fix: request llm_gateway:read scope during signup provisioning (#435)

Author: MattBro

src/lib/constants.ts

@@ -91,6 +91,44 @@ export const POSTHOG_DEV_CLIENT_ID = 'DC5uRLVbGI02YQ82grxgnK6Qn12SXWpCqdPb60oZ';
 export const POSTHOG_PROXY_CLIENT_ID = POSTHOG_US_CLIENT_ID;
 export const DUMMY_PROJECT_API_KEY = '_YOUR_POSTHOG_PROJECT_TOKEN_';
 
+/**
+ * Scopes the wizard requests during the agentic provisioning signup flow.
+ *
+ * Each entry is justified by what the wizard's agent step does after signup:
+ * - user:read         identify the user for analytics + agent context
+ * - project:read      look up the freshly-provisioned project
+ * - llm_gateway:read  authenticate to gateway.{us,eu}.posthog.com/wizard
+ *                     (the agent's LLM calls — without this scope, every
+ *                     agent message returns 401)
+ * - query:read        run HogQL queries when the agent needs data
+ * - dashboard:write   create the onboarding dashboard during setup
+ * - insight:write     create the onboarding insights during setup
+ *
+ * Must be a subset of `ALLOWED_PROVISIONING_SCOPES` in
+ * `ee/api/agentic_provisioning/views.py` on the backend.
+ */
+export const WIZARD_PROVISIONING_SCOPES = [
+  'user:read',
+  'project:read',
+  'llm_gateway:read',
+  'dashboard:write',
+  'insight:write',
+  'query:read',
+] as const;
+
+/**
+ * Scopes the wizard requests during the OAuth login flow. Superset of
+ * `WIZARD_PROVISIONING_SCOPES` with two scopes that only apply to the login
+ * path and are not in the provisioning allowlist:
+ * - introspection      lets the wizard introspect its own token
+ * - health_issue:read  used by `wizard doctor`
+ */
+export const WIZARD_OAUTH_SCOPES = [
+  ...WIZARD_PROVISIONING_SCOPES,
+  'introspection',
+  'health_issue:read',
+] as const;
+
 // ── Wizard run / variants ───────────────────────────────────────────
 
 export const WIZARD_INTERACTION_EVENT_NAME = 'wizard interaction';

src/utils/__tests__/provisioning.test.ts

@@ -89,6 +89,14 @@ describe('provisionNewAccount', () => {
       (accountCall[1] as Record<string, unknown>).code_challenge,
     ).toBeTruthy();
     expect((accountCall[1] as Record<string, unknown>).client_id).toBeTruthy();
+    expect((accountCall[1] as Record<string, unknown>).scopes).toEqual([
+      'user:read',
+      'project:read',
+      'llm_gateway:read',
+      'dashboard:write',
+      'insight:write',
+      'query:read',
+    ]);
 
     // Verify token exchange includes code_verifier
     const tokenCall = mockedAxios.post.mock.calls[1];

src/utils/provisioning.ts

@@ -14,6 +14,7 @@ import {
   IS_DEV,
   POSTHOG_DEV_CLIENT_ID,
   POSTHOG_US_CLIENT_ID,
+  WIZARD_PROVISIONING_SCOPES,
   WIZARD_USER_AGENT,
 } from '../lib/constants';
 import { logToFile } from './debug';
@@ -117,6 +118,7 @@ export async function provisionNewAccount(
       client_id: WIZARD_CLIENT_ID,
       code_challenge: codeChallenge,
       code_challenge_method: 'S256',
+      scopes: WIZARD_PROVISIONING_SCOPES,
       configuration: {
         region,
         ...(opts?.orgName ? { organization_name: opts.orgName } : {}),

src/utils/setup-utils.ts

@@ -17,6 +17,7 @@ import {
   DEFAULT_HOST_URL,
   DUMMY_PROJECT_API_KEY,
   ISSUES_URL,
+  WIZARD_OAUTH_SCOPES,
 } from '../lib/constants';
 import { analytics } from './analytics';
 import { getUI } from '../ui';
@@ -489,16 +490,7 @@ async function askForWizardLogin(options: {
   }
 
   const tokenResponse = await performOAuthFlow({
-    scopes: [
-      'user:read',
-      'project:read',
-      'introspection',
-      'llm_gateway:read',
-      'dashboard:write',
-      'insight:write',
-      'query:read',
-      'health_issue:read',
-    ],
+    scopes: [...WIZARD_OAUTH_SCOPES],
     signup: false,
   });