
fix: request llm_gateway:read scope during signup provisioning #435

Open
MattBro wants to merge 2 commits into main from matt/fix-signup-llm-gateway-scope

Conversation


@MattBro MattBro commented May 5, 2026

Problem

The wizard's --signup flow exits with a 401 ("Authentication failed") immediately after provisioning succeeds, so nothing is ever written into the user's project. Repro:

mkdir /tmp/ph-test && cd /tmp/ph-test && npm init -y
npx @posthog/wizard --signup --email someone+test@example.com --region us

/tmp/posthog-wizard.log shows the chain:

[provisioning] starting account creation
[provisioning] account created, exchanging code for tokens
[provisioning] tokens received, provisioning resources
[provisioning] resources provisioned successfully
...
Failed to authenticate. API Error: 401 {"detail":"Authentication required"}
Agent error: 401, showing auth error screen

Account + project + PAT are all created server-side, but the agent step that writes the SDK integration immediately bails on the first call to gateway.us.posthog.com/wizard.

Root cause: provisionNewAccount in src/utils/provisioning.ts POSTs to /api/agentic/provisioning/account_requests with no scopes field. The PostHog backend (ee/api/agentic_provisioning/views.py:315) defaults to [], _validate_scopes short-circuits empty lists as valid, and the issued OAuth token gets minted with zero scopes. The LLM gateway requires llm_gateway:read, so the agent's first request 401s.

The non-signup OAuth path in setup-utils.ts:491 already requests the right scopes (including llm_gateway:read); the signup path was just never updated to match.

Changes

  • Extract two scope constants in src/lib/constants.ts:
    • WIZARD_PROVISIONING_SCOPES — the 6 scopes the wizard needs that are also in the backend's ALLOWED_PROVISIONING_SCOPES allowlist.
    • WIZARD_OAUTH_SCOPES — superset that adds introspection and health_issue:read, which only apply to the OAuth login path (not in the provisioning allowlist).
  • Pass scopes: WIZARD_PROVISIONING_SCOPES in the account_requests body in provisionNewAccount.
  • Replace the inline scope list in setup-utils.ts with the new constant so the two paths can't drift again.
  • Test asserts the new scopes field is present on the outgoing request.

The provisioning subset deliberately excludes introspection and health_issue:read because they are not in ALLOWED_PROVISIONING_SCOPES (posthog/posthog ee/api/agentic_provisioning/views.py:2033-2052). If the wizard ever needs them on the signup path, they need to be added to that allowlist first.

Test plan

  • Existing provisionNewAccount tests still pass (pnpm exec jest src/utils/__tests__/provisioning.test.ts)
  • New assertion that scopes includes llm_gateway:read, project:read, user:read
  • pnpm typecheck
  • pnpm lint (no new errors; existing warnings only)
  • Manual: rerun npx @posthog/wizard --signup --email <fresh>@gmail.com --region us against a built copy of this branch and confirm the agent step proceeds past auth and writes the SDK integration into the project. (Will verify after merge or via local link.)

The wizard's --signup path was minting OAuth tokens with no scopes, so
the agent step's call to gateway.us.posthog.com/wizard returned 401
"Authentication required" and the wizard exited before writing the SDK
integration into the project.

Extract the wizard's required scopes into shared constants and pass them
to /api/agentic/provisioning/account_requests. The provisioning subset
intentionally excludes introspection and health_issue:read since those
are not in ALLOWED_PROVISIONING_SCOPES on the backend.

github-actions Bot commented May 5, 2026

🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

  • /wizard-ci all

Test all apps in a directory:

  • /wizard-ci basic-integration
  • /wizard-ci misc
  • /wizard-ci revenue

Test an individual app:

  • /wizard-ci basic-integration/android
  • /wizard-ci basic-integration/angular
  • /wizard-ci basic-integration/astro
  • /wizard-ci basic-integration/django
  • /wizard-ci basic-integration/fastapi
  • /wizard-ci basic-integration/flask
  • /wizard-ci basic-integration/javascript-node
  • /wizard-ci basic-integration/javascript-web
  • /wizard-ci basic-integration/laravel
  • /wizard-ci basic-integration/next-js
  • /wizard-ci basic-integration/nuxt
  • /wizard-ci basic-integration/python
  • /wizard-ci basic-integration/rails
  • /wizard-ci basic-integration/react-native
  • /wizard-ci basic-integration/react-router
  • /wizard-ci basic-integration/sveltekit
  • /wizard-ci basic-integration/swift
  • /wizard-ci basic-integration/tanstack-router
  • /wizard-ci basic-integration/tanstack-start
  • /wizard-ci basic-integration/vue
  • /wizard-ci misc/quack-quack
  • /wizard-ci revenue/stripe

Results will be posted here when complete.

Address self-review feedback:
- Document why each scope in WIZARD_PROVISIONING_SCOPES is needed (the
  agent step's actual usage), pre-empting least-privilege questions on
  dashboard:write and insight:write.
- Switch the provisioning test from arrayContaining to exact-array
  equality so adding/removing a scope without updating the test fails
  loudly.
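The scope handling this PR describes (the provisioning subset versus the OAuth superset, the backend's empty-list short-circuit that mints a zero-scope token, the gateway's llm_gateway:read requirement, and the exact-array test from the second commit), as an added TypeScript example that is not code from posthog/wizard or the PostHog backend. The scope names are those the PR mentions; the sixth provisioning scope is not named on this page, so the list is partial, and ALLOWED_PROVISIONING_SCOPES, validateScopesStrict and gatewayStatus are constructed stand-ins.

```typescript
// Added example, not code from posthog/wizard or the PostHog backend.
// Scope names are the ones the PR mentions; the sixth provisioning scope is not
// named on the page, so this list is deliberately partial.
const WIZARD_PROVISIONING_SCOPES: readonly string[] = [
  "llm_gateway:read", "project:read", "user:read", "dashboard:write", "insight:write",
];
// OAuth login superset: adds two scopes that are NOT in the provisioning allowlist.
const WIZARD_OAUTH_SCOPES: readonly string[] = [
  ...WIZARD_PROVISIONING_SCOPES, "introspection", "health_issue:read",
];
// Constructed stand-in for the backend's ALLOWED_PROVISIONING_SCOPES allowlist.
const ALLOWED_PROVISIONING_SCOPES = new Set<string>(WIZARD_PROVISIONING_SCOPES);

interface AccountRequestBody { email: string; region: string; scopes?: string[] }

// Client side (the fix): the account_requests body always carries the provisioning subset.
function buildAccountRequest(email: string, region: string): AccountRequestBody {
  return { email, region, scopes: [...WIZARD_PROVISIONING_SCOPES] };
}

// Backend behaviour as the PR describes the bug: a missing/empty scopes field is
// accepted as valid, so the token is minted with zero scopes.
function validateScopesBuggy(scopes: string[] = []): string[] {
  if (scopes.length === 0) return scopes;
  if (!scopes.every((s) => ALLOWED_PROVISIONING_SCOPES.has(s))) throw new Error("scope not allowed");
  return scopes;
}

// Hardened validator (an assumption, not the backend's actual change): reject an empty
// list too, so a client that forgets the field cannot receive a zero-scope token.
function validateScopesStrict(scopes: string[] = []): string[] {
  if (scopes.length === 0) throw new Error("scopes must be non-empty");
  const rejected = scopes.filter((s) => !ALLOWED_PROVISIONING_SCOPES.has(s));
  if (rejected.length > 0) throw new Error(`scopes not allowed: ${rejected.join(", ")}`);
  return scopes;
}

// Gateway-side check as the PR describes it: /wizard needs llm_gateway:read, else 401.
function gatewayStatus(tokenScopes: string[]): number {
  return tokenScopes.includes("llm_gateway:read") ? 200 : 401;
}

// Test helper from the second commit: exact-array equality, so any drift between the
// request body and the constant fails loudly instead of passing via arrayContaining.
function scopesMatchExactly(actual: readonly string[] | undefined, expected: readonly string[]): boolean {
  return actual !== undefined && actual.length === expected.length && actual.every((s, i) => s === expected[i]);
}
```

Running validateScopesStrict over WIZARD_OAUTH_SCOPES throws on introspection, which is the drift the PR's caveat warns about: the superset must never be sent on the signup path until the backend allowlist is widened.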
@MattBro MattBro marked this pull request as ready for review May 5, 2026 17:24