We planted a Descope privilege-escalation bug — can your coding agent catch it? FetchSandbox open-sourced a repository containing intentionally planted security bugs, including a privilege-escalation flaw in a Descope-based agent authentication gateway. The bug allows a read-only agent key to request write scopes because the token exchange endpoint trusts client-provided scopes without validation. The project challenges developers to use AI coding agents to detect and fix the vulnerabilities. We open-sourced a repo with a bug planted on purpose: github.com/fetchsandbox/playground https://github.com/fetchsandbox/playground . The bug is in apps/descope — a small FastAPI "Agent Gateway" where AI agents exchange a Descope access key for a scoped session. The flaw: the exchange endpoint trusts whatever scopes the client requests. A read-only agent key can ask for users:write and get it. This is the privilege-escalation shape that ships constantly in agentic auth. The token exchange returns 200, the happy path works, and nothing ever compares the granted scope against what the key was actually granted. Two tasks, both run from your IDE Cursor, Claude Code, or any MCP-capable editor . No Descope account, no API keys — the workflows run against FetchSandbox's hosted Descope sandbox over MCP, and each app ships a .mcp.json already wired. Task 1 — greenfield. apps/descope-onboarding is a tiny notes app with placeholder auth. Ask your agent to add Descope OTP sign-up, but with one constraint: prove the OTP + session flow in the sandbox before writing any code, then propose the diff. ./fetchsandbox I'm adding Descope OTP sign-up to this app — prove the Descope OTP + session flow in the sandbox before writing any code, then propose the diff. I'll decide whether to apply. Task 2 — brownfield. Point the agent at the Agent Gateway and ask it to audit: ./fetchsandbox our agent access-key exchange might be handing out more scope than the key was granted — audit the descope agentic auth Static review is not the bar. "This looks vulnerable" is a guess. The bar is: users:write session out /v1/... Auth bugs live in the lifecycle: replayed magic links, expired sessions, JWTs that were decoded instead of verified, scope grants nobody re-checked. Mocks return clean 200s for all of these. That's the gap the playground is designed to expose. If Descope isn't your stack, the repo also has broken Stripe webhook dedup keyed on the wrong header — events processed 2–3× , Resend bounces silently dropped, users stay "active" , Clerk session validation skipped on one endpoint , and a few more. Each app is ~50–150 lines of Python. Findings go back as a PR — there's a FINDINGS TEMPLATE.md in the repo. Paste your agent's session, the receipt URLs, and your honest reaction. Merged PRs show up on your GitHub contribution graph. We explicitly want the failure reports: MCP wouldn't connect, the agent caught nothing, the proof felt fake. An honest "it didn't work" beats a polite green checkmark. Start here: TESTING.md https://github.com/fetchsandbox/playground/blob/main/TESTING.md .