obs-pipelines commands return 401 with OAuth auth; docs reference scopes that aren't requested (and may not be valid OAuth scopes)

[Jansen-w]

TLDR: Obs pipelines is not usable at the moment with pup via oauth :( I don't think it auto falls back on API key usage either so agents get a bit confused.

Summary

Every pup obs-pipelines … subcommand returns 401 Unauthorized when run with OAuth credentials, against multiple Datadog sites. API-key auth works fine for the same commands, so the issue is OAuth-scope shaped.

How to reproduce

pup auth login --site datadoghq.com --org commercial   # browser flow
pup --org commercial obs-pipelines list
# Error: failed to list pipelines: ResponseError(... status: 401,
#   content: "{\"errors\":[\"Unauthorized\"]}" ...)

What I found

The scope names observability_pipelines_read, observability_pipelines_deploy, observability_pipelines_delete don't appear in default_scopes() / read_only_scopes() / all_known_scopes() in types.rs, so the OAuth consent screen never asks for them. pup auth list confirms: the granted scope set matches default_scopes() exactly, with no observability_pipelines_* entries.

I also tried --scopes observability_pipelines_read on pup auth login, but resolve_login_scopes validates the value against all_known_scopes() (== default_scopes()) and drops it with ⚠️ Unknown scope ignored, so users can't self-rescue.

What I tried

I attempted a small PR (#520) to add the three scopes to default_scopes(). With the patched binary, the OAuth authorize endpoint returns:

Authentication Failed: invalid_scope

So at least one of the three scope strings is not currently accepted by the Datadog OAuth authorization server, despite being documented in pup as required. The OAuth discovery endpoint at /.well-known/openid-configuration does not expose a scopes_supported list, so I couldn't enumerate the real catalog to confirm which one is the offender (or whether none are valid via OAuth today).

[srosenthal-dd]

Taking a look!