Skip to content

Release 2.1.100 (2026-07-01)

Bug fixes

  • scope App token to the target owner, not the cwd org (#2070) (#2079) Commands taking an explicit cross-org target (--repo/--owner/--org/--epic/--task) minted the GitHub App installation token from the current working directory's org via _gh_env() -> get_installation_token() with no org, so a cwd org != target org produced a cryptic 'HTTP 403: Resource not accessible by integration'.

Add a ContextVar-backed github.target_org(org) context manager plus a shared no_installation_message() helper. _gh_env() now reads the context var and mints with require_installation=True when a target is set, so the fix propagates through any call depth (epics, roadmap, ...) without re-plumbing each lib function -- mirroring vrg-gh / #1413. A missing installation now fails loudly instead of silently minting a wrong-org token; an unset target keeps the historical cwd-detection default.

Wrap the eight genuine cross-org offenders in target_org scoped to their explicit target owner: vrg-epic-link, vrg-epic-move, vrg-epic-unlink, vrg-epic-rollup, vrg-issue-create, vrg-ensure-label, vrg-roadmap, vrg-activity-log. epics.single_target_org() rejects an operation whose refs span two owners (cross-org linking is out of scope), and the epic-family/issue-create commands reject a cross-org epic before any network call.

vrg-epic-audit and vrg-finalize-pr are intentionally unchanged: both are cwd-scoped by construction (no explicit cross-org target), and forcing require_installation would regress their ambient-auth fallback for repos whose org has no App installation.