improvement(oauth): centralize scopes and remove dead scope evaluation code #3449

Merged
waleedlatif1 merged 2 commits into staging from fix/jsm
Mar 7, 2026

@waleedlatif1
Collaborator

Summary

  • Centralized all OAuth scopes in OAUTH_PROVIDERS (oauth.ts) as single source of truth
  • Migrated all 41 genericOAuth providers in auth.ts to use getCanonicalScopesForProvider() instead of hardcoded scope arrays
  • Migrated all 39 blocks to use getScopesForService() for requiredScopes
  • Merged scope-descriptions.ts into utils.ts and centralized SCOPE_DESCRIPTIONS
  • Removed ~300 lines of local scope descriptions from OAuth modal
  • Removed dead server-side scope evaluation code (evaluateScopeCoverage, normalizeScopes, ScopeEvaluation, requiresReauthorization, extraScopes)
  • Deleted unused use-oauth-scope-status.ts hook (moved getMissingRequiredScopes to @/lib/oauth/utils)
  • Updated skill/command files to document the new centralized scope system

Type of Change

  • Improvement (refactor + dead code removal)

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…n code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@cursor

cursor bot commented Mar 7, 2026

PR Summary

Medium Risk
Medium risk because it changes OAuth provider config and scope handling across auth.ts, API routes, and many blocks, which can impact consent prompts, required scopes, and connection/credential payloads. Breakage is most likely around scope mismatches or consumers that relied on the removed missingScopes/requiresReauthorization fields.

Overview
OAuth scopes are now centralized: provider scope arrays in auth.ts and block requiredScopes across many apps/sim/blocks/blocks/* integrations are replaced with getCanonicalScopesForProvider() / getScopesForService() backed by OAUTH_PROVIDERS.

Removes legacy scope evaluation/metadata: OAuth connections/credentials API routes stop calling evaluateScopeCoverage and return only parsed scopes; the OAuth required modal drops its large local SCOPE_DESCRIPTIONS map in favor of getScopeDescription(), and the unused use-oauth-scope-status.ts hook plus Credential scope-status fields/types are deleted. Documentation/checklists are updated to enforce “no hardcoded scopes” and to treat oauth.ts as the single source of truth.

Written by Cursor Bugbot for commit 198a19a. Configure here.

@vercel

vercel bot commented Mar 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview, Comment | Mar 7, 2026 0:52am |

@greptile-apps
Contributor

greptile-apps bot commented Mar 7, 2026

Greptile Summary

This PR centralizes all OAuth scopes into OAUTH_PROVIDERS in lib/oauth/oauth.ts as a single source of truth, migrating all 41 auth.ts providers and 39 block definitions away from hardcoded scope arrays. It also removes the server-side scope evaluation pipeline (evaluateScopeCoverage, normalizeScopes, ScopeEvaluation) that was previously unused by the frontend, and deletes the use-oauth-scope-status.ts hook by promoting getMissingRequiredScopes to a plain utility function in lib/oauth/utils.ts.

Key changes:

  • OAUTH_PROVIDERS in oauth.ts is now the single source of truth; auth.ts uses getCanonicalScopesForProvider() and blocks use getScopesForService()
  • SCOPE_DESCRIPTIONS and getScopeDescription moved from the OAuth modal component into lib/oauth/utils.ts, making them reusable across the codebase
  • getMissingRequiredScopes promoted from a React hook to a pure utility; correctly ignores offline_access, refresh_token, and offline.access scopes that are not echoed back in token responses
  • API responses from /oauth/connections and /oauth/credentials no longer include missingScopes, extraScopes, canonicalScopes, or requiresReauthorization — confirmed no frontend consumers of these fields exist
  • Several Google provider entries in oauth.ts received missing userinfo.email / userinfo.profile scopes that auth.ts was already requesting; Webflow gained forms:read to align both sources
  • 15 new tests added for getScopesForService and getMissingRequiredScopes; old evaluateScopeCoverage / normalizeScopes test suites removed with those functions

Confidence Score: 5/5

  • This PR is safe to merge — it is a pure refactor with no behavioral regressions and correctly removes dead code.
  • All scope arrays in auth.ts were verified to match the canonical values now defined in OAUTH_PROVIDERS. Removed API fields (missingScopes, extraScopes, etc.) have no live consumers. The new utility functions are well-tested. No hardcoded arrays remain in auth.ts or block files. The only functional change is the addition of missing userinfo.email/userinfo.profile scopes to several Google providers in oauth.ts, which aligns with what auth.ts was already requesting.
  • No files require special attention — the changes are consistent and complete across all 57 modified files.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/oauth/utils.ts | Core utility file: adds SCOPE_DESCRIPTIONS, getScopeDescription, getScopesForService, and getMissingRequiredScopes. Dead functions (evaluateScopeCoverage, normalizeScopes) cleanly removed. IGNORED_SCOPES correctly handles offline_access, refresh_token, and offline.access edge cases. |
| apps/sim/lib/oauth/oauth.ts | Single source of truth for OAuth scopes. Added missing userinfo.email/userinfo.profile scopes to several Google services (calendar, contacts, bigquery, tasks, vault, groups, meet, vertex-ai) and added forms:read to Webflow. Scopes now match what auth.ts was previously requesting. |
| apps/sim/lib/oauth/types.ts | Removed ScopeEvaluation interface and canonicalScopes, missingScopes, extraScopes, requiresReauthorization from Credential type. No remaining consumers of these fields in the codebase. |
| apps/sim/app/api/auth/oauth/connections/route.ts | Removed evaluateScopeCoverage call and scope evaluation fields (missingScopes, extraScopes, canonicalScopes, requiresReauthorization) from API response. accountSummary objects now only carry id and name; connection-level scopes field is retained as raw granted scopes. |
| apps/sim/app/api/auth/oauth/credentials/route.ts | Removed evaluateScopeCoverage usage; credential response now exposes raw scopes array instead of evaluated scope metadata. Clean change with no downstream consumers of the removed fields. |
| apps/sim/lib/oauth/utils.test.ts | Removed 200+ lines of evaluateScopeCoverage/normalizeScopes tests and added 15 new tests for getScopesForService and getMissingRequiredScopes, covering key edge cases including undefined scopes, IGNORED_SCOPES filtering, and unknown serviceIds. |
| apps/sim/hooks/use-oauth-scope-status.ts | Deleted. getMissingRequiredScopes was moved to @/lib/oauth/utils, making it a plain function rather than a hook. All import sites updated correctly. |
| apps/sim/lib/auth/auth.ts | All 41 OAuth providers migrated to getCanonicalScopesForProvider(). Scopes match the previously hardcoded arrays exactly (verified for Microsoft Teams, Jira, Webflow, and others). |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx | Removed ~300-line local SCOPE_DESCRIPTIONS and getScopeDescription; now imported from @/lib/oauth barrel. Import is correct since utils.ts is re-exported via index.ts. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["OAUTH_PROVIDERS\n(lib/oauth/oauth.ts)\n— Single Source of Truth —"] -->|getCanonicalScopesForProvider| B["auth.ts\nBetter Auth\nOAuth providers"]
    A -->|getScopesForService| C["Block definitions\n(blocks/blocks/*.ts)\nrequiredScopes"]
    A -->|getScopeDescription\n/ SCOPE_DESCRIPTIONS| D["OAuthRequiredModal\n(oauth-required-modal.tsx)\nScope display UI"]
    C --> E["getMissingRequiredScopes\n(lib/oauth/utils.ts)"]
    E -->|Ignores IGNORED_SCOPES\noffline_access, refresh_token,\noffline.access| F["credential-selector.tsx\ntool credential-selector.tsx\nShow re-auth warning"]
    B --> G["/api/auth/oauth/connections\n/api/auth/oauth/credentials\nRaw scopes only in response"]

Last reviewed commit: 8927ac3
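
An added sketch of the pattern the review above describes, not code from this PR or the project: one scope registry feeds both the required-scope lookup and the missing-scope check, and refresh-related scopes are skipped because token responses do not echo them back. Only the names OAUTH_PROVIDERS, getScopesForService, getMissingRequiredScopes and IGNORED_SCOPES come from the page; the registry shape, service ids, scope lists and function signatures are assumptions.

```typescript
// Added illustration: shapes, service ids and scope lists are constructed,
// not taken from the project's oauth.ts or utils.ts.
type ServiceConfig = { scopes: string[] }
type ProviderConfig = { services: Record<string, ServiceConfig> }

// Single registry: consent requests and block requirements both read from here.
const OAUTH_PROVIDERS: Record<string, ProviderConfig> = {
  google: {
    services: {
      'google-calendar': {
        scopes: [
          'https://www.googleapis.com/auth/userinfo.email',
          'https://www.googleapis.com/auth/calendar',
        ],
      },
    },
  },
  microsoft: {
    services: {
      'microsoft-teams': { scopes: ['openid', 'offline_access', 'Chat.Read'] },
    },
  },
}

// Scopes that request a refresh token; they are not echoed in the granted list,
// so comparing them against the grant would always report a false "missing" scope.
const IGNORED_SCOPES: string[] = ['offline_access', 'refresh_token', 'offline.access']

// Returns a copy so callers cannot mutate the registry; unknown ids get no scopes.
function getScopesForService(serviceId: string): string[] {
  for (const providerId of Object.keys(OAUTH_PROVIDERS)) {
    const service = OAUTH_PROVIDERS[providerId]?.services[serviceId]
    if (service) return service.scopes.slice()
  }
  return []
}

// Required scopes absent from the grant: the condition for a re-auth warning.
// An undefined grant (no stored scopes) is treated as granting nothing.
function getMissingRequiredScopes(granted: string[] | undefined, required: string[]): string[] {
  const have = granted ?? []
  return required.filter((s) => IGNORED_SCOPES.indexOf(s) === -1 && have.indexOf(s) === -1)
}
```

With the constructed microsoft-teams entry, a grant of only `openid` reports `Chat.Read` as missing and skips `offline_access`.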

…overage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1 waleedlatif1 merged commit a713042 into staging Mar 7, 2026
11 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/jsm branch March 7, 2026 07:16