Feature request: support read-only OAuth scopes for auth login #1031

@RaeesBhatti

Summary

sentry auth login always requests the full hardcoded OAuth scope set, including write/admin scopes. There's no way to authenticate with a read-only token via the OAuth device flow.

Motivation

  • AI agents: a growing use case is letting an AI agent (Claude Code, Cursor, etc.) read Sentry issues and events for debugging context. These agents act autonomously and can misinterpret instructions — handing them a token that can resolve issues, mutate projects, or delete teams is a real footgun. A read-only OAuth path means "let the agent investigate" doesn't also mean "let the agent accidentally change production state."
  • Principle of least privilege: CI jobs and local dev sessions that only read issues, events, or projects shouldn't hold tokens that can modify or delete them.
  • Today the only read-only path is creating a User Auth Token in the web UI and passing --token, which bypasses the device flow's UX entirely and pushes users toward long-lived manually-managed tokens.

Current behavior

src/lib/oauth.ts defines OAUTH_SCOPES as a fixed list:

project:read, project:write, project:admin,
org:read, event:read, event:write,
member:read, team:read, team:write

auth login has no flag to override this, so every OAuth session is granted write + admin permissions on projects and teams, plus event write — more than read-only / observability use cases need.

Requested behavior

A way to scope the OAuth login to read-only, e.g. one of:

  • sentry auth login --read-only — swap to the *:read subset
  • sentry auth login --scope project:read --scope org:read ... — explicit scope selection
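As an added illustration (not sentry-cli's code, and not part of the issue text), the following TypeScript shows how a `--read-only` / `--scope` option could derive the requested scope set from the fixed `OAUTH_SCOPES` list quoted above. The scope strings are the ones the issue lists; `resolveScopes`, `isReadOnly`, `LoginScopeOptions` and the option names are assumptions chosen here, not the project's API. The read-only subset is computed from the full list so it cannot drift when that list changes, and explicit scopes are validated against the known set so a typo fails loudly instead of silently requesting an unexpected set.

```typescript
// Added example for the feature request; hypothetical names, not sentry-cli code.

// The scope list as quoted from src/lib/oauth.ts in the issue.
const OAUTH_SCOPES: readonly string[] = [
  "project:read", "project:write", "project:admin",
  "org:read", "event:read", "event:write",
  "member:read", "team:read", "team:write",
];

// Scopes whose permission component is `read`. Derived from the list rather
// than hand-written so the read-only subset tracks the full list automatically.
const READ_ONLY_SCOPES: readonly string[] = OAUTH_SCOPES.filter(
  (s) => s.split(":")[1] === "read",
);

// Hypothetical CLI options: `--read-only` and a repeatable `--scope`.
interface LoginScopeOptions {
  readOnly?: boolean;
  scope?: string[];
}

// Resolve the scopes the device flow should request.
// Explicit --scope values take precedence over --read-only and are checked
// against the known list; the result is deduplicated and kept in canonical order.
function resolveScopes(opts: LoginScopeOptions): string[] {
  if (opts.scope && opts.scope.length > 0) {
    const unknown = opts.scope.filter((s) => !OAUTH_SCOPES.includes(s));
    if (unknown.length > 0) {
      throw new Error(`unknown scope(s): ${unknown.join(", ")}`);
    }
    const wanted = new Set(opts.scope);
    return OAUTH_SCOPES.filter((s) => wanted.has(s));
  }
  if (opts.readOnly) {
    return [...READ_ONLY_SCOPES];
  }
  // Default: today's behaviour, the full hardcoded set.
  return [...OAUTH_SCOPES];
}

// Defensive check usable before the token is handed to an agent or CI job:
// true only when no scope in the list grants write or admin access.
function isReadOnly(scopes: readonly string[]): boolean {
  return scopes.every((s) => s.endsWith(":read"));
}

// OAuth 2.0 (RFC 6749) and the device flow (RFC 8628) carry scopes as a single
// space-delimited `scope` parameter; build that string from the resolved list.
function scopeParam(scopes: readonly string[]): string {
  return scopes.join(" ");
}
```

With this shape, `sentry auth login --read-only` would request `project:read org:read event:read member:read team:read`, and a caller can assert `isReadOnly(...)` on whatever was resolved before persisting the session, which is the guard the AI-agent motivation above is asking for.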

Workaround

sentry auth login --token <token> with a manually-created read-only User Auth Token.
