fix(scope): publish/label with the active repo scope's visibility#129
Merged
Conversation
load_publish_auth_context built the current_user (and project) scope_request with a hardcoded visibility="private", ignoring `roar scope use`. So with the active scope set to `public` (public attributed), register and label sync still requested a private scope and the server fell back to the anonymous public bucket, instead of the user's own public-attributed scope. Resolve scope_request visibility from the active RepoScope mode: public -> "public" (attributed) anonymous -> omit scope_request (server uses the anonymous public scope) private / project / unset -> "private" (unchanged) So `roar scope use public` + register/label sync now lands in the authenticated user's public-attributed scope (anonymous-readable but owned by them). Pairs with server-side owner_resolution=current_user support (treqs-inc/glaas-api#47). Note: the `roar register/put --public` flag still routes to the anonymous bucket; flipping it to attributed changes auth requirements and is a focused follow-up. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
TrevorBasinger
approved these changes
May 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
load_publish_auth_contextbuilt thecurrent_user(and project)scope_requestwith a hardcodedvisibility="private", ignoringroar scope use. So with the active repo scope set to public ("public attributed"),roar registerandroar label syncstill requested a private scope — and the server fell back to the legacy anonymous public bucket (owner0000…) — instead of the authenticated user's own public-attributed scope.roar scope statusreportedpublicwhile the publish payload saidprivate.Change
Resolve
scope_requestvisibility from the activeRepoScope.mode:public{owner_resolution: current_user, visibility: "public"}(attributed)anonymousprivate/project/ unsetvisibility: "private"(unchanged)So
roar scope use public+ register/label sync now lands in the authenticated user's public-attributed scope (anonymous-readable, but owned by them). Pairs with server-sideowner_resolution=current_usersupport in treqs-inc/glaas-api#47.Tests
tests/unit/test_publish_auth_context.py: adds active-public→ public current_user scope, and active-anonymous→ omitted scope_request. Existing private / project-bound / no-binding cases unchanged. Full unit suite green (one pre-existing, unrelated telemetry-endpoint env test aside).Follow-up (not in this PR)
The
roar register/put --publicflag still routes to the anonymous bucket. Flipping it to attributed changes auth requirements (attributed needs login/SSH;--anonymousbecomes the explicit unattributed path) and touches the publish-runtime plumbing + anonymous-public registration-session logic, so it's a focused follow-up to land after the active-scope path is validated end-to-end on dev.🤖 Generated with Claude Code