Initial Commit

scripts/revoke_grant.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+#
+# revoke_grant.sh: open Gitea's "Authorized OAuth2 Applications" page so
+# the operator can revoke a stale OAuth grant whose scope set no longer
+# matches the unified scope set requested by this scaffold and the
+# orchestrator's gateway. See docs/oauth-grant-scope-mismatch.md for
+# the full failure mode and recovery procedure.
+
+set -euo pipefail
+
+here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+# shellcheck disable=SC1091
+. "$here/common.sh"
+
+load_env
+require_env FORGE_GITEA_URL
+require_env FSDGG_CLI_CLIENT_ID
+require_cmd python3
+
+base="${FORGE_GITEA_URL%/}"
+url="${base}/user/settings/applications"
+cid="${FSDGG_CLI_CLIENT_ID}"
+
+cat <<EOF
+[revoke-grant] Authorized OAuth2 Applications:
+    ${url}
+[revoke-grant] Client ID to revoke:
+    ${cid}
+
+Procedure:
+  1. The browser opens the URL above.
+  2. Locate the row whose Client ID matches ${cid}.
+  3. Press "Revoke".
+  4. Return here and run 'just login' (or re-run 'just deploy').
+
+EOF
+
+if [ "${FORGE_REVOKE_NO_BROWSER:-0}" = "1" ]; then
+    info "FORGE_REVOKE_NO_BROWSER=1 set; skipping browser launch."
+    exit 0
+fi
+
+python3 - "$url" <<'PY'
+import sys, webbrowser
+url = sys.argv[1]
+ok = webbrowser.open(url, new=1, autoraise=True)
+print(
+    "[revoke-grant] "
+    + ("opened in browser." if ok else "no browser launched; open the URL manually.")
+)
+PY