feat(auth): mb auth login --workspace requests a workspace-manager-scoped grant#34
feat(auth): mb auth login --workspace requests a workspace-manager-scoped grant#34escherize wants to merge 1 commit into
Conversation
…oped grant The scoped token is the containment primitive for Option B: a parent credential on an agent's machine that can only do workspace CRUD, enforced server-side by default-deny scope middleware. - scope threads through discovery gating, dynamic client registration, the authorize URL, the stored credential, and refresh (which sends no scope parameter, so a refresh can never widen the grant) - pre-scope profile records resolve to mb:full, which is what every legacy login was minted with - workspace login is browser-OAuth only: --api-key, MB_API_KEY, and non-TTY contexts are refused so a key can't masquerade as scoped - a 403 on a scope-narrowed profile is enriched to name the scope and the fix instead of a bare "Forbidden." Refs GHY-4053
|
Warning Review limit reached
Next review available in: 2 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (20)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@coderabbitai review |
Refs GHY-4053 (Linear). Pairs with the parent-side defscope (GHY-4055).
The scoped token is Option B's containment primitive: the parent credential on an agent's machine can only do workspace CRUD, and the narrowness is enforced server-side by Metabase's default-deny scope middleware — curl with the same token 403s identically. The flag itself is the human's setup step: every OAuth path needs a TTY + browser consent, so a headless agent can neither run it nor mint itself anything broader.
Why the shape it has
mb:workspace-managerinscopes_supported, else a clean "not supported" error), dynamic client registration, the authorize URL, the stored credential, and refresh.profiles.jsongainsoauth.scope; pre-scope records resolve tomb:full— a fact, not a guess, since every legacy login was minted with the hardcoded full scope. This field is what the stale-credential sweep (GHY-4054) reads next.--api-key,MB_API_KEY, non-TTY) so an unscoped API key can't masquerade as a scoped login.--workspace, or use a workspace profile) instead of a bare "Forbidden." — follows theenrichTransformCollectionErrorprecedent (HttpError → ConfigError, exit 2).Known limit
No server ships the workspace-manager defscope yet (GHY-4055), so against every real server the interactive scoped login currently ends at the friendly unsupported error. The browser→403-proof e2e joins the containment suite (GHY-4062) once 4055 lands.
Test plan
--api-key,MB_API_KEY) with exact messages; full suite green (366 passed / 2 skipped) including the real-PKCE oauth suite against the live stack.