Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: Add list-scopes command to show required OAuth scopes#1487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
SamMorrowDrums wants to merge1 commit intoSamMorrowDrums/oauth-scopes-phase2
base:SamMorrowDrums/oauth-scopes-phase2
Choose a base branch
Loading
fromSamMorrowDrums/oauth-scopes-phase3
Open
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
364 changes: 364 additions & 0 deletionscmd/github-mcp-server/list_scopes.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,364 @@
package main

import (
"context"
"encoding/json"
"fmt"
"os"
"sort"
"strings"

"github.com/github/github-mcp-server/pkg/github"
"github.com/github/github-mcp-server/pkg/lockdown"
"github.com/github/github-mcp-server/pkg/raw"
"github.com/github/github-mcp-server/pkg/scopes"
"github.com/github/github-mcp-server/pkg/toolsets"
"github.com/github/github-mcp-server/pkg/translations"
gogithub "github.com/google/go-github/v79/github"
"github.com/shurcooL/githubv4"
"github.com/spf13/cobra"
"github.com/spf13/viper"
)

// ToolScopeInfo contains scope information for a single tool.
type ToolScopeInfo struct {
Name string `json:"name"`
Toolset string `json:"toolset"`
ReadOnly bool `json:"read_only"`
RequiredScopes []string `json:"required_scopes"`
AcceptedScopes []string `json:"accepted_scopes,omitempty"`
}

// ScopesOutput is the full output structure for the list-scopes command.
type ScopesOutput struct {
Tools []ToolScopeInfo `json:"tools"`
UniqueScopes []string `json:"unique_scopes"`
ScopesByTool map[string][]string `json:"scopes_by_tool"`
ToolsByScope map[string][]string `json:"tools_by_scope"`
EnabledToolsets []string `json:"enabled_toolsets"`
ReadOnly bool `json:"read_only"`
}

var listScopesCmd = &cobra.Command{
Use: "list-scopes",
Short: "List required OAuth scopes for enabled tools",
Long: `List the required OAuth scopes for all enabled tools.

This command creates a toolset group based on the same flags as the stdio command
and outputs the required OAuth scopes for each enabled tool. This is useful for
determining what scopes a token needs to use specific tools.

The output format can be controlled with the --output flag:
- text (default): Human-readable text output
- json: JSON output for programmatic use
- summary: Just the unique scopes needed

Examples:
# List scopes for default toolsets
github-mcp-server list-scopes

# List scopes for specific toolsets
github-mcp-server list-scopes --toolsets=repos,issues,pull_requests

# List scopes for all toolsets
github-mcp-server list-scopes --toolsets=all

# Output as JSON
github-mcp-server list-scopes --output=json

# Just show unique scopes needed
github-mcp-server list-scopes --output=summary`,
RunE: func(_ *cobra.Command, _ []string) error {
return runListScopes()
},
}

func init() {
listScopesCmd.Flags().StringP("output", "o", "text", "Output format: text, json, or summary")
_ = viper.BindPFlag("list-scopes-output", listScopesCmd.Flags().Lookup("output"))

rootCmd.AddCommand(listScopesCmd)
}

// mockScopesGetClient returns a mock GitHub client for scope listing.
func mockScopesGetClient(_ context.Context) (*gogithub.Client, error) {
return gogithub.NewClient(nil), nil
}

// mockScopesGetGQLClient returns a mock GraphQL client for scope listing.
func mockScopesGetGQLClient(_ context.Context) (*githubv4.Client, error) {
return githubv4.NewClient(nil), nil
}

// mockScopesGetRawClient returns a mock raw client for scope listing.
func mockScopesGetRawClient(_ context.Context) (*raw.Client, error) {
return nil, nil
}

func runListScopes() error {
// Get toolsets configuration (same logic as stdio command)
var enabledToolsets []string
if err := viper.UnmarshalKey("toolsets", &enabledToolsets); err != nil {
return fmt.Errorf("failed to unmarshal toolsets: %w", err)
}

// No passed toolsets configuration means we enable the default toolset
if len(enabledToolsets) == 0 {
enabledToolsets = []string{github.ToolsetMetadataDefault.ID}
}

readOnly := viper.GetBool("read-only")
outputFormat := viper.GetString("list-scopes-output")

// Create translation helper
t, _ := translations.TranslationHelper()

// Create toolset group with mock clients (no actual API calls needed)
repoAccessCache := lockdown.GetInstance(nil)
tsg := github.DefaultToolsetGroup(readOnly, mockScopesGetClient, mockScopesGetGQLClient, mockScopesGetRawClient, t, 5000, github.FeatureFlags{}, repoAccessCache)

// Process enabled toolsets (same logic as server.go)
// If "all" is present, override all other toolsets
if github.ContainsToolset(enabledToolsets, github.ToolsetMetadataAll.ID) {
enabledToolsets = []string{github.ToolsetMetadataAll.ID}
}
// If "default" is present, expand to real toolset IDs
if github.ContainsToolset(enabledToolsets, github.ToolsetMetadataDefault.ID) {
enabledToolsets = github.AddDefaultToolset(enabledToolsets)
}
Comment on lines +120 to +128

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The toolset processing logic is missing a call togithub.CleanToolsets() that exists in the stdio command (seeinternal/ghmcp/server.go line 102). This function:

  1. Removes whitespace from toolset names
  2. Removes duplicates
  3. Validates toolset names and identifies invalid ones

Without this, the command may behave inconsistently with the stdio command when users provide invalid or malformed toolset names. Add the CleanToolsets call before processing special keywords:

// Clean up the passed toolsetsenabledToolsets,invalidToolsets:=github.CleanToolsets(enabledToolsets)// Optionally warn about invalid toolsets (like server.go does)iflen(invalidToolsets)>0 {fmt.Fprintf(os.Stderr,"Invalid toolsets ignored: %s\n",strings.Join(invalidToolsets,", "))}// If "all" is present, override all other toolsetsifgithub.ContainsToolset(enabledToolsets,github.ToolsetMetadataAll.ID) {enabledToolsets= []string{github.ToolsetMetadataAll.ID}}// ...

Copilot uses AI. Check for mistakes.

// Enable the requested toolsets
err := tsg.EnableToolsets(enabledToolsets, nil)
if err != nil {
return fmt.Errorf("failed to enable toolsets: %w", err)
}

// Collect all tools and their scopes
output := collectToolScopes(tsg, enabledToolsets, readOnly)

// Output based on format
switch outputFormat {
case "json":
return outputJSON(output)
case "summary":
return outputSummary(output)
default:
return outputText(output)
}
}

func collectToolScopes(tsg *toolsets.ToolsetGroup, enabledToolsets []string, readOnly bool) ScopesOutput {
var tools []ToolScopeInfo
scopeSet := make(map[string]bool)
scopesByTool := make(map[string][]string)
toolsByScope := make(map[string][]string)

// Get all toolset names and sort them for consistent output
var toolsetNames []string
for name := range tsg.Toolsets {
if name != "dynamic" { // Skip dynamic toolset
toolsetNames = append(toolsetNames, name)
}
}
sort.Strings(toolsetNames)

for _, toolsetName := range toolsetNames {
toolset := tsg.Toolsets[toolsetName]
if !toolset.Enabled {
continue
}

// Get active tools (respects read-only setting)
activeTools := toolset.GetActiveTools()

for _, serverTool := range activeTools {
tool := serverTool.Tool

// Extract scopes from tool metadata
requiredScopes := scopes.GetScopesFromMeta(tool.Meta)
requiredScopeStrs := scopes.ScopeStrings(requiredScopes)

// Calculate accepted scopes (scopes that also satisfy the requirement due to hierarchy)
acceptedScopeStrs := []string{}
for _, reqScope := range requiredScopes {
accepted := scopes.GetAcceptedScopes(reqScope)
for _, accScope := range accepted {
if accScope != reqScope { // Don't duplicate the required scope
accStr := accScope.String()
// Avoid duplicates
found := false
for _, existing := range acceptedScopeStrs {
if existing == accStr {
found = true
break
}
}
if !found {
acceptedScopeStrs = append(acceptedScopeStrs, accStr)
}
}
}
}
Comment on lines +182 to +201

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The manual deduplication ofacceptedScopeStrs using nested loops is O(n²) and could be simplified for better maintainability and performance. Consider using a map for deduplication:

// Calculate accepted scopes (scopes that also satisfy the requirement due to hierarchy)acceptedScopeMap:=make(map[string]bool)for_,reqScope:=rangerequiredScopes {accepted:=scopes.GetAcceptedScopes(reqScope)for_,accScope:=rangeaccepted {ifaccScope!=reqScope {// Don't duplicate the required scopeacceptedScopeMap[accScope.String()]=true        }    }}acceptedScopeStrs:=make([]string,0,len(acceptedScopeMap))forscope:=rangeacceptedScopeMap {acceptedScopeStrs=append(acceptedScopeStrs,scope)}sort.Strings(acceptedScopeStrs)

This approach is more efficient and clearer in intent.

Suggested change
acceptedScopeStrs:= []string{}
for_,reqScope:=rangerequiredScopes {
accepted:=scopes.GetAcceptedScopes(reqScope)
for_,accScope:=rangeaccepted {
ifaccScope!=reqScope {// Don't duplicate the required scope
accStr:=accScope.String()
// Avoid duplicates
found:=false
for_,existing:=rangeacceptedScopeStrs {
ifexisting==accStr {
found=true
break
}
}
if!found {
acceptedScopeStrs=append(acceptedScopeStrs,accStr)
}
}
}
}
// Calculate accepted scopes (scopes that also satisfy the requirement due to hierarchy)
acceptedScopeMap:=make(map[string]bool)
for_,reqScope:=rangerequiredScopes {
accepted:=scopes.GetAcceptedScopes(reqScope)
for_,accScope:=rangeaccepted {
ifaccScope!=reqScope {// Don't duplicate the required scope
acceptedScopeMap[accScope.String()]=true
}
}
}
acceptedScopeStrs:=make([]string,0,len(acceptedScopeMap))
forscope:=rangeacceptedScopeMap {
acceptedScopeStrs=append(acceptedScopeStrs,scope)
}

Copilot uses AI. Check for mistakes.
sort.Strings(acceptedScopeStrs)

// Determine if tool is read-only
isReadOnly := tool.Annotations != nil && tool.Annotations.ReadOnlyHint

toolInfo := ToolScopeInfo{
Name: tool.Name,
Toolset: toolsetName,
ReadOnly: isReadOnly,
RequiredScopes: requiredScopeStrs,
AcceptedScopes: acceptedScopeStrs,
}
tools = append(tools, toolInfo)

// Track unique scopes
for _, s := range requiredScopeStrs {
scopeSet[s] = true
toolsByScope[s] = append(toolsByScope[s], tool.Name)
}

// Track scopes by tool
scopesByTool[tool.Name] = requiredScopeStrs
}
}

// Sort tools by name
sort.Slice(tools, func(i, j int) bool {
return tools[i].Name < tools[j].Name
})

// Get unique scopes as sorted slice
var uniqueScopes []string
for s := range scopeSet {
uniqueScopes = append(uniqueScopes, s)
}
sort.Strings(uniqueScopes)

// Sort tools within each scope
for scope := range toolsByScope {
sort.Strings(toolsByScope[scope])
}

return ScopesOutput{
Tools: tools,
UniqueScopes: uniqueScopes,
ScopesByTool: scopesByTool,
ToolsByScope: toolsByScope,
EnabledToolsets: enabledToolsets,
ReadOnly: readOnly,
}
}

func outputJSON(output ScopesOutput) error {
encoder := json.NewEncoder(os.Stdout)
encoder.SetIndent("", " ")
return encoder.Encode(output)
}

func outputSummary(output ScopesOutput) error {
if len(output.UniqueScopes) == 0 {
fmt.Println("No OAuth scopes required for enabled tools.")
return nil
}

fmt.Println("Required OAuth scopes for enabled tools:")
fmt.Println()
for _, scope := range output.UniqueScopes {
if scope == "" {
fmt.Println(" (no scope required for public read access)")
} else {
fmt.Printf(" %s\n", scope)
}
}
fmt.Printf("\nTotal: %d unique scope(s)\n", len(output.UniqueScopes))
return nil
}

func outputText(output ScopesOutput) error {
fmt.Printf("OAuth Scopes for Enabled Tools\n")
fmt.Printf("==============================\n\n")

fmt.Printf("Enabled Toolsets: %s\n", strings.Join(output.EnabledToolsets, ", "))
fmt.Printf("Read-Only Mode: %v\n\n", output.ReadOnly)

// Group tools by toolset
toolsByToolset := make(map[string][]ToolScopeInfo)
for _, tool := range output.Tools {
toolsByToolset[tool.Toolset] = append(toolsByToolset[tool.Toolset], tool)
}

// Get sorted toolset names
var toolsetNames []string
for name := range toolsByToolset {
toolsetNames = append(toolsetNames, name)
}
sort.Strings(toolsetNames)

for _, toolsetName := range toolsetNames {
tools := toolsByToolset[toolsetName]
fmt.Printf("## %s\n\n", formatToolsetNameForOutput(toolsetName))

for _, tool := range tools {
rwIndicator := "📝"
if tool.ReadOnly {
rwIndicator = "👁"
}

scopeStr := "(no scope required)"
if len(tool.RequiredScopes) > 0 {
scopeStr = strings.Join(tool.RequiredScopes, ", ")
}

fmt.Printf(" %s %s: %s\n", rwIndicator, tool.Name, scopeStr)
}
fmt.Println()
}

// Summary
fmt.Println("## Summary")
fmt.Println()
if len(output.UniqueScopes) == 0 {
fmt.Println("No OAuth scopes required for enabled tools.")
} else {
fmt.Println("Unique scopes required:")
for _, scope := range output.UniqueScopes {
if scope == "" {
fmt.Println(" • (no scope - public read access)")
} else {
fmt.Printf(" • %s\n", scope)
}
}
}
fmt.Printf("\nTotal: %d tools, %d unique scopes\n", len(output.Tools), len(output.UniqueScopes))

// Legend
fmt.Println("\nLegend: 👁 = read-only, 📝 = read-write")

return nil
}

func formatToolsetNameForOutput(name string) string {
switch name {
case "pull_requests":
return "Pull Requests"
case "repos":
return "Repositories"
case "code_security":
return "Code Security"
case "secret_protection":
return "Secret Protection"
case "orgs":
return "Organizations"
default:
// Capitalize first letter and replace underscores with spaces
parts := strings.Split(name, "_")
for i, part := range parts {
if len(part) > 0 {
parts[i] = strings.ToUpper(string(part[0])) + part[1:]
}
}
return strings.Join(parts, " ")
}
}
24 changes: 24 additions & 0 deletionsscript/list-scopes
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
#!/bin/bash
#
# List required OAuth scopes for enabled tools.
#
# Usage:
# script/list-scopes [--toolsets=...] [--output=text|json|summary]
#
# Examples:
# script/list-scopes
# script/list-scopes --toolsets=all --output=json
# script/list-scopes --toolsets=repos,issues --output=summary
#

set -e

cd "$(dirname "$0")/.."

# Build the server if it doesn't exist or is outdated
if [ ! -f github-mcp-server ] || [ cmd/github-mcp-server/list_scopes.go -nt github-mcp-server ]; then
echo "Building github-mcp-server..." >&2
go build -o github-mcp-server ./cmd/github-mcp-server
fi

exec ./github-mcp-server list-scopes "$@"
Comment on lines +18 to +24

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

[nitpick] The conditional build check may not detect all necessary rebuilds (e.g., when dependencies in other packages change). For consistency with other scripts likescript/generate-docs, consider usinggo run instead:

exec go run ./cmd/github-mcp-server list-scopes"$@"

This approach is simpler, always ensures up-to-date code execution, and aligns with the project's script patterns. The build time overhead is minimal (~1s according to the guidelines).

Suggested change
# Build the server if it doesn't exist or is outdated
if [ ! -f github-mcp-server ] || [ cmd/github-mcp-server/list_scopes.go -nt github-mcp-server ]; then
echo "Building github-mcp-server..." >&2
go build -o github-mcp-server ./cmd/github-mcp-server
fi
exec ./github-mcp-server list-scopes "$@"
# Always run the latest code, consistent with other scripts
exec go run ./cmd/github-mcp-server list-scopes "$@"

Copilot uses AI. Check for mistakes.
Loading
[8]ページ先頭
©2009-2025 Movatter.jp