Two GoogleSheets actions advertise OAuth scopes that work for one of their endpoints but get rejected by another. Users holding only the "wrong" scope pass Mercury's gate, then hit a runtime 403 from Google.
SEARCH_SPREADSHEETS: drop `auth/spreadsheets` and `auth/spreadsheets.readonly`

Calls only `GET /drive/v3/files`. The Drive Files API does not accept Sheets-specific scopes. The 8 drive-prefixed scopes remain.

CREATE_GOOGLE_SHEET: drop `auth/spreadsheets`, keep `auth/drive` and `auth/drive.file`

Calls 3 endpoints:

- `POST /v4/spreadsheets`: accepts drive, drive.file, spreadsheets
- `GET /drive/v3/files`: Drive API; accepts only drive-prefixed scopes
- `PATCH /drive/v3/files/{id}`: Drive API; accepts only drive-prefixed scopes

The action uses the Drive endpoints to optionally place the new spreadsheet inside a named folder (folder hierarchy is a Drive concept, not a Sheets concept). The intersection of accepted scopes across all 3 endpoints is {drive, drive.file}. Leaving spreadsheets in `any_of` would let a user with only that scope pass Mercury's gate and then 403 at the Drive calls.
Built an independent verifier that:

- apps/googlesheets/actions/ to enumerate every `http_request(...)` URL.
- `_scopes` ⊆ the intersection of all endpoints' official scope lists (strict). Anything in Mercury that some endpoint rejects gets flagged.

After this fix:
- UPSERT_ROWS) uses the gspread SDK rather than raw `http_request`. Static analysis can't auto-trace gspread's calls; manually confirmed Mercury's scopes (drive, drive.file, spreadsheets) match the intersection of every endpoint gspread is documented to call.

[QA TESTING] Action To Scope Mapping.xlsx → VERIFIED

GoogleSheets flagged 13 mismatches. Independent verification shows:

- SEARCH_SPREADSHEETS).
- CREATE_GOOGLE_SHEET) was missed by the spreadsheet entirely: its per-endpoint check passes for each of the 3 endpoints individually, but the cross-endpoint analysis (which the spreadsheet does not perform) catches the trap.

Worth flagging back to QA: the spreadsheet's per-row "Mercury vs Official scopes" verdict is a per-endpoint comparison and isn't reliable for any action that hits more than one endpoint. 20 of 48 GoogleSheets actions are multi-endpoint.
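The strict rule the verifier applies (an action's `any_of` scopes must be a subset of the intersection of every called endpoint's accepted scopes) and the looser per-endpoint comparison that misses CREATE_GOOGLE_SHEET are both small enough to model directly. The following is an added, self-contained example written for this description; it is not the PR's verifier and not Mercury code. The per-endpoint scope sets are constructed and abbreviated from the text above (the real Drive lists carry 8 drive-prefixed scopes), the action table is a hand-built stand-in for what a scan of `http_request(...)` calls would produce, Mercury's gate is modelled as "user holds at least one scope in `any_of`", and the spreadsheet's per-row check is modelled as a non-empty overlap test, which is an assumption about how that sheet scores a row.

```python
"""Cross-endpoint OAuth scope check for multi-endpoint actions (illustrative).

Constructed model of the strict rule: an action's any_of scopes must be a
subset of the intersection of the accepted-scope lists of every endpoint it
calls. Scope tables below are constructed and abbreviated, not Google's
official lists.
"""
from typing import Dict, FrozenSet, List, Tuple

Endpoint = Tuple[str, str]  # (HTTP method, path)

PREFIX = "https://www.googleapis.com/auth/"
DRIVE = PREFIX + "drive"
DRIVE_FILE = PREFIX + "drive.file"
DRIVE_READONLY = PREFIX + "drive.readonly"
SHEETS = PREFIX + "spreadsheets"
SHEETS_READONLY = PREFIX + "spreadsheets.readonly"

# Constructed per-endpoint accepted-scope sets, modelled on the PR text.
# The real Drive lists carry 8 drive-prefixed scopes; only a subset is shown.
ENDPOINT_SCOPES: Dict[Endpoint, FrozenSet[str]] = {
    ("GET", "/drive/v3/files"): frozenset({DRIVE, DRIVE_FILE, DRIVE_READONLY}),
    ("PATCH", "/drive/v3/files/{id}"): frozenset({DRIVE, DRIVE_FILE}),
    ("POST", "/v4/spreadsheets"): frozenset({DRIVE, DRIVE_FILE, SHEETS}),
}

# Constructed action table: pre-fix any_of scopes and the endpoints each action
# calls, in call order. In a real run this would be harvested from the
# http_request(...) calls under apps/googlesheets/actions/.
ACTIONS: Dict[str, Tuple[FrozenSet[str], List[Endpoint]]] = {
    "SEARCH_SPREADSHEETS": (
        frozenset({DRIVE, DRIVE_FILE, DRIVE_READONLY, SHEETS, SHEETS_READONLY}),
        [("GET", "/drive/v3/files")],
    ),
    "CREATE_GOOGLE_SHEET": (
        frozenset({DRIVE, DRIVE_FILE, SHEETS}),
        [
            ("POST", "/v4/spreadsheets"),
            ("GET", "/drive/v3/files"),
            ("PATCH", "/drive/v3/files/{id}"),
        ],
    ),
}


def short(scope: str) -> str:
    """'https://www.googleapis.com/auth/drive.file' -> 'drive.file'."""
    return scope.rsplit("/", 1)[-1]


def accepted_by_all(endpoints: List[Endpoint]) -> FrozenSet[str]:
    """Scopes that every endpoint in the call chain accepts."""
    sets = [ENDPOINT_SCOPES[e] for e in endpoints]
    return frozenset.intersection(*sets) if sets else frozenset()


def per_endpoint_verdicts(any_of: FrozenSet[str], endpoints: List[Endpoint]) -> Dict[Endpoint, bool]:
    """Assumed model of a per-row spreadsheet check: an endpoint 'passes' when at
    least one of the action's scopes is accepted there. This is the comparison
    that lets CREATE_GOOGLE_SHEET through."""
    return {e: bool(any_of & ENDPOINT_SCOPES[e]) for e in endpoints}


def stale_scopes(any_of: FrozenSet[str], endpoints: List[Endpoint]) -> List[str]:
    """Strict cross-endpoint rule: every scope in any_of that some endpoint rejects."""
    return sorted(short(s) for s in any_of - accepted_by_all(endpoints))


def simulate(granted: FrozenSet[str], any_of: FrozenSet[str], endpoints: List[Endpoint]) -> str:
    """Walk the call chain for a user holding exactly `granted`.

    Mercury's gate is modelled as: pass if the user holds any scope in any_of.
    Returns 'rejected at gate', 'ok', or '403 at <METHOD> <path>' naming the
    first endpoint that would reject the token mid-execute().
    """
    if not (granted & any_of):
        return "rejected at gate"
    for method, path in endpoints:
        if not (granted & ENDPOINT_SCOPES[(method, path)]):
            return f"403 at {method} {path}"
    return "ok"


def audit(actions: Dict[str, Tuple[FrozenSet[str], List[Endpoint]]] = ACTIONS) -> Dict[str, List[str]]:
    """Map each action to the scopes the strict rule says must be dropped."""
    return {name: stale_scopes(any_of, eps) for name, (any_of, eps) in actions.items()}


if __name__ == "__main__":
    for name, stale in audit().items():
        print(f"{name}: drop {stale or 'nothing'}")
    any_of, eps = ACTIONS["CREATE_GOOGLE_SHEET"]
    verdicts = {f"{m} {p}": v for (m, p), v in per_endpoint_verdicts(any_of, eps).items()}
    print("per-endpoint verdicts (all pass):", verdicts)
    print("user holding only spreadsheets:", simulate(frozenset({SHEETS}), any_of, eps))
```

Run as-is, `audit()` reports `spreadsheets` and `spreadsheets.readonly` as stale for SEARCH_SPREADSHEETS and `spreadsheets` for CREATE_GOOGLE_SHEET, while `per_endpoint_verdicts` returns True for all three CREATE_GOOGLE_SHEET endpoints, which is exactly the gap between the two checks. `simulate` shows the runtime consequence: a token carrying only `spreadsheets` passes the gate, succeeds at `POST /v4/spreadsheets`, and then 403s at `GET /drive/v3/files`; with `spreadsheets` removed from `any_of` the same token is rejected at the gate instead.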
spreadsheets) and confirming Mercury rejects the auth instead of the user discovering the failure mid-`execute()`.

🤖 Generated with Claude Code