Skip to content

docs(onboarding): gate Step 6.2 watch check on notifications token scope#333

Merged
serenakeyitan merged 2 commits intomainfrom
docs/onboarding-notifications-scope
Apr 23, 2026
Merged

docs(onboarding): gate Step 6.2 watch check on notifications token scope#333
serenakeyitan merged 2 commits intomainfrom
docs/onboarding-notifications-scope

Conversation

@serenakeyitan
Copy link
Copy Markdown
Contributor

@serenakeyitan serenakeyitan commented Apr 23, 2026

Fixes #332.

Problem

gh api /repos/<repo>/subscription returns 404 for every repo when the user's gh token lacks the notifications OAuth scope — which default gh auth login does not grant (typical scopes are admin:org, gist, repo, workflow). An agent following Step 6.2 on a default token would:

  1. Run the check → get 404.
  2. Conclude "not watching," tell the user to click Watch → All Activity.
  3. User already is watching, clicks again, refreshes, agent re-runs → still 404.
  4. Stuck.

Change

Step 6.2 now:

  1. Runs gh auth status | grep notifications first.
  2. If absent, tells the user to run gh auth refresh -h github.com -s notifications (interactive) and waits for confirmation.
  3. Only then runs the /subscription check.

Also added a Pitfalls bullet so agents skimming ahead still catch the trap.

Test plan

  • Read Step 6.2: flow is scope check → refresh if needed → subscription check.
  • Read Pitfalls bullet: explains 404-without-scope explicitly.
  • No changes outside skills/first-tree/references/onboarding.md.

Discovered during v0.2.15 onboarding test.

@serenakeyitan
docs(onboarding): gate Step 6.2 watch check on notifications token …
a5c83f7 
…scope

Fixes #332.

`gh api /repos/<repo>/subscription` returns 404 for every repo when the
user's token lacks the `notifications` OAuth scope — which default
`gh auth login` does not grant (`admin:org, gist, repo, workflow`).
An agent following Step 6.2 on a default token would:

1. Run the check → get 404.
2. Conclude "not watching," tell the user to click Watch.
3. User already is watching, clicks again, refreshes, reruns → still 404.
4. Stuck.

Change:
- Step 6.2 now checks `gh auth status` for the `notifications` scope
  first; if missing, instructs the user to run
  `gh auth refresh -h github.com -s notifications` (interactive) and
  wait for confirmation.
- Pitfalls section gains a bullet explaining the 404-without-scope
  trap, so agents that skim ahead still catch it.

Discovered during v0.2.15 onboarding test.
@yuezengwu yuezengwu added the breeze:wip breeze is actively working on it label Apr 23, 2026
yuezengwu
yuezengwu requested changes Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown

@yuezengwu yuezengwu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new scope gate still has a false-positive path: gh auth status 2>&1 | grep -i 'notifications' is not scoped to the active github.com account. On setups with multiple hosts or multiple stored accounts, that grep can match a different host/account that has the scope, so the agent skips the refresh and lands back in the same /subscription 404 loop for the account it is actually using. Please scope the check to the active github.com auth context (for example gh auth status --active --hostname github.com 2>&1 | grep -i 'notifications') and mirror that wording in the pitfalls note.

This reply was drafted by breeze, an autonomous agent running on behalf of the account owner.

Comment thread skills/first-tree/references/onboarding.md Outdated
watching or not:

```bash
gh auth status 2>&1 | grep -i 'notifications'
Copy link
Copy Markdown

@yuezengwu yuezengwu Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check is too broad for the problem you’re trying to solve. gh auth status reports all known hosts and, on a host, can include multiple stored accounts; a plain grep can succeed on some other host/account that has notifications while the active github.com account still lacks it. In that case the agent would skip the refresh and the later /subscription call would still 404. Please scope the probe to the active github.com auth context, e.g. gh auth status --active --hostname github.com 2>&1 | grep -i 'notifications'.

@yuezengwu yuezengwu added breeze:done breeze has finished handling it and removed breeze:wip breeze is actively working on it labels Apr 23, 2026
@serenakeyitan
docs(onboarding): scope notifications-scope check to active github.co…
045ad06 
…m account

Addresses review feedback on #333.

On gh setups with multiple hosts or multiple stored accounts, a bare
`gh auth status | grep notifications` can match a scope on a different
host/account than the one `gh api` will actually use, letting the agent
skip the refresh and loop back on the same 404.

Change both the Step 6.2 check and the Pitfalls bullet to use
`gh auth status --active --hostname github.com` so the grep only sees
the active github.com account's token scopes.
@serenakeyitan
Copy link
Copy Markdown
Contributor Author

serenakeyitan commented Apr 23, 2026

Thanks — good catch. Pushed 045ad06 scoping both the Step 6.2 check and the Pitfalls bullet to gh auth status --active --hostname github.com so the grep only sees the active github.com account's token scopes. Verified against my own multi-output gh auth status — the scoped form cleanly returns just the active account's block.

yuezengwu
yuezengwu approved these changes Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown

@yuezengwu yuezengwu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — 045ad06 scopes both the Step 6.2 check and the Pitfalls bullet to gh auth status --active --hostname github.com, which closes the multi-host / multi-account false-positive path. Thanks for the quick turnaround.

This reply was drafted by breeze, an autonomous agent running on behalf of the account owner.

@serenakeyitan serenakeyitan merged commit 07e6b08 into main Apr 23, 2026
1 of 2 checks passed
@serenakeyitan serenakeyitan deleted the docs/onboarding-notifications-scope branch April 23, 2026 21:46
@serenakeyitan serenakeyitan mentioned this pull request Apr 23, 2026
Merged
1 task
serenakeyitan added a commit that referenced this pull request Apr 23, 2026
@serenakeyitan
chore(release): 0.2.16 (#334)
e5451da 
## Summary
Docs-only patch release so npm users get the updated onboarding
narrative bundled into `first-tree tree help onboarding`.

Unreleased since v0.2.15:
- #333 — gate Step 6.2 watch check on notifications token scope (fixes
#332)

## Test plan
- [x] `pnpm release:check` green locally (version:check, validate:skill,
typecheck, test, build, test:dist, test:release)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yuezengwu yuezengwu yuezengwu approved these changes

Assignees

No one assigned

Labels

breeze:done breeze has finished handling it

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Onboarding Step 6.2: gh api /subscription check fails with 404 without notifications token scope

2 participants

@serenakeyitan @yuezengwu