feat: GitHub provider lifecycle and onboarding hardening (#351)

* feat: improve GitHub provider onboarding and lifecycle

* fix: address copilot review in provider manager

* fix: address follow-up copilot review comments

* test: resolve rebase conflict in provider profiles suite

* fix: clear stale github hydrated marker

* fix: harden github onboarding auth precedence

* fix: remove merge markers from provider tests

* fix: resolve latest copilot onboarding comments

---------

Co-authored-by: KRATOS <84986124+gnanam1990@users.noreply.github.com>

src/services/github/deviceFlow.test.ts

@@ -1,6 +1,7 @@
 import { afterEach, describe, expect, mock, test } from 'bun:test'
 
 import {
+  DEFAULT_GITHUB_DEVICE_SCOPE,
   GitHubDeviceFlowError,
   pollAccessToken,
   requestDeviceCode,
@@ -48,6 +49,81 @@ describe('requestDeviceCode', () => {
       requestDeviceCode({ clientId: 'x', fetchImpl: globalThis.fetch }),
     ).rejects.toThrow(GitHubDeviceFlowError)
   })
+
+  test('uses OAuth-safe default scope', async () => {
+    let capturedScope = ''
+    globalThis.fetch = mock((_url: RequestInfo | URL, init?: RequestInit) => {
+      const body = init?.body
+      if (body instanceof URLSearchParams) {
+        capturedScope = body.get('scope') ?? ''
+      } else {
+        capturedScope = new URLSearchParams(String(body ?? '')).get('scope') ?? ''
+      }
+
+      return Promise.resolve(
+        new Response(
+          JSON.stringify({
+            device_code: 'abc',
+            user_code: 'ABCD-1234',
+            verification_uri: 'https://github.com/login/device',
+          }),
+          { status: 200 },
+        ),
+      )
+    })
+
+    await requestDeviceCode({ clientId: 'test-client', fetchImpl: globalThis.fetch })
+    expect(capturedScope).toBe(DEFAULT_GITHUB_DEVICE_SCOPE)
+    expect(capturedScope).toBe('read:user')
+  })
+
+  test('retries with OAuth-safe scope on invalid_scope', async () => {
+    const scopesSeen: string[] = []
+    let callCount = 0
+
+    globalThis.fetch = mock((_url: RequestInfo | URL, init?: RequestInit) => {
+      const body = init?.body
+      const scope =
+        body instanceof URLSearchParams
+          ? body.get('scope') ?? ''
+          : new URLSearchParams(String(body ?? '')).get('scope') ?? ''
+      scopesSeen.push(scope)
+      callCount++
+
+      if (callCount === 1) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({
+              error: 'invalid_scope',
+              error_description: 'invalid models scope',
+            }),
+            { status: 400 },
+          ),
+        )
+      }
+
+      return Promise.resolve(
+        new Response(
+          JSON.stringify({
+            device_code: 'abc',
+            user_code: 'ABCD-1234',
+            verification_uri: 'https://github.com/login/device',
+          }),
+          { status: 200 },
+        ),
+      )
+    })
+
+    const result = await requestDeviceCode({
+      clientId: 'test-client',
+      scope: 'read:user,models:read',
+      fetchImpl: globalThis.fetch,
+    })
+
+    expect(result.device_code).toBe('abc')
+    expect(callCount).toBe(2)
+    expect(scopesSeen).toEqual(['read:user,models:read', 'read:user'])
+  })
 })
 
 describe('pollAccessToken', () => {

src/services/github/deviceFlow.ts

@@ -10,8 +10,10 @@ export const GITHUB_DEVICE_CODE_URL = 'https://github.com/login/device/code'
 export const GITHUB_DEVICE_ACCESS_TOKEN_URL =
   'https://github.com/login/oauth/access_token'
 
-/** Match runtime devsper github_oauth DEFAULT_SCOPE */
-export const DEFAULT_GITHUB_DEVICE_SCOPE = 'read:user,models:read'
+// OAuth app device flow does not accept the GitHub Models permission token
+// scope (models:read). Use an OAuth-safe default.
+const OAUTH_SAFE_GITHUB_DEVICE_SCOPE = 'read:user'
+export const DEFAULT_GITHUB_DEVICE_SCOPE = OAUTH_SAFE_GITHUB_DEVICE_SCOPE
 
 export class GitHubDeviceFlowError extends Error {
   constructor(message: string) {
@@ -51,38 +53,61 @@ export async function requestDeviceCode(options?: {
     )
   }
   const fetchFn = options?.fetchImpl ?? fetch
-  const res = await fetchFn(GITHUB_DEVICE_CODE_URL, {
-    method: 'POST',
-    headers: { Accept: 'application/json' },
-    body: new URLSearchParams({
-      client_id: clientId,
-      scope: options?.scope ?? DEFAULT_GITHUB_DEVICE_SCOPE,
-    }),
-  })
-  if (!res.ok) {
-    const text = await res.text().catch(() => '')
-    throw new GitHubDeviceFlowError(
-      `Device code request failed: ${res.status} ${text}`,
-    )
-  }
-  const data = (await res.json()) as Record<string, unknown>
-  const device_code = data.device_code
-  const user_code = data.user_code
-  const verification_uri = data.verification_uri
-  if (
-    typeof device_code !== 'string' ||
-    typeof user_code !== 'string' ||
-    typeof verification_uri !== 'string'
-  ) {
-    throw new GitHubDeviceFlowError('Malformed device code response from GitHub')
-  }
-  return {
-    device_code,
-    user_code,
-    verification_uri,
-    expires_in: typeof data.expires_in === 'number' ? data.expires_in : 900,
-    interval: typeof data.interval === 'number' ? data.interval : 5,
+  const requestedScope =
+    options?.scope?.trim() || DEFAULT_GITHUB_DEVICE_SCOPE
+  const scopesToTry =
+    requestedScope === OAUTH_SAFE_GITHUB_DEVICE_SCOPE
+      ? [requestedScope]
+      : [requestedScope, OAUTH_SAFE_GITHUB_DEVICE_SCOPE]
+
+  let lastError = 'Device code request failed.'
+
+  for (const scope of scopesToTry) {
+    const res = await fetchFn(GITHUB_DEVICE_CODE_URL, {
+      method: 'POST',
+      headers: { Accept: 'application/json' },
+      body: new URLSearchParams({
+        client_id: clientId,
+        scope,
+      }),
+    })
+
+    if (!res.ok) {
+      const text = await res.text().catch(() => '')
+      lastError = `Device code request failed: ${res.status} ${text}`
+      const isInvalidScope = /invalid_scope/i.test(text)
+      const canRetryWithFallback =
+        scope !== OAUTH_SAFE_GITHUB_DEVICE_SCOPE && isInvalidScope
+      if (canRetryWithFallback) {
+        continue
+      }
+      throw new GitHubDeviceFlowError(lastError)
+    }
+
+    const data = (await res.json()) as Record<string, unknown>
+    const device_code = data.device_code
+    const user_code = data.user_code
+    const verification_uri = data.verification_uri
+    if (
+      typeof device_code !== 'string' ||
+      typeof user_code !== 'string' ||
+      typeof verification_uri !== 'string'
+    ) {
+      throw new GitHubDeviceFlowError(
+        'Malformed device code response from GitHub',
+      )
+    }
+
+    return {
+      device_code,
+      user_code,
+      verification_uri,
+      expires_in: typeof data.expires_in === 'number' ? data.expires_in : 900,
+      interval: typeof data.interval === 'number' ? data.interval : 5,
+    }
   }
+
+  throw new GitHubDeviceFlowError(lastError)
 }
 
 export type PollOptions = {