PR Custody

fix(pinecone): migrate pinecone_oauth from OAuth2 to S2S OAuth (client_credentials)

@AgentWrapperchecks n/achecks…fix/PLEN-2215-pinecone-s2s → master1 files · +34 −18updated 1mo ago

▸Description· 1 comment · 1 noise

Summary

Per the PLEN-2215 audit (Pattern B "soft misuse"), pinecone_oauth was declared mode: 'OAUTH2' but had internally inconsistent params (authorization_params.response_type: 'code' + token_params.grant_type: 'client_credentials') — the authorize URL was unused and the scheme could not complete a token exchange.

Pinecone's Admin API service-account auth is client_credentials only (docs). Migrating to mode: 'S2S_OAUTH2' (pinecone_s2s_oauth2):

client_id/client_secret as auth_config_field (Pinecone service-account credentials are issued from the console; admin-managed).
auth_method: 'body' — https://login.pinecone.io/oauth/token accepts form-encoded creds in the body.
params.audience: 'https://api.pinecone.io/' is required by Pinecone's token endpoint and preserved.
Drops unused authorization_url, authorization_params, disable_pkce, token_request_auth_method, refresh_request_auth_method.

The unrelated pinecone_api_key scheme is untouched.

⚠️ Backwards compatibility: existing connections (if any) under pinecone_oauth will need to be re-created under pinecone_s2s_oauth2. Per the audit, the prior scheme cannot produce a working token.

Pattern matches PayPal (ComposioHQ/mercury#21885) and Neo4j (ComposioHQ/mercury#23064).

Refs: PLEN-2215.

Test plan

make validate-config file=apps/pinecone/config.ts passes.
Create staging auth config with real Pinecone service-account credentials; confirm /oauth/token returns 200 with audience set.
Verify the pinecone_api_key scheme is byte-for-byte unchanged.

@AgentWrapper1mo ago

Root Cause Analysis

The broken pinecone_oauth scheme replaced by this PR was introduced in:

Origin PR: ComposioHQ/mercury#6620 — "(source:pd) feat: 43 new apps"
Author: @Karthikeya-Meesala
Approved by: @Uday-sidagana, @abhishekpatil4, @sjd9021
Merged: 2025-12-21
Commit: ab33e33043

Per the PLEN-2215 audit, this is Pattern B "soft misuse" — mode: 'OAUTH2' declared with internally inconsistent params (authorization_params.response_type: 'code' for an authorize-code flow, but token_params.grant_type: 'client_credentials' for S2S). The two halves contradict each other and the scheme could not complete a token exchange end-to-end.

🤖 Auto-generated RCA.

▸ 1 bot/status comment hidden

@linear-code[bot]1mo ago

Context

Neo4j Aura's public API (https://api.neo4j.io/oauth/token) only supports the OAuth2 client_credentials grant — there is no redirect authorization_code flow. Today the toolkit declares four auth schemes, two of which target this endpoint:

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):

loading diff…

@linear-code[bot]1mo ago

Context

neo4j_oauth (mode: OAUTH2) — uses OAUTH2 mode but with token_params: { grant_type: 'client_credentials' } and authorization_url === token_url, which is a hack around the missing client_credentials support in OAUTH2.
neo4j_s2s_oauth2 (mode: S2S_OAUTH2) — the correct mode, but currently a stub:
- strictFields: {} → no client_id / client_secret fields are exposed at auth-config creation, so users have no way to provide credentials.
- token_config.auth_method is unset.
- token_config.params: {} → no credentials are sent in the token exchange.

Net effect: the S2S scheme is visible in the UI but cannot actually succeed.

Proposed direction

Flesh out neo4j_s2s_oauth2 in mercury/apps/neo4j/config.ts to match the PayPal S2S pattern (see ComposioHQ/mercury#22415):

Add strictFields.db.client_id and strictFields.db.client_secret with field_type: 'auth_config_field'.
Set token_config.auth_method: 'basic' (Neo4j Aura accepts HTTP Basic).
Set token_config.params: { client_id: fields.client_id, client_secret: fields.client_secret }.

Open questions for planning

Do we deprecate or remove neo4j_oauth? It overlaps with the S2S scheme and the redirect flow isn't real.
Any per-tenant/region URLs for Neo4j Aura that would require the same base_url_host eval-field trick used for PayPal / Zoho Mail?

References

PayPal S2S fix (same pattern, recent):