docs: add GitHub token configuration and debugging scripts

- Add comprehensive documentation for fixing GitHub token permissions
- Add diagnostic scripts for troubleshooting token authentication issues
- Add scripts to verify token scopes, SSO status, and PAT restrictions
- Add setup script for configuring GitHub tokens for issue creation
- Document the resolution process for authentication failures

Author: jdrhyne

FIX_GITHUB_TOKEN_PERMISSIONS.md

@@ -0,0 +1,74 @@
+# Fix GitHub Token Permissions for Issue Creation
+
+## Current Problem
+Your token can:
+- ✅ Push to branches
+- ✅ Read issues
+- ❌ Create issues (missing scope)
+
+## Quick Fix Options
+
+### Option 1: Use Fine-grained Personal Access Token (Recommended)
+1. Go to: https://github.com/settings/personal-access-tokens/new
+2. Token name: `nutrient-dws-development`
+3. Expiration: 90 days
+4. Repository access: Selected repositories
+   - Add: `PSPDFKit/nutrient-dws-client-python`
+5. Permissions:
+   - **Repository permissions:**
+     - Contents: Read/Write
+     - Issues: Read/Write
+     - Pull requests: Read/Write
+     - Actions: Read (optional)
+     - Metadata: Read (required)
+6. Click "Generate token"
+7. Copy the token (starts with `github_pat_`)
+
+### Option 2: Use Classic Personal Access Token
+1. Go to: https://github.com/settings/tokens/new
+2. Note: `nutrient-dws-development`
+3. Expiration: 90 days
+4. Select scopes:
+   - ✅ `repo` (Full control - includes private repos)
+   - OR just ✅ `public_repo` (if the repo is public)
+5. Generate and copy token
+
+## Apply the New Token
+
+### Method 1: GitHub CLI (Recommended)
+```bash
+# Re-authenticate with new token
+gh auth login
+
+# When prompted:
+# - Choose: GitHub.com
+# - Choose: Paste an authentication token
+# - Paste your new token
+```
+
+### Method 2: Environment Variable
+```bash
+# In your terminal
+export GITHUB_TOKEN='your_new_token_here'
+
+# Or add to your shell profile (~/.bashrc, ~/.zshrc, etc.)
+echo "export GITHUB_TOKEN='your_new_token_here'" >> ~/.zshrc
+source ~/.zshrc
+```
+
+## Verify Token Works
+```bash
+# Test creating a simple issue
+gh issue create --repo PSPDFKit/nutrient-dws-client-python \
+  --title "Test Issue (Delete Me)" \
+  --body "Testing token permissions"
+
+# If successful, close it:
+gh issue close <issue-number> --repo PSPDFKit/nutrient-dws-client-python
+```
+
+## Security Notes
+- Never commit tokens to git
+- Use environment variables or gh auth
+- Rotate tokens regularly
+- Use minimum required scopes

check-fine-grained-token.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+echo "Fine-Grained Personal Access Token Analysis"
+echo "==========================================="
+echo ""
+echo "Token type: Fine-grained PAT (github_pat_...)"
+echo ""
+echo "Fine-grained tokens have repository-specific permissions."
+echo "Even with 'Admin' access, you need explicit 'Issues: Write' permission."
+echo ""
+echo "To fix this:"
+echo ""
+echo "Option 1: Update your fine-grained token"
+echo "1. Go to: https://github.com/settings/personal-access-tokens"
+echo "2. Find your current token and click 'Edit'"
+echo "3. Under 'Repository permissions' for PSPDFKit/nutrient-dws-client-python:"
+echo "   - Issues: Read → Write"
+echo "   - Pull requests: Read → Write (if needed)"
+echo "4. Save changes"
+echo ""
+echo "Option 2: Create a classic token instead"
+echo "1. Go to: https://github.com/settings/tokens/new"
+echo "2. Create a classic token with 'repo' scope"
+echo "3. Use: gh auth login"
+echo "4. Paste the new classic token"
+echo ""
+echo "Classic tokens (ghp_...) have simpler, broader permissions."
+echo "Fine-grained tokens (github_pat_...) need explicit permissions per repository."

check-sso-status.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+echo "Checking SSO Status for PSPDFKit Organization"
+echo "============================================="
+echo ""
+
+# Check if the token needs SSO authorization
+response=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+  -H "Accept: application/vnd.github.v3+json" \
+  -I https://api.github.com/repos/PSPDFKit/nutrient-dws-client-python 2>&1)
+
+if echo "$response" | grep -q "X-GitHub-SSO:"; then
+    sso_url=$(echo "$response" | grep "X-GitHub-SSO:" | sed 's/.*authorize?//')
+    echo "❌ SSO Authorization Required!"
+    echo ""
+    echo "The PSPDFKit organization requires SAML SSO authorization."
+    echo ""
+    echo "To fix this:"
+    echo "1. Go to: https://github.com/settings/tokens"
+    echo "2. Find your current token"
+    echo "3. Click 'Configure SSO' next to the token"
+    echo "4. Authorize for 'PSPDFKit' organization"
+    echo ""
+    echo "Or visit this URL to authorize:"
+    echo "https://github.com/orgs/PSPDFKit/sso?authorization_request=$(echo $sso_url | cut -d'=' -f2)"
+else
+    echo "✅ No SSO requirement detected in headers"
+fi
+
+echo ""
+echo "Testing repository access..."
+if gh api repos/PSPDFKit/nutrient-dws-client-python >/dev/null 2>&1; then
+    echo "✅ Can read repository"
+else
+    echo "❌ Cannot read repository"
+fi
+
+echo ""
+echo "Testing issue list access..."
+if gh issue list --repo PSPDFKit/nutrient-dws-client-python --limit 1 >/dev/null 2>&1; then
+    echo "✅ Can list issues"
+else
+    echo "❌ Cannot list issues"
+fi
+
+echo ""
+echo "Testing push access..."
+if git ls-remote origin >/dev/null 2>&1; then
+    echo "✅ Can push to repository"
+else
+    echo "❌ Cannot push to repository"
+fi
+
+echo ""
+echo "Most likely cause: SAML SSO authorization needed"
+echo "Solution: Authorize your PAT for the PSPDFKit organization"

diagnose-issue-creation.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+
+echo "Comprehensive Issue Creation Diagnostic"
+echo "======================================="
+echo ""
+
+# Test 1: Your user info
+echo "1. User Information:"
+gh api user --jq '{login, type, site_admin}'
+
+# Test 2: Organization membership
+echo ""
+echo "2. Organization Relationship:"
+echo "   Checking if you're a member or outside collaborator..."
+is_member=$(gh api orgs/PSPDFKit/members --paginate 2>/dev/null | jq -r '.[] | select(.login == "jdrhyne") | .login' | wc -l)
+if [ "$is_member" -gt 0 ]; then
+    echo "   ✅ You are an organization member"
+else
+    echo "   ⚠️  You are NOT an organization member (likely outside collaborator)"
+    echo "   This might be the issue - outside collaborators may have restricted API access"
+fi
+
+# Test 3: Check teams
+echo ""
+echo "3. Team Membership:"
+gh api orgs/PSPDFKit/teams --paginate 2>/dev/null | jq -r '.[].name' | head -5 || echo "   Cannot access team information"
+
+# Test 4: Repository access type
+echo ""
+echo "4. Repository Access Type:"
+echo "   You have: Admin permissions"
+echo "   Can create PRs: Yes"
+echo "   Can push: Yes"
+echo "   Can create issues via API: No"
+
+# Test 5: Possible explanations
+echo ""
+echo "5. Possible Explanations:"
+echo "   a) You're an outside collaborator with admin access"
+echo "      - Outside collaborators can have limited API access even with admin permissions"
+echo "      - This is a GitHub security feature"
+echo ""
+echo "   b) Repository-specific API restrictions"
+echo "      - Some repos can have custom API restrictions"
+echo ""
+echo "   c) Token type mismatch"
+echo "      - Fine-grained tokens might need explicit issue permissions even for admins"
+
+# Test 6: Workarounds
+echo ""
+echo "6. Recommended Solutions:"
+echo "   a) Create issues via the web interface at:"
+echo "      https://github.com/PSPDFKit/nutrient-dws-client-python/issues/new"
+echo ""
+echo "   b) Ask an organization member to:"
+echo "      - Add you as an organization member (not just collaborator)"
+echo "      - Or create the issues on your behalf"
+echo ""
+echo "   c) Use the GitHub web UI to paste the issue content from:"
+echo "      ./github_issues/*.md files"
+
+# Final test
+echo ""
+echo "7. Testing Web Access:"
+echo "   Open: https://github.com/PSPDFKit/nutrient-dws-client-python/issues/new"
+echo "   If you CAN create issues there, you're an outside collaborator with API restrictions"

final-diagnosis.md

@@ -0,0 +1,55 @@
+# Final Diagnosis: Issue Creation Problem
+
+## The Situation
+- Repository created: June 17, 2025 (very recent)
+- You have full admin access
+- Can perform all operations EXCEPT create issues via API
+- Error: "Resource not accessible by personal access token"
+
+## Most Likely Cause: Fine-Grained PAT Repository Access
+
+Since you're using a fine-grained personal access token (github_pat_...), and this repository was created AFTER your token, the issue is likely:
+
+**Your fine-grained PAT was created before this repository existed, so it doesn't include this repository in its access list.**
+
+Fine-grained PATs have repository-specific access lists. When you create a token, you select which repositories it can access. Repositories created after the token won't automatically be included.
+
+## Solution
+
+### Option 1: Update Your Existing Token
+1. Go to: https://github.com/settings/personal-access-tokens
+2. Find your current token
+3. Click the pencil icon to edit
+4. Under "Repository access", ensure `PSPDFKit/nutrient-dws-client-python` is explicitly selected
+5. Under "Repository permissions", verify:
+   - Contents: Write
+   - Issues: Write
+   - Pull requests: Write
+6. Save the token
+
+### Option 2: Create a New Token
+1. Go to: https://github.com/settings/personal-access-tokens/new
+2. Select "All repositories" OR explicitly add `PSPDFKit/nutrient-dws-client-python`
+3. Set permissions:
+   - Contents: Write
+   - Issues: Write  
+   - Pull requests: Write
+4. Generate and use the new token
+
+### Option 3: Use a Classic Token
+Classic tokens don't have repository-specific restrictions:
+1. Go to: https://github.com/settings/tokens/new
+2. Select `repo` scope
+3. Generate and use this token
+
+## Why This Happens
+- Fine-grained PATs must explicitly list each repository
+- New repositories aren't automatically added to existing tokens
+- This explains why you can do everything else (push, PRs) but not create issues - the API might have different permission checks
+
+## Verification
+After updating your token, test with:
+```bash
+gh auth login  # Use the updated token
+gh issue create --repo PSPDFKit/nutrient-dws-client-python --title "Test" --body "Test"
+```

fix-gh-auth.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+echo "Fixing GitHub CLI Authentication for Issue Creation"
+echo "=================================================="
+echo ""
+echo "Current situation:"
+echo "- GITHUB_TOKEN environment variable is set with limited permissions"
+echo "- This is overriding GitHub CLI's stored credentials"
+echo ""
+echo "To fix this, run these commands:"
+echo ""
+echo "1. Temporarily unset the GITHUB_TOKEN environment variable:"
+echo "   unset GITHUB_TOKEN"
+echo ""
+echo "2. Login to GitHub CLI with a new token that has issue write permissions:"
+echo "   gh auth login"
+echo ""
+echo "   When prompted:"
+echo "   - Choose: GitHub.com"
+echo "   - Choose: HTTPS"
+echo "   - Choose: Paste an authentication token"
+echo "   - Generate a new token at: https://github.com/settings/tokens/new"
+echo "   - Required scopes: 'repo' (or at least 'public_repo' + 'write:issues')"
+echo "   - Paste the new token"
+echo ""
+echo "3. Verify the new authentication:"
+echo "   gh auth status"
+echo ""
+echo "4. Test issue creation:"
+echo "   gh issue create --repo PSPDFKit/nutrient-dws-client-python --title 'Test' --body 'Test'"
+echo ""
+echo "Alternative: If you want to keep using GITHUB_TOKEN:"
+echo "- Generate a new token with 'repo' scope"
+echo "- Export it: export GITHUB_TOKEN='new_token_with_repo_scope'"
+echo ""
+echo "Note: The gh CLI stored credentials take precedence over GITHUB_TOKEN when both exist."

setup-github-token-for-issues.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+echo "GitHub Token Setup for Issue Creation"
+echo "====================================="
+echo ""
+echo "Your current token can push to branches but not create issues."
+echo "You need to create a new Personal Access Token with additional scopes."
+echo ""
+echo "Steps to create a new token:"
+echo ""
+echo "1. Open this URL in your browser:"
+echo "   https://github.com/settings/tokens/new"
+echo ""
+echo "2. Give your token a descriptive name:"
+echo "   Example: 'nutrient-dws-client-development'"
+echo ""
+echo "3. Set expiration (recommended: 90 days)"
+echo ""
+echo "4. Select the following scopes:"
+echo "   ✓ repo (Full control of private repositories)"
+echo "     - This includes:"
+echo "       ✓ repo:status"
+echo "       ✓ repo_deployment" 
+echo "       ✓ public_repo"
+echo "       ✓ repo:invite"
+echo "       ✓ security_events"
+echo "   ✓ workflow (if you need to update GitHub Actions)"
+echo ""
+echo "5. Click 'Generate token'"
+echo ""
+echo "6. Copy the generated token (it starts with 'ghp_')"
+echo ""
+echo "7. Run this command to update your GitHub CLI authentication:"
+echo "   gh auth login"
+echo ""
+echo "   - Choose: GitHub.com"
+echo "   - Choose: Paste an authentication token"
+echo "   - Paste your new token"
+echo ""
+echo "Alternative: Set token as environment variable:"
+echo "   export GITHUB_TOKEN='your_new_token_here'"
+echo ""
+echo "To verify your new token has the correct scopes:"
+echo "   gh api user -H 'Accept: application/vnd.github.v3+json' --include | grep X-OAuth-Scopes"
+echo ""
+echo "The output should show: X-OAuth-Scopes: repo, workflow"
+echo ""
+echo "Once set up, you can create issues with:"
+echo "   gh issue create --repo PSPDFKit/nutrient-dws-client-python --title 'Test' --body 'Test issue'"
+echo ""
+
+# Make the script provide current status
+echo "Current authentication status:"
+gh auth status
+
+echo ""
+echo "Checking if we can access the PSPDFKit org repos:"
+gh api orgs/PSPDFKit/repos --paginate --jq '.[].name' | grep -E "^nutrient-dws-client-python$" || echo "Cannot access PSPDFKit repositories with current token"