From 20099b9f7e107edae32187b9ae77c2a4054635d7 Mon Sep 17 00:00:00 2001
From: Michael Matloka
Date: Mon, 13 Apr 2026 00:12:16 +0000
Subject: [PATCH] feat(oauth): replace granular scopes with wildcard scope
Simplifies OAuth scopes to a single `*` wildcard, bumping OAUTH_SCOPE_VERSION to 4 so existing sessions re-authenticate.
Generated-By: PostHog Code
Task-Id: 4b0bec91-9378-4d57-b6a3-63109299f5d4
---
 apps/code/src/shared/constants/oauth.test.ts | 34 ++----------------
 apps/code/src/shared/constants/oauth.ts | 38 ++------------------
 2 files changed, 4 insertions(+), 68 deletions(-)
diff --git a/apps/code/src/shared/constants/oauth.test.ts b/apps/code/src/shared/constants/oauth.test.ts
index 2b5ae3c3e..4aac1ce9f 100644
--- a/apps/code/src/shared/constants/oauth.test.ts
+++ b/apps/code/src/shared/constants/oauth.test.ts
@@ -8,39 +8,9 @@ describe("OAUTH_SCOPES guard", () => {
 scopes: OAUTH_SCOPES,
 }).toMatchInlineSnapshot(`
 {
- "scopeVersion": 3,
+ "scopeVersion": 4,
 "scopes": [
- "user:read",
- "user:write",
- "project:read",
- "task:write",
- "llm_gateway:read",
- "integration:read",
- "introspection",
- "action:read",
- "action:write",
- "dashboard:read",
- "dashboard:write",
- "error_tracking:read",
- "error_tracking:write",
- "event_definition:read",
- "event_definition:write",
- "experiment:read",
- "experiment:write",
- "feature_flag:read",
- "feature_flag:write",
- "insight:read",
- "insight:write",
- "logs:read",
- "organization:read",
- "property_definition:read",
- "query:read",
- "survey:read",
- "survey:write",
- "warehouse_table:read",
- "warehouse_view:read",
- "external_data_source:read",
- "external_data_source:write",
+ "*",
 ],
 }
 `);
diff --git a/apps/code/src/shared/constants/oauth.ts b/apps/code/src/shared/constants/oauth.ts
index 9b2065b40..0a851215a 100644
--- a/apps/code/src/shared/constants/oauth.ts
+++ b/apps/code/src/shared/constants/oauth.ts
@@ -5,43 +5,9 @@ export const POSTHOG_EU_CLIENT_ID = "AIvijgMS0dxKEmr5z6odvRd8Pkh5vts3nPTzgzU9";
 export const POSTHOG_DEV_CLIENT_ID = "DC5uRLVbGI02YQ82grxgnK6Qn12SXWpCqdPb60oZ";
 // Bump OAUTH_SCOPE_VERSION below whenever OAUTH_SCOPES changes to force re-authentication
-export const OAUTH_SCOPES = [
- // PostHog Code app needs
- "user:read",
- "user:write",
- "project:read",
- "task:write",
- "llm_gateway:read",
- "integration:read",
- "introspection",
- // MCP server scopes
- "action:read",
- "action:write",
- "dashboard:read",
- "dashboard:write",
- "error_tracking:read",
- "error_tracking:write",
- "event_definition:read",
- "event_definition:write",
- "experiment:read",
- "experiment:write",
- "feature_flag:read",
- "feature_flag:write",
- "insight:read",
- "insight:write",
- "logs:read",
- "organization:read",
- "property_definition:read",
- "query:read",
- "survey:read",
- "survey:write",
- "warehouse_table:read",
- "warehouse_view:read",
- "external_data_source:read",
- "external_data_source:write",
-];
+export const OAUTH_SCOPES = ["*"];
-export const OAUTH_SCOPE_VERSION = 3;
+export const OAUTH_SCOPE_VERSION = 4;
 export const REGION_LABELS: Record = {
 us: "🇺🇸 US Cloud",
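Review bot: `OAUTH_SCOPES = ["*"]` gives up least privilege at the client: every token this app obtains would carry whatever the authorization server maps `*` to, instead of the 31 named scopes the removed list requested, several of which were deliberately read-only (`logs:read`, `organization:read`, `query:read`). It also weakens the re-consent mechanism described by the `// Bump OAUTH_SCOPE_VERSION` comment just above, because the effective grant can presumably grow server-side with no change to this file, and the inline snapshot in `oauth.test.ts` now pins only `"*"` and so no longer detects a change in requested permissions. I would keep the explicit list and add only the scopes that were actually missing; if the wildcard is intentional, record the decision at the constant, e.g. `// "*" requests every scope the server allows this client; the allowed set must be restricted in the client registration (<link to registration/ADR>)`. The removed grouping comments (`// PostHog Code app needs`, `// MCP server scopes`) were the only record of which consumer needed which scope, so that rationale is worth preserving in the comment as well.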