ui: add OAuth Grants page and identity exact-match filter for MCP sessions

[Pratham-Mishra04]

Summary

Adds an OAuth Grants management page to the UI and introduces an identity exact-match filter for MCP sessions. Together these allow operators to view all active downstream OAuth grants issued to MCP clients and drill through from a grant directly to the auth sessions belonging to that specific identity.

Changes

• Added Identity field to MCPSessionsFilterParams in the config store, which exact-matches against user_id, virtual_key_id, or session_id columns (ANDed with any other active filters).
• Exposed the identity query parameter in the HTTP handler so callers can pass it via the API.
• Added identity to the MCP sessions URL state and query params in the UI, included it in the "has active filters" check, and wired it into handleClearFilters.
• Created oauth2SessionsApi.ts with getOAuth2Grants and revokeOAuth2Grant endpoints, registered the OAuth2Grants cache tag in baseApi, and exported the new API from the store index.
• Built the OAuthGrantsPage component with client-side search and mode filtering, a paginated table showing client name, bound identity (user/virtual key/anonymous session), access token expiry, created time, and last used time, and per-row actions to revoke a grant or navigate to MCP sessions pre-filtered to that identity via auth_mode + identity query params.
• Added the OAuth Grants route and sidebar entry under the MCP Gateway section.

The identity filter is intentionally an exact match (not a substring) so that linking from a grant to its sessions produces a precise, unambiguous result rather than a fuzzy hit list.

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

1. Start the gateway with at least one MCP client connected via the OAuth consent flow.
2. Navigate to OAuth Grants in the sidebar — the table should list active grants with client name, bound identity, expiry, and timestamps.
3. Use the search box and identity-mode filter to narrow results; verify the Clear filters button resets both.
4. Open the row actions menu on a user or virtual-key grant and click View auth sessions — confirm the MCP Sessions page opens filtered to that exact identity and auth mode.
5. Click Revoke on a grant, confirm the dialog, and verify the grant disappears from the list and a success toast appears.
6. On the MCP Sessions page, manually append &identity=<some-id> to the URL and confirm only sessions matching that exact identity are returned.

go test ./framework/configstore/...

cd ui
pnpm i
pnpm build

Screenshots/Recordings

Add before/after screenshots of the OAuth Grants page and the MCP Sessions identity filter.

Breaking changes

• Yes
• No

Related issues

Link related issues here.

Security considerations

Revocation stops refresh token rotation immediately; the current short-lived JWT access token (≤10 min TTL) remains valid until it expires naturally. This is documented in the revocation confirmation dialog so operators understand the brief window before full cutoff.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[Pratham-Mishra04]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• tests: add MCP auth e2e collection covering discovery, credential matrix, OAuth issuance, refresh rotation, revocation window, and runtime mode flip #4525
• tests: add MCP auth mode e2e collection and Newman runner for headers/both/oauth #4524
• tests: add OAuth2 issuance, JWT verification, consent, discovery, sessions, and MCP auth unit tests #4523
• feat: add mcp_server_auth_mode and OAuth 2.1 gateway auth docs with gateway-auth page #4522
• ui: add OAuth Grants page and identity exact-match filter for MCP sessions #4511 👈 (View in Graphite)
• ui: add OAuth2 consent page and MCP server auth mode settings #4510
• feat: add OAuth2 session listing, revocation, family-revocation, VK liveness check, and sweep worker #4509
• feat: add JWT Bearer authentication path for /mcp with session validation and context injection #4508
• feat: add OAuth2ConsentHandler with VK, session, and user identity resolution modes #4507
• feat: add OAuth2 issuance endpoints (DCR, authorize, token) with PKCE and refresh token rotation #4506
• feat: add OAuth2 AS discovery endpoints, signing key management, and MCPServerAuthMode config #4505
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7aadfc76-ff43-43d7-bd63-a8c873ea9a8f

📥 Commits

Reviewing files that changed from the base of the PR and between 8bff02e and 5da157b.

📒 Files selected for processing (16)

• framework/configstore/rdb.go
• framework/configstore/store.go
• transports/bifrost-http/handlers/mcp_sessions.go
• ui/app/workspace/mcp-sessions/page.tsx
• ui/app/workspace/oauth-grants/layout.tsx
• ui/app/workspace/oauth-grants/page.tsx
• ui/app/workspace/oauth-grants/views/grantActions.tsx
• ui/app/workspace/oauth-grants/views/grantsFilterBar.tsx
• ui/app/workspace/oauth-grants/views/grantsTable.tsx
• ui/app/workspace/oauth-grants/views/revokeGrantDialog.tsx
• ui/components/sidebar.tsx
• ui/lib/store/apis/baseApi.ts
• ui/lib/store/apis/index.ts
• ui/lib/store/apis/mcpSessionsApi.ts
• ui/lib/store/apis/oauth2SessionsApi.ts
• ui/lib/types/mcpSessions.ts

✅ Files skipped from review due to trivial changes (2)

• ui/lib/types/mcpSessions.ts
• ui/lib/store/apis/baseApi.ts

🚧 Files skipped from review as they are similar to previous changes (14)

• ui/lib/store/apis/index.ts
• ui/app/workspace/oauth-grants/layout.tsx
• ui/lib/store/apis/oauth2SessionsApi.ts
• ui/app/workspace/oauth-grants/views/grantsFilterBar.tsx
• ui/app/workspace/oauth-grants/views/revokeGrantDialog.tsx
• transports/bifrost-http/handlers/mcp_sessions.go
• ui/components/sidebar.tsx
• ui/app/workspace/mcp-sessions/page.tsx
• framework/configstore/store.go
• framework/configstore/rdb.go
• ui/app/workspace/oauth-grants/views/grantActions.tsx
• ui/lib/store/apis/mcpSessionsApi.ts
• ui/app/workspace/oauth-grants/views/grantsTable.tsx
• ui/app/workspace/oauth-grants/page.tsx

---

📝 Walkthrough

Summary by CodeRabbit

• New Features
  • Added an OAuth Grants workspace page to view, search/filter, paginate, and revoke OAuth grants, with per-row actions and deep-links to related MCP sessions.
  • Added exact-match identity filtering for MCP sessions, propagated end-to-end via URL/query parameters.
  • Added “OAuth Grants” sidebar navigation, plus new RTK Query endpoints/hooks and cache tag support for OAuth grants.
• Bug Fixes
  • Improved MCP session filtering so results can be pinned to a single resolved identity across supported identity columns.
  • Improved OAuth Grants pagination behavior when filters reduce the available results.

Walkthrough

Adds an exact-match identity filter to the MCP sessions backend (struct field, SQL OR predicate, HTTP query-param parsing) and wires it through to the frontend query type and UI state. Separately introduces a new OAuth Grants management page with an RTK Query API slice (fetch + revoke endpoints), a full table UI with client-side filtering and pagination, and a sidebar navigation entry.

Changes

MCP Sessions identity filter

Layer / File(s)	Summary
Backend identity filter: contract, SQL predicate, HTTP parsing framework/configstore/store.go, framework/configstore/rdb.go, transports/bifrost-http/handlers/mcp_sessions.go	Adds Identity string to MCPSessionsFilterParams with documentation, implements an OR predicate across user_id/virtual_key_id/session_id in applyMCPSessionFilters, and parses the trimmed identity query param in the HTTP handler.
Frontend identity filter: type, API param, UI state ui/lib/types/mcpSessions.ts, ui/lib/store/apis/mcpSessionsApi.ts, ui/app/workspace/mcp-sessions/page.tsx	Adds identity?: string to MCPSessionsQueryParams, maps it into buildMCPSessionsListParams, wires the URL query-state field into the page request, active-filter detection, and clear-filter reset, and simplifies the loading UI to an early return.

OAuth Grants management

Layer / File(s)	Summary
OAuth2 grants RTK Query API module ui/lib/store/apis/oauth2SessionsApi.ts, ui/lib/store/apis/baseApi.ts, ui/lib/store/apis/index.ts	Creates oauth2SessionsApi with OAuth2GrantRow/OAuth2GrantsListResponse types, getOAuth2Grants query and revokeOAuth2Grant DELETE mutation; registers the "OAuth2Grants" tag on baseApi; re-exports via the barrel index.
OAuth Grants page component logic ui/app/workspace/oauth-grants/page.tsx	Implements OAuthGrantsPage with client-side search/mode filtering and pagination, manages revoke dialog state and toast feedback, wires filtered results and state callbacks into subcomponents, and renders conditional loading/error/table states.
OAuth Grants UI subcomponents ui/app/workspace/oauth-grants/views/grantsFilterBar.tsx, ui/app/workspace/oauth-grants/views/grantsTable.tsx, ui/app/workspace/oauth-grants/views/grantActions.tsx, ui/app/workspace/oauth-grants/views/revokeGrantDialog.tsx	Provides filter bar (search input + mode multi-select), table with cells and helpers (BindingCell, AccessTokenExpiry, HeaderWithTooltip, EmptyGrantsState, formatRelativePast), per-row actions menu (view auth sessions link, revoke button with pending state), and revoke confirmation dialog.
OAuth Grants route wiring and sidebar entry ui/app/workspace/oauth-grants/layout.tsx, ui/components/sidebar.tsx	Configures TanStack Router file route at /workspace/oauth-grants, adds "OAuth Grants" navigation entry under MCP Gateway sidebar gated by hasMCPGatewayAccess.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant OAuthGrantsPage
  participant oauth2SessionsApi
  participant Server

  User->>OAuthGrantsPage: Navigate to /workspace/oauth-grants
  OAuthGrantsPage->>oauth2SessionsApi: useGetOAuth2GrantsQuery()
  oauth2SessionsApi->>Server: GET /oauth2/sessions
  Server-->>oauth2SessionsApi: OAuth2GrantsListResponse
  oauth2SessionsApi-->>OAuthGrantsPage: grant rows

  User->>OAuthGrantsPage: Filter by search/mode or modify offset
  OAuthGrantsPage->>OAuthGrantsPage: Client-side filter + slice paginated results

  User->>OAuthGrantsPage: Click "Revoke" on a row
  OAuthGrantsPage->>OAuthGrantsPage: Open RevokeGrantDialog
  User->>OAuthGrantsPage: Confirm revoke
  OAuthGrantsPage->>oauth2SessionsApi: useRevokeOAuth2GrantMutation(id)
  oauth2SessionsApi->>Server: DELETE /oauth2/sessions/:id
  Server-->>oauth2SessionsApi: 200 OK
  oauth2SessionsApi->>baseApi: Invalidate "OAuth2Grants" tag
  baseApi-->>OAuthGrantsPage: Cache invalidated, trigger refetch
  OAuthGrantsPage-->>User: Toast success or error message

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• maximhq/bifrost#3824: Established the shared MCPSessionsFilterParams and applyMCPSessionFilters pipeline that this PR directly extends with the Identity exact-match predicate.
• maximhq/bifrost#3825: Introduced the URL-driven filterable/paginatable MCP sessions page that this PR extends by adding the identity URL query-state field and clear-filter handling.

Suggested reviewers

• akshaydeo
• danpiths

🐇 A new grants page hops into view,
With revoke and filter and shiny tabs too!
Identity columns now match with precision,
OAuth sessions bow to each revoke decision.
The sidebar glows with a ShieldCheck so bright —
This rabbit approved every last line tonight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the two main changes: adding an OAuth Grants management page and introducing an identity filter for MCP sessions.
Description check	✅ Passed	The description follows the template structure with all major sections completed: Summary, Changes, Type of change, Affected areas, How to test, Breaking changes, and Checklist. However, the Screenshots/Recordings and Related issues sections are incomplete.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 06-18-feat_adds_mcp_oauth_grants_ui

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

ui/lib/store/apis/oauth2SessionsApi.ts (1)

25-28: ⚡ Quick win

Prefer deterministic cache patch for revoke to avoid stale grants rows.

For this delete-by-id mutation, patching getOAuth2Grants in onQueryStarted is safer than full invalidation in this codebase’s clustered setup.

♻️ Suggested change

 		revokeOAuth2Grant: builder.mutation<void, string>({
 			query: (id) => ({ url: `/oauth2/sessions/${id}`, method: "DELETE" }),
-			invalidatesTags: ["OAuth2Grants"],
+			async onQueryStarted(id, { dispatch, queryFulfilled }) {
+				const patch = dispatch(
+					oauth2SessionsApi.util.updateQueryData("getOAuth2Grants", undefined, (draft) => {
+						draft.sessions = draft.sessions.filter((s) => s.id !== id);
+					}),
+				);
+				try {
+					await queryFulfilled;
+				} catch {
+					patch.undo();
+				}
+			},
 		}),

Based on learnings: “In ui/lib/store/apis/, optimistically patch the cache with onQueryStarted + updateQueryData for deterministic mutations like deleting a known row.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ui/lib/store/apis/oauth2SessionsApi.ts` around lines 25 - 28, The
revokeOAuth2Grant mutation currently uses invalidatesTags to fully invalidate
the OAuth2Grants cache, which can cause stale rows in a clustered setup. Replace
the invalidatesTags approach with an onQueryStarted handler that uses
updateQueryData to patch the getOAuth2Grants query cache. The handler should
optimistically remove the revoked grant with the matching ID from the cached
grants list, ensuring only the specific deleted grant is removed rather than
invalidating the entire cache, making the mutation deterministic and cache-safe.

Source: Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ui/app/workspace/mcp-sessions/page.tsx`:
- Line 35: Normalize the identity value before using it in the query and
active-filter checks to handle whitespace-only values consistently with the
backend. At line 35 where identity is assigned from urlState.identity and at
line 69 where it's used in the active-filter check, apply trimming to the
identity string and convert empty or whitespace-only values to undefined. This
ensures that values like identity=%20 don't create inconsistent UI state and
unnecessary cache fragmentation between the UI and backend behavior.

In `@ui/app/workspace/oauth-grants/page.tsx`:
- Around line 108-126: The AlertDialog component in the revoke confirmation
dialog is missing data-testid attributes on its interactive controls for E2E
testing. Add data-testid attributes to the AlertDialogCancel (Cancel button) and
AlertDialogAction (Revoke button) elements within the AlertDialogFooter to
ensure they are properly selectable in E2E tests, following the repository's
testing convention.
- Around line 305-317: The AccessTokenExpiry function does not validate that the
timestamp from row.created_at is valid before using it in calculations. When new
Date(row.created_at).getTime() receives an invalid date string, it returns NaN
instead of throwing an error, which causes the function to render "in NaN min".
Add a Number.isFinite() guard check immediately after calculating createdMs to
validate it is a valid number, and return a fallback span with an appropriate
message (such as "Unknown expiry") if the timestamp is invalid. This same
validation pattern should also be applied to other similar timestamp
calculations referenced in the "Also applies to" comment at lines 401-414.
- Around line 60-276: The OAuthGrantsPage component contains excessive UI logic
and rendering that should be extracted into view components according to project
conventions. Move the filter bar section (search input, ComboboxSelect, clear
filters button) into a separate view component, extract the table rendering
logic with its header and body rows into another view component, and separate
the AlertDialog confirmation logic into its own component. Keep the
OAuthGrantsPage function focused on state management and composition, delegating
rendering to these view components. Create these new components in a views/
subdirectory alongside page.tsx.

---

Nitpick comments:
In `@ui/lib/store/apis/oauth2SessionsApi.ts`:
- Around line 25-28: The revokeOAuth2Grant mutation currently uses
invalidatesTags to fully invalidate the OAuth2Grants cache, which can cause
stale rows in a clustered setup. Replace the invalidatesTags approach with an
onQueryStarted handler that uses updateQueryData to patch the getOAuth2Grants
query cache. The handler should optimistically remove the revoked grant with the
matching ID from the cached grants list, ensuring only the specific deleted
grant is removed rather than invalidating the entire cache, making the mutation
deterministic and cache-safe.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 41aea2ef-4014-4abc-bd40-7165db2edfda

📥 Commits

Reviewing files that changed from the base of the PR and between 3d76e6a and ffd24d4.

📒 Files selected for processing (12)

• framework/configstore/rdb.go
• framework/configstore/store.go
• transports/bifrost-http/handlers/mcp_sessions.go
• ui/app/workspace/mcp-sessions/page.tsx
• ui/app/workspace/oauth-grants/layout.tsx
• ui/app/workspace/oauth-grants/page.tsx
• ui/components/sidebar.tsx
• ui/lib/store/apis/baseApi.ts
• ui/lib/store/apis/index.ts
• ui/lib/store/apis/mcpSessionsApi.ts
• ui/lib/store/apis/oauth2SessionsApi.ts
• ui/lib/types/mcpSessions.ts

[greptile-apps]

Confidence Score: 5/5

The changes are well-scoped: a new read-only management page with a straightforward revoke flow, and a small additive filter on an existing query.

The previously flagged SQL parenthesization bug is fixed with an explicit (... OR ... OR ...) in the raw string. The stale-offset bug after a revoke is addressed by the useEffect snap-back. The AccessTokenExpiry component now uses last_used_at ?? created_at as its base, which correctly handles silently-refreshed tokens. No new correctness or security issues were found in the remaining code.

No files require special attention.

Important Files Changed

Filename	Overview
framework/configstore/rdb.go	Adds Identity exact-match filter to applyMCPSessionFilters; the OR group is now explicitly parenthesized in the raw SQL string so it ANDs correctly with the preceding filters.
framework/configstore/store.go	Adds Identity string field to MCPSessionsFilterParams; straight struct extension with no interface breaks.
transports/bifrost-http/handlers/mcp_sessions.go	Exposes the new identity query parameter; properly trimmed with strings.TrimSpace and passed through the existing filter struct.
ui/app/workspace/oauth-grants/page.tsx	New OAuth Grants page with client-side search/filter, pagination, revoke flow, and a useEffect snap-back guard so revoking the last row on a trailing page doesn't strand the UI.
ui/app/workspace/oauth-grants/views/grantActions.tsx	Per-row actions dropdown; deep-link uses encodeURIComponent on the identity, and the trigger is disabled during any in-flight revoke to prevent concurrent mutations.
ui/app/workspace/oauth-grants/views/grantsTable.tsx	Results table with pinned actions column, relative-time helpers, AccessTokenExpiry now anchored to last_used_at ?? created_at for accurate display of silently-refreshed tokens.
ui/lib/store/apis/oauth2SessionsApi.ts	New RTK Query slice for /oauth2/sessions GET and DELETE; cache tag wired up correctly so revocation invalidates the list.
ui/app/workspace/mcp-sessions/page.tsx	Adds identity URL param wired into query, active-filter check, and handleClearFilters; existing behaviour preserved.
ui/lib/store/apis/mcpSessionsApi.ts	Serializes the new identity param into the query-string builder; no sorting applied (correct for an exact-match scalar).

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant UI as OAuth Grants Page
    participant RTK as RTK Query
    participant API as /oauth2/sessions
    participant MCP as MCP Sessions Page

    UI->>RTK: useGetOAuth2GrantsQuery()
    RTK->>API: GET /oauth2/sessions
    API-->>RTK: "OAuth2GrantsListResponse { sessions[] }"
    RTK-->>UI: allGrants (client-side filter/paginate)

    UI->>UI: User clicks View auth sessions
    UI->>MCP: "Navigate /workspace/mcp-sessions?auth_mode=&identity="

    MCP->>API: "GET /mcp-sessions?identity=exact&auth_mode=mode"
    Note over API: applyMCPSessionFilters:<br/>(user_id=? OR virtual_key_id=? OR session_id=?)

    UI->>UI: User clicks Revoke
    UI->>RTK: useRevokeOAuth2GrantMutation(id)
    RTK->>API: DELETE /oauth2/sessions/:id
    API-->>RTK: 200
    RTK->>RTK: invalidatesTags [OAuth2Grants]
    RTK->>API: GET /oauth2/sessions (refetch)
    API-->>UI: Updated grant list

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant UI as OAuth Grants Page
    participant RTK as RTK Query
    participant API as /oauth2/sessions
    participant MCP as MCP Sessions Page

    UI->>RTK: useGetOAuth2GrantsQuery()
    RTK->>API: GET /oauth2/sessions
    API-->>RTK: "OAuth2GrantsListResponse { sessions[] }"
    RTK-->>UI: allGrants (client-side filter/paginate)

    UI->>UI: User clicks View auth sessions
    UI->>MCP: "Navigate /workspace/mcp-sessions?auth_mode=&identity="

    MCP->>API: "GET /mcp-sessions?identity=exact&auth_mode=mode"
    Note over API: applyMCPSessionFilters:<br/>(user_id=? OR virtual_key_id=? OR session_id=?)

    UI->>UI: User clicks Revoke
    UI->>RTK: useRevokeOAuth2GrantMutation(id)
    RTK->>API: DELETE /oauth2/sessions/:id
    API-->>RTK: 200
    RTK->>RTK: invalidatesTags [OAuth2Grants]
    RTK->>API: GET /oauth2/sessions (refetch)
    API-->>UI: Updated grant list

Loading

_{Reviews (7): Last reviewed commit: "feat: adds mcp oauth grants ui" | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ui/app/workspace/oauth-grants/page.tsx`:
- Around line 33-35: The pagination offset can become invalid when the filtered
results shrink after actions like revoking items. On line 34 where
filtered.slice is called with offset, the offset variable needs to be clamped to
ensure it doesn't exceed the bounds of the new filtered array. Before calling
slice with offset and offset + PAGE_SIZE, calculate the maximum valid offset
using Math.max(0, Math.floor((totalCount - 1) / PAGE_SIZE)) or similar logic,
then use the smaller of the current offset and this maximum value to ensure
pagination stays within valid bounds when the filtered count decreases.

In `@ui/app/workspace/oauth-grants/views/grantActions.tsx`:
- Around line 40-47: The conditional check on the DropdownMenuItem gating the
View auth sessions link currently only includes user and vk modes, excluding
session-based grants. Extend the bf_mode condition to also include the "session"
mode so that session-bound grants can navigate to auth sessions, aligning with
the identity filter contract that supports exact matching on session_id just as
it does for user_id and virtual_key_id.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 92a7db2e-849e-43c1-8365-68106e57eb5f

📥 Commits

Reviewing files that changed from the base of the PR and between ffd24d4 and 9424fab.

📒 Files selected for processing (16)

• framework/configstore/rdb.go
• framework/configstore/store.go
• transports/bifrost-http/handlers/mcp_sessions.go
• ui/app/workspace/mcp-sessions/page.tsx
• ui/app/workspace/oauth-grants/layout.tsx
• ui/app/workspace/oauth-grants/page.tsx
• ui/app/workspace/oauth-grants/views/grantActions.tsx
• ui/app/workspace/oauth-grants/views/grantsFilterBar.tsx
• ui/app/workspace/oauth-grants/views/grantsTable.tsx
• ui/app/workspace/oauth-grants/views/revokeGrantDialog.tsx
• ui/components/sidebar.tsx
• ui/lib/store/apis/baseApi.ts
• ui/lib/store/apis/index.ts
• ui/lib/store/apis/mcpSessionsApi.ts
• ui/lib/store/apis/oauth2SessionsApi.ts
• ui/lib/types/mcpSessions.ts

✅ Files skipped from review due to trivial changes (3)

• ui/app/workspace/oauth-grants/layout.tsx
• ui/lib/store/apis/index.ts
• ui/lib/store/apis/baseApi.ts

🚧 Files skipped from review as they are similar to previous changes (6)

• ui/components/sidebar.tsx
• ui/lib/store/apis/mcpSessionsApi.ts
• framework/configstore/rdb.go
• transports/bifrost-http/handlers/mcp_sessions.go
• ui/lib/store/apis/oauth2SessionsApi.ts
• ui/app/workspace/mcp-sessions/page.tsx