From f2010ce3bd33832d8d6da33099e300cf17cd1ba3 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Sun, 22 Feb 2026 11:14:26 -0800
Subject: [PATCH] fix: add account:read scope to DigitalOcean OAuth flow
 (#1724)

OAuth token validation calls GET /v2/account which requires the
account:read scope. Without it, the token exchange succeeds but
validation fails with 403, falling through to manual token entry.

Co-authored-by: lab <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 cli/package.json                     | 2 +-
 cli/src/digitalocean/digitalocean.ts | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cli/package.json b/cli/package.json
index 439a9f7f..6eb13ff6 100644
--- a/cli/package.json
+++ b/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@openrouter/spawn",
-  "version": "0.6.5",
+  "version": "0.6.6",
   "type": "module",
   "bin": {
     "spawn": "cli.js"
diff --git a/cli/src/digitalocean/digitalocean.ts b/cli/src/digitalocean/digitalocean.ts
index f9b549c1..03ecc7af 100644
--- a/cli/src/digitalocean/digitalocean.ts
+++ b/cli/src/digitalocean/digitalocean.ts
@@ -29,6 +29,7 @@ const DO_CLIENT_SECRET = "8083ef0317481d802d15b68f1c0b545b726720dbf52d00d17f649c
 
 // Fine-grained scopes for spawn (minimum required)
 const DO_SCOPES = [
+  "account:read",
   "droplet:create", "droplet:delete", "droplet:read",
   "ssh_key:create", "ssh_key:read",
   "regions:read", "sizes:read",