Skip to content

Display required PAT scopes proactively during connection creation #17

Description

@ewega

Summary

Required PAT scopes (e.g. manage_billing:copilot for gh-copilot, repo + read:org for github) are only shown when the token is entered via the interactive masked prompt — source #4 in the resolution chain. If the token comes from --token, .devlake.env, or $GITHUB_TOKEN/$GH_TOKEN, the user never sees what scopes are needed until the connection test fails with a potentially unclear API error.

Current Behavior

  • ScopeHint is passed to token.Resolve() → only printed in promptMasked() (stderr)
  • Tokens from flag/envfile/env skip the hint entirely
  • On connection test failure, the error comes from the DevLake API and may not clearly indicate which scopes are missing

Proposed Changes

1. Always display required scopes at connection creation time

Print ScopeHint right after the connection creation step header, regardless of token source:

📡 Creating GitHub Copilot connection...
   Required PAT scopes: manage_billing:copilot, read:org (+ read:enterprise for enterprise metrics)
   ✅ Connection test passed
   ✅ Created GitHub Copilot connection (ID=2)

2. Enrich test failure messages with scope hints

When TestConnection fails, append a hint:

gh-copilot connection test failed: 401 Unauthorized
   💡 Ensure your PAT has these scopes: manage_billing:copilot, read:org

3. (Stretch) Distinguish classic vs fine-grained PAT permissions

Classic PATs and fine-grained PATs use different permission models. Consider adding a ClassicScopes / FineGrainedPermissions distinction to ConnectionDef:

Plugin Classic PAT Fine-grained PAT
github repo, read:org, read:user Repository: Read, Organization: Read
gh-copilot manage_billing:copilot, read:org Organization: Copilot Business (read)

Changes

  • In buildAndCreateConnection(): print def.ScopeHint before testing/creating
  • In buildAndCreateConnection(): on test failure, append scope hint to error message
  • Optionally extend ConnectionDef with ClassicScopes and FineGrainedHint fields

Acceptance Criteria

  • Required PAT scopes displayed during connection creation regardless of token source
  • Connection test failures include a hint about required scopes
  • Works for all available plugins (github, gh-copilot)
  • configure full flow also shows scopes per connection

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions