[BB-1013] fix pagination for scope

[MarcusGoldschmidt]

Fix pagination when --sync-permission is set as true

Summary by CodeRabbit

• Bug Fixes
  • Fixed pagination token generation in role grants so the next-token reflects the correct state.
• Refactor
  • Scope/resource identifiers now use ":" as the separator (e.g., server:resource) instead of "/" — this changes how scope IDs are produced and displayed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Two changes: a bag.Pop() was added in pkg/connector/roles.go before marshaling the next pagination token, altering pagination bag state; pkg/connector/scopes.go changes formatScopeId to produce IDs using a colon (:) separator instead of a slash (/).

Changes

Cohort / File(s)	Summary
Pagination state fix pkg/connector/roles.go	Inserted bag.Pop() before marshaling the next pagination token in Grants for scopeResourceType.Id, removing the last pushed page state prior to token generation.
Scope ID format change pkg/connector/scopes.go	formatScopeId now formats scope IDs as "<server.Identifier>:<resourceServer.Value>" (colon separator) instead of "<server.Identifier>/<resourceServer.Value>" (slash).

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Connector
  participant Bag
  rect rgb(230,245,255)
    Note over Connector,Bag: Grants pagination flow (updated)
  end
  Client->>Connector: Request Grants (page N)
  Connector->>Bag: Push(page state for scopeResourceType)
  Connector->>Connector: Build per-permission grants
  Connector->>Bag: Pop()  <!-- newly added step -->
  Connector->>Connector: Marshal next pagination token using Bag state
  Connector->>Client: Return grants + nextToken

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Review pagination semantics in pkg/connector/roles.go to ensure the removed state is correct for token generation and doesn't break multi-page flows.
• Verify tests or add tests that exercise pagination across scope boundaries.
• Check any consumers of scope IDs for the separator change: update expectations, storage keys, or comparisons relying on the old format.

Poem

🐰 A Pop before the token sings,
Colon now joins scope-y things,
Hopping through pages light and spry,
IDs click-colon, tokens fly! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix pagination for scope' directly addresses the main change: fixing pagination logic when processing scopes, which is confirmed by the modifications in both roles.go (bag.Pop() addition for pagination state) and scopes.go (formatScopeId separator change affecting scope ID generation).

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch goldschmidt/fix-pagination-grants-role

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR adds a bag.Pop() call in the scopeResourceType case of the Grants method to properly manage pagination state after processing role permissions. This ensures the pagination bag is correctly maintained when transitioning from processing scope permissions back to the previous state.

Key Changes

• Added bag.Pop() call before marshaling the next pagination token in the scopeResourceType case

Comments suppressed due to low confidence (3)

pkg/connector/roles.go:236

• The early return at line 235 when len(permissions) == 0 bypasses the bag.Pop() call at line 255, which could leave the pagination bag in an inconsistent state. Consider adding bag.Pop() before this early return, or restructuring the code to ensure the bag is always popped when exiting this case.

		if len(permissions) == 0 {
			return nil, "", outputAnnotations, nil
		}

pkg/connector/roles.go:232

• The early return at line 231 when GetRolePermissions returns an error bypasses the bag.Pop() call at line 255, which could leave the pagination bag in an inconsistent state. Consider adding bag.Pop() before this early return, or restructuring the code to ensure the bag is always popped when exiting this case.

		if err != nil {
			return nil, "", outputAnnotations, err
		}

pkg/connector/roles.go:246

• The early return at line 245 when NewResourceID fails bypasses the bag.Pop() call at line 255, which could leave the pagination bag in an inconsistent state. Consider adding bag.Pop() before this early return, or restructuring the code to ensure the bag is always popped when exiting this case.

			if err != nil {
				return nil, "", outputAnnotations, err
			}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Bencheng21]

nextToken, err := bag.NextToken(client.GetNextToken(page, limit, total))
		if err != nil {
			return nil, "", nil, err
		}

I saw this one. Do we need to get the next page from the o.client.GetRolePermissions

[laurenleach]

https://auth0.com/docs/api/management/v2/roles/get-role-permission doesn't say it supports pagination like the other endpoint

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/connector/scopes.go (1)

68-70: Update the outdated comment to reflect colon separator.

The comment states the format should be <resourceServerId>/<scopeName> with a slash, but the implementation at line 91 now uses a colon separator. This inconsistency can mislead future developers.

Apply this diff to update the comment:

-	// Needs to be in the format of <resourceServerId>/<scopeName>
+	// Needs to be in the format of <resourceServerId>:<scopeName>
 	// Since each scope is unique to a resource server, we can use the resource server ID as a prefix

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8817b69 and d7d168c.

📒 Files selected for processing (1)

• pkg/connector/scopes.go (1 hunks)

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

Verify scope ID format change impact across the codebase.

Changing the separator from / to : alters the format of all scope identifiers. While this likely fixes the pagination bug (slashes can interfere with URL paths or token parsing), it's a breaking change if scope IDs were previously persisted in grants, entitlements, or external systems.

Run the following script to verify consistency and identify potential impacts:

---

🏁 Script executed:

#!/bin/bash
# Description: Search for scope ID construction, parsing, and usage patterns

echo "=== Searching for scope ID construction patterns ==="
# Look for other places that might construct scope IDs with slash
rg -n "Identifier.*/" --type go -C 3

echo -e "\n=== Searching for scope ID parsing or splitting ==="
# Look for code that might parse scope IDs expecting slash separator
rg -n 'strings\.Split.*"/"' --type go -C 3
rg -n 'strings\.Contains.*"/"' --type go -C 3

echo -e "\n=== Searching for formatScopeId usage ==="
# Find all usages of formatScopeId
rg -n "formatScopeId" --type go -C 5

echo -e "\n=== Searching for scopeResourceType usage ==="
# Find how scope resource types are used in grants/entitlements
rg -n "scopeResourceType" --type go -C 3

echo -e "\n=== Searching for scope-related comments ==="
# Find comments that might reference the old format
rg -n "scope.*/" --type go -C 2

Length of output: 7354

---

Update outdated comment about scope ID format.

The change to : separator is a consistency fix—roles.go line 241 was already using this format. However, the comment at line 68 in scopes.go still references the old / format and needs updating:

Change the comment from:

// Needs to be in the format of <resourceServerId>/<scopeName>

To:

// Needs to be in the format of <resourceServerId>:<scopeName>

The search found no other code constructing scope IDs with /, and roles.go already aligns with the : format, confirming this is a safe consistency improvement rather than a breaking change.

🤖 Prompt for AI Agents

In pkg/connector/scopes.go around line 68, update the outdated comment that says
"Needs to be in the format of <resourceServerId>/<scopeName>" to reflect the
current separator; change it to "Needs to be in the format of
<resourceServerId>:<scopeName>" so it matches the actual implementation (see
line 91) and roles.go usage.