feat: add project scope selector and inline scope editing for MCP tokens

Yuan Huang · Yuan Huang · commit 680ae35aae0c · 2026-06-26T15:03:34.000+08:00
- createMcpToken form: native checkbox list for project selection
- token list: edit button expands inline scope editor per token
- PATCH /api/v1/mcp/tokens/&lt;id&gt; via new updateMcpToken service method
- NewAPIService: add patch() method
- validation: show error messages on invalid name/days input
diff --git a/src/dashboard-client/src/components/user/UserGlobalTokens.vue b/src/dashboard-client/src/components/user/UserGlobalTokens.vue
@@ -207,19 +207,33 @@
                 <md-card-area>
                     <md-list class="m-t-md m-b-md">
                         <md-list-item>
-                            <md-input-container class="m-r-sm" style="flex: 2">
+                            <md-input-container class="m-r-sm" style="flex: 2" :class="{'md-input-invalid': mcpNameError}">
                                 <label>Token Name (e.g. "Claude Desktop")</label>
                                 <md-input v-model="mcpForm.name" @keyup.enter.native="createMcpToken"></md-input>
+                                <span class="md-error" v-if="mcpNameError">Name must be at least 3 characters</span>
                             </md-input-container>
-                            <md-input-container class="m-r-sm" style="flex: 0 0 160px">
+                            <md-input-container class="m-r-sm" style="flex: 0 0 160px" :class="{'md-input-invalid': mcpDaysError}">
                                 <label>Validity (days)</label>
                                 <md-input v-model.number="mcpForm.expiresDays" type="number" min="1" max="365" placeholder="365"></md-input>
+                                <span class="md-error" v-if="mcpDaysError">1–365 days</span>
                             </md-input-container>
-                            <md-button :disabled="disableMcpAdd" class="md-icon-button md-list-action" @click="createMcpToken">
+                            <md-button class="md-icon-button md-list-action" @click="createMcpToken">
                                 <md-icon md-theme="running" class="md-primary">add_circle</md-icon>
                                 <md-tooltip>Create MCP token</md-tooltip>
                             </md-button>
                         </md-list-item>
+                        <md-list-item v-if="userProjects.length > 0" style="flex-wrap: wrap; align-items: flex-start; padding: 0 16px 8px">
+                            <div style="width: 100%; font-size: 13px; color: #666; margin-bottom: 6px;">
+                                Project scope
+                                <small style="color: #999; margin-left: 6px;">leave all unchecked to allow access to all projects</small>
+                            </div>
+                            <div style="display: flex; flex-wrap: wrap; gap: 4px 16px;">
+                                <label v-for="p in userProjects" :key="p.id" class="mcp-project-checkbox">
+                                    <input type="checkbox" :value="p.id" v-model="mcpForm.selectedProjects">
+                                    {{ p.name }}
+                                </label>
+                            </div>
+                        </md-list-item>
                     </md-list>
                 </md-card-area>
             </md-card>
@@ -239,30 +253,56 @@
                         </md-table-row>
                     </md-table-header>
                     <md-table-body>
-                        <md-table-row v-for="t in mcpTokens" :key="t.token_id">
-                            <md-table-cell>{{ t.name }}</md-table-cell>
-                            <md-table-cell>
-                                <span v-if="!t.enabled_projects || Object.keys(t.enabled_projects).length === 0" class="mcp-all-projects">all projects</span>
-                                <span v-else class="mcp-project-count">{{ Object.keys(t.enabled_projects).length }} project(s)</span>
-                            </md-table-cell>
-                            <md-table-cell>{{ formatDate(t.created_at) }}</md-table-cell>
-                            <md-table-cell>
-                                <span :class="expiryClass(t.expires_at)">
-                                    {{ formatDate(t.expires_at) }}
-                                    <md-icon v-if="isExpiringSoon(t.expires_at)" style="font-size:16px;vertical-align:middle">warning</md-icon>
-                                </span>
-                            </md-table-cell>
-                            <md-table-cell>{{ t.last_used_at ? formatDate(t.last_used_at) : '—' }}</md-table-cell>
-                            <md-table-cell>
-                                <md-switch v-model="t.allow_trigger" @change="toggleMcpTrigger(t)" class="mcp-trigger-switch"></md-switch>
-                            </md-table-cell>
-                            <md-table-cell>
-                                <md-button class="md-icon-button" @click="confirmMcpRevoke(t)">
-                                    <md-icon class="md-primary">delete</md-icon>
-                                    <md-tooltip>Revoke token</md-tooltip>
-                                </md-button>
-                            </md-table-cell>
-                        </md-table-row>
+                        <template v-for="t in mcpTokens">
+                            <md-table-row :key="t.token_id">
+                                <md-table-cell>{{ t.name }}</md-table-cell>
+                                <md-table-cell>
+                                    <span v-if="!t.enabled_projects || Object.keys(t.enabled_projects).length === 0" class="mcp-all-projects">all projects</span>
+                                    <span v-else class="mcp-project-count">{{ Object.keys(t.enabled_projects).length }} project(s)</span>
+                                </md-table-cell>
+                                <md-table-cell>{{ formatDate(t.created_at) }}</md-table-cell>
+                                <md-table-cell>
+                                    <span :class="expiryClass(t.expires_at)">
+                                        {{ formatDate(t.expires_at) }}
+                                        <md-icon v-if="isExpiringSoon(t.expires_at)" style="font-size:16px;vertical-align:middle">warning</md-icon>
+                                    </span>
+                                </md-table-cell>
+                                <md-table-cell>{{ t.last_used_at ? formatDate(t.last_used_at) : '—' }}</md-table-cell>
+                                <md-table-cell>
+                                    <md-switch v-model="t.allow_trigger" @change="toggleMcpTrigger(t)" class="mcp-trigger-switch"></md-switch>
+                                </md-table-cell>
+                                <md-table-cell>
+                                    <md-button class="md-icon-button" @click="toggleScopeEdit(t)">
+                                        <md-icon>edit</md-icon>
+                                        <md-tooltip>Edit project scope</md-tooltip>
+                                    </md-button>
+                                    <md-button class="md-icon-button" @click="confirmMcpRevoke(t)">
+                                        <md-icon class="md-primary">delete</md-icon>
+                                        <md-tooltip>Revoke token</md-tooltip>
+                                    </md-button>
+                                </md-table-cell>
+                            </md-table-row>
+
+                            <!-- Inline scope editor -->
+                            <md-table-row v-if="scopeEditId === t.token_id" :key="t.token_id + '-scope'" class="log-row">
+                                <md-table-cell colspan="7" class="log-cell">
+                                    <div style="padding: 8px 0;">
+                                        <div style="font-size: 13px; color: #666; margin-bottom: 8px;">
+                                            Project scope
+                                            <small style="color: #999; margin-left: 6px;">leave all unchecked to allow access to all projects</small>
+                                        </div>
+                                        <div style="display: flex; flex-wrap: wrap; gap: 4px 16px; margin-bottom: 12px;">
+                                            <label v-for="p in userProjects" :key="p.id" class="mcp-project-checkbox">
+                                                <input type="checkbox" :value="p.id" v-model="scopeEditSelection">
+                                                {{ p.name }}
+                                            </label>
+                                        </div>
+                                        <md-button class="md-raised md-primary md-dense" @click="saveScopeEdit(t)">Save</md-button>
+                                        <md-button class="md-dense" @click="scopeEditId = null">Cancel</md-button>
+                                    </div>
+                                </md-table-cell>
+                            </md-table-row>
+                        </template>
 
                         <md-table-row v-if="mcpTokens.length === 0">
                             <md-table-cell colspan="7">No MCP tokens yet. Create one above.</md-table-cell>
@@ -321,9 +361,12 @@ export default {
         mcpTokens: [],
         newMcpToken: '',
         pendingMcpRevoke: null,
+        scopeEditId: null,
+        scopeEditSelection: [],
         mcpForm: {
             name: '',
-            expiresDays: 365
+            expiresDays: 365,
+            selectedProjects: []
         }
     }),
 
@@ -336,6 +379,16 @@ export default {
             return !this.mcpForm.name || this.mcpForm.name.length < 3 ||
                 !this.mcpForm.expiresDays || this.mcpForm.expiresDays < 1 || this.mcpForm.expiresDays > 365
         },
+        mcpNameError () {
+            return this.mcpForm.name !== '' && this.mcpForm.name.length < 3
+        },
+        mcpDaysError () {
+            return this.mcpForm.expiresDays !== '' && this.mcpForm.expiresDays !== null &&
+                (this.mcpForm.expiresDays < 1 || this.mcpForm.expiresDays > 365)
+        },
+        userProjects () {
+            return this.$store.state.projects || []
+        },
         adminProjects () {
             return this.$store.state.projects.filter(p => p.userHasAdminRights())
         },
@@ -437,8 +490,19 @@ export default {
         },
 
         createMcpToken () {
-            if (this.disableMcpAdd) return
-            UserTokenService.createMcpToken(this.mcpForm.name, {}, this.mcpForm.expiresDays)
+            if (!this.mcpForm.name || this.mcpForm.name.length < 3) {
+                NotificationService.$emit('NOTIFICATION', new Notification({ message: 'Token name must be at least 3 characters.' }))
+                return
+            }
+            const days = this.mcpForm.expiresDays
+            if (!days || days < 1 || days > 365) {
+                NotificationService.$emit('NOTIFICATION', new Notification({ message: 'Validity must be between 1 and 365 days.' }))
+                return
+            }
+            const enabledProjects = this.mcpForm.selectedProjects.length > 0
+                ? this.mcpForm.selectedProjects.reduce((acc, id) => { acc[id] = null; return acc }, {})
+                : {}
+            UserTokenService.createMcpToken(this.mcpForm.name, enabledProjects, this.mcpForm.expiresDays)
                 .then((result) => {
                     this.mcpTokens.unshift({
                         token_id: result.token_id,
@@ -453,6 +517,7 @@ export default {
                     this.$refs['mcpTokenDialog'].open()
                     this.mcpForm.name = ''
                     this.mcpForm.expiresDays = 365
+                    this.mcpForm.selectedProjects = []
                 })
                 .catch(() => {})
         },
@@ -477,6 +542,29 @@ export default {
                 .finally(() => { this.pendingMcpRevoke = null })
         },
 
+        toggleScopeEdit (token) {
+            if (this.scopeEditId === token.token_id) {
+                this.scopeEditId = null
+                return
+            }
+            this.scopeEditId = token.token_id
+            this.scopeEditSelection = Object.keys(token.enabled_projects || {})
+        },
+
+        saveScopeEdit (token) {
+            const enabledProjects = this.scopeEditSelection.reduce((acc, id) => {
+                acc[id] = null
+                return acc
+            }, {})
+            UserTokenService.updateMcpToken(token.token_id, enabledProjects)
+                .then(() => {
+                    token.enabled_projects = enabledProjects
+                    this.scopeEditId = null
+                    NotificationService.$emit('NOTIFICATION', new Notification({ message: `Scope updated for "${token.name}".` }))
+                })
+                .catch(() => {})
+        },
+
         toggleMcpTrigger (token) {
             const newVal = !token.allow_trigger
             UserTokenService.setMcpTrigger(token.token_id, newVal)
@@ -576,4 +664,18 @@ export default {
 .mcp-trigger-switch {
     margin: 0;
 }
+
+.mcp-project-checkbox {
+    display: inline-flex;
+    align-items: center;
+    gap: 4px;
+    font-size: 13px;
+    cursor: pointer;
+    user-select: none;
+    color: #444;
+}
+
+.mcp-project-checkbox input {
+    cursor: pointer;
+}
 </style>
diff --git a/src/dashboard-client/src/services/NewAPIService.js b/src/dashboard-client/src/services/NewAPIService.js
@@ -61,6 +61,16 @@ class NewAPIService {
             })
             .catch(this._handleError(false))
     }
+
+    patch (url, payload) {
+        console.log(`PATCH API: ${url}`)
+        const u = this.api + url
+        return Vue.http.patch(u, payload)
+            .then((response) => {
+                return response.body
+            })
+            .catch(this._handleError(false))
+    }
 }
 
 export default new NewAPIService()
diff --git a/src/dashboard-client/src/services/UserTokenService.js b/src/dashboard-client/src/services/UserTokenService.js
@@ -59,6 +59,14 @@ class UserTokenService {
         })
     }
 
+    updateMcpToken (tokenId, enabledProjects) {
+        return NewAPIService.patch(`mcp/tokens/${tokenId}`, { enabled_projects: enabledProjects })
+            .catch((err) => {
+                NotificationService.$emit('NOTIFICATION', new Notification(err))
+                throw err
+            })
+    }
+
     revokeMcpToken (tokenId) {
         return NewAPIService.delete(`mcp/tokens/${tokenId}`)
             .catch((err) => {
