github-mcp-server icon indicating copy to clipboard operation
github-mcp-server copied to clipboard
verified publisher icon github

feat: Add list-scopes command to show required OAuth scopes

Open SamMorrowDrums opened this issue 1 month ago • 1 comments

Summary

Adds a new list-scopes subcommand that outputs the required OAuth scopes for all enabled tools. This helps users determine what scopes their token needs to use specific tools.

Part 3 of the OAuth scopes work:

  • PR #1485: Phase 1 - OAuth scopes on tool metadata
  • PR #1486: Phase 2 - Fine-grained permissions documentation
  • This PR: Phase 3 - list-scopes command

Changes

  • Add cmd/github-mcp-server/list_scopes.go - new subcommand
  • Add script/list-scopes - convenience wrapper script

Features

  • Respects all toolset configuration flags (--toolsets, --read-only)
  • Three output formats: text (default), json, summary
  • JSON output includes: tools, unique_scopes, scopes_by_tool, tools_by_scope
  • Calculates accepted scopes (parent scopes that satisfy requirements)

Usage Examples

# List scopes for default toolsets
github-mcp-server list-scopes

# List scopes for specific toolsets  
github-mcp-server list-scopes --toolsets=repos,issues,pull_requests

# List scopes for all toolsets
github-mcp-server list-scopes --toolsets=all

# Output as JSON (for programmatic use)
github-mcp-server list-scopes --output=json

# Just show unique scopes needed
github-mcp-server list-scopes --output=summary

# Read-only mode (excludes write tools)
github-mcp-server list-scopes --read-only --output=summary

Example Output

$ github-mcp-server list-scopes --output=summary
Required OAuth scopes for enabled tools:

  (no scope required for public read access)
  read:org
  repo

Total: 3 unique scope(s)

Testing

  • script/lint - 0 issues
  • script/test - All tests pass

SamMorrowDrums avatar Nov 25 '25 13:11 SamMorrowDrums

Note: By default (without --toolsets), the command shows scopes for the default toolset (context, repos, issues, pull_requests, users):

$ ./github-mcp-server list-scopes --output=summary
Required OAuth scopes for enabled tools:

  (no scope required for public read access)
  read:org
  repo

Total: 3 unique scope(s)

Compare this to all toolsets:

$ ./github-mcp-server list-scopes --toolsets=all --output=summary
Required OAuth scopes for enabled tools:

  (no scope required for public read access)
  gist
  notifications
  project
  public_repo
  read:org
  read:project
  repo
  security_events

Total: 9 unique scope(s)

This matches the same default behavior as the stdio command.

SamMorrowDrums avatar Nov 25 '25 13:11 SamMorrowDrums