
fix(oauth): drop ungrantable JSM Forms scopes from Jira scope list #4960

Merged
waleedlatif1 merged 2 commits into staging from fix/jira-remove-unsatisfiable-forms-scopes
Jun 11, 2026


@waleedlatif1

Collaborator

Summary

  • Remove read/write/delete:form:jira-service-management from the canonical Jira OAuth scope list (and their entries in SCOPE_DESCRIPTIONS). Atlassian never published these scopes to the OAuth 2.0 (3LO) or Forge scope catalogs, so no OAuth app can be configured with them — the authorize flow silently omits them from every grant. Since the credential check hard-requires the full list, every Jira credential showed a permanent "Additional permissions required" banner that "Update access" could never clear (reported on self-hosted, reproduces on hosted too)
  • No credential has ever been granted these scopes and no saved workflow uses the JSM forms operations, so this changes no working behavior. The forms operations themselves are left in place; removing or service-account-gating them is a follow-up
  • Fix the secrets page value mask for read-only viewers: the mask length was derived from the value, but withheld values now arrive empty, so the bullets disappeared. Viewers now always get a fixed-length mask, which also stops leaking secret length

Type of Change

  • Bug fix

Testing

Typecheck and oauth/blocks unit tests pass. Verified repo-wide that nothing else references the removed scopes.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Atlassian never published read/write/delete:form:jira-service-management to
the OAuth 2.0 (3LO) or Forge scope catalogs, so no OAuth app can be configured
with them and the authorize flow silently omits them from every grant. Because
the credential check hard-requires the full canonical list, every Jira
credential showed a permanent 'Additional permissions required' banner that
'Update access' could never clear. No granted credential has ever held these
scopes, and no saved workflow uses the JSM forms operations, so removal
changes no working behavior.
The viewer mask was derived from the value's length, but the server now
withholds workspace secret values from non-admins (empty string), so the
bullets disappeared entirely for read-only users. Always render a
fixed-length mask for viewers — matching the component's documented
behavior — which also stops leaking the secret's length.
@vercel

vercel Bot commented Jun 11, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jun 11, 2026 1:17am


@cursor

cursor Bot commented Jun 11, 2026


PR Summary

Low Risk
Targeted OAuth scope list and UI masking changes; no auth flow redesign and no behavior change for scopes that were never granted.

Overview
Fixes a stuck Jira OAuth “Additional permissions required” state by dropping three JSM Forms scopes (read/write/delete:form:jira-service-management) from the canonical Jira scope list in oauth.ts and their labels in SCOPE_DESCRIPTIONS. Those scopes were never grantable via Atlassian OAuth, so the credential check could never pass even after re-authorizing.

Separately, read-only secret viewers on the secrets settings page now always see a fixed 10-bullet mask in SecretValueField instead of masking from value.length, which broke when withheld values arrived as empty strings and also leaked secret length.

Reviewed by Cursor Bugbot for commit 1458af6. Configure here.

@greptile-apps

greptile-apps Bot commented Jun 11, 2026

Contributor

Greptile Summary

This PR fixes two independent bugs: it removes three Jira Service Management Forms scopes that Atlassian never published to its OAuth 3LO catalog (causing a permanent "Additional permissions required" banner that could never be cleared), and it fixes the secrets UI mask for read-only viewers where the server-returned empty string was causing the bullet mask to disappear.

  • Jira scope cleanup (oauth.ts, utils.ts): read/write/delete:form:jira-service-management are dropped from the canonical scope list and their SCOPE_DESCRIPTIONS entries are removed. The credential check's full-list comparison will now resolve cleanly for all existing Jira credentials.
  • Viewer mask fix (secret-value-field.tsx): The displayValue expression for non-editors changes from value ? BULLET.repeat(value.length) : '' to BULLET.repeat(VIEWER_MASK_LENGTH), where VIEWER_MASK_LENGTH = 10 is a module constant. This both restores the visible mask (server withholds the value as '') and stops leaking secret length to non-admin viewers.

Confidence Score: 5/5

Safe to merge — both fixes are narrow, well-scoped, and directly address confirmed bugs with no regressions on existing behavior.

The scope removals are additive-safe (no credential has ever held these scopes, so no grant is broken) and the mask fix restores previously visible UI without altering any data path. All three changed files have clear, isolated impact and the logic is straightforward to verify.

No files require special attention.

Important Files Changed

Filename | Overview
apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secret-value-field/secret-value-field.tsx | Replaces length-derived bullet mask with a fixed VIEWER_MASK_LENGTH (10) for non-editor viewers, fixing the blank field caused by the server returning empty string for withheld values and stopping secret-length leakage.
apps/sim/lib/oauth/oauth.ts | Removes three JSM Forms scopes (read/write/delete:form:jira-service-management) that Atlassian never published to the OAuth 3LO catalog, eliminating the permanent "Additional permissions required" banner on Jira credentials.
apps/sim/lib/oauth/utils.ts | Removes SCOPE_DESCRIPTIONS entries for the three deleted JSM Forms scopes, keeping the description map in sync with the scope list in oauth.ts.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[SecretValueField renders] --> B{canEdit?}
    B -- yes --> C[displayValue = real value\nfrom server]
    B -- no --> D["displayValue = BULLET.repeat(10)\nfixed mask — server returned ''"]
    C --> E{maskActive?\ncanEdit && !unmasked && !focused}
    E -- yes --> F[WebkitTextSecurity: disc\nhides value while unfocused]
    E -- no --> G[Render plain text]
    D --> H[Render 10 bullets\nlength and existence hidden]

Reviews (2): Last reviewed commit: "fix(secrets): keep a fixed-length value ..." | Re-trigger Greptile

@waleedlatif1

Collaborator Author

@greptile

@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 1458af6. Configure here.

@waleedlatif1 waleedlatif1 merged commit 167ec5e into staging Jun 11, 2026
15 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/jira-remove-unsatisfiable-forms-scopes branch June 11, 2026 01:35