From de5cd62321e30338d2467244c955850818e580ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salom=C3=A9=20Voltz?= <salome.voltz@gitguardian.com>
Date: Fri, 25 Apr 2025 13:57:32 +0200
Subject: [PATCH 1/2] fix: Add missing scopes to TokenScope enum

---
 changelog.d/20250425_135326_salome.voltz.md | 41 +++++++++++++++++++++
 pygitguardian/models.py                     | 10 +++--
 2 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 changelog.d/20250425_135326_salome.voltz.md

diff --git a/changelog.d/20250425_135326_salome.voltz.md b/changelog.d/20250425_135326_salome.voltz.md
new file mode 100644
index 00000000..c686ae0f
--- /dev/null
+++ b/changelog.d/20250425_135326_salome.voltz.md
@@ -0,0 +1,41 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+<!--
+### Added
+
+- A bullet item for the Added category.
+
+-->
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+
+### Fixed
+
+- Added missing scopes to the TokenScope Enum.
+
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->
diff --git a/pygitguardian/models.py b/pygitguardian/models.py
index d3af5581..8647532c 100644
--- a/pygitguardian/models.py
+++ b/pygitguardian/models.py
@@ -749,7 +749,11 @@ class TokenScope(str, Enum):
     IP_ALLOWLIST_WRITE = "ip_allowlist:write"
     SOURCES_READ = "sources:read"
     SOURCES_WRITE = "sources:write"
-    NHI_WRITE = "nhi:write"
+    NHI_WRITE_VAULT = "nhi:write-vault"
+    NHI_SEND_INVENTORY = "nhi:send-inventory"
+    CUSTOM_TAGS_READ = "custom_tags:read"
+    CUSTOM_TAGS_WRITE = "custom_tags:write"
+    SECRET_READ = "secrets:read"
 
 
 class APITokensResponseSchema(BaseSchema):
@@ -764,7 +768,7 @@ class APITokensResponseSchema(BaseSchema):
     revoked_at = fields.AwareDateTime(allow_none=True)
     member_id = fields.Int(allow_none=True)
     creator_id = fields.Int(allow_none=True)
-    scopes = fields.List(fields.Enum(TokenScope, by_value=True), required=False)
+    scopes = fields.List(fields.String, required=False)
 
     @post_load
     def make_api_tokens_response(
@@ -789,7 +793,7 @@ def __init__(
         revoked_at: Optional[datetime] = None,
         member_id: Optional[int] = None,
         creator_id: Optional[int] = None,
-        scopes: Optional[List[TokenScope]] = None,
+        scopes: Optional[List[str]] = None,
     ):
         self.id = id
         self.name = name

From 60b9f342c8974222327bbf76d7c78ca3efd21726 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salom=C3=A9=20Voltz?= <salome.voltz@gitguardian.com>
Date: Fri, 25 Apr 2025 16:41:33 +0200
Subject: [PATCH 2/2] chore: add test for unlisted scope

---
 tests/test_models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_models.py b/tests/test_models.py
index 2d501499..2322d499 100644
--- a/tests/test_models.py
+++ b/tests/test_models.py
@@ -80,7 +80,7 @@ def test_document_handle_surrogates(self):
                     "revoked_at": "2023-05-27T12:40:55.662949Z",
                     "member_id": 22015,
                     "creator_id": 22015,
-                    "scopes": ["incidents:read", "scan"],
+                    "scopes": ["incidents:read", "scan", "unplanned:scope"],
                 },
             ),
             (MatchSchema, Match, {"match": "hello", "type": "hello"}),