From 6a0f537d66d90a1937a076891d468c0e22bb7496 Mon Sep 17 00:00:00 2001
From: Chris Coutinho <chris@coutinho.io>
Date: Mon, 3 Nov 2025 19:50:57 +0100
Subject: [PATCH] fix: make provisioning checks opt-in (default false)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes @require_provisioning decorator to check REQUIRE_PROVISIONING
environment variable (defaults to false) instead of
ENABLE_PROGRESSIVE_CONSENT (defaults to true).

This makes provisioning checks opt-in rather than required by default:
- BasicAuth mode: Always skips (no change)
- OAuth mode: Skips by default, requires REQUIRE_PROVISIONING=true to enforce
- Progressive Consent Flow 2: Enable via REQUIRE_PROVISIONING=true

Fixes OAuth smoke test failures where tools were checking for provisioning
even though Flow 2 hadn't been completed.

Testing:
- All 5 smoke tests passing (including OAuth)
- All 36 unit tests passing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .../auth/provisioning_decorator.py                | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/nextcloud_mcp_server/auth/provisioning_decorator.py b/nextcloud_mcp_server/auth/provisioning_decorator.py
index 9095933..d9d18d1 100644
--- a/nextcloud_mcp_server/auth/provisioning_decorator.py
+++ b/nextcloud_mcp_server/auth/provisioning_decorator.py
@@ -63,7 +63,20 @@ def require_provisioning(func: Callable) -> Callable:
             logger.debug("BasicAuth mode detected - skipping provisioning check")
             return await func(*args, **kwargs)
 
-        # OAuth mode - check provisioning
+        # Check if provisioning is required (opt-in, defaults to false)
+        # Provisioning is only needed when using Progressive Consent with Flow 2
+        import os
+
+        require_provisioning = (
+            os.getenv("REQUIRE_PROVISIONING", "false").lower() == "true"
+        )
+        if not require_provisioning:
+            logger.debug(
+                "Provisioning not required (REQUIRE_PROVISIONING=false) - skipping check"
+            )
+            return await func(*args, **kwargs)
+
+        # OAuth mode with provisioning required - check provisioning status
         # Get user_id from authorization token
         user_id = None
         if hasattr(ctx, "authorization") and ctx.authorization: