feat(#245): detect classic PAT rejection and show guidance#275
feat(#245): detect classic PAT rejection and show guidance#275fullsend-ai-coder[bot] wants to merge 2 commits into
Conversation
When a GitHub org blocks classic personal access tokens, API calls return a 403 with a specific message. The CLI now detects this at the forge layer (ErrClassicPATForbidden sentinel) and wraps it with actionable guidance: token resolution order, required fine-grained PAT permissions, and the export command. Wrapped call sites: ListOrgRepos (admin + github), GetRepo (applyPerRepoScaffold, ensureConfigRepoExists, loadRepoConfig). Added docs section with token resolution order and permissions table. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
E2E tests did not runE2E tests run automatically for org/repo members and collaborators on pull requests. For other contributors, a maintainer must add the See E2E testing guide for details. |
|
🤖 Finished Review · ❌ Failure · Started 12:59 PM UTC · Completed 1:00 PM UTC |
|
/fs-review |
|
🤖 Finished Review · ✅ Success · Started 3:57 PM UTC · Completed 4:11 PM UTC |
ReviewFindingsLow
Previous runReviewVerdict: comment · non-blocking findings Clean, well-structured PR that correctly addresses both gaps in issue #245. The forge-layer sentinel follows the established Two findings worth noting for follow-up — neither blocks this PR. Findings1. Incomplete call-site coverage —
|
|
/fs-fix |
|
🤖 Finished Fix · ✅ Success · Started 5:38 PM UTC · Completed 5:51 PM UTC |
Move wrapClassicPATError from 5 per-call-site invocations to the top-level Execute() function, covering all current and future commands automatically. This addresses incomplete call-site coverage flagged in review. Also update isClassicPATForbiddenError to check Errors[] in addition to Message, matching the peer pattern used by isBranchProtectionError and isAlreadyExistsError. Addresses review feedback on #275
🔧 Fix agent — iteration 1 (human-triggered)Addressed both review findings. Centralized classic PAT error wrapping in Execute() to cover all commands (finding 1), and aligned isClassicPATForbiddenError with peer pattern by checking Errors[] (finding 2). Fixed (2):
Tests: passed Updated by fullsend fix agent |
|
🤖 Finished Review · ✅ Success · Started 5:53 PM UTC · Completed 6:07 PM UTC |
| export GH_TOKEN=github_pat_...` | ||
|
|
||
| // wrapClassicPATError prepends actionable guidance when the error | ||
| // indicates a classic PAT was rejected by the GitHub org. |
There was a problem hiding this comment.
[low] naming-convention
The function wrapClassicPATError could be named addClassicPATGuidance or withClassicPATGuidance to better reflect that it conditionally enriches an error with user-facing guidance rather than wrapping unconditionally. Mild preference, not a convention violation.
| // Execute runs the root command with the given context. | ||
| // wrapClassicPATError is applied here so every command gets guidance | ||
| // when a GitHub org blocks classic PATs — no per-call-site wrapping needed. | ||
| func Execute(ctx context.Context) error { |
There was a problem hiding this comment.
[low] error-handling-idiom
The root-level wrapping in Execute() applies classic PAT guidance to all commands, which is correct since the 403 can occur on any GitHub API call. The comment already documents this intent. Consider noting the deliberate contrast with ErrBranchProtected targeted wrapping in commitFilesTo for future maintainers.
When a GitHub org blocks classic personal access tokens, API calls return a 403 with a specific message. The CLI now detects this at the forge layer (ErrClassicPATForbidden sentinel) and wraps it with actionable guidance: token resolution order, required fine-grained PAT permissions, and the export command.
Wrapped call sites: ListOrgRepos (admin + github), GetRepo (applyPerRepoScaffold, ensureConfigRepoExists, loadRepoConfig). Added docs section with token resolution order and permissions table.
Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com
Closes #245
Post-script verification
agent/245-classic-pat-guidance)c776c248ac9a91f10998ca7107e974a6c9d76514..HEAD)