feat: request read-data-schema + notebook OAuth scopes and document the scope set #513
Open
gewenyu99 wants to merge 7 commits into
Add a README "OAuth Scopes" section documenting the full scope set the wizard's main basic integration program requests during the OAuth login flow, with a copy-pasteable list for granting scopes on the OAuth application in each region. Add `notebook:write` to `WIZARD_OAUTH_SCOPES` in constants.ts so the code actually requests the scope it now documents (the OAuth app was granted `notebook:write` in both US and EU for the notebooks MCP tools), and add a reverse pointer in its header comment back to the README. Plant a note in the wizard-development MAINTAINING-SKILLS reference so future agents keep the README scopes table in sync with the constant whenever scopes change.

Generated-By: PostHog Code
Task-Id: e5fcb78f-1b7c-4ce5-8ba4-c825400b2d98
🧙 Wizard CI
Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:
Test all apps:
Test all apps in a directory:
Test an individual app:
Results will be posted here when complete.
edwinyjlim
approved these changes
Jun 5, 2026
…om/PostHog/wizard into posthog-code/document-oauth-scopes
main moved `notebook:write` into `WIZARD_PROVISIONING_SCOPES`, which is spread into `WIZARD_OAUTH_SCOPES`. Drop the now-redundant explicit `notebook:write` from the OAuth scope array and remove it from the header comment's "login-only / not in the provisioning allowlist" list, since it is now a provisioning scope. Reorder the README scope table to mirror the constant (provisioning scopes first, then the login-only and read-data-schema scopes). No change to the requested scope set — `getOAuthScopesForProgram` already deduped the entry.

Generated-By: PostHog Code
Task-Id: 05a4e027-8271-4393-8df2-f5456649ee4f
The wizard agent uses the read-data-schema MCP tool to discover real event/property names instead of guessing from capture() calls in code. That tool is gated on event_definition:read + property_definition:read, which the base scope set never requested — so schema discovery failed.

The previous version of this branch added the two scopes only to WIZARD_OAUTH_SCOPES (the OAuth login path), leaving WIZARD_PROVISIONING_SCOPES untouched. New users who sign up *through* the wizard run the agent with the provisioning token, so read-data-schema stayed broken for them.

Add the two scopes to WIZARD_PROVISIONING_SCOPES instead. WIZARD_OAUTH_SCOPES spreads the provisioning set, so both the signup and login paths now request them with no duplication. Update provisioning.test.ts accordingly.

Also make the docs honest: the requested scope set is program-dependent (PROGRAM_SCOPE_ADDITIONS layers extra read scopes for programs like the MCP tutorial), so the README now documents the base set plus that layering, and both prerequisites — backend ALLOWED_PROVISIONING_SCOPES and per-region OAuth app grants — are called out in the README, the constants comments, and MAINTAINING-SKILLS.md.

Prerequisites before this ships (out of repo):
- add event_definition:read + property_definition:read to ALLOWED_PROVISIONING_SCOPES in ee/api/agentic_provisioning/views.py, or the provisioning signup call will reject the unknown scopes;
- grant both scopes on the PostHog OAuth application in US and EU.

Generated-By: PostHog Code
Task-Id: 05a4e027-8271-4393-8df2-f5456649ee4f
Problem

The wizard agent's schema-discovery tool (`read-data-schema`) is gated on `event_definition:read` + `property_definition:read`. The wizard never requested those scopes on its base scope set, so schema discovery failed and the agent fell back to guessing event names from `capture()` calls in code.

The OAuth scopes the wizard requests also weren't documented anywhere operators could find them, and the README had no guard against drifting from the constants.

Changes

- `src/lib/constants.ts` — add `event_definition:read` + `property_definition:read` to `WIZARD_PROVISIONING_SCOPES` (not just the OAuth set). Because `WIZARD_OAUTH_SCOPES` spreads the provisioning set, both auth paths now request them with no duplication:
  - `provisioning.ts` → `WIZARD_PROVISIONING_SCOPES`)
  - `setup-utils.ts` → `getOAuthScopesForProgram`)

  This is the key correction over the earlier version of this branch, which added the scopes only to `WIZARD_OAUTH_SCOPES` and left newly-provisioned users without schema access.
- `src/utils/__tests__/provisioning.test.ts` — assert the two new provisioning scopes.
- README — an honest "OAuth Scopes" section: the base set every program requests, a note that the set is program-dependent (programs like the MCP tutorial layer extra read scopes via `PROGRAM_SCOPE_ADDITIONS`), and both grant prerequisites spelled out.
- `MAINTAINING-SKILLS.md` — note covering all three scope surfaces (`WIZARD_PROVISIONING_SCOPES`, `WIZARD_OAUTH_SCOPES`, `PROGRAM_SCOPE_ADDITIONS`) and the two grant prerequisites.

This change is inert until both land — and the first is a hard requirement or signup breaks:

- `event_definition:read` + `property_definition:read` to `ALLOWED_PROVISIONING_SCOPES` in the monorepo's `ee/api/agentic_provisioning/views.py`, or the provisioning signup call will reject the unknown scopes.
- `read-data-schema` still fails at runtime.

Test plan

- `pnpm build` — passes
- `pnpm test` — 811 tests pass (52 suites)
- `pnpm fix` — formatting clean

Created with PostHog Code
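
The scope surfaces and prerequisites described in this pull request can be checked mechanically for drift. The sketch below is an added example, not code from the wizard repository: apart from `notebook:write`, `event_definition:read` and `property_definition:read`, every scope name, the program key, the sample allowlist and README text, and all function names are constructed for illustration.

```typescript
// Added example. Only notebook:write, event_definition:read and
// property_definition:read come from the PR; all other names are constructed.
type Scope = string;
const PROVISIONING_SCOPES: Scope[] = [
  "notebook:write", "event_definition:read", "property_definition:read",
];
// Constructed stand-in for a login-only scope (not in the provisioning allowlist).
const LOGIN_ONLY_SCOPES: Scope[] = ["example_login_only:read"];
// Constructed per-program additions; the program key is hypothetical.
const PROGRAM_ADDITIONS: Record<string, Scope[]> = {
  "example-program": ["example_extra:read", "notebook:write"],
};
// Constructed inputs: an allowlist that predates the new scopes, a drifted README.
const SAMPLE_ALLOWLIST: Scope[] = ["notebook:write"];
const SAMPLE_README =
  "| `notebook:write` |\n| `event_definition:read` |\n| `old_scope:read` |";

// Compose the requested set for a program: deduplicated, order-preserving.
function scopesForProgram(program: string): Scope[] {
  const extra = PROGRAM_ADDITIONS[program] || [];
  return Array.from(new Set(PROVISIONING_SCOPES.concat(LOGIN_ONLY_SCOPES, extra)));
}

// Collect backticked `resource:action` tokens from README text.
function scopesInReadme(markdown: string): Scope[] {
  const found: Scope[] = [];
  const re = /`([a-z_]+:(?:read|write))`/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(markdown)) !== null) found.push(m[1]);
  return Array.from(new Set(found));
}

interface DriftReport {
  rejectedByBackend: Scope[]; // provisioning scopes missing from the backend allowlist
  undocumented: Scope[];      // requested but absent from the README
  staleInReadme: Scope[];     // documented but no longer requested
}

function checkScopeSurfaces(allowlist: Scope[], readme: string, program: string): DriftReport {
  const requested = scopesForProgram(program);
  const documented = scopesInReadme(readme);
  const missing = (xs: Scope[], ys: Scope[]) => xs.filter((x) => ys.indexOf(x) === -1);
  return {
    rejectedByBackend: missing(PROVISIONING_SCOPES, allowlist),
    undocumented: missing(requested, documented),
    staleInReadme: missing(documented, requested),
  };
}
```

A non-empty `rejectedByBackend` corresponds to the hard prerequisite above (the signup call rejecting unknown scopes), while `staleInReadme` flags documented scopes that operators may still be granting without need.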