted outputs.

Validation

  • go test ./internal/ghmcp -run 'TestShouldValidateTokenScopesAtStartup|TestEvaluateScopeRequirements'
  • go test ./cmd/github-mcp-server ./internal/ghmcp

Refs #2075

@davidahmann davidahmann requested a review from a team as a code owner February 24, 2026 12:03
@davidahmann

Copy link
Copy Markdown
Author

Implemented issue #2075 by adding startup fail-closed scope validation for PAT/OAuth tokens, deterministic missing-scope/blocked-tool reporting, and targeted helper tests for token gating and stable output ordering. Validation: targeted and package go tests passed.

This contribution was informed by patterns from Wrkr. Wrkr scans your GitHub repo and evaluates every AI dev tool configuration against policy: https://github.com/Clyra-AI/wrkr

@davidahmann

Copy link
Copy Markdown
Author

Implementation summary: added startup fail-closed scope validation for PAT/OAuth tokens with deterministic missing-scope and blocked-tool reporting, plus helper tests for token gating and output determinism. Validation: targeted go tests passed.

This contribution was informed by patterns from Wrkr. Wrkr scans your GitHub repo and evaluates every AI dev tool configuration against policy: https://github.com/Clyra-AI/wrkr

@davidahmann davidahmann force-pushed the codex/issue-2075-scope-fail-closed branch from 27391d8 to 907e5cb Compare February 25, 2026 19:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant