feat(permissions): MCP settings page #2978

Merged: moshloop merged 48 commits into main from feat/permissions-bulk-selection-ui, Apr 14, 2026

adityathebe (Member) commented Apr 6, 2026

Summary by CodeRabbit

  • New Features

    • MCP settings area with Overview, Playbooks, and Views tabs; per-resource permission management, resource/subject access cards, and permission access-check modal
    • Searchable, paginated subject selector and subject-level allow/deny workflows
    • Role support and subject-access review endpoints for richer permission checks
  • UI/UX Improvements

    • Refined Switch control (size variants) and improved modal scrolling/layout; in-form error display for token creation
    • Better loading/refresh behavior across MCP pages
  • Tests

    • Updated unit tests and test helpers for query/cache behavior

vercel Bot commented Apr 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| aws-preview | Ready | Preview | Apr 13, 2026 0:46am |
| flanksource-ui | Ready | Preview | Apr 13, 2026 0:46am |

coderabbitai Bot (Contributor) commented Apr 6, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds MCP settings and permission management: new MCP settings pages and components, permission services/types/fetchers, mapping utilities and a permissions hook, UI permission controls (cards, selectors, switches), RBAC review API, and a Radix-based Switch dependency.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency: package.json | Added @radix-ui/react-switch@^1.2.6. |
| App Routing: src/App.tsx | Registered MCP settings submenu and routes (/settings/mcpoverview, playbooks, views) with authorization checks. |
| Permission Services: src/api/services/permissions.ts | Added MCP_SETTINGS_PERMISSION_SOURCE, expanded FetchPermissionsInput.subject_type to include role, added fetchMcpRunPermissions, fetchMcpUserPermissions, subject search/fetch functions and normalization to []. |
| RBAC API: src/api/services/rbac.ts | Added SubjectAccessReview request/response types and reviewSubjectAccess POST helper. |
| Permission Types: src/api/types/permissions.ts | Added optional Selectors fields (id,name,namespace) and extended PermissionTable.subject_type to include "role". |
| Playbook API: src/api/services/playbooks.ts | Extended getAllPlaybookNames fields and added paginated getPlaybookNamesPaginated with ordering and exact-count pagination. |
| Permission Mapping Utilities: src/lib/permissions/mcpPermissionCardMappings.ts | New utilities to index resources, resolve refs, build subject lookup, bucket permissions by resource, and compute per-resource global overrides. |
| Permissions Hook: src/lib/permissions/useMcpResourcePermissions.ts | New generic hook to derive per-resource permission maps, compute preselected subject IDs, and perform mutations for global override and selective access (with refetch/rollback logic). |
| Permission UI Components: src/components/Permissions/... | Added SubjectSelectorPanel, ResourceAccessCard, SubjectAccessCard, PermissionAccessCheckModal, and wired access-check integration into PermissionsView. |
| MCP UI & Pages: src/components/MCP/..., src/pages/Settings/mcp/... | Added McpTabsLinks, UserList, and pages McpOverviewPage, McpPlaybooksPage, McpViewsPage, integrating hooks/components for per-resource permission management. |
| Switch Component: src/components/ui/switch.tsx, src/ui/FormControls/Switch.tsx | Added Radix-based Switch wrapper; existing Switch enhanced with size support and active-item class props; UI sizing adjustments (sm used in places). |
| Modal Behavior: src/ui/Modal/index.tsx, src/components/Users/SetupMcpModal.tsx | Added allowBodyScroll prop and conditional document/body overflow handling; updated MCP setup modal layout to allow body scroll and simplified sizing. |
| Playbook Permissions UI: src/components/Playbooks/Settings/PlaybookPermissionsModal.tsx | Added playbookAccessReviewActions and enabled access-check config for inbound PermissionsView. |
| Form/Token/Layout Tweaks: src/components/Tokens/..., src/components/Forms/... | Inline token creation error viewer, removed some fixed height/overflow constraints, and added renderMenuInPortal prop to FormikResourceSelectorDropdown. |
| Tests: src/components/Configs/..., src/components/Connections/... | Adjusted test imports/fixtures and React Query test options (removed waitFor import, removed gcTime: 0, updated connection type enums). |
| Feature Flags: src/services/permissions/features.ts | Added settings.mcp feature key. |

Sequence Diagrams

sequenceDiagram
    participant User
    participant MCP_UI as "MCP UI (Pages/Components)"
    participant PermissionsHook as "useMcpResourcePermissions"
    participant PermissionAPI as "Permission API Client"
    participant Backend

    User->>MCP_UI: open MCP tab / select resource / toggle override / open selector
    MCP_UI->>PermissionsHook: read resources + permissions (init)
    PermissionsHook->>PermissionAPI: GET permissions (mcp:run / mcp:use), GET subjects
    PermissionAPI->>Backend: HTTP GET /permissions, /subjects
    Backend-->>PermissionAPI: permissions[], subjects[]
    PermissionAPI-->>PermissionsHook: data
    PermissionsHook-->>MCP_UI: permissionsByResource, globalOverrideByResource, preselectedSubjectIds

    User->>MCP_UI: toggle global override / apply subject selection
    MCP_UI->>PermissionsHook: setGlobalOverride / allowSelectiveAccess
    PermissionsHook->>PermissionAPI: POST/PATCH/DELETE /permissions
    PermissionAPI->>Backend: HTTP POST/PATCH/DELETE /permissions
    Backend-->>PermissionAPI: success
    PermissionAPI-->>PermissionsHook: result
    PermissionsHook->>MCP_UI: refetch/update state
    MCP_UI->>User: updated UI

Suggested Reviewers

  • moshloop
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 4.08% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main objective: introducing an MCP (permissions) settings page with comprehensive permission management features, new UI components, and service layer updates. |


Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms


- Fix re-render loop: init selected state only on open transition via prevOpenRef, read preselectedSubjectIds through a stable ref so parent re-renders don't wipe user selections
- Fix incomplete onAllow payload: add fetchPermissionSubjectsByIds and seed selectedSubjects upfront so preselected subjects on other pages are always included
- Allow applying empty selection (remove last subject) by disabling Apply only when selection is unchanged from initial, not when count is zero
- Debounce search input with useDebouncedValue(300ms) to avoid per-keystroke API calls
- Remove unnecessary useMemo around selectedCount
- Add PAGE_SIZE to query key
- Replace Avatar with type-appropriate icon for team/group subjects
- Replace typeLabel function with a TYPE_LABELS record map
- Wrap subjects derivation in useMemo to fix exhaustive-deps lint warning

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/pages/Settings/mcp/McpOverviewPage.tsx`:
- Around line 208-215: The icon-only button that opens the MCP setup modal (the
button with key "setup-mcp" that calls setIsSetupMcpModalOpen(true) and renders
AiFillPlusCircle) lacks an explicit accessible name; add an aria-label (e.g.,
aria-label="Setup MCP") to the button element so screen readers announce the
action consistently while keeping the existing title prop and onClick handler
unchanged.
- Around line 138-188: The mutation currently only calls refetchPermissions() in
onSuccess so partial failures (Promise.all rejecting) leave the UI stale; update
the mutation callbacks to call refetchPermissions() in onSettled (or both
onSuccess and onError) so it always runs after the Promise.all of
deletePermission/updatePermission completes or fails—look for the mutation
definition using onSuccess/onError here (and the Promise.all logic with
primaryPermission, duplicatePermissionIds, deletePermission, updatePermission)
and move or add the refetchPermissions() call into an onSettled handler to
guarantee a refresh regardless of partial failures.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 969b4d8a-54bc-41ba-810c-5d5f2c58f6db

📥 Commits

Reviewing files that changed from the base of the PR and between b612f75 and e0ef0f4.

📒 Files selected for processing (7)
  • src/components/MCP/UserList.tsx
  • src/components/Permissions/ResourceAccessCard.tsx
  • src/components/Permissions/SubjectAccessCard.tsx
  • src/components/Tokens/Add/CreateTokenForm.tsx
  • src/pages/Settings/mcp/McpOverviewPage.tsx
  • src/pages/Settings/mcp/McpPlaybooksPage.tsx
  • src/pages/Settings/mcp/McpViewsPage.tsx
🚧 Files skipped from review as they are similar to previous changes (6)
  • src/components/Tokens/Add/CreateTokenForm.tsx
  • src/components/Permissions/SubjectAccessCard.tsx
  • src/pages/Settings/mcp/McpPlaybooksPage.tsx
  • src/pages/Settings/mcp/McpViewsPage.tsx
  • src/components/MCP/UserList.tsx
  • src/components/Permissions/ResourceAccessCard.tsx

Comment thread src/pages/Settings/mcp/McpOverviewPage.tsx
Comment thread src/pages/Settings/mcp/McpOverviewPage.tsx
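
The partial-failure case from the review comment on McpOverviewPage.tsx, as an added example that is not code from this PR: an in-memory store and a small `runMutation` helper (both constructed here) imitate the `onSuccess`/`onSettled` callback order, and the `updatePermission`/`deletePermission` signatures are assumed. It compares what the UI cache shows with what the server holds when one call inside `Promise.all` rejects.

```typescript
// Added example: constructed in-memory stand-ins, not the project's code.
type Permission = { id: string; deny: boolean };
type Store = { rows: Permission[] };
type Callbacks = { onSuccess?: () => void; onSettled?: () => void };

// Hypothetical API calls; deleting "p3" is made to fail on purpose.
async function updatePermission(db: Store, id: string, deny: boolean): Promise<void> {
  db.rows = db.rows.map((p) => (p.id === id ? { ...p, deny } : p));
}
async function deletePermission(db: Store, id: string): Promise<void> {
  if (id === "p3") throw new Error("delete rejected by server");
  db.rows = db.rows.filter((p) => p.id !== id);
}

// Imitates the useMutation callback order: onSuccess only when the mutation
// resolves, onSettled after either outcome.
async function runMutation(fn: () => Promise<unknown>, cb: Callbacks): Promise<void> {
  try {
    await fn();
    if (cb.onSuccess) cb.onSuccess();
  } catch {
    // the real hook would hand the error to onError here
  } finally {
    if (cb.onSettled) cb.onSettled();
  }
}

const show = (rows: Permission[]): string =>
  rows.map((p) => `${p.id}:${p.deny ? "deny" : "allow"}`).join(",");

// Returns what the UI cache holds after the mutation, next to the server state.
async function scenario(refetchOn: "onSuccess" | "onSettled"): Promise<{ ui: string; server: string }> {
  // Constructed rows: one primary permission (p1) and two duplicates (p2, p3).
  const db: Store = { rows: ["p1", "p2", "p3"].map((id) => ({ id, deny: false })) };
  let uiCache = show(db.rows); // initial fetch
  const refetchPermissions = (): void => { uiCache = show(db.rows); };
  const cb: Callbacks =
    refetchOn === "onSuccess" ? { onSuccess: refetchPermissions } : { onSettled: refetchPermissions };
  await runMutation(
    () => Promise.all([
      updatePermission(db, "p1", true), // primaryPermission
      deletePermission(db, "p2"),       // duplicatePermissionIds
      deletePermission(db, "p3"),       // rejects; the two calls above already applied
    ]),
    cb
  );
  return { ui: uiCache, server: show(db.rows) };
}
```

`Promise.all` rejects on the first failure while the remaining requests may still be in flight; `Promise.allSettled` waits for all of them before the refresh runs.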

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/components/Permissions/PermissionAccessCheckModal.tsx`:
- Around line 152-183: The async checkAccess call in
PermissionAccessCheckModal.tsx can update state after the modal closes; guard
against stale updates by tracking cancellation and only calling setResult /
setRequestError / helpers.setSubmitting when the modal is still open. Wrap the
try/catch/finally body with a local flag (e.g., let cancelled = false) or an
AbortController tied to the modal's close handler, set cancelled = true when the
modal is closed, and before each state update check !cancelled (or
controller.signal.aborted) to avoid applying results after close; ensure the
cancel flag is set where the modal close logic runs so in-flight promises won't
mutate state.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ea958173-2c9f-4fab-b1e0-b3ea3b57dbbf

📥 Commits

Reviewing files that changed from the base of the PR and between e0ef0f4 and 1c1ef9d.

📒 Files selected for processing (5)
  • src/api/services/rbac.ts
  • src/components/Forms/Formik/FormikResourceSelectorDropdown.tsx
  • src/components/Permissions/PermissionAccessCheckModal.tsx
  • src/components/Permissions/PermissionsView.tsx
  • src/components/Playbooks/Settings/PlaybookPermissionsModal.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/api/services/rbac.ts

Comment thread src/components/Permissions/PermissionAccessCheckModal.tsx Outdated
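
The stale-update guard suggested in the review comment above, as an added example that is not the project's component: `createModal`, `lateResponse` and the `checkAccess` callback are constructed stand-ins, and the cancel flag is flipped by the close handler.

```typescript
// Added example: constructed stand-in for the modal's state, not the project's component.
type AccessResult = { subject: string; allowed: boolean };
type ModalState = { open: boolean; submitting: boolean; result: AccessResult | null };

function createModal(guarded: boolean) {
  const state: ModalState = { open: true, submitting: false, result: null };
  let cancelInFlight: () => void = () => {};

  // checkAccess is a hypothetical request function passed in by the caller.
  async function submit(checkAccess: () => Promise<AccessResult>): Promise<void> {
    const request = { cancelled: false };
    cancelInFlight = () => { request.cancelled = true; };
    state.submitting = true;
    try {
      const res = await checkAccess();
      if (guarded && request.cancelled) return; // modal closed: drop the late result
      state.result = res;
    } finally {
      if (!(guarded && request.cancelled)) state.submitting = false;
    }
  }

  function close(): void {
    cancelInFlight(); // mark any in-flight check as stale
    state.open = false;
    state.submitting = false;
    state.result = null;
  }

  return { state, submit, close };
}

// The user closes the modal while the check is in flight; the response arrives afterwards.
async function lateResponse(guarded: boolean): Promise<ModalState> {
  let deliver: (r: AccessResult) => void = () => {};
  const checkAccess = () => new Promise<AccessResult>((resolve) => { deliver = resolve; });
  const modal = createModal(guarded);
  const pending = modal.submit(checkAccess);
  modal.close();
  deliver({ subject: "constructed-user", allowed: true }); // constructed response
  await pending;
  return modal.state;
}
```
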
Extract ResourceList, ResourceRow, and EffectiveAccessBadge from ResourceSelectorPanel.

Add independent bulk access switches for Playbooks and Views.
Move sort state and sorting logic into each ResourceList so sorting one list does not rerender the sibling list.

Memoize ResourceList and ResourceRow and stabilize bulk handlers in the parent.
Development

Successfully merging this pull request may close these issues.

Display proper error during access token creation failure MCP settings

2 participants