Skip to content

feat(dashboard): show connection token inline with get-or-create fetch#5412

Merged
abcxff merged 8 commits into
mainfrom
stack/feat-dashboard-show-connection-token-inline-with-get-or-create-fetch-lqlowsml
Jul 15, 2026
Merged

feat(dashboard): show connection token inline with get-or-create fetch#5412
abcxff merged 8 commits into
mainfrom
stack/feat-dashboard-show-connection-token-inline-with-get-or-create-fetch-lqlowsml

Conversation

@abcxff

@abcxff abcxff commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

No description provided.

@claude

claude Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review

Small, well-scoped change: switches the connection-token card from an explicit "Issue Token" mutation to a queryOptions-based get-or-create fetch, matching the pattern already used for engineAdminTokenQueryOptions / publishableTokenQueryOptions in the same file.

Worth a look

Connection token now auto-reveals in cleartext on mount (tokens.tsx:399, <DiscreteInput value={data.token} show />). Previously the token was only shown after an explicit "Issue Token" click. Now useQuery fires as soon as the drawer/card mounts, so the token is fetched and rendered in plain text (no mask, no reveal toggle — show suppresses the eye-icon toggle in DiscreteInput) without any user action. Compare with the sibling secret-token displays in app/dialogs/tokens-frame.tsx, which call DiscreteInput without show so admin/publishable tokens stay masked behind a click-to-reveal toggle. The card's own copy still frames this as a sensitive credential ("clients that must not create actors or manage the namespace"), so it's closer to those admin tokens than to the always-public DSN/publishable token (tokens.tsx:150) that intentionally shows in clear. Given the endpoint is now get-or-create (so gating doesn't prevent re-fetching), auto-reveal may be an intentional tradeoff, but worth confirming — this increases exposure risk during screen shares/recordings since no click is required to surface the secret.

Looks good

  • connectionTokenQueryOptions() query key (cloud-data-provider.tsx:1189-1197) doesn't collide with any sibling key in the same context, and staleTime/gcTime match the existing convention for the other token queries in this file.
  • The dataProvider?.connectionTokenQueryOptions capability check in ConnectionTokens correctly guards against non-cloud data providers (engine/OSS) that don't implement this method, and the outer/inner split preserves the existing hook-order-stability pattern.
  • Dropping the "This token is only shown once, copy it now" copy is correct now that the backend is get-or-create — the token is always retrievable again, so that message would be misleading.
  • mutationOptions import in cloud-data-provider.tsx is still used elsewhere in the file, so no dead import left behind.

No test coverage changes, but this matches the existing convention for this file (no unit tests for the dashboard token cards, no Ladle story for sibling cards either).

@abcxff abcxff changed the base branch from stack/chore-dashboard-bump-rivet-gg-cloud-and-adopt-sdk-connection-token-endpoint-uqlvksts to main July 15, 2026 15:40
@abcxff abcxff merged commit d803799 into main Jul 15, 2026
8 of 11 checks passed
@abcxff abcxff deleted the stack/feat-dashboard-show-connection-token-inline-with-get-or-create-fetch-lqlowsml branch July 15, 2026 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant