From ed9ce1e099164583e32ddb3bd1b62d8358d00c24 Mon Sep 17 00:00:00 2001
From: Stephen Rosenthal <stephen.rosenthal@datadoghq.com>
Date: Mon, 8 Jun 2026 09:14:27 -0700
Subject: [PATCH 1/3] feat(dbm): add OAuth support for dbm samples search

Adds dbm_read and built_in_features to the OAuth scope list so
pup auth login sessions can call the DBM logs analytics endpoint.

built_in_features is currently required on US1/EU1; the DBM team is
migrating to dbm_read. Requesting both ensures the command works on
all sites during the transition.
---
 src/auth/types.rs | 9 +++++++++
 src/main.rs       | 3 ++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/auth/types.rs b/src/auth/types.rs
index a2e86eb..03fd1d0 100644
--- a/src/auth/types.rs
+++ b/src/auth/types.rs
@@ -62,6 +62,7 @@ pub fn read_only_scopes() -> Vec<&'static str> {
         "test_optimization_read",
         "dashboards_read",
         "data_scanner_read",
+        "dbm_read",
         "error_tracking_read",
         "events_read",
         "gcp_configuration_read",
@@ -146,6 +147,11 @@ pub fn default_scopes() -> Vec<&'static str> {
         "data_scanner_read",
         // Data Streams
         "data_streams_monitoring_capture_messages",
+        // Database Monitoring
+        // built_in_features is required on US1/EU1 while the DBM team migrates to dbm_read.
+        // Both are requested so the command works on all sites.
+        "built_in_features",
+        "dbm_read",
         // Error Tracking
         "error_tracking_read",
         // Events
@@ -318,6 +324,9 @@ mod tests {
         assert!(scopes.contains(&"apps_run"));
         assert!(scopes.contains(&"apps_write"));
         assert!(scopes.contains(&"connections_read"));
+        // Database Monitoring
+        assert!(scopes.contains(&"dbm_read"));
+        assert!(scopes.contains(&"built_in_features"));
     }
 
     #[test]
diff --git a/src/main.rs b/src/main.rs
index 73f8985..a3a1fc1 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1054,7 +1054,8 @@ enum Commands {
     ///   pup dbm samples search --query "dbm_type:activity service:orders env:prod" --from 1h --limit 10
     ///
     /// AUTHENTICATION:
-    ///   Requires DD_API_KEY + DD_APP_KEY.
+    ///   Accepts OAuth2 (`pup auth login`, requires `dbm_read` scope) or
+    ///   DD_API_KEY + DD_APP_KEY.
     #[command(verbatim_doc_comment)]
     Dbm {
         #[command(subcommand)]

From 6d7244a7b1324e44a01bf1211fca67f52042027a Mon Sep 17 00:00:00 2001
From: Stephen Rosenthal <stephen.rosenthal@datadoghq.com>
Date: Mon, 8 Jun 2026 09:20:31 -0700
Subject: [PATCH 2/3] fix(dbm): add built_in_features to read_only_scopes;
 clarify migration comment

- built_in_features was in default_scopes but not read_only_scopes,
  meaning --read-only mode would fail on US1/EU1 for DBM commands
- Add test assertions verifying both scopes are present in read_only_scopes
- Extend the migration comment to note when built_in_features can be removed
---
 src/auth/types.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/auth/types.rs b/src/auth/types.rs
index 03fd1d0..142811d 100644
--- a/src/auth/types.rs
+++ b/src/auth/types.rs
@@ -61,6 +61,7 @@ pub fn read_only_scopes() -> Vec<&'static str> {
         "code_coverage_read",
         "test_optimization_read",
         "dashboards_read",
+        "built_in_features",
         "data_scanner_read",
         "dbm_read",
         "error_tracking_read",
@@ -149,7 +150,8 @@ pub fn default_scopes() -> Vec<&'static str> {
         "data_streams_monitoring_capture_messages",
         // Database Monitoring
         // built_in_features is required on US1/EU1 while the DBM team migrates to dbm_read.
-        // Both are requested so the command works on all sites.
+        // Both are requested so the command works on all sites during the transition.
+        // Once the migration is complete, built_in_features can be removed from both scope lists.
         "built_in_features",
         "dbm_read",
         // Error Tracking
@@ -343,6 +345,8 @@ mod tests {
         assert!(ro.contains(&"dashboards_read"));
         assert!(ro.contains(&"monitors_read"));
         assert!(ro.contains(&"apps_run"));
+        assert!(ro.contains(&"dbm_read"));
+        assert!(ro.contains(&"built_in_features"));
         assert!(!ro.contains(&"org_management"));
         assert!(!ro.contains(&"teams_manage"));
         assert!(!ro.contains(&"monitors_write"));

From ba0b4ae1cac83b16779c67d75e9f70f2fcea56e9 Mon Sep 17 00:00:00 2001
From: Stephen Rosenthal <stephen.rosenthal@datadoghq.com>
Date: Mon, 8 Jun 2026 09:21:58 -0700
Subject: [PATCH 3/3] =?UTF-8?q?docs(dbm):=20simplify=20AUTHENTICATION=20he?=
 =?UTF-8?q?lp=20=E2=80=94=20don't=20name=20specific=20scopes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Default login already requests both required scopes. Naming dbm_read
alone was misleading for users on sites that still require built_in_features.
---
 src/main.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index a3a1fc1..8035e29 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1054,8 +1054,7 @@ enum Commands {
     ///   pup dbm samples search --query "dbm_type:activity service:orders env:prod" --from 1h --limit 10
     ///
     /// AUTHENTICATION:
-    ///   Accepts OAuth2 (`pup auth login`, requires `dbm_read` scope) or
-    ///   DD_API_KEY + DD_APP_KEY.
+    ///   Accepts OAuth2 (`pup auth login`) or DD_API_KEY + DD_APP_KEY.
     #[command(verbatim_doc_comment)]
     Dbm {
         #[command(subcommand)]