Summary
Align the two Google Tasks list actions flagged as real scope mismatches in the VERIFIEDGoogleTasks workbook with the canonical Google Tasks API docs, and document the Need Review batch action that was verified but left unchanged.
Changed actions
| Action | Old | New | Reason | Source |
|---|---|---|---|---|
| GOOGLETASKS_LIST_TASKS | `{"all_of": [{"any_of": ["https://www.googleapis.com/auth/tasks"]}]}` | `{"all_of": [{"any_of": ["https://www.googleapis.com/auth/tasks", "https://www.googleapis.com/auth/tasks.readonly"]}]}` | The action makes a single GET /tasks/v1/lists/{tasklist}/tasks call, and the canonical tasks.list doc says either tasks or tasks.readonly authorizes that endpoint. The old scope unnecessarily rejected read-only tokens. | QA workbook mismatch row; ground truth: tasks.list |
| GOOGLETASKS_LIST_ALL_TASKS | `{"all_of": [{"any_of": ["https://www.googleapis.com/auth/tasks"]}]}` | `{"all_of": [{"any_of": ["https://www.googleapis.com/auth/tasks", "https://www.googleapis.com/auth/tasks.readonly"]}]}` | The action always calls both GET /tasks/v1/users/@me/lists and GET /tasks/v1/lists/{tasklist}/tasks. Both doc pages list the same two valid scopes, so their intersection is non-empty and stays a single any_of clause. | QA workbook mismatch row; ground truth: tasklists.list + tasks.list |
Coverage matrix
GOOGLETASKS_LIST_TASKS
| Actual HTTP call from code | Canonical doc page | Doc scopes | In final CNF? |
|---|---|---|---|
| GET /tasks/v1/lists/{tasklist}/tasks | tasks.list | tasks, tasks.readonly | Yes — single clause `{"any_of": ["https://www.googleapis.com/auth/tasks", "https://www.googleapis.com/auth/tasks.readonly"]}` |
GOOGLETASKS_LIST_ALL_TASKS
| Actual HTTP call from code | Canonical doc page | Doc scopes | Intersection impact |
|---|---|---|---|
| GET /tasks/v1/users/@me/lists | tasklists.list | tasks, tasks.readonly | Contributes tasks + tasks.readonly |
| GET /tasks/v1/lists/{tasklist}/tasks | tasks.list | tasks, tasks.readonly | Same set; intersection remains tasks + tasks.readonly |
Final CNF: {"all_of": [{"any_of": ["https://www.googleapis.com/auth/tasks", "https://www.googleapis.com/auth/tasks.readonly"]}]}.
Reviewed but not changed
| Action | Workbook status | Why no change | Source |
|---|---|---|---|
| GOOGLETASKS_BATCH_EXECUTE | Need Review / FAIL | The action is a generic batch executor, not a fixed read-only list call. Its request model explicitly allows GET, POST, PATCH, PUT, and DELETE subrequests, so broadening `_scopes` to include tasks.readonly would let read-only tokens pass Mercury and then 403 on write batches. Keeping writable tasks only is consistent with the Tasks auth guide (tasks = create/edit/organize/delete; tasks.readonly = view only) and with write endpoints like tasks.insert, which require tasks. | Google Tasks auth guide, tasks.insert, RequestBatch |
Bugbot pass
- Fetched review comments with `gh api repos/ComposioHQ/mercury/pulls/23387/comments` after push.
- Result at fetch time: `[]` (no bugbot or reviewer comments to address).
- No code changes or reverts were needed after the comment fetch, so there is no retrospective/revert section for this PR.
Validation
```
./.nox/fmt_app/bin/ruff format apps/googletasks/actions/list_tasks.py apps/googletasks/actions/list_all_tasks.py
./.nox/chk_app/bin/ruff check apps/googletasks/actions/list_tasks.py apps/googletasks/actions/list_all_tasks.py
```
- AST-verified both edited `_scopes` literals with `ast.literal_eval` against the allowed CNF shape.
Retrospective
- Follow-up commit `770d94295b` removed `scope_audit_googletasks.md` from the repository root after Bugbot correctly flagged it as an audit working document that duplicated the PR notes and did not belong in the committed tree.
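
A sketch of the AST check described under Validation, added here as an illustration and not taken from the PR or the Mercury code base. The class names, the inline sample sources, and the exact "allowed CNF shape" (a single `all_of` key holding `any_of` clauses of Google scope URLs) are assumptions; it also goes one step further and evaluates which tokens each CNF admits.

```python
import ast

PREFIX = "https://www.googleapis.com/auth/"
TASKS, READONLY = PREFIX + "tasks", PREFIX + "tasks.readonly"

# Constructed sample sources standing in for the action modules (hypothetical class names).
LIST_TASKS_SRC = f'''
class ListTasks:
    _scopes = {{"all_of": [{{"any_of": ["{TASKS}", "{READONLY}"]}}]}}
'''
BATCH_SRC = f'''
class BatchExecute:
    _scopes = {{"all_of": [{{"any_of": ["{TASKS}"]}}]}}
'''

def extract_scopes(source):
    """Return the literal assigned to `_scopes`, without importing or running the module."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "_scopes" for t in node.targets
        ):
            return ast.literal_eval(node.value)  # raises if the value is not a pure literal
    raise ValueError("no _scopes assignment found")

def check_cnf(cnf):
    """Raise ValueError unless cnf matches the assumed shape; return it otherwise."""
    if not (isinstance(cnf, dict) and set(cnf) == {"all_of"} and isinstance(cnf["all_of"], list)):
        raise ValueError("top level must be a dict with only an 'all_of' list")
    for clause in cnf["all_of"]:
        if not (isinstance(clause, dict) and set(clause) == {"any_of"}):
            raise ValueError(f"clause must be a dict with only 'any_of': {clause!r}")
        scopes = clause["any_of"]
        if not (isinstance(scopes, list) and scopes):
            raise ValueError("any_of must be a non-empty list")
        if len(set(map(str, scopes))) != len(scopes):
            raise ValueError("duplicate scope in any_of clause")
        if not all(isinstance(s, str) and s.startswith(PREFIX) for s in scopes):
            raise ValueError(f"unexpected scope value in {scopes!r}")
    return cnf

def token_satisfies(cnf, granted):
    """CNF semantics: every clause needs at least one granted scope."""
    return all(any(s in granted for s in clause["any_of"]) for clause in cnf["all_of"])

if __name__ == "__main__":
    for name, src in (("list_tasks", LIST_TASKS_SRC), ("batch_execute", BATCH_SRC)):
        cnf = check_cnf(extract_scopes(src))
        print(name, "admits read-only token:", token_satisfies(cnf, {READONLY}))
```
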