Skip to content

Visible credential target selector for secret writes; SDK Result import cleanup#512

Draft
RhysSullivan wants to merge 1 commit intors/cloud-workspaces-11-source-targetfrom
rs/cloud-workspaces-12-secrets-connections
Draft

Visible credential target selector for secret writes; SDK Result import cleanup#512
RhysSullivan wants to merge 1 commit intors/cloud-workspaces-11-source-targetfrom
rs/cloud-workspaces-12-secrets-connections

Conversation

@RhysSullivan
Copy link
Copy Markdown
Owner

@RhysSullivan RhysSullivan commented May 4, 2026

Adds CredentialTargetSelector to the secret-create dialog, exposing the
full URL-context stack with the labels the plan in
notes/cloud-workspaces-and-global-sources-plan.md calls for:

  • Only me in this workspace → user-workspace
  • Everyone in → workspace
  • Only me across this org → user-org
  • Everyone in → org

Default selection is the URL context's active write scope (workspace in
workspace context, org in global). Local CLI hosts run a single-scope
stack and the selector renders one disabled option labeled with that
scope.

Server side, assertScopedWrite already rejects writes whose scope_id
is outside the URL-resolved stack as a typed StorageError; the new
credential-target.node.test.ts exercises both halves of the contract:

  • All four legal targets in workspace context succeed and list back
    tagged with the correct scope id.
  • A cross-org write from workspace context is rejected.

Connection writes in v1 still default to the source-add form's
configured tokenScope and bindingScope (per-user); a future change
can layer this selector into the OAuth setup flow without changing the
server contract.

@RhysSullivan
Visible credential target selector for secret writes; SDK Result impo…
5b7d768 
…rt cleanup

Adds `CredentialTargetSelector` to the secret-create dialog, exposing the
full URL-context stack with the labels the plan in
`notes/cloud-workspaces-and-global-sources-plan.md` calls for:

  - Only me in this workspace        → user-workspace
  - Everyone in <workspace name>     → workspace
  - Only me across this org          → user-org
  - Everyone in <org name>           → org

Default selection is the URL context's active write scope (workspace in
workspace context, org in global). Local CLI hosts run a single-scope
stack and the selector renders one disabled option labeled with that
scope.

Server side, `assertScopedWrite` already rejects writes whose scope_id
is outside the URL-resolved stack as a typed `StorageError`; the new
`credential-target.node.test.ts` exercises both halves of the contract:

  - All four legal targets in workspace context succeed and list back
    tagged with the correct scope id.
  - A cross-org write from workspace context is rejected.

Connection writes in v1 still default to the source-add form's
configured `tokenScope` and `bindingScope` (per-user); a future change
can layer this selector into the OAuth setup flow without changing the
server contract.
This was referenced May 4, 2026
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Draft
Draft
@RhysSullivan Graphite App
Copy link
Copy Markdown
Owner Author

RhysSullivan commented May 4, 2026
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@RhysSullivan RhysSullivan mentioned this pull request May 4, 2026
Draft
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented May 4, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 executor-marketing 5b7d768 Commit Preview URL

Branch Preview URL		 May 04 2026, 05:12 PM

@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented May 4, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs		 executor-cloud 5b7d768 May 04 2026, 05:13 PM

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 4, 2026

Open in StackBlitz

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@512

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@512

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@512

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@512

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@512

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@512

@executor-js/storage-core

npm i https://pkg.pr.new/@executor-js/storage-core@512

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@512

@executor-js/plugin-google-discovery

npm i https://pkg.pr.new/@executor-js/plugin-google-discovery@512

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@512

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@512

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@512

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@512

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@512

executor

npm i https://pkg.pr.new/executor@512

commit: 5b7d768

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RhysSullivan