feat: GitHub provider lifecycle and onboarding hardening (#351)

* feat: improve GitHub provider onboarding and lifecycle * fix: address copilot review in provider manager * fix: address follow-up copilot review comments * test: resolve rebase conflict in provider profiles suite * fix: clear stale github hydrated marker * fix: harden github onboarding auth precedence * fix: remove merge markers from provider tests * fix: resolve latest copilot onboarding comments --------- Co-authored-by: KRATOS <84986124+gnanam1990@users.noreply.github.com>
2026-04-06 16:48:58 +05:30
parent 8ece290087
commit ff7d49990d
20 changed files with 1150 additions and 166 deletions
--- a/src/services/github/deviceFlow.test.ts
+++ b/src/services/github/deviceFlow.test.ts
@@ -1,6 +1,7 @@
 import { afterEach, describe, expect, mock, test } from 'bun:test'

 import {
+  DEFAULT_GITHUB_DEVICE_SCOPE,
  GitHubDeviceFlowError,
  pollAccessToken,
  requestDeviceCode,
@@ -48,6 +49,81 @@ describe('requestDeviceCode', () => {
      requestDeviceCode({ clientId: 'x', fetchImpl: globalThis.fetch }),
    ).rejects.toThrow(GitHubDeviceFlowError)
  })
+
+  test('uses OAuth-safe default scope', async () => {
+    let capturedScope = ''
+    globalThis.fetch = mock((_url: RequestInfo | URL, init?: RequestInit) => {
+      const body = init?.body
+      if (body instanceof URLSearchParams) {
+        capturedScope = body.get('scope') ?? ''
+      } else {
+        capturedScope = new URLSearchParams(String(body ?? '')).get('scope') ?? ''
+      }
+
+      return Promise.resolve(
+        new Response(
+          JSON.stringify({
+            device_code: 'abc',
+            user_code: 'ABCD-1234',
+            verification_uri: 'https://github.com/login/device',
+          }),
+          { status: 200 },
+        ),
+      )
+    })
+
+    await requestDeviceCode({ clientId: 'test-client', fetchImpl: globalThis.fetch })
+    expect(capturedScope).toBe(DEFAULT_GITHUB_DEVICE_SCOPE)
+    expect(capturedScope).toBe('read:user')
+  })
+
+  test('retries with OAuth-safe scope on invalid_scope', async () => {
+    const scopesSeen: string[] = []
+    let callCount = 0
+
+    globalThis.fetch = mock((_url: RequestInfo | URL, init?: RequestInit) => {
+      const body = init?.body
+      const scope =
+        body instanceof URLSearchParams
+          ? body.get('scope') ?? ''
+          : new URLSearchParams(String(body ?? '')).get('scope') ?? ''
+      scopesSeen.push(scope)
+      callCount++
+
+      if (callCount === 1) {
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({
+              error: 'invalid_scope',
+              error_description: 'invalid models scope',
+            }),
+            { status: 400 },
+          ),
+        )
+      }
+
+      return Promise.resolve(
+        new Response(
+          JSON.stringify({
+            device_code: 'abc',
+            user_code: 'ABCD-1234',
+            verification_uri: 'https://github.com/login/device',
+          }),
+          { status: 200 },
+        ),
+      )
+    })
+
+    const result = await requestDeviceCode({
+      clientId: 'test-client',
+      scope: 'read:user,models:read',
+      fetchImpl: globalThis.fetch,
+    })
+
+    expect(result.device_code).toBe('abc')
+    expect(callCount).toBe(2)
+    expect(scopesSeen).toEqual(['read:user,models:read', 'read:user'])
+  })
 })

 describe('pollAccessToken', () => {