From 61bd9407ab384f0155cc2e4ca6742673103ec6f7 Mon Sep 17 00:00:00 2001
From: dkanney <david.kanney@hashicorp.com>
Date: Tue, 10 Feb 2026 23:54:55 -0500
Subject: [PATCH] fix(apptoken): Clone slice to avoid parameter mutation

---
 internal/apptoken/repository.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/internal/apptoken/repository.go b/internal/apptoken/repository.go
index cf28004ebc..90c4835975 100644
--- a/internal/apptoken/repository.go
+++ b/internal/apptoken/repository.go
@@ -203,7 +203,9 @@ func createAppTokenGlobal(ctx context.Context, token *AppToken) (*appTokenGlobal
 		}
 		permissionGrantInserts = append(permissionGrantInserts, grantInserts...)
 
-		trimmedScopes := slices.DeleteFunc(perm.GrantedScopes, func(s string) bool {
+		// Create a copy of GrantedScopes before filtering to avoid mutating it
+		grantedScopes := slices.Clone(perm.GrantedScopes)
+		trimmedScopes := slices.DeleteFunc(grantedScopes, func(s string) bool {
 			return s == globals.GrantScopeThis ||
 				s == globals.GrantScopeChildren ||
 				s == globals.GrantScopeDescendants ||
@@ -315,8 +317,11 @@ func createAppTokenOrg(ctx context.Context, token *AppToken) (*appTokenOrg, []in
 		}
 		permissionGrantInserts = append(permissionGrantInserts, grantInserts...)
 
+		// Create a copy of GrantedScopes before filtering to avoid mutating it
+		grantedScopes := slices.Clone(perm.GrantedScopes)
+
 		// remove GrantScopeThis and GrantScopeChildren from perm.GrantedScopes as they've already been processed
-		trimmedScopes := slices.DeleteFunc(perm.GrantedScopes, func(s string) bool {
+		trimmedScopes := slices.DeleteFunc(grantedScopes, func(s string) bool {
 			return s == globals.GrantScopeThis || s == globals.GrantScopeChildren || s == token.GetScopeId()
 		})