merge: hard-cutover sync main into kontext-dev#31
Conversation
Validated login + refresh flows. Removing scopes from the refresh request until we have upgrade flow in place. Confirmed that tokens refresh with existing scopes.
merge: hard-cutover sync upstream/main into main
Inline findings posted:
- [LOW][maintainability] Architectural finding (codex-rs/login/src/server.rs:434)
Reviewer summary:
- The PR successfully syncs main into kontext-dev, updating OAuth scopes for the login server and cleaning up the refresh token request by removing the unnecessary scope field.
- The changes are minimal, focused, and align with standard OAuth2 practices for refresh tokens.
Scores and diagnostics
- Architecture: 7.0/10
- Organization: 7.0/10
- Cleanliness: 7.0/10
- Overall: 7.0/10
- Candidate findings: 1
- Published inline: 1
- Published summary-only: 0
- Suppressed findings: 0
Limitations
- Review is limited to the provided diff.
- Cannot verify if the removed scope field in RefreshRequest impacts the specific OAuth provider's non-standard requirements, though it aligns with the standard OAuth2 spec.
- Model: gemini-3.1-pro-preview
- Omitted files: 0
Generated at 2026-03-04T16:51:21.456Z.
| ( | ||
| "scope".to_string(), | ||
| "openid profile email offline_access".to_string(), | ||
| "openid profile email offline_access api.connectors.read api.connectors.invoke" |
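Review bot: the widened scope string is hardcoded as a single literal at the point where it is sent with the `"scope"` key; extract it to a named constant (for example one holding `"openid profile email offline_access api.connectors.read api.connectors.invoke"`) so that any code that later checks a token's scope compares against the same list rather than a second copy that can drift. Because the refresh request no longer sends a scope (per the conversation above, tokens refresh with their existing scopes), a session refreshed from a token issued before this change keeps the original four scopes and does not gain `api.connectors.read` or `api.connectors.invoke` until the user logs in again; any caller that needs the connector scopes should read the scope on the refreshed token instead of assuming the new list.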
[LOW][maintainability] Architectural finding
Impact: Can reduce maintainability or correctness if left unresolved.
Suggested fix: Apply a targeted refactor and add/adjust tests where needed.
Evidence: The OAuth scopes are hardcoded as a single string literal. If these scopes are referenced in other parts of the application (e.g., token validation), extracting them to a shared constant would prevent drift.
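The finding above suggests a shared scope constant, and the PR conversation notes that refresh requests now omit `scope` so tokens refresh with their existing scopes. The following is an added example, not code from the codex-rs repository: it shows a single scope constant, a refresh request that omits `scope` by default and only allows downscoping when one is given (the RFC 6749 section 6 rule), and a check on the scope returned with a refreshed token. The constant name, struct, and function names are assumptions; the scope strings are the ones visible in the diff.

```rust
use std::collections::BTreeSet;

/// Scopes the login server asks for at initial authorization. Assumed
/// constant for this example; the project's own string is hardcoded inline.
pub const LOGIN_SCOPES: &str =
    "openid profile email offline_access api.connectors.read api.connectors.invoke";

/// Parse an RFC 6749 section 3.3 scope string (space-delimited, order-insensitive).
pub fn parse_scopes(s: &str) -> BTreeSet<String> {
    s.split_whitespace().map(str::to_string).collect()
}

/// Form body of a refresh_token grant (RFC 6749 section 6). `scope` is
/// optional: omitted means "keep the scope of the original grant", and when
/// present it may only narrow, never widen, that scope.
#[derive(Debug, PartialEq)]
pub struct RefreshRequest {
    pub refresh_token: String,
    pub scope: Option<String>,
}

impl RefreshRequest {
    /// The plain refresh: no scope field, so the server keeps the existing scope.
    pub fn same_scope(refresh_token: &str) -> Self {
        Self { refresh_token: refresh_token.to_string(), scope: None }
    }

    /// A downscoping refresh. Refused client-side if `requested` is not a
    /// subset of `originally_granted`; a conforming server applies the same rule.
    pub fn narrowed(refresh_token: &str, originally_granted: &str, requested: &str)
        -> Result<Self, String>
    {
        let granted = parse_scopes(originally_granted);
        let wanted = parse_scopes(requested);
        let extra: Vec<&String> = wanted.difference(&granted).collect();
        if !extra.is_empty() {
            return Err(format!("refresh may not widen scope; not in original grant: {:?}", extra));
        }
        Ok(Self { refresh_token: refresh_token.to_string(), scope: Some(requested.to_string()) })
    }

    /// Key/value pairs as they would be form-encoded on the wire.
    pub fn form_fields(&self) -> Vec<(&'static str, String)> {
        let mut fields = vec![
            ("grant_type", "refresh_token".to_string()),
            ("refresh_token", self.refresh_token.clone()),
        ];
        if let Some(s) = &self.scope {
            fields.push(("scope", s.clone()));
        }
        fields
    }
}

/// Validate the `scope` returned with a refreshed token: it must not exceed
/// what the original grant held, and must still carry every scope the client
/// cannot operate without (a token issued before the scope list grew will
/// refresh without the new scopes and fails the second check).
pub fn check_refreshed_scope(originally_granted: &str, refreshed: &str, required: &[&str])
    -> Result<(), String>
{
    let granted = parse_scopes(originally_granted);
    let got = parse_scopes(refreshed);
    let widened: Vec<&String> = got.difference(&granted).collect();
    if !widened.is_empty() {
        return Err(format!("refreshed token carries scopes beyond original grant: {:?}", widened));
    }
    let missing: Vec<&str> = required.iter().copied().filter(|r| !got.contains(*r)).collect();
    if !missing.is_empty() {
        return Err(format!("refreshed token lacks required scopes: {:?}", missing));
    }
    Ok(())
}

fn main() {
    // Constructed inputs: a refresh token value and the pre-change scope list.
    let req = RefreshRequest::same_scope("rt-example");
    println!("wire fields: {:?}", req.form_fields());
    let old_grant = "openid profile email offline_access";
    println!("{:?}", check_refreshed_scope(LOGIN_SCOPES, old_grant, &["api.connectors.read"]));
}
```

The `required` list passed to `check_refreshed_scope` is where a caller states what it actually needs; a token that refreshed with the old four scopes is reported as lacking the connector scopes rather than silently used, which is the re-login case the conversation above describes.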
Hard-cutover sync continuation. This PR merges main into kontext-dev using a real merge commit (no squash).