Where
skills/first-tree/references/onboarding.md Step 6.2 (from PR #326, merged into v0.2.15):
gh api /repos/<source-repo>/subscription
# 200 → watching
# 404 → not watching
Problem
On a default gh auth login setup, the user's token does not include the notifications OAuth scope. With default scopes (e.g. admin:org, gist, repo, workflow), /subscription returns 404 for every repo, whether watching or not. The agent following this doc will:
- Run the check → get 404.
- Conclude "not watching," tell the user to click Watch → All Activity.
- User already is watching, clicks again, refreshes, reruns → still 404.
- Stuck.
Repro on a token lacking notifications:
$ gh auth status 2>&1 | grep scope
Token scopes: 'admin:org', 'gist', 'repo', 'workflow'
$ gh api /repos/paperclipai/paperclip/subscription
{"message":"Not Found","status":"404"}
$ # user IS watching the repo — verified via the GitHub UI
gh itself tells you: "This API operation needs the notifications scope. To request it, run: gh auth refresh -h github.com -s notifications" — but that's only when gh can see it's being called without scope. From a raw gh api call, it just returns 404.
Suggested fix
Update Step 6.2 to:
- Check scope first:
gh auth status 2>&1 | grep -i 'notifications'. If absent, instruct the user to run gh auth refresh -h github.com -s notifications (interactive) and re-run the check.
- Only treat 404 as "not watching" after confirming the token has
notifications scope.
Alternative: skip the programmatic watch check entirely and just ask the user to visit https://github.com/<source-repo> and confirm they see "Unwatch" rather than "Watch" on the repo page. That's low-tech but avoids the scope hurdle, and ~95% of users will be watching (or easily verifiable visually).
Env
- Discovered during v0.2.15 onboarding test (2026-04-23).
- Tree: serenakeyitan/paperclip-tree, source: paperclipai/paperclip.
- Token: default
gh auth login scopes.
/cc @serenakeyitan
Where
skills/first-tree/references/onboarding.mdStep 6.2 (from PR #326, merged into v0.2.15):Problem
On a default
gh auth loginsetup, the user's token does not include thenotificationsOAuth scope. With default scopes (e.g.admin:org, gist, repo, workflow),/subscriptionreturns 404 for every repo, whether watching or not. The agent following this doc will:Repro on a token lacking
notifications:ghitself tells you: "This API operation needs thenotificationsscope. To request it, run:gh auth refresh -h github.com -s notifications" — but that's only whenghcan see it's being called without scope. From a rawgh apicall, it just returns 404.Suggested fix
Update Step 6.2 to:
gh auth status 2>&1 | grep -i 'notifications'. If absent, instruct the user to rungh auth refresh -h github.com -s notifications(interactive) and re-run the check.notificationsscope.Alternative: skip the programmatic watch check entirely and just ask the user to visit
https://github.com/<source-repo>and confirm they see "Unwatch" rather than "Watch" on the repo page. That's low-tech but avoids the scope hurdle, and ~95% of users will be watching (or easily verifiable visually).Env
gh auth loginscopes./cc @serenakeyitan