- Move httpx import to top-level and use anyio task group for concurrent
validation in cleanup_invalid_app_passwords (storage.py)
- Respect Retry-After header for 429 responses, capped at 300s (oauth_sync.py)
- Soften pre-validation exceptions so transient failures don't crash the
background sync task (oauth_sync.py)
- Replace f-string SQL with blanket DELETE and add returncode checks (conftest.py)
- Extract clear_stale_test_state() helper to deduplicate cleanup logic
in astrolabe background sync tests
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The revoke test failed because it only completed Step 2 (app password) but
not Step 1 (OAuth authorization). In hybrid mode, Astrolabe requires both
steps for $isFullyConfigured=true, which gates the "Revoke Access" button.
Changes:
- Use complete_astrolabe_authorization() in revoke test for full two-step flow
- Add stale state cleanup (app passwords, bruteforce entries, Astrolabe prefs)
to both enablement and revoke tests
- Add startup cleanup of invalid app passwords in BasicAuth mode
- Pre-validate credentials before entering scanner loop to fail fast
- Handle 401/403/429 in scanner with proper backoff and circuit breaking
- Clean up app passwords in test_users_setup fixture teardown
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

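Added example, not the project's own code: the Retry-After handling (capped at 300s) and the 401/403/429 backoff with circuit breaking described in the two commits above, written as a pure decision function. `retry_after_seconds`, `ScanState` and `handle_status` are assumed names; the 60s default wait, the 5s backoff base and the failure threshold of 3 are choices made here, not values taken from the commits.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_RETRY_AFTER = 300.0  # hard cap from the commit: never sleep longer than 300s


def retry_after_seconds(headers, now=None, cap=MAX_RETRY_AFTER, default=60.0):
    """Seconds to wait for a 429, from Retry-After (delta-seconds or HTTP-date).

    Missing or unparseable values fall back to `default`; the result is always
    clamped to [0, cap] so a buggy or hostile server cannot stall the sync task.
    """
    raw = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if raw is None:
        return min(default, cap)
    raw = raw.strip()
    if raw.isdigit():
        wait = float(raw)
    else:
        try:
            target = parsedate_to_datetime(raw)
        except (TypeError, ValueError, IndexError):
            return min(default, cap)
        if target.tzinfo is None:
            target = target.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        wait = (target - now).total_seconds()
    return max(0.0, min(wait, cap))


@dataclass
class ScanState:
    consecutive_failures: int = 0
    circuit_open: bool = False


def handle_status(status, headers, state, base_backoff=5.0, threshold=3):
    """Map an auth/rate-limit status to ("retry", wait), ("halt", why) or ("ok", 0)."""
    if status == 429:
        return "retry", retry_after_seconds(headers)
    if status in (401, 403):
        state.consecutive_failures += 1
        if state.consecutive_failures >= threshold:
            state.circuit_open = True  # stop hammering; credentials need re-validation
            return "halt", f"{status} returned {state.consecutive_failures} times in a row"
        # exponential backoff: 5s, 10s, ... bounded by the same cap as Retry-After
        return "retry", min(base_backoff * 2 ** (state.consecutive_failures - 1), MAX_RETRY_AFTER)
    state.consecutive_failures = 0
    return "ok", 0.0
```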
Renovate's helpers:pinGitHubActionDigestsToSemver preset reads version
comments to track updates. Major-only comments (e.g. # v6) produce
unhelpful changelog diffs like "v6 → v6". Full semver comments
(e.g. # v6.0.2) let Renovate show meaningful version changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Changes based on review:
1. Add Nextcloud platform limitation section documenting OAuth/scope
support by endpoint type (WebDAV supports OAuth, others don't)
2. Update MCP elicitation to show capability negotiation and graceful
fallback - URL in error message when elicitation not supported
3. Simplify Smithery section - recommend self-hosted for privacy,
don't detail platform changes
4. Expand re-auth section with scope merging behavior, scenarios table,
and explicit design choice for tool-based re-auth over auto-elicitation
5. Make rate limiting configurable with environment variables and
admin guidance by deployment size
6. Clarify OAuth alternative - keep simple now, revisit if Nextcloud
adds scoped OAuth support
7. Expand verification steps with required tests, add recommended
Nextcloud configuration, add required README security notice
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Proposes consolidating five deployment modes into two:
- Single-User: App password in env vars (trusted environment)
- Multi-User: Login Flow v2 for per-user app password acquisition
Key changes:
- Use Nextcloud Login Flow v2 (NC 16+) for delegated authentication
- Application-level scope enforcement (app passwords have no native scopes)
- MCP elicitation for seamless authorization prompting
- Astrolabe front-end integration for scope management UI
- Clear security posture documentation for administrators
This removes the need for upstream Nextcloud OAuth patches and simplifies
deployment while maintaining security through defense-in-depth.
Related: #521
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>