From 805e9ac89f989fd8c92c61d724ba500d5c5f593b Mon Sep 17 00:00:00 2001
From: Martin Torp
Date: Mon, 1 Jun 2026 10:22:57 +0200
Subject: [PATCH] fix: require fixes:list scope for socket fix

socket fix resolves vulnerabilities via the Coana CLI, which now calls the scoped GET /v0/orgs/{org}/fixes endpoint (Coana switched from the unscoped legacy POST /v0/fixes/compute-fixes in 15.1.1). That endpoint requires the fixes:list API token scope, but requirements.json only advertised full-scans:create and packages:list, so a token granted exactly the documented scopes hit a 403 Forbidden. Add fixes:list to the fix command's advertised permissions so socket fix --help and the docs reflect the real requirement, and update the help snapshot to match.
---
 requirements.json | 2 +-
 src/commands/fix/cmd-fix.integration.test.mts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements.json b/requirements.json
index 6ecef5b0d..9b858f4e8 100644
--- a/requirements.json
+++ b/requirements.json
@@ -10,7 +10,7 @@
 },
 "fix": {
 "quota": 101,
- "permissions": ["full-scans:create", "packages:list"]
+ "permissions": ["full-scans:create", "packages:list", "fixes:list"]
 },
 "login": {
 "quota": 1,
diff --git a/src/commands/fix/cmd-fix.integration.test.mts b/src/commands/fix/cmd-fix.integration.test.mts
index 7ce327b44..8b2908a4a 100644
--- a/src/commands/fix/cmd-fix.integration.test.mts
+++ b/src/commands/fix/cmd-fix.integration.test.mts
@@ -160,7 +160,7 @@ describe('socket fix', async () => {
 API Token Requirements
 - Quota: 101 units
- - Permissions: full-scans:create and packages:list
+ - Permissions: fixes:list, full-scans:create, and packages:list
 Options
 --all Process all discovered vulnerabilities in local mode. Cannot be used with --id.
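Review bot: In the `fix` entry of requirements.json the new scope is appended after `packages:list`, while the help snapshot updated in cmd-fix.integration.test.mts prints `fixes:list, full-scans:create, and packages:list`, so the rendered order evidently does not follow the file order. Keeping the array sorted, `"permissions": ["fixes:list", "full-scans:create", "packages:list"]`, would make the file read the same as the help text users see. This list is what people copy when minting a least-privilege token, and JSON cannot carry a comment, so the reason for the scope (the scoped `GET /v0/orgs/{org}/fixes` call made through the Coana CLI) survives only in the commit message; it is worth recording next to wherever the token scopes are documented. Whether anything checks the advertised scopes against the endpoints a command actually calls is not visible from this hunk, but the 403 described in the commit message suggests drift of this kind is currently found only by users.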