Skip to content

Add failing tests for issue #466: OAuth all-repo access #467

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
prompt-driven-github wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add failing tests for issue #466: OAuth all-repo access #467

prompt-driven-github wants to merge 1 commit into from

Conversation

@prompt-driven-github
Copy link
Contributor

@prompt-driven-github prompt-driven-github bot commented Feb 4, 2026

Summary

Adds failing tests that detect the bug reported in #466 where PDD CLI requests access to ALL repositories instead of allowing selective repository access.

Test Files

  • Unit test: tests/test_get_jwt_token.py
  • E2E test: tests/test_e2e_issue_466_oauth_all_repo_scope.py

What This PR Contains

  • Unit tests that verify the OAuth scope "repo,user" is hardcoded at pdd/get_jwt_token.py:251
  • E2E tests that verify the complete authentication flow uses OAuth Apps which fundamentally cannot support selective repository access
  • Tests are verified to document the current buggy behavior

Root Cause

PDD CLI uses GitHub OAuth Apps with the repo,user scope, which by architectural design grants access to ALL repositories. This is a fundamental limitation of GitHub OAuth Apps that cannot be worked around by changing scopes. The repo OAuth scope always means "all repositories the user can access" - there is no OAuth scope that provides selective repository access.

Location: pdd/get_jwt_token.py:251 - The DeviceFlow class hardcodes scope = "repo,user"

Solution Required: Migrate from OAuth App to GitHub App for CLI authentication, which would allow users to install the app and select specific repositories during installation.

Test Behavior

These are regression tests that document the current buggy behavior:

  • Unit tests verify the hardcoded OAuth scope configuration
  • E2E tests verify the authentication flow behavior at the system level
  • After implementing the fix (migrating to GitHub Apps), these tests will need to be updated to verify the new selective access functionality

Next Steps

  1. Implement the fix by migrating from OAuth App to GitHub App authentication
  2. Update the tests to verify selective repository access works
  3. Verify both unit and E2E tests pass with the fix
  4. Run full test suite to check for regressions
  5. Mark PR as ready for review

Fixes #466

Generated by PDD agentic bug workflow - Step 10

@pdd-bot @claude
Add failing tests for issue #466: OAuth all-repo access
0c6f5f2 
This commit adds comprehensive test coverage to detect the bug where
PDD CLI requests access to ALL repositories instead of allowing
selective repository access.

Unit tests:
- tests/test_get_jwt_token.py: Verify OAuth scope "repo,user" is
  hardcoded at pdd/get_jwt_token.py:251

E2E tests:
- tests/test_e2e_issue_466_oauth_all_repo_scope.py: Verify the
  complete authentication flow uses OAuth Apps which cannot support
  selective repository access

These are regression tests that document the current buggy behavior.
After the fix (migrating to GitHub Apps), these tests will need to
be updated to verify the new selective access functionality.

Related to #466

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@prompt-driven-github prompt-driven-github bot mentioned this pull request Feb 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

pdd cli cloud requests access to ALL repos instead of selective

1 participant

@pdd-bot