Fix: verify gist scope on connect (#195 bug 4)

[tylergraydev]

Summary

Closes the last remaining bug from #195: connect_cloud_sync accepted any token gh auth token returned, so users without the gist scope got a generic 403 on first push instead of a helpful message at connect time.

Now verifies the gist scope via the X-OAuth-Scopes response header on GET /user before storing credentials. If the scope is absent, the error names the exact remediation: `gh auth refresh -h github.com -s gist`.

Fine-grained PATs don't emit X-OAuth-Scopes, so in that case we fall through (the API-level error will still surface later on the actual gist call).

What changed

• services/gist_sync.rs — added verify_gist_scope(token) + 4 tests (scope present / scope missing / header absent / 401).
• commands/cloud_sync.rs — call verify_gist_scope in connect_cloud_sync after get_authenticated_user, before find_or_create_gist.
• Cargo.lock — refresh to match Cargo.toml version (was stale at 3.8.1, now 3.8.3).

Test plan

• `cargo test --lib gist_sync` — 14/14 pass (4 new).
• `cargo fmt --check` clean.
• Manual: disconnect gh, re-auth without gist scope (`gh auth refresh -s repo`), click Connect — should see the scope error with remediation, not a 403 later.

Bugs 1–3 from #195 already landed

• Bug 1 (pagination): commit `511c98c`
• Bug 2 (disconnect empty-string check): commit `815cf4c`
• Bug 3 (backup extension): commits `1c55739`, `f74448e`

Once this merges, #195 can close.

🤖 Generated with Claude Code

[tylergraydev]

Second-pass review (independent agent)

Verdict: good to merge as-is. No high-confidence issues flagged.

Header-absent fall-through is correct. Classic OAuth/PAT tokens always emit X-OAuth-Scopes (even when empty); fine-grained PATs and GitHub App installation tokens don't. Falling through on absence is right — blocking would break fine-grained PAT users, and the API-level 403 still surfaces on the actual gist call.

Error message reaches the user verbatim. The call site maps verify_gist_scope's error as-is via e.to_string() (unlike get_authenticated_user, which wraps in "Failed to validate token: {}"), so the remediation command lands cleanly in the UI.

No security concerns. Token flows via existing auth_headers() helper, never logged. to_str().unwrap_or("") degrades gracefully on non-ASCII headers (no panic). Exact-match == "gist" avoids substring false positives. Lowercase "x-oauth-scopes" is correct — reqwest's HeaderMap is case-insensitive per HTTP spec.

Test coverage sufficient. 4 tests cover scope-present, scope-missing (asserts both message fragments), header-absent (fine-grained PAT), and 401. No gaps worth closing.

Style consistent. verify_gist_scope mirrors get_authenticated_user — same URL/headers/error shape. let Some(...) = ... else is idiomatic.

Minor note (not blocking)

Both service calls in connect_cloud_sync hit GET /user. A single call returning both login and scopes would save one request, but splitting keeps the methods independently testable/reusable — better tradeoff for a once-per-connect flow.