Add a read-only OAuth mode for safe autonomous tool use#110
Closed
dthvt wants to merge 2 commits into Doist:main from
Conversation
Author
@scottlovegrove thanks for the ping - I will look at resolving the conflicts when I have a moment, but it may be a few days.

Collaborator
Not a problem 👍🏻
scottlovegrove added a commit that referenced this pull request on Mar 31, 2026:

Add support for authenticating with a read-only OAuth token (scope `data:read`) via `td auth login --read-only`. When in read-only mode, all mutating API calls are blocked at the proxy layer before they reach the Todoist API.

- Add `--read-only` flag to `td auth login` with `data:read` scope
- Store auth metadata (mode, scope) in config file alongside secure token storage from #120
- Create permissions module with default-deny allowlist of safe API methods — unknown/new methods are blocked by default
- Integrate permission checks into the API proxy and direct fetch calls (uploads)
- Display auth mode in `td auth status` (human + JSON output)
- Update README, skill content, and tests

Supersedes #110.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Motivation
Description
- `--read-only` option to `td auth login`, extending `buildAuthorizationUrl` to accept a `readOnly` option, and saving auth metadata (`auth_mode` and `auth_scope`) alongside tokens in the config.
- `td auth token`) as `unknown` mode and persists `auth_mode: 'unknown'` when saving manual tokens.
- `permissions` module that identifies mutating API calls and sync payloads and exposes `ensureWriteAllowed`, which throws when the stored auth mode is `read-only`.
- `createSpinnerWrappedApi` to run `ensureWriteAllowed` before mutating calls, preserve spinner/progress behavior, and emit progress events and errors consistently.
- `README.md` and skill content) to document the read-only login flow and auth metadata behavior.

Testing
- `vitest` including modified `src/__tests__/auth.test.ts` and new tests `src/__tests__/oauth.test.ts` and `src/__tests__/permissions.test.ts`, and all tests passed.
- `data:read` when `--read-only` is passed via the new `buildAuthorizationUrl` unit test.
- `getAuthMetadata` reports `authMode: 'read-only'` via the `permissions` unit tests.
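The permissions gate described in the Description and in the superseding commit (a default-deny allowlist of safe methods, sync payloads classified by whether they carry commands, and a proxy that runs the check before a mutating call leaves the client) is illustrated below. This is an added example, not the td CLI's `permissions` module or `createSpinnerWrappedApi`; the method names in the allowlist, the `AuthMetadata` shape, the `ReadOnlyModeError` class, the sync payload shape, and the fake API client are all assumptions made for the illustration.

```typescript
// Added example (not the td CLI's own code): a default-deny permission gate
// for a read-only auth mode. Method names, the AuthMetadata shape and the
// sync payload shape are assumptions for illustration.

type AuthMode = 'read-only' | 'read-write' | 'unknown';

interface AuthMetadata {
  authMode: AuthMode;
  authScope?: string;
}

class ReadOnlyModeError extends Error {
  constructor(method: string) {
    super(`Blocked "${method}": token was issued with a read-only scope (auth_mode: read-only)`);
    this.name = 'ReadOnlyModeError';
  }
}

// Allowlist of API methods known not to mutate server state. Anything not
// listed here, including methods added to the API later, is treated as a write.
const SAFE_METHODS: ReadonlySet<string> = new Set([
  'getTasks', 'getTask', 'getProjects', 'getProject',
  'getSections', 'getLabels', 'getComments',
  'sync', // safe only when the payload carries no commands; checked below
]);

// The Sync API (assumed shape) serves reads and writes on one endpoint: a
// request with a non-empty `commands` array mutates data, a request with only
// `resource_types` and `sync_token` does not.
function isMutatingSyncPayload(payload: unknown): boolean {
  if (payload === null || typeof payload !== 'object') return false;
  const commands = (payload as { commands?: unknown }).commands;
  return Array.isArray(commands) && commands.length > 0;
}

function isMutatingCall(method: string, payload?: unknown): boolean {
  if (!SAFE_METHODS.has(method)) return true; // default deny for unknown methods
  return isMutatingSyncPayload(payload);      // allowlisted, but the payload may still write
}

// Throws before any request is built when the stored auth mode is read-only
// and the call would write. 'unknown' mode (manually pasted token) is not
// blocked here: its scope is not known, so the API's own scope check applies.
function ensureWriteAllowed(meta: AuthMetadata, method: string, payload?: unknown): void {
  if (meta.authMode !== 'read-only') return;
  if (isMutatingCall(method, payload)) throw new ReadOnlyModeError(method);
}

// Wraps an API client so every method call passes through ensureWriteAllowed
// first; the first argument is treated as the request payload.
function wrapApi<T extends object>(api: T, meta: AuthMetadata): T {
  return new Proxy(api, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (typeof prop !== 'string' || typeof value !== 'function') return value;
      return (...args: unknown[]) => {
        ensureWriteAllowed(meta, prop, args[0]);
        return value.apply(target, args);
      };
    },
  });
}

// Constructed stand-in client that records calls instead of touching the network.
function makeFakeApi() {
  const calls: string[] = [];
  return {
    calls,
    getTasks() { calls.push('getTasks'); return [{ id: '1', content: 'constructed task' }]; },
    addTask(content: string) { calls.push('addTask'); return { id: '2', content }; },
    sync(payload: { commands?: unknown[]; resource_types?: string[] }) { calls.push('sync'); return { ok: true, payload }; },
  };
}

// Runs four calls through the gate on a read-only token and reports which
// reached the (fake) API and which were blocked.
function demo(): { reads: string[]; blocked: string[] } {
  const meta: AuthMetadata = { authMode: 'read-only', authScope: 'data:read' };
  const api = wrapApi(makeFakeApi(), meta);
  const blocked: string[] = [];
  const attempt = (name: string, fn: () => unknown) => {
    try { fn(); } catch (e) {
      if (e instanceof Error && e.name === 'ReadOnlyModeError') blocked.push(name); else throw e;
    }
  };
  attempt('getTasks', () => api.getTasks());
  attempt('sync(read)', () => api.sync({ resource_types: ['items'] }));
  attempt('addTask', () => api.addTask('should not reach the API'));
  attempt('sync(write)', () => api.sync({ commands: [{ type: 'item_add' }] }));
  return { reads: api.calls, blocked };
}
```

The point of the allowlist being the safe set rather than the mutating set is visible in `isMutatingCall`: a method the CLI has never heard of fails closed, so a new write endpoint added upstream cannot slip past a read-only token without someone deliberately reviewing and allowlisting it. The `sync` entry shows why an allowlist alone is not enough for a multiplexed endpoint and the payload has to be inspected as well.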