From 2192780c43914763148c2c3edb7ef80f126c1e10 Mon Sep 17 00:00:00 2001 From: Palo Otcenas Date: Mon, 2 Mar 2026 22:22:36 +0100 Subject: [PATCH 1/2] fix(auth): add missing OAuth scopes for CI Visibility, Service Catalog, and Teams Several commands returned 403 Forbidden when using OAuth authentication because the required scopes were not requested during login. This adds 6 missing scopes: - ci_visibility_read (pipelines list/search, tests list/search, code coverage, flaky tests) - ci_visibility_pipelines_write (pipeline event submission) - apm_service_catalog_read (service-catalog list/get) - apm_service_catalog_write (service-catalog create/delete) - teams_read (on-call teams list/get, memberships list) - teams_write (on-call teams create/update/delete, memberships add/update/remove) Co-Authored-By: Claude Opus
---
 docs/OAUTH2.md | 12 ++++++++++++
 src/auth/types.rs | 13 +++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/docs/OAUTH2.md b/docs/OAUTH2.md
index 239d4c2..54a02a5 100644
--- a/docs/OAUTH2.md
+++ b/docs/OAUTH2.md
@@ -224,6 +224,18 @@ Pup requests the following OAuth scopes based on PR #84:
 ### Usage
 - `usage_read` - Read usage data
+### CI Visibility
+- `ci_visibility_read` - Read CI pipelines, tests, code coverage, and flaky tests
+- `ci_visibility_pipelines_write` - Send CI pipeline events
+
+### Service Catalog
+- `apm_service_catalog_read` - Read service definitions
+- `apm_service_catalog_write` - Create/update/delete service definitions
+
+### Teams
+- `teams_read` - Read teams and team memberships
+- `teams_write` - Create/update/delete teams and memberships
+
 ## Token Management
 ### Automatic Refresh
diff --git a/src/auth/types.rs b/src/auth/types.rs
index bed5ad2..b484fce 100644
--- a/src/auth/types.rs
+++ b/src/auth/types.rs
@@ -91,6 +91,15 @@ pub fn default_scopes() -> Vec<&'static str> {
 "oci_configurations_manage",
 "timeseries_query",
 "usage_read",
+ // CI Visibility (pipelines, tests, code coverage, flaky tests)
+ "ci_visibility_read",
+ "ci_visibility_pipelines_write",
+ // Service Catalog
+ "apm_service_catalog_read",
+ "apm_service_catalog_write",
+ // Teams (on-call)
+ "teams_read",
+ "teams_write",
 ]
 }
@@ -141,6 +150,10 @@ mod tests {
 assert!(scopes.contains(&"dashboards_read"));
 assert!(scopes.contains(&"monitors_read"));
 assert!(scopes.contains(&"logs_read_data"));
+ // CI Visibility, Service Catalog, Teams
+ assert!(scopes.contains(&"ci_visibility_read"));
+ assert!(scopes.contains(&"apm_service_catalog_read"));
+ assert!(scopes.contains(&"teams_read"));
 }
 #[test]
From 3a01a90409e220a699a7cde220b9bcafc1c1f83f Mon Sep 17 00:00:00 2001 From: Palo Otcenas Date: Tue, 3 Mar 2026 07:15:56 +0100 Subject: [PATCH 2/2] fix(auth): replace teams_write scope with teams_manage Rename the Teams write OAuth scope from teams_write to teams_manage to match the correct Datadog API scope name. - Update default_scopes() in src/auth/types.rs - Add teams_manage assertion to test_default_scopes in src/auth/types.rs - Update scope documentation in docs/OAUTH2.md Co-Authored-By: Claude Sonnet 4.6
---
 docs/OAUTH2.md | 2 +-
 src/auth/types.rs | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/OAUTH2.md b/docs/OAUTH2.md
index 54a02a5..4947fd0 100644
--- a/docs/OAUTH2.md
+++ b/docs/OAUTH2.md
@@ -234,7 +234,7 @@ Pup requests the following OAuth scopes based on PR #84:
 ### Teams
 - `teams_read` - Read teams and team memberships
-- `teams_write` - Create/update/delete teams and memberships
+- `teams_manage` - Create/update/delete teams and memberships
 ## Token Management
diff --git a/src/auth/types.rs b/src/auth/types.rs
index b484fce..abe69cd 100644
--- a/src/auth/types.rs
+++ b/src/auth/types.rs
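Review bot: The three write scopes added to `default_scopes()` in src/auth/types.rs (`ci_visibility_pipelines_write`, `apm_service_catalog_write`, and `teams_write`, which PATCH 2/2 renames to `teams_manage`) are requested on every OAuth login. A token obtained only to run read commands therefore also carries create/update/delete rights, which widens what a leaked or misused token can do. If the login flow can request a narrower set (not visible in this hunk), consider keeping the defaults read-only and asking for write scopes on demand. At minimum, mark them in the list, e.g. `// write scope: grants create/update/delete, requested on every login`. The body of `default_scopes()` begins above the hunk.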
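Review bot: The assertions added to `test_default_scopes` (second hunk of src/auth/types.rs in PATCH 1/2) cover only the three read scopes, so dropping or misspelling a write scope would still pass. Adding `assert!(scopes.contains(&"ci_visibility_pipelines_write"));` and `assert!(scopes.contains(&"apm_service_catalog_write"));` closes that gap. Because `contains` checks cannot detect an unintended extra scope, comparing the result against an explicit expected list would also make any future widening of the token's privileges visible in review. The test function starts above the hunk.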
@@ -99,7 +99,7 @@ pub fn default_scopes() -> Vec<&'static str> {
 "apm_service_catalog_write",
 // Teams (on-call)
 "teams_read",
- "teams_write",
+ "teams_manage",
 ]
 }
@@ -154,6 +154,7 @@ mod tests {
 assert!(scopes.contains(&"ci_visibility_read"));
 assert!(scopes.contains(&"apm_service_catalog_read"));
 assert!(scopes.contains(&"teams_read"));
+ assert!(scopes.contains(&"teams_manage"));
 }
 #[test]
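Review bot: The assertion added to `test_default_scopes` in the second hunk confirms `teams_manage` is present, but nothing checks that the replaced name is gone; `assert!(!scopes.contains(&"teams_write"));` would pin the rename. Tokens issued before this change were presumably granted without `teams_manage`, so users may need to log in again before team write commands stop returning 403. The token storage and refresh code is not visible here, so that is an assumption; if it holds, it is worth a line in docs/OAUTH2.md. The test function starts above the hunk.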