Description
During basecamp auth login, the CLI prompts the user to select between "read-only" and "full" access. After selecting read-only, write operations succeed without any error.
Steps to Reproduce
- Run basecamp auth login (v0.2.3)
- When prompted for scope, select read-only access
- Complete authentication and account selection
- Run a write command: basecamp todo -c "test delete me"
- Expected: Error indicating read-only access cannot create resources
- Actual: Todo created successfully
CLI Output
$ basecamp auth login
Step 1: Selected "read-only" access
Authentication successful.
Account:
$ basecamp todo -c "test delete me"
Created todo #...
Why This Matters
The read-only scope option gives users a false sense of security. Users (and AI agents operating on their behalf) rely on OAuth scopes as a real permission boundary, not a suggestion. If the token issued during "read-only" login has full read/write access to the API, the scope selection is effectively meaningless.
This is especially important as more AI agents integrate with Basecamp via the CLI. Agent operators need to be able to grant genuine read-only access to ensure agents can monitor projects without the ability to modify data.
Expected Behavior
Tokens issued with read-only scope should be rejected by the Basecamp API when used for any write operation (POST, PUT, PATCH, DELETE).
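As an added illustration of the enforcement this issue asks for (not code from the Basecamp API or CLI; the scope names and function names are hypothetical), the sketch below maps each scope to the HTTP methods it may use, fails closed on unknown scopes, and returns the 403 / insufficient_scope response RFC 6750 prescribes; it also shows a CLI-side pre-flight guard that would have produced the expected error instead of a created todo.

```python
"""Scope-enforcement sketch for the read-only/full split described in this issue.

Hypothetical names; not the Basecamp API's or CLI's own code. Assumes the
stored token record carries a `scope` string such as "read-only" or "full".
"""
from dataclasses import dataclass
from typing import Optional

# HTTP methods that never modify server state (RFC 9110 "safe" methods).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Assumed scope names, matching the two choices the CLI prompt offers.
SCOPE_METHODS = {
    "read-only": SAFE_METHODS,
    "full": SAFE_METHODS | {"POST", "PUT", "PATCH", "DELETE"},
}


@dataclass
class Decision:
    allowed: bool
    status: int
    www_authenticate: Optional[str] = None


def enforce_scope(token_scope: str, method: str) -> Decision:
    """Server-side check: may a token with `token_scope` perform `method`?

    Fails closed: an unknown scope denies everything, so a typo in a
    stored token record can never silently grant write access.
    """
    method = method.upper()
    allowed = SCOPE_METHODS.get(token_scope, frozenset())
    if method in allowed:
        return Decision(True, 200)
    # RFC 6750 section 3.1: a token with too little scope gets 403 plus
    # error="insufficient_scope", so the client can explain rather than retry.
    hdr = 'Bearer error="insufficient_scope", scope="full"'
    return Decision(False, 403, hdr)


def cli_preflight(token_scope: str, method: str) -> Optional[str]:
    """Client-side guard: refuse a write before any request leaves the CLI,
    so a read-only session reports the expected error. Returns None when the
    request may proceed, otherwise the message to show the user."""
    if method.upper() in SAFE_METHODS or token_scope == "full":
        return None
    return (f"read-only access cannot {method.upper()} resources; "
            "re-run auth login and choose full access")
```

The API-side check is the one that matters: a CLI guard alone would still leave the token itself able to write if it were extracted and used directly.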
Environment
CLI version: 0.2.3
OS: macOS
Account: Basecamp 3