Carry OAuth scopes through extraction to the invocation credential#1386
Draft
RhysSullivan wants to merge 1 commit into
Draft
Carry OAuth scopes through extraction to the invocation credential#1386RhysSullivan wants to merge 1 commit into
RhysSullivan wants to merge 1 commit into
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
executor-marketing | 6ec24e3 | Commit Preview URL Branch Preview URL |
Jul 10 2026, 03:03 AM |
Contributor
Cloudflare preview
Sign-in is Cloudflare Access (one-time PIN to an allowed email). The preview has its own database and encryption key; it is destroyed when this PR closes. |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
executor-cloud | 6ec24e3 | Jul 10 2026, 03:06 AM |
@executor-js/cli
@executor-js/config
@executor-js/execution
@executor-js/sdk
@executor-js/codemode-core
@executor-js/runtime-quickjs
@executor-js/plugin-file-secrets
@executor-js/plugin-graphql
@executor-js/plugin-keychain
@executor-js/plugin-mcp
@executor-js/plugin-onepassword
@executor-js/plugin-openapi
executor
commit: |
0b23501 to
1dae20c
Compare
Tool catalogs were compiled with no notion of scope: an operation's security declaration never survived extraction, and the credential built for dispatch never carried what the connection's grant covers. A connection whose grant is narrower than its integration's catalog (the multi-product Google bundle case) exposed every tool as equally invocable, and the eventual upstream 403 could not say which scope was missing versus held. Extract per-operation security scopes into ExtractedOperation and OperationBinding (all three compile paths: whole-tree, streamed, and structure-streamed; optional so stored bindings keep decoding), add grantedScopes to ToolInvocationCredential sourced from the connection row's oauth_scope, and use both to annotate scope-insufficient 403s with the exact required and granted scopes. Advisory-only by design: scope-string containment needs provider semantics (a broad Google scope does not textually contain a narrow one), so nothing is blocked locally and unknown grants fail open. Refs #1384
1dae20c to
6ec24e3
Compare
1d08e44 to
516719c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tool catalogs are compiled with no notion of scope: an operation's security declaration never survives extraction, and the credential built for dispatch never carries what the connection's grant covers.
This extracts per-operation security scopes into ExtractedOperation and OperationBinding (all three compile paths; optional so stored bindings keep decoding), adds grantedScopes to ToolInvocationCredential sourced from the connection row's oauth_scope, and uses both to annotate scope-insufficient 403s with the exact required and granted scopes.
Advisory-only by design: scope-string containment needs provider semantics (a broad Google scope does not textually contain a narrow one), so nothing is blocked locally and unknown grants fail open. Catalog projection by scope can build on this plumbing as a follow-up.
Refs #1384. Stacked on #1385.