fix: address PR review feedback

- Add runtime.GOOS check to Docker detection (macOS/Windows compatibility)
- Use cancellable contexts for elicitation goroutines (pollCtx, elicitCtx)
- Mark listener.Close() error as intentionally ignored in cleanup
- Remove redundant oauthMgr.GetAccessToken() check (always empty in lazy auth)
- Inline CSS in OAuth templates (remove CDN dependency)
- Add documentation to Result struct about token refresh behavior

Author: SamMorrowDrums

cmd/github-mcp-server/main.go

@@ -104,11 +104,6 @@ var (
 				}
 			}
 
-			// Extract token from OAuth manager if available
-			if oauthMgr != nil && token == "" {
-				token = oauthMgr.GetAccessToken()
-			}
-
 			ttl := viper.GetDuration("repo-access-cache-ttl")
 			stdioServerConfig := ghmcp.StdioServerConfig{
 				Version:              version,

docs/changelog/2026-01-intelligent-scope-features.md

@@ -0,0 +1,78 @@
+---
+title: "Intelligent Scope Features"
+date: 2026-01
+description: "OAuth scope challenges, automatic PAT filtering, and comprehensive scope documentation for smarter authentication"
+category: feature
+---
+
+# Intelligent Scope Features
+
+GitHub MCP Server now intelligently handles OAuth scopes—filtering tools based on your permissions and enabling dynamic scope requests when needed.
+
+## What's New
+
+### OAuth Scope Challenges
+
+The server now implements [MCP scope challenge handling](https://modelcontextprotocol.io/specification/2025-11-05/basic/authorization#scope-challenge-handling). Instead of failing when you lack a required scope, it requests additional permissions dynamically—start with minimal permissions and expand them as needed.
+
+### PAT Scope Filtering
+
+For classic Personal Access Tokens (`ghp_`), tools are automatically filtered based on your token's scopes. The server discovers your scopes at startup and hides tools you can't use.
+
+**Example:** If your PAT only has `repo` and `gist` scopes, tools requiring `admin:org`, `project`, or `notifications` are hidden.
+
+### Server-to-Server Token Handling
+
+For server-to-server tokens (like `GITHUB_TOKEN` in Actions), the server hides user-context tools like `get_me` that don't apply without a human user.
+
+### Documented OAuth Scopes
+
+Every MCP tool now documents its required and accepted OAuth scopes in the README and tool metadata.
+
+### New `list-scopes` Command
+
+Discover what scopes your toolsets need:
+
+```bash
+github-mcp-server list-scopes --output=summary
+github-mcp-server list-scopes --toolsets=all --output=json
+```
+
+## Scope Hierarchy
+
+The server understands GitHub's scope hierarchy, so parent scopes satisfy child scope requirements:
+
+| Parent Scope | Covers |
+|-------------|--------|
+| `repo` | `public_repo`, `security_events` |
+| `admin:org` | `write:org`, `read:org` |
+| `project` | `read:project` |
+| `write:org` | `read:org` |
+
+If a tool requires `read:org` and your token has `admin:org`, the tool is available.
+
+## Authentication Comparison
+
+| Authentication Method | Scope Handling |
+|----------------------|----------------|
+| **OAuth** (remote server) | Scope challenges — request permissions on-demand |
+| **Classic PAT** (`ghp_`) | Automatic filtering — hide unavailable tools |
+| **Fine-grained PAT** (`github_pat_`) | No filtering — fine-grained permissions, not OAuth scopes |
+| **GitHub App** (`ghs_`) | No filtering — fine-grained permissions, not OAuth scopes |
+| **Server-to-Server** (`GITHUB_TOKEN`) | User tools hidden — no user context available |
+
+## Getting Started
+
+**OAuth users:** No action required—scope challenges work automatically.
+
+**PAT users:** Run `list-scopes` to discover required scopes, create a PAT at [github.com/settings/tokens](https://github.com/settings/tokens), and start the server.
+
+## Related Documentation
+
+- [PAT Scope Filtering Guide](https://github.com/github/github-mcp-server/blob/v0.29.0/docs/scope-filtering.md)
+- [OAuth Authentication Guide](https://github.com/github/github-mcp-server/blob/v0.29.0/docs/oauth-authentication.md)
+- [Server Configuration](https://github.com/github/github-mcp-server/blob/v0.29.0/docs/server-configuration.md)
+
+## Feedback
+
+Share your experience in the [Scope filtering/challenging discussion](https://github.com/github/github-mcp-server/discussions/1802). We're exploring ways to better support fine-grained permissions in the future.

internal/oauth/manager.go

@@ -124,9 +124,11 @@ func (m *Manager) startDeviceFlowWithElicitation(ctx context.Context, session *m
 		go func() {
 			elicitID, err := generateRandomToken()
 			if err != nil {
+				// Non-critical: use fallback ID if generation fails
 				elicitID = "fallback-id"
 			}
-			result, err := session.Elicit(ctx, &mcp.ElicitParams{
+			// Use pollCtx so elicitation is cancelled when polling completes or is cancelled
+			result, err := session.Elicit(pollCtx, &mcp.ElicitParams{
 				Mode:          "url",
 				URL:           deviceAuth.VerificationURI,
 				ElicitationID: elicitID,
@@ -209,7 +211,7 @@ func (m *Manager) startPKCEFlowWithElicitation(ctx context.Context, session *mcp
 		shutdownCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		_ = server.Shutdown(shutdownCtx)
-		listener.Close()
+		_ = listener.Close() // Error intentionally ignored in cleanup
 	}
 
 	// Try to open browser - if it works, no elicitation needed
@@ -218,13 +220,18 @@ func (m *Manager) startPKCEFlowWithElicitation(ctx context.Context, session *mcp
 	// Channel to signal elicitation cancellation
 	elicitCancelChan := make(chan struct{}, 1)
 
+	// Create cancellable context for elicitation
+	elicitCtx, cancelElicit := context.WithCancel(ctx)
+	defer cancelElicit()
+
 	// Only elicit if browser failed to open (e.g., headless environment)
 	// and we need to show the user the URL manually
 	if browserErr != nil && session != nil {
 		// Run elicitation in goroutine so we can monitor callback in parallel
 		go func() {
-			elicitID, _ := generateRandomToken()
-			result, err := session.Elicit(ctx, &mcp.ElicitParams{
+			elicitID, _ := generateRandomToken() // Non-critical: empty ID is acceptable
+			// Use elicitCtx so elicitation is cancelled when auth completes
+			result, err := session.Elicit(elicitCtx, &mcp.ElicitParams{
 				Mode:          "url",
 				URL:           authURL,
 				ElicitationID: elicitID,

internal/oauth/oauth.go

@@ -54,12 +54,16 @@ type Config struct {
 	CallbackPort  int    // Fixed callback port (0 for random)
 }
 
-// Result contains the OAuth flow result
+// Result contains the OAuth flow result.
+//
+// Note: This implementation does not currently perform automatic token refresh.
+// GitHub OAuth tokens for OAuth Apps do not expire, but GitHub Apps tokens do.
+// Callers should handle re-authentication when API calls fail with auth errors.
 type Result struct {
 	AccessToken  string
-	RefreshToken string
+	RefreshToken string // Captured but not currently used for automatic refresh
 	TokenType    string
-	Expiry       time.Time
+	Expiry       time.Time // Zero value if token does not expire
 }
 
 // generatePKCEVerifier generates a PKCE code verifier
@@ -74,8 +78,16 @@ func generatePKCEVerifier() (string, error) {
 	return verifier, nil
 }
 
-// isRunningInDocker detects if the process is running inside a Docker container
+// isRunningInDocker detects if the process is running inside a Docker container.
+// This detection is used to determine whether to use device flow (no browser available)
+// or PKCE flow (browser can be opened). On non-Linux systems, this always returns false
+// since the detection relies on Linux-specific paths.
 func isRunningInDocker() bool {
+	// Docker detection only works on Linux where /proc filesystem exists
+	if runtime.GOOS != "linux" {
+		return false
+	}
+
 	// Check for .dockerenv file (most common indicator)
 	if _, err := os.Stat("/.dockerenv"); err == nil {
 		return true

internal/oauth/templates/error.html

@@ -1,26 +1,60 @@
 <!DOCTYPE html>
-<html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark">
+<html lang="en">
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <title>Authorization Failed</title>
-<link href="https://cdn.jsdelivr.net/npm/@primer/css@22/dist/primer.min.css" rel="stylesheet">
 <style>
 html, body { height: 100%; margin: 0; }
-body { display: flex; align-items: center; justify-content: center; min-height: 100vh; }
-.card { width: 500px; box-shadow: none !important; }
+body {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
+  background-color: #0d1117;
+  color: #e6edf3;
+}
+.card {
+  width: 500px;
+  background-color: #161b22;
+  border: 1px solid #30363d;
+  border-radius: 6px;
+  padding: 32px;
+  text-align: center;
+}
+.octicon { margin-bottom: 16px; }
+h1 {
+  font-size: 20px;
+  font-weight: 600;
+  margin: 0 0 12px 0;
+  color: #f85149;
+}
+p { font-size: 16px; color: #8b949e; margin: 16px 0 0 0; }
+.flash-error {
+  margin-top: 16px;
+  padding: 12px 16px;
+  background-color: rgba(248, 81, 73, 0.1);
+  border: 1px solid rgba(248, 81, 73, 0.4);
+  border-radius: 6px;
+}
+code {
+  font-family: ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, monospace;
+  font-size: 14px;
+  color: #f85149;
+}
 </style>
 </head>
-<body class="color-bg-canvas">
-<div class="Box color-bg-default card p-6 text-center">
-  <svg class="octicon color-fg-default mb-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
+<body>
+<div class="card">
+  <svg class="octicon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
     <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
   </svg>
-  <h1 class="h2 color-fg-danger mb-3">Authorization Failed</h1>
-  <div class="flash flash-error mt-4">
-    <code class="f5">{{.ErrorMessage}}</code>
+  <h1>Authorization Failed</h1>
+  <div class="flash-error">
+    <code>{{.ErrorMessage}}</code>
   </div>
-  <p class="f4 color-fg-muted mt-4">You can close this window.</p>
+  <p>You can close this window.</p>
 </div>
 </body>
 </html>

internal/oauth/templates/success.html

@@ -1,25 +1,55 @@
 <!DOCTYPE html>
-<html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark">
+<html lang="en">
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <title>Authorization Successful</title>
-<link href="https://cdn.jsdelivr.net/npm/@primer/css@22/dist/primer.min.css" rel="stylesheet">
 <style>
 html, body { height: 100%; margin: 0; }
-body { display: flex; align-items: center; justify-content: center; min-height: 100vh; }
-.card { width: 500px; box-shadow: none !important; }
+body {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif;
+  background-color: #0d1117;
+  color: #e6edf3;
+}
+.card {
+  width: 500px;
+  background-color: #161b22;
+  border: 1px solid #30363d;
+  border-radius: 6px;
+  padding: 32px;
+  text-align: center;
+}
+.octicon { margin-bottom: 16px; }
+h1 {
+  font-size: 20px;
+  font-weight: 600;
+  margin: 0 0 12px 0;
+  color: #3fb950;
+}
+p { font-size: 16px; color: #8b949e; margin: 0; }
+.flash {
+  margin-top: 16px;
+  padding: 12px 16px;
+  background-color: rgba(56, 139, 253, 0.15);
+  border: 1px solid rgba(56, 139, 253, 0.4);
+  border-radius: 6px;
+}
+.flash p { font-size: 14px; }
 </style>
 </head>
-<body class="color-bg-canvas">
-<div class="Box color-bg-default card p-6 text-center">
-  <svg class="octicon color-fg-default mb-4" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
+<body>
+<div class="card">
+  <svg class="octicon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" width="80" height="80" fill="currentColor">
     <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
   </svg>
-  <h1 class="h2 color-fg-success mb-3">Authorization Successful</h1>
-  <p class="f4 color-fg-muted">You have successfully authorized the GitHub MCP Server.</p>
-  <div class="flash mt-4">
-    <p class="mb-0 f5">You can close this window and retry your request.</p>
+  <h1>Authorization Successful</h1>
+  <p>You have successfully authorized the GitHub MCP Server.</p>
+  <div class="flash">
+    <p>You can close this window and retry your request.</p>
   </div>
 </div>
 </body>