fix(jira): add classic JSM scopes to close granular scope-set gap #5005

Merged: waleedlatif1 merged 2 commits into staging from audit/jira-jsm-scopes on Jun 12, 2026

Conversation

@waleedlatif1 waleedlatif1 commented Jun 12, 2026

Collaborator

Summary

  • Add classic JSM scopes (read:servicedesk-request, write:servicedesk-request, manage:servicedesk-customer) and granular read:user:jira to the Jira OAuth provider scope list
  • Atlassian enforces an endpoint's granular scope set as all-of, not any-of — JSM request endpoints list read:user:jira in their granular sets, so tokens built from our granular-only list failed with "Unauthorized; scope does not match" even though every individual scope was granted; each classic scope authorizes its endpoints standalone
  • Add display names for the new scopes in the consent/credential UI
  • Require read:servicedesk-request on the JSM knowledge connector so stale credentials surface a reconnect prompt instead of failing mid-sync
  • Update the Atlassian service-account docs to include the JSM classic scopes in the minimum set, with a callout explaining the all-or-nothing granular enforcement

Type of Change

  • Bug fix

Testing

Audited every Jira/JSM tool endpoint against Atlassian's API docs to confirm each operation now has a fully satisfied scope path (classic or complete granular). The classic-scope fix is verified against a live JSM instance. oauth/blocks/connector test suites pass (347 tests); check:api-validation passes.

Note for deploy: the Atlassian developer console app must have all four new scopes enabled before this reaches production — the three classic JSM scopes (read:servicedesk-request, write:servicedesk-request, manage:servicedesk-customer) and the granular read:user:jira, or new Jira connections will fail at the consent screen. Existing connections are unaffected either way (no execution-time scope gate; refresh preserves the original grant).

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)
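
Added example (not part of the PR or of Sim's code base): a TypeScript model of the enforcement rule stated in the description above, where an endpoint accepts any one classic scope or the complete granular set, together with a required-scope gate like the one described for the JSM connector. The endpoint table, the grants, the function names and the granular scope name `read:request:jira-service-management` are assumptions made for illustration.

```typescript
// Added example: models the scope rule described in the PR text.
// It is not Sim's code and not Atlassian's implementation.
type EndpointScopes = { classic: string[]; granular: string[] };

// Constructed scope table for one JSM request endpoint. The classic scope and
// read:user:jira come from the PR text; the other granular name is an assumption.
const JSM_GET_REQUEST: EndpointScopes = {
  classic: ['read:servicedesk-request'],
  granular: ['read:request:jira-service-management', 'read:user:jira'],
};

// A token passes if it holds any one classic scope (each authorizes standalone)
// or every scope in the granular set (all-of, not any-of).
function isAuthorized(granted: string[], endpoint: EndpointScopes): boolean {
  const have = new Set(granted);
  const classicOk = endpoint.classic.some((s) => have.has(s));
  const granularOk =
    endpoint.granular.length > 0 && endpoint.granular.every((s) => have.has(s));
  return classicOk || granularOk;
}

// Granular scopes still missing from a grant; useful when auditing a scope list.
function missingGranular(granted: string[], endpoint: EndpointScopes): string[] {
  const have = new Set(granted);
  return endpoint.granular.filter((s) => !have.has(s));
}

// Gate in the style of a connector's requiredScopes: a stored credential that
// lacks a required scope should prompt a reconnect instead of failing mid-sync.
function needsReconnect(granted: string[], requiredScopes: string[]): boolean {
  const have = new Set(granted);
  return requiredScopes.some((s) => !have.has(s));
}

// Constructed grants: a partial granular list versus the list after the fix.
const staleGrant = ['read:request:jira-service-management'];
const fixedGrant = [...staleGrant, 'read:user:jira', 'read:servicedesk-request'];

console.log({
  stale: isAuthorized(staleGrant, JSM_GET_REQUEST),
  staleMissing: missingGranular(staleGrant, JSM_GET_REQUEST),
  fixed: isAuthorized(fixedGrant, JSM_GET_REQUEST),
  staleNeedsReconnect: needsReconnect(staleGrant, ['read:servicedesk-request']),
});
```
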

vercel Bot commented Jun 12, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jun 12, 2026 8:44pm

cursor Bot commented Jun 12, 2026


PR Summary

Medium Risk
Changes the Jira OAuth consent scope set (new connections need matching scopes enabled in the Atlassian developer app) and may force JSM connector reconnects for credentials granted before the classic scope was requested.

Overview
Fixes Jira/JSM API "Unauthorized; scope does not match" failures by expanding what Sim requests at connect time and documenting the same for service-account tokens.

The Jira OAuth provider now includes classic JSM scopes (read:servicedesk-request, write:servicedesk-request, manage:servicedesk-customer) plus granular read:user:jira, with comments explaining Atlassian’s all-or-nothing granular scope enforcement. Consent UI labels for those scopes are added in SCOPE_DESCRIPTIONS.

The JSM knowledge connector now requires read:servicedesk-request so older Jira connections missing that grant prompt reconnect instead of failing mid-sync.

Atlassian service-account docs list the JSM classic minimum scopes, rename Jira to “classic,” and add a warning to prefer classic scopes over partial granular sets.

Reviewed by Cursor Bugbot for commit d318ab8. Configure here.

greptile-apps Bot commented Jun 12, 2026

Contributor

Greptile Summary

This PR closes a scope-gap in the Jira OAuth provider by adding three classic JSM scopes (read:servicedesk-request, write:servicedesk-request, manage:servicedesk-customer) and the granular read:user:jira scope to resolve Atlassian's all-or-nothing enforcement on granular scope sets.

  • oauth.ts: Four new scopes appended to the Jira provider scope list; classic JSM scopes are accompanied by a clear inline comment explaining the enforcement model.
  • jsm.ts: read:servicedesk-request added as the first requiredScope on the JSM knowledge connector so that pre-existing credentials lacking the new scope surface a reconnect prompt rather than silently failing at sync time.
  • utils.ts / atlassian-service-account.mdx: Display names added for all three classic JSM scopes; docs updated to label Jira scopes as "classic" (correcting the previous "granular" label), add the JSM classic scope block, and include a callout warning about granular all-or-nothing enforcement.

Confidence Score: 5/5

Safe to merge once the Atlassian developer console app has the three classic JSM scopes enabled, as noted in the deploy instructions.

The changes are narrowly scoped to adding OAuth scopes, updating their display names, and aligning the knowledge connector's required-scope gate with the new classic scope. The intentional reconnect prompt for stale credentials is clearly motivated by the comment. No logic paths are altered; the only runtime effect on existing users is a reconnect prompt for JSM connector credentials that lack read:servicedesk-request.

No files require special attention beyond the deploy-time prerequisite of enabling the new scopes in the Atlassian developer console before this ships to production.

Important Files Changed

Filename Overview
apps/sim/lib/oauth/oauth.ts Adds read:user:jira (granular) and three classic JSM scopes to the Jira provider scope list with an explanatory comment; ordering and placement are consistent with surrounding scopes.
apps/sim/connectors/jsm/jsm.ts Prepends read:servicedesk-request to requiredScopes with a clear explanatory comment; intentionally triggers reconnect for stale credentials that predate the classic scope addition.
apps/sim/lib/oauth/utils.ts Adds display name entries for the three new classic JSM scopes in the correct section; read:user:jira already had a pre-existing description at line 150.
apps/docs/content/docs/en/integrations/atlassian-service-account.mdx Corrects the Jira scope section label from "granular" to "classic", adds the JSM classic scope block, and adds a callout explaining Atlassian's all-or-nothing granular enforcement. read:user:jira is appropriately omitted since this doc covers the service account API-token flow, not OAuth 3LO.

Sequence Diagram

sequenceDiagram
    participant User
    participant Sim
    participant AtlassianOAuth as Atlassian OAuth
    participant JSMAPI as JSM API

    User->>Sim: Connect Jira (OAuth)
    Sim->>AtlassianOAuth: Request scopes (classic + granular)
    Note over AtlassianOAuth: read:servicedesk-request, write:servicedesk-request, manage:servicedesk-customer, read:user:jira now included
    AtlassianOAuth-->>Sim: Token with all scopes granted
    Sim->>JSMAPI: GET /request
    Note over JSMAPI: Classic scope satisfies endpoint
    JSMAPI-->>Sim: 200 OK

    Note over Sim: Stale credential check
    Sim->>Sim: requiredScopes check (read:servicedesk-request missing)
    Sim-->>User: Reconnect prompt surfaced

Reviews (2): Last reviewed commit: "fix(jira): note read:user:jira requireme..." | Re-trigger Greptile

Comment thread apps/sim/lib/oauth/oauth.ts
@waleedlatif1

Collaborator Author

@greptile

@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 1b6e122. Configure here.

@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit d318ab8. Configure here.

@waleedlatif1 waleedlatif1 merged commit 31e166f into staging Jun 12, 2026
15 checks passed
@waleedlatif1 waleedlatif1 deleted the audit/jira-jsm-scopes branch June 12, 2026 21:47