refactor: remove hardcoded getDefaultOAuthScopes fallback

SamMorrowDrums · SamMorrowDrums · commit a5ba7ff296d6 · 2026-01-19T10:38:05.000+01:00
Remove the hardcoded fallback in favor of deriving OAuth scopes from
the canonical inventory. This ensures scopes always match the enabled
tools rather than a potentially stale hardcoded list.

- Remove getDefaultOAuthScopes() function entirely
- Error case now returns nil scopes (error surfaces at server start)
- Empty scopes is valid (tools may not require auth)
- Scopes are always computed from inventory.AvailableTools()
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
@@ -219,11 +219,11 @@ type oauthScopesResult struct {
 // from the tools that will be enabled based on user configuration
 func getOAuthScopes(enabledToolsets, enabledTools, enabledFeatures []string, t translations.TranslationHelperFunc) oauthScopesResult {
 	// Allow explicit override via --oauth-scopes flag
-	var scopes []string
+	var scopeList []string
 	if viper.IsSet("oauth_scopes") {
-		if err := viper.UnmarshalKey("oauth_scopes", &scopes); err == nil && len(scopes) > 0 {
+		if err := viper.UnmarshalKey("oauth_scopes", &scopeList); err == nil && len(scopeList) > 0 {
 			// When scopes are explicit, don't build inventory (will be built in server)
-			return oauthScopesResult{scopes: scopes}
+			return oauthScopesResult{scopes: scopeList}
 		}
 	}
 
@@ -238,33 +238,17 @@ func getOAuthScopes(enabledToolsets, enabledTools, enabledFeatures []string, t t
 
 	inv, err := inventoryBuilder.Build()
 	if err != nil {
-		// If inventory build fails, fall back to default scopes without inventory
-		return oauthScopesResult{scopes: getDefaultOAuthScopes()}
+		// Inventory build only fails if invalid tool names are passed via --tools
+		// In that case, return empty scopes - the error will surface when server starts
+		return oauthScopesResult{scopes: nil}
 	}
 
 	// Collect all required scopes from available tools
+	// This is the canonical source of OAuth scopes for the enabled tools
 	requiredScopes := collectRequiredScopes(inv)
-	if len(requiredScopes) == 0 {
-		// If no tools require scopes, use defaults
-		return oauthScopesResult{scopes: getDefaultOAuthScopes(), inventory: inv}
-	}
-
 	return oauthScopesResult{scopes: requiredScopes, inventory: inv}
 }
 
-// getDefaultOAuthScopes returns the default scopes for GitHub MCP Server
-// Based on the protected resource metadata at https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
-func getDefaultOAuthScopes() []string {
-	return []string{
-		"repo",
-		"user",
-		"gist",
-		"notifications",
-		"read:org",
-		"project",
-	}
-}
-
 // collectRequiredScopes collects all unique required scopes from available tools
 // Returns a sorted, deduplicated list of OAuth scopes needed for the enabled tools
 func collectRequiredScopes(inv *inventory.Inventory) []string {
