Summary
Required PAT scopes (e.g. manage_billing:copilot for gh-copilot, repo + read:org for github) are only shown when the token is entered via the interactive masked prompt — source #4 in the resolution chain. If the token comes from --token, .devlake.env, or $GITHUB_TOKEN/$GH_TOKEN, the user never sees what scopes are needed until the connection test fails with a potentially unclear API error.
Current Behavior
ScopeHint is passed to token.Resolve() → only printed in promptMasked() (stderr)
- Tokens from flag/envfile/env skip the hint entirely
- On connection test failure, the error comes from the DevLake API and may not clearly indicate which scopes are missing
Proposed Changes
1. Always display required scopes at connection creation time
Print ScopeHint right after the connection creation step header, regardless of token source:
📡 Creating GitHub Copilot connection...
Required PAT scopes: manage_billing:copilot, read:org (+ read:enterprise for enterprise metrics)
✅ Connection test passed
✅ Created GitHub Copilot connection (ID=2)
2. Enrich test failure messages with scope hints
When TestConnection fails, append a hint:
gh-copilot connection test failed: 401 Unauthorized
💡 Ensure your PAT has these scopes: manage_billing:copilot, read:org
3. (Stretch) Distinguish classic vs fine-grained PAT permissions
Classic PATs and fine-grained PATs use different permission models. Consider adding a ClassicScopes / FineGrainedPermissions distinction to ConnectionDef:
| Plugin |
Classic PAT |
Fine-grained PAT |
| github |
repo, read:org, read:user |
Repository: Read, Organization: Read |
| gh-copilot |
manage_billing:copilot, read:org |
Organization: Copilot Business (read) |
Changes
- In
buildAndCreateConnection(): print def.ScopeHint before testing/creating
- In
buildAndCreateConnection(): on test failure, append scope hint to error message
- Optionally extend
ConnectionDef with ClassicScopes and FineGrainedHint fields
Acceptance Criteria
Summary
Required PAT scopes (e.g.
manage_billing:copilotfor gh-copilot,repo+read:orgfor github) are only shown when the token is entered via the interactive masked prompt — source #4 in the resolution chain. If the token comes from--token,.devlake.env, or$GITHUB_TOKEN/$GH_TOKEN, the user never sees what scopes are needed until the connection test fails with a potentially unclear API error.Current Behavior
ScopeHintis passed totoken.Resolve()→ only printed inpromptMasked()(stderr)Proposed Changes
1. Always display required scopes at connection creation time
Print
ScopeHintright after the connection creation step header, regardless of token source:2. Enrich test failure messages with scope hints
When
TestConnectionfails, append a hint:3. (Stretch) Distinguish classic vs fine-grained PAT permissions
Classic PATs and fine-grained PATs use different permission models. Consider adding a
ClassicScopes/FineGrainedPermissionsdistinction toConnectionDef:repo,read:org,read:usermanage_billing:copilot,read:orgChanges
buildAndCreateConnection(): printdef.ScopeHintbefore testing/creatingbuildAndCreateConnection(): on test failure, append scope hint to error messageConnectionDefwithClassicScopesandFineGrainedHintfieldsAcceptance Criteria
configure fullflow also shows scopes per connection