From 08dcdc0dc609532a1cacf5ab07ac0c4da858a5d8 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 18:32:27 +0545
Subject: [PATCH 01/48] feat: MCP settings paget pu

---
 src/App.tsx                                 | 280 +++++++-----
 src/api/services/permissions.ts             | 105 ++++-
 src/api/services/playbooks.ts               |  32 +-
 src/api/types/permissions.ts                |   3 +-
 src/components/MCP/McpTabsLinks.tsx         |  94 ++++
 src/components/MCP/PermissionAccessCard.tsx | 210 +++++++++
 src/components/MCP/PlaybooksTable.tsx       | 185 ++++++++
 src/components/MCP/SubjectSelectorModal.tsx | 235 ++++++++++
 src/components/MCP/ViewsTable.tsx           | 184 ++++++++
 src/pages/Settings/mcp/McpOverviewPage.tsx  |  30 ++
 src/pages/Settings/mcp/McpPlaybooksPage.tsx | 416 ++++++++++++++++++
 src/pages/Settings/mcp/McpViewsPage.tsx     | 463 ++++++++++++++++++++
 src/services/permissions/features.ts        |   3 +-
 src/ui/FormControls/Switch.tsx              |  21 +-
 14 files changed, 2145 insertions(+), 116 deletions(-)
 create mode 100644 src/components/MCP/McpTabsLinks.tsx
 create mode 100644 src/components/MCP/PermissionAccessCard.tsx
 create mode 100644 src/components/MCP/PlaybooksTable.tsx
 create mode 100644 src/components/MCP/SubjectSelectorModal.tsx
 create mode 100644 src/components/MCP/ViewsTable.tsx
 create mode 100644 src/pages/Settings/mcp/McpOverviewPage.tsx
 create mode 100644 src/pages/Settings/mcp/McpPlaybooksPage.tsx
 create mode 100644 src/pages/Settings/mcp/McpViewsPage.tsx

diff --git a/src/App.tsx b/src/App.tsx
index cb70bfd0b1..6b7179a2e3 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -210,6 +210,18 @@ const NotificationsSilencedPage = dynamic(
     )
 );
 
+const McpOverviewPage = dynamic(
+  () => import("@flanksource-ui/pages/Settings/mcp/McpOverviewPage")
+);
+
+const McpPlaybooksPage = dynamic(
+  () => import("@flanksource-ui/pages/Settings/mcp/McpPlaybooksPage")
+);
+
+const McpViewsPage = dynamic(
+  () => import("@flanksource-ui/pages/Settings/mcp/McpViewsPage")
+);
+
 const UsersPage = dynamic(() =>
   import("@flanksource-ui/pages/UsersPage").then((m) => m.UsersPage)
 );
@@ -380,112 +392,139 @@ const settingsNav: SettingsNavigationItems = {
   name: "Settings",
   icon: AdjustmentsIcon,
   checkPath: false,
-  submenu: [
-    {
-      name: "Connections",
-      href: "/settings/connections",
-      icon: BsLink,
-      featureName: features["settings.connections"],
-      resourceName: tables.connections
-    },
-    {
-      name: "Permissions",
-      href: "/settings/permissions",
-      icon: RiShieldUserFill,
-      featureName: features["settings.permissions"],
-      resourceName: tables.permissions
-    },
-    {
-      name: "Scopes",
-      href: "/settings/scopes",
-      icon: FaCrosshairs,
-      featureName: features["settings.permissions"],
-      resourceName: tables.scopes
-    },
-    ...(process.env.NEXT_PUBLIC_AUTH_IS_CLERK === "true"
-      ? []
-      : [
-          {
-            name: "Users",
-            href: "/settings/users",
-            icon: HiUser,
-            featureName: features["settings.users"],
-            resourceName: tables.identities
-          }
-        ]),
-    ...schemaResourceTypes
-      // remove catalog_scraper from settings
-      .filter((resource) => resource.table !== "config_scrapers")
-      .map((x) => ({
-        ...x,
-        href: `/settings/${x.table}`
-      })),
-    {
-      name: "Jobs History",
-      href: "/settings/jobs",
-      icon: FaTasks,
-      featureName: features["settings.job_history"],
-      resourceName: tables.database
-    },
-    {
-      name: "Feature Flags",
-      href: "/settings/feature-flags",
-      icon: BsToggles,
-      featureName: features["settings.feature_flags"],
-      resourceName: tables.database
-    },
-    {
-      name: "Log Backends",
-      href: "/settings/log-backends",
-      icon: LogsIcon,
-      featureName: features["logs"],
-      resourceName: tables.database
-    },
-    {
-      name: "Event Queue",
-      href: "/settings/event-queue-status",
-      icon: FaTasks,
-      featureName: features["settings.event_queue_status"],
-      resourceName: tables.database
-    },
-    {
-      name: "Agents",
-      href: "/settings/agents",
-      icon: MdOutlineSupportAgent,
-      featureName: features.agents,
-      resourceName: tables.database
-    },
-    {
-      name: "Tokens",
-      href: "/settings/tokens",
-      icon: VscKey,
-      featureName: features.agents,
-      resourceName: tables.database
-    },
-    {
-      name: "Notifications",
-      href: "/notifications/rules",
-      icon: FaBell,
-      featureName: features["settings.notifications"],
-      resourceName: tables.notifications
-    },
-    {
-      name: "Integrations",
-      href: "/settings/integrations",
-      icon: MdOutlineIntegrationInstructions,
-      featureName: features["settings.integrations"],
-      resourceName: tables.database
-    },
-    {
-      name: "Views",
-      href: "/settings/views",
-      icon: ({ className }: { className: string }) => (
-        <Icon name="workflow" className={className} />
-      ),
-      featureName: features.views,
-      resourceName: tables.views
+  submenu: (() => {
+    const sortedSubmenu = [
+      {
+        name: "Connections",
+        href: "/settings/connections",
+        icon: BsLink,
+        featureName: features["settings.connections"],
+        resourceName: tables.connections
+      },
+      {
+        name: "Permissions",
+        href: "/settings/permissions",
+        icon: RiShieldUserFill,
+        featureName: features["settings.permissions"],
+        resourceName: tables.permissions
+      },
+      {
+        name: "Scopes",
+        href: "/settings/scopes",
+        icon: FaCrosshairs,
+        featureName: features["settings.permissions"],
+        resourceName: tables.scopes
+      },
+      ...(process.env.NEXT_PUBLIC_AUTH_IS_CLERK === "true"
+        ? []
+        : [
+            {
+              name: "Users",
+              href: "/settings/users",
+              icon: HiUser,
+              featureName: features["settings.users"],
+              resourceName: tables.identities
+            }
+          ]),
+      ...schemaResourceTypes
+        // remove catalog_scraper from settings
+        .filter((resource) => resource.table !== "config_scrapers")
+        .map((x) => ({
+          ...x,
+          href: `/settings/${x.table}`
+        })),
+      {
+        name: "Jobs History",
+        href: "/settings/jobs",
+        icon: FaTasks,
+        featureName: features["settings.job_history"],
+        resourceName: tables.database
+      },
+      {
+        name: "MCP",
+        href: "/settings/mcp",
+        icon: ({ className }: { className: string }) => (
+          <Icon name="mcp" className={`${className} [&_path]:!fill-white`} />
+        ),
+        featureName: features["settings.mcp"],
+        resourceName: tables.database
+      },
+      {
+        name: "Feature Flags",
+        href: "/settings/feature-flags",
+        icon: BsToggles,
+        featureName: features["settings.feature_flags"],
+        resourceName: tables.database
+      },
+      {
+        name: "Log Backends",
+        href: "/settings/log-backends",
+        icon: LogsIcon,
+        featureName: features["logs"],
+        resourceName: tables.database
+      },
+      {
+        name: "Event Queue",
+        href: "/settings/event-queue-status",
+        icon: FaTasks,
+        featureName: features["settings.event_queue_status"],
+        resourceName: tables.database
+      },
+      {
+        name: "Agents",
+        href: "/settings/agents",
+        icon: MdOutlineSupportAgent,
+        featureName: features.agents,
+        resourceName: tables.database
+      },
+      {
+        name: "Tokens",
+        href: "/settings/tokens",
+        icon: VscKey,
+        featureName: features.agents,
+        resourceName: tables.database
+      },
+      {
+        name: "Notifications",
+        href: "/notifications/rules",
+        icon: FaBell,
+        featureName: features["settings.notifications"],
+        resourceName: tables.notifications
+      },
+      {
+        name: "Integrations",
+        href: "/settings/integrations",
+        icon: MdOutlineIntegrationInstructions,
+        featureName: features["settings.integrations"],
+        resourceName: tables.database
+      },
+      {
+        name: "Views",
+        href: "/settings/views",
+        icon: ({ className }: { className: string }) => (
+          <Icon name="workflow" className={className} />
+        ),
+        featureName: features.views,
+        resourceName: tables.views
+      }
+    ].sort((v1, v2) => stringSortHelper(v1.name, v2.name));
+
+    const jobsHistoryIndex = sortedSubmenu.findIndex(
+      (item) => item.name === "Jobs History"
+    );
+    const mcpIndex = sortedSubmenu.findIndex((item) => item.name === "MCP");
+
+    if (
+      jobsHistoryIndex !== -1 &&
+      mcpIndex !== -1 &&
+      mcpIndex !== jobsHistoryIndex + 1
+    ) {
+      const [mcpItem] = sortedSubmenu.splice(mcpIndex, 1);
+      sortedSubmenu.splice(jobsHistoryIndex + 1, 0, mcpItem);
     }
-  ].sort((v1, v2) => stringSortHelper(v1.name, v2.name))
+
+    return sortedSubmenu;
+  })()
 };
 
 const CANARY_API = "/api/canary/api/summary";
@@ -841,6 +880,37 @@ export function IncidentManagerRoutes({ sidebar }: { sidebar: ReactNode }) {
           />
         </Route>
 
+        <Route path="mcp">
+          <Route index element={<Navigate to="/settings/mcp/overview" />} />
+          <Route
+            path="overview"
+            element={withAuthorizationAccessCheck(
+              <McpOverviewPage />,
+              tables.database,
+              "read",
+              true
+            )}
+          />
+          <Route
+            path="playbooks"
+            element={withAuthorizationAccessCheck(
+              <McpPlaybooksPage />,
+              tables.database,
+              "read",
+              true
+            )}
+          />
+          <Route
+            path="views"
+            element={withAuthorizationAccessCheck(
+              <McpViewsPage />,
+              tables.database,
+              "read",
+              true
+            )}
+          />
+        </Route>
+
         {settingsNav.submenu
           .filter((v) => (v as SchemaResourceType).table)
           .map((x) => {
diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 49acc18283..d1885d8d94 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -1,4 +1,4 @@
-import { IncidentCommander } from "../axios";
+import { apiBase, IncidentCommander } from "../axios";
 import { resolvePostGrestRequestWithPagination } from "../resolve";
 import { PermissionsSummary, PermissionTable } from "../types/permissions";
 import { AVATAR_INFO } from "@flanksource-ui/constants";
@@ -17,8 +17,14 @@ export type FetchPermissionsInput = {
   connectionId?: string;
   subject?: string;
   action?: string;
-  subject_type?: "playbook" | "team" | "person" | "notification" | "component";
   direction?: "inbound" | "outbound";
+  subject_type?:
+    | "playbook"
+    | "team"
+    | "person"
+    | "notification"
+    | "component"
+    | "role";
 };
 
 function composeQueryParamForFetchPermissions({
@@ -149,3 +155,98 @@ export function recheckPermission(id: string) {
     error: null
   });
 }
+
+export type BulkApplySelection = {
+  mode: "selective" | "all" | "allExcept";
+  ids: string[];
+};
+
+export type BulkApplyScope = {
+  table: "playbooks" | "views";
+  filters?: Record<string, unknown>;
+};
+
+export type BulkApplyPermissionRequest = {
+  action: "allow" | "deny";
+  selection: BulkApplySelection;
+  scope: BulkApplyScope;
+};
+
+export async function bulkApplyPermission(payload: BulkApplyPermissionRequest) {
+  const response = await apiBase.post("/permission/bulk-apply", payload);
+  return response.data;
+}
+
+export type BulkApplyMcpPermissionRequest = {
+  object: "mcp";
+  action: "mcp:use";
+  changes: Array<{
+    user_id: string;
+    effect: "allow" | "deny" | "remove";
+  }>;
+};
+
+export async function bulkApplyMcpPermission(
+  payload: BulkApplyMcpPermissionRequest
+) {
+  const response = await apiBase.post("/permission/bulk-apply", payload);
+  return response.data;
+}
+
+export async function fetchMcpPlaybookPermissions() {
+  const response = await IncidentCommander.get<PermissionsSummary[] | null>(
+    "/permissions_summary?select=*&action=eq.mcp:run&playbook_id=not.is.null&deleted_at=is.null&limit=5000"
+  );
+
+  return response.data ?? [];
+}
+
+export async function fetchMcpViewPermissions() {
+  const response = await IncidentCommander.get<PermissionsSummary[] | null>(
+    "/permissions_summary?select=*&action=eq.mcp:run&deleted_at=is.null&limit=5000"
+  );
+
+  return response.data ?? [];
+}
+
+export type PermissionSubject = {
+  id: string;
+  name: string;
+  type: "team" | "permission_subject_group" | "person" | "role";
+};
+
+export async function fetchPermissionSubjectsPaginated({
+  search = "",
+  pageIndex = 0,
+  pageSize = 20
+}: {
+  search?: string;
+  pageIndex?: number;
+  pageSize?: number;
+}) {
+  const query = search.trim();
+
+  let url =
+    "/permission_subjects?select=id,name,type&type=neq.role&order=name.asc";
+  url += `&limit=${pageSize}&offset=${pageIndex * pageSize}`;
+
+  if (query) {
+    url += `&name=ilike.*${encodeURIComponent(query)}*`;
+  }
+
+  return resolvePostGrestRequestWithPagination<PermissionSubject[]>(
+    IncidentCommander.get(url, {
+      headers: {
+        Prefer: "count=exact"
+      }
+    })
+  );
+}
+
+export async function fetchPermissionSubjects() {
+  const response = await IncidentCommander.get<PermissionSubject[] | null>(
+    "/permission_subjects?select=id,name,type&type=neq.role&order=name.asc&limit=5000"
+  );
+
+  return response.data ?? [];
+}
diff --git a/src/api/services/playbooks.ts b/src/api/services/playbooks.ts
index c9a0be84ca..94ea0dacdc 100644
--- a/src/api/services/playbooks.ts
+++ b/src/api/services/playbooks.ts
@@ -27,11 +27,41 @@ export async function getAllPlaybooksSpecs() {
 
 export async function getAllPlaybookNames() {
   const res = await IncidentCommander.get<PlaybookNames[] | null>(
-    `/playbook_names?select=id,name,title,icon,category&order=title.asc`
+    `/playbook_names?select=id,name,namespace,title,icon,category,description&order=title.asc`
   );
   return res.data ?? [];
 }
 
+export async function getPlaybookNamesPaginated({
+  pageIndex,
+  pageSize,
+  sortBy,
+  sortOrder
+}: {
+  pageIndex: number;
+  pageSize: number;
+  sortBy?: string;
+  sortOrder?: "asc" | "desc";
+}) {
+  let url =
+    "/playbook_names?select=id,name,namespace,title,icon,category,description";
+  url += `&limit=${pageSize}&offset=${pageIndex * pageSize}`;
+
+  if (sortBy) {
+    url += `&order=${encodeURIComponent(`${sortBy}.${sortOrder ?? "asc"}`)}`;
+  } else {
+    url += `&order=${encodeURIComponent("title.asc")}`;
+  }
+
+  return resolvePostGrestRequestWithPagination<PlaybookNames[]>(
+    IncidentCommander.get(url, {
+      headers: {
+        Prefer: "count=exact"
+      }
+    })
+  );
+}
+
 export async function getPlaybookSpec(id: string) {
   const res = await IncidentCommander.get<PlaybookSpec[] | null>(
     `/playbooks?id=eq.${id}&select=*,created_by(${AVATAR_INFO})`
diff --git a/src/api/types/permissions.ts b/src/api/types/permissions.ts
index 73dbb6a0f3..87347ed68f 100644
--- a/src/api/types/permissions.ts
+++ b/src/api/types/permissions.ts
@@ -47,7 +47,8 @@ export type PermissionTable = {
     | "team"
     | "person"
     | "notification"
-    | "component";
+    | "component"
+    | "role";
   created_by: string;
   updated_by: string;
   created_at: string;
diff --git a/src/components/MCP/McpTabsLinks.tsx b/src/components/MCP/McpTabsLinks.tsx
new file mode 100644
index 0000000000..6c9b6e3762
--- /dev/null
+++ b/src/components/MCP/McpTabsLinks.tsx
@@ -0,0 +1,94 @@
+import {
+  BreadcrumbChild,
+  BreadcrumbNav,
+  BreadcrumbRoot
+} from "@flanksource-ui/ui/BreadcrumbNav";
+import { Head } from "@flanksource-ui/ui/Head";
+import { SearchLayout } from "@flanksource-ui/ui/Layout/SearchLayout";
+import TabbedLinks from "@flanksource-ui/ui/Tabs/TabbedLinks";
+import clsx from "clsx";
+import { useMemo } from "react";
+import { useSearchParams } from "react-router-dom";
+import ConfigSidebar from "../Configs/Sidebar/ConfigSidebar";
+import { ErrorBoundary } from "../ErrorBoundary";
+
+type McpTabsLinksProps = {
+  activeTab: "Overview" | "Playbooks" | "Views";
+  children: React.ReactNode;
+  className?: string;
+  onRefresh?: () => void;
+  loading?: boolean;
+};
+
+export default function McpTabsLinks({
+  activeTab,
+  children,
+  className,
+  onRefresh = () => {},
+  loading = false
+}: McpTabsLinksProps) {
+  const [searchParams] = useSearchParams();
+
+  const tabLinks = useMemo(() => {
+    const query = searchParams.toString();
+    const search = query ? `?${query}` : "";
+
+    return [
+      {
+        label: "Overview",
+        path: "/settings/mcp/overview",
+        key: "Overview",
+        search
+      },
+      {
+        label: "Playbooks",
+        path: "/settings/mcp/playbooks",
+        key: "Playbooks",
+        search
+      },
+      {
+        label: "Views",
+        path: "/settings/mcp/views",
+        key: "Views",
+        search
+      }
+    ];
+  }, [searchParams]);
+
+  return (
+    <>
+      <Head prefix={`MCP - ${activeTab}`} />
+      <SearchLayout
+        title={
+          <BreadcrumbNav
+            list={[
+              <BreadcrumbRoot key="mcp" link="/settings/mcp/overview">
+                MCP
+              </BreadcrumbRoot>,
+              <BreadcrumbChild key={activeTab}>{activeTab}</BreadcrumbChild>
+            ]}
+          />
+        }
+        onRefresh={onRefresh}
+        loading={loading}
+        contentClass="p-0 h-full overflow-y-hidden"
+      >
+        <div className="flex h-full flex-row">
+          <div className="flex flex-1 flex-col">
+            <TabbedLinks
+              activeTabName={activeTab}
+              tabLinks={tabLinks}
+              contentClassName={clsx(
+                "bg-white border border-t-0 border-gray-300 flex-1 overflow-y-auto",
+                className
+              )}
+            >
+              <ErrorBoundary>{children}</ErrorBoundary>
+            </TabbedLinks>
+          </div>
+          <ConfigSidebar />
+        </div>
+      </SearchLayout>
+    </>
+  );
+}
diff --git a/src/components/MCP/PermissionAccessCard.tsx b/src/components/MCP/PermissionAccessCard.tsx
new file mode 100644
index 0000000000..1a52a0517d
--- /dev/null
+++ b/src/components/MCP/PermissionAccessCard.tsx
@@ -0,0 +1,210 @@
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import { Button } from "@flanksource-ui/components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardHeader
+} from "@flanksource-ui/components/ui/card";
+import { Avatar } from "@flanksource-ui/ui/Avatar";
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+import { Icon } from "@flanksource-ui/ui/Icons/Icon";
+
+type PermissionAccessCardProps = {
+  entity: {
+    id: string;
+    name: string;
+    namespace?: string;
+    icon?: string;
+  };
+  users: PermissionsSummary[];
+  groups: PermissionsSummary[];
+  subjectLookup?: Record<string, { name: string; type: string }>;
+  globalOverride?: "allow" | "none" | "deny";
+  onGlobalOverrideChange: (value: "allow" | "none" | "deny") => void;
+  onAllowSelective: () => void;
+  isMutating?: boolean;
+};
+
+function PermissionGroupItem({
+  permission,
+  subjectLookup
+}: {
+  permission: PermissionsSummary;
+  subjectLookup?: Record<string, { name: string; type: string }>;
+}) {
+  if (permission.team) {
+    return (
+      <div className="inline-flex items-center gap-1 rounded-full bg-indigo-50 px-2 py-1 text-xs font-medium text-indigo-700">
+        <Icon name={permission.team.icon} className="h-3.5 w-3.5" />
+        <span>Team: {permission.team.name}</span>
+      </div>
+    );
+  }
+
+  const lookup = permission.subject
+    ? subjectLookup?.[permission.subject]
+    : undefined;
+  const groupName = lookup?.name || permission.group?.name || "Unknown group";
+
+  return (
+    <div className="inline-flex items-center gap-1 rounded-full bg-purple-50 px-2 py-1 text-xs font-medium text-purple-700">
+      <span>{groupName}</span>
+    </div>
+  );
+}
+
+function PermissionUserItem({
+  permission
+}: {
+  permission: PermissionsSummary;
+}) {
+  if (!permission.person) {
+    return (
+      <div className="text-xs text-gray-600">
+        {permission.subject || "Unknown user"}
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex items-center gap-2">
+      <Avatar size="xs" user={permission.person} />
+      <div className="flex items-center gap-1.5 text-xs text-gray-800">
+        <span className="font-medium">{permission.person.name}</span>
+        {permission.person.email && (
+          <span className="text-gray-500">{permission.person.email}</span>
+        )}
+      </div>
+    </div>
+  );
+}
+
+export default function PermissionAccessCard({
+  entity,
+  users,
+  groups,
+  subjectLookup,
+  globalOverride = "none",
+  onGlobalOverrideChange,
+  onAllowSelective,
+  isMutating = false
+}: PermissionAccessCardProps) {
+  return (
+    <Card className="rounded-xl border-gray-200 shadow-sm">
+      <CardHeader className="p-4 pb-0">
+        <div className="flex items-start gap-3">
+          <div className="flex h-9 w-9 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
+            <Icon name={entity.icon || "playbook"} className="h-5 w-5" />
+          </div>
+
+          <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
+            <div className="min-w-0">
+              <div
+                className="truncate text-sm font-semibold text-gray-900"
+                title={entity.name}
+              >
+                {entity.name}
+              </div>
+              {entity.namespace ? (
+                <div
+                  className="mt-0.5 truncate text-xs text-gray-500"
+                  title={entity.namespace}
+                >
+                  {entity.namespace}
+                </div>
+              ) : null}
+            </div>
+
+            <div className="shrink-0">
+              <div
+                className={isMutating ? "pointer-events-none opacity-60" : ""}
+              >
+                <Switch
+                  options={["Deny all", "Custom", "Allow all"]}
+                  value={
+                    globalOverride === "deny"
+                      ? "Deny all"
+                      : globalOverride === "allow"
+                        ? "Allow all"
+                        : "Custom"
+                  }
+                  onChange={(value) => {
+                    const mappedValue =
+                      value === "Deny all"
+                        ? "deny"
+                        : value === "Allow all"
+                          ? "allow"
+                          : "none";
+
+                    onGlobalOverrideChange(mappedValue);
+                  }}
+                  className="h-auto"
+                  itemsClassName=""
+                  getActiveItemClassName={(option) =>
+                    option === "Allow all"
+                      ? "bg-blue-50 text-blue-700 ring-blue-200"
+                      : option === "Deny all"
+                        ? "bg-red-50 text-red-700 ring-red-200"
+                        : undefined
+                  }
+                />
+              </div>
+            </div>
+          </div>
+        </div>
+      </CardHeader>
+
+      <CardContent className="mt-4 border-t border-gray-200 p-4 pt-3">
+        <div className="space-y-3">
+          <div>
+            <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
+              Groups
+            </div>
+            {groups.length > 0 ? (
+              <div className="flex flex-wrap gap-2">
+                {groups.map((groupPermission) => (
+                  <PermissionGroupItem
+                    key={groupPermission.id}
+                    permission={groupPermission}
+                    subjectLookup={subjectLookup}
+                  />
+                ))}
+              </div>
+            ) : (
+              <div className="text-xs text-gray-500">No groups have access</div>
+            )}
+          </div>
+
+          <div>
+            <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
+              Users
+            </div>
+            {users.length > 0 ? (
+              <div className="space-y-2">
+                {users.map((userPermission) => (
+                  <PermissionUserItem
+                    key={userPermission.id}
+                    permission={userPermission}
+                  />
+                ))}
+              </div>
+            ) : (
+              <div className="text-xs text-gray-500">No users have access</div>
+            )}
+          </div>
+
+          <div>
+            <Button
+              variant="outline"
+              size="sm"
+              className="h-8"
+              onClick={onAllowSelective}
+            >
+              + Add user or group
+            </Button>
+          </div>
+        </div>
+      </CardContent>
+    </Card>
+  );
+}
diff --git a/src/components/MCP/PlaybooksTable.tsx b/src/components/MCP/PlaybooksTable.tsx
new file mode 100644
index 0000000000..8e8e245f1c
--- /dev/null
+++ b/src/components/MCP/PlaybooksTable.tsx
@@ -0,0 +1,185 @@
+import { bulkApplyMcpPermission } from "@flanksource-ui/api/services/permissions";
+import { PlaybookNames } from "@flanksource-ui/api/types/playbooks";
+import { Button } from "@flanksource-ui/components";
+import {
+  toastError,
+  toastSuccess
+} from "@flanksource-ui/components/Toast/toast";
+import useMrtBulkSelection from "@flanksource-ui/ui/MRTDataTable/Hooks/useMrtBulkSelection";
+import MRTDataTable from "@flanksource-ui/ui/MRTDataTable/MRTDataTable";
+import { MRT_ColumnDef } from "mantine-react-table";
+import { ChangeEvent, useCallback } from "react";
+
+type PlaybooksTableProps = {
+  data: PlaybookNames[];
+  isLoading?: boolean;
+  pageCount?: number;
+  totalRowCount?: number;
+};
+
+const columns: MRT_ColumnDef<PlaybookNames>[] = [
+  {
+    header: "Name",
+    accessorKey: "name"
+  },
+  {
+    header: "Namespace",
+    accessorKey: "namespace"
+  },
+  {
+    header: "Title",
+    accessorKey: "title"
+  },
+  {
+    header: "Category",
+    accessorKey: "category"
+  },
+  {
+    header: "Description",
+    accessorKey: "description"
+  }
+];
+
+export default function PlaybooksTable({
+  data,
+  isLoading,
+  pageCount,
+  totalRowCount = 0
+}: PlaybooksTableProps) {
+  const {
+    rowSelection,
+    hasSelectedRows,
+    selectionSummary,
+    onRowSelectionChange,
+    onSelectAllChange,
+    clearSelection,
+    buildPayload
+  } = useMrtBulkSelection<PlaybookNames, { table: "playbooks" }>({
+    rows: data,
+    totalRowCount,
+    getRowId: (row) => row.id,
+    selectionScope: { table: "playbooks" }
+  });
+
+  const triggerBulkAction = useCallback(
+    async (action: "allow" | "deny") => {
+      const selection = buildPayload();
+
+      if (selection.mode !== "selective") {
+        toastError(
+          "This endpoint only accepts explicit user changes. Please select rows directly instead of using Select All."
+        );
+        return;
+      }
+
+      if (selection.ids.length === 0) {
+        toastError("No rows selected");
+        return;
+      }
+
+      try {
+        await bulkApplyMcpPermission({
+          object: "mcp",
+          action: "mcp:use",
+          changes: selection.ids.map((id) => ({
+            user_id: id,
+            effect: action
+          }))
+        });
+
+        toastSuccess(
+          `Applied ${action} to ${selection.ids.length} selected rows`
+        );
+
+        clearSelection();
+      } catch (error) {
+        toastError(error as any);
+      }
+    },
+    [buildPayload, clearSelection]
+  );
+
+  return (
+    <>
+      <div className="pointer-events-none absolute inset-x-0 top-3 z-50 flex justify-center px-4">
+        <div
+          className={`pointer-events-auto flex flex-row flex-wrap items-center gap-1.5 rounded-xl border border-gray-300 bg-gray-100 px-2.5 py-1.5 shadow-lg transition-all duration-500 ease-out ${
+            hasSelectedRows
+              ? "translate-y-0 opacity-100"
+              : "translate-y-2 opacity-0"
+          }`}
+        >
+          <span className="pr-1 text-xs font-medium text-gray-700">
+            {selectionSummary}
+          </span>
+          <Button
+            size="none"
+            disabled={!hasSelectedRows}
+            className="rounded border border-gray-400 bg-white px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-50"
+            onClick={() => triggerBulkAction("allow")}
+          >
+            Allow All
+          </Button>
+          <Button
+            size="none"
+            disabled={!hasSelectedRows}
+            className="rounded border border-gray-400 bg-gray-200 px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-300"
+            onClick={() => triggerBulkAction("deny")}
+          >
+            Deny All
+          </Button>
+        </div>
+      </div>
+      <div className="relative flex h-full flex-col">
+        <MRTDataTable
+          columns={columns}
+          data={data}
+          isLoading={isLoading}
+          enableServerSidePagination
+          enableServerSideSorting
+          manualPageCount={pageCount}
+          totalRowCount={totalRowCount}
+          defaultPageSize={50}
+          enableRowSelection
+          enableSelectAll
+          getRowId={(row) => row.id}
+          rowSelection={rowSelection}
+          onRowSelectionChange={onRowSelectionChange}
+          mantineSelectCheckboxProps={{
+            size: "xs",
+            radius: "lg",
+            styles: {
+              icon: {
+                display: "none"
+              },
+              input: {
+                opacity: 0.9,
+                borderWidth: 1,
+                borderColor: "#d1d5db",
+                backgroundColor: "#f9fafb"
+              }
+            }
+          }}
+          mantineSelectAllCheckboxProps={{
+            size: "xs",
+            radius: "lg",
+            onChange: (event: ChangeEvent<HTMLInputElement>) => {
+              onSelectAllChange(event.currentTarget.checked);
+            },
+            styles: {
+              icon: {
+                display: "none"
+              },
+              input: {
+                opacity: 0.9,
+                borderWidth: 1,
+                borderColor: "#d1d5db",
+                backgroundColor: "#f9fafb"
+              }
+            }
+          }}
+        />
+      </div>
+    </>
+  );
+}
diff --git a/src/components/MCP/SubjectSelectorModal.tsx b/src/components/MCP/SubjectSelectorModal.tsx
new file mode 100644
index 0000000000..450fe1b75e
--- /dev/null
+++ b/src/components/MCP/SubjectSelectorModal.tsx
@@ -0,0 +1,235 @@
+import {
+  fetchPermissionSubjectsPaginated,
+  PermissionSubject
+} from "@flanksource-ui/api/services/permissions";
+import { Badge } from "@flanksource-ui/components/ui/badge";
+import { Button } from "@flanksource-ui/components/ui/button";
+import { Checkbox } from "@flanksource-ui/components/ui/checkbox";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle
+} from "@flanksource-ui/components/ui/dialog";
+import { Input } from "@flanksource-ui/components/ui/input";
+import { Avatar } from "@flanksource-ui/ui/Avatar";
+import { useQuery } from "@tanstack/react-query";
+import { useEffect, useMemo, useState } from "react";
+
+const PAGE_SIZE = 20;
+
+type SubjectSelectorModalProps = {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  title: string;
+  description?: string;
+  onAllow: (selection: PermissionSubject[]) => Promise<void> | void;
+  preselectedSubjectIds?: string[];
+  isSubmitting?: boolean;
+};
+
+function typeLabel(type: PermissionSubject["type"]) {
+  if (type === "permission_subject_group") {
+    return "group";
+  }
+
+  return type;
+}
+
+export default function SubjectSelectorModal({
+  open,
+  onOpenChange,
+  title,
+  description,
+  onAllow,
+  preselectedSubjectIds = [],
+  isSubmitting = false
+}: SubjectSelectorModalProps) {
+  const [search, setSearch] = useState("");
+  const [pageIndex, setPageIndex] = useState(0);
+  const [selectedIds, setSelectedIds] = useState<Record<string, true>>({});
+  const [selectedSubjects, setSelectedSubjects] = useState<
+    Record<string, PermissionSubject>
+  >({});
+
+  useEffect(() => {
+    setPageIndex(0);
+  }, [search]);
+
+  useEffect(() => {
+    if (!open) {
+      setSearch("");
+      setPageIndex(0);
+      setSelectedIds({});
+      setSelectedSubjects({});
+      return;
+    }
+
+    const preselectedMap: Record<string, true> = {};
+    for (const id of preselectedSubjectIds) {
+      preselectedMap[id] = true;
+    }
+    setSelectedIds(preselectedMap);
+  }, [open, preselectedSubjectIds]);
+
+  const { data, isLoading } = useQuery({
+    queryKey: ["mcp", "subject-selector", search, pageIndex],
+    queryFn: async () =>
+      fetchPermissionSubjectsPaginated({
+        search,
+        pageIndex,
+        pageSize: PAGE_SIZE
+      }),
+    enabled: open
+  });
+
+  const subjects = (data?.data ?? []) as PermissionSubject[];
+  const totalEntries = data?.totalEntries ?? 0;
+  const pageCount = Math.ceil(totalEntries / PAGE_SIZE);
+
+  useEffect(() => {
+    if (subjects.length === 0) {
+      return;
+    }
+
+    setSelectedSubjects((prev) => {
+      const next = { ...prev };
+      for (const subject of subjects) {
+        if (selectedIds[subject.id]) {
+          next[subject.id] = subject;
+        }
+      }
+      return next;
+    });
+  }, [subjects, selectedIds]);
+
+  const selectedCount = useMemo(
+    () => Object.keys(selectedIds).length,
+    [selectedIds]
+  );
+
+  const toggleSubject = (subject: PermissionSubject, checked: boolean) => {
+    setSelectedIds((prev) => {
+      if (checked) {
+        return { ...prev, [subject.id]: true };
+      }
+
+      const next = { ...prev };
+      delete next[subject.id];
+      return next;
+    });
+
+    setSelectedSubjects((prev) => {
+      if (checked) {
+        return { ...prev, [subject.id]: subject };
+      }
+
+      const next = { ...prev };
+      delete next[subject.id];
+      return next;
+    });
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="flex h-[640px] max-w-2xl flex-col">
+        <DialogHeader>
+          <DialogTitle>{title}</DialogTitle>
+          {description ? (
+            <DialogDescription>{description}</DialogDescription>
+          ) : null}
+        </DialogHeader>
+
+        <Input
+          placeholder="Search users or groups"
+          value={search}
+          onChange={(event) => setSearch(event.target.value)}
+        />
+
+        <div className="min-h-0 flex-1 space-y-1 overflow-y-auto rounded-md border p-2">
+          {isLoading ? (
+            <div className="p-2 text-sm text-gray-500">Loading...</div>
+          ) : subjects.length > 0 ? (
+            subjects.map((subject) => (
+              <label
+                key={subject.id}
+                className="flex cursor-pointer items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+              >
+                <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
+                  <Checkbox
+                    checked={!!selectedIds[subject.id]}
+                    onCheckedChange={(checked) =>
+                      toggleSubject(subject, checked === true)
+                    }
+                  />
+                  <Avatar size="xs" user={{ name: subject.name }} />
+                  <div className="min-w-0 truncate text-sm font-medium text-gray-900">
+                    {subject.name}
+                  </div>
+                </div>
+
+                <div className="ml-2 flex shrink-0 items-center">
+                  <Badge variant="outline" className="text-[10px] font-normal">
+                    {typeLabel(subject.type)}
+                  </Badge>
+                </div>
+              </label>
+            ))
+          ) : (
+            <div className="p-2 text-sm text-gray-500">No subjects found</div>
+          )}
+        </div>
+
+        <div className="flex items-center justify-between text-xs text-gray-500">
+          <div>
+            Selected: {selectedCount} subject{selectedCount === 1 ? "" : "s"}
+          </div>
+          <div className="flex items-center gap-2">
+            <Button
+              type="button"
+              variant="outline"
+              size="sm"
+              disabled={pageIndex === 0}
+              onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
+            >
+              Previous
+            </Button>
+            <span>
+              Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
+            </span>
+            <Button
+              type="button"
+              variant="outline"
+              size="sm"
+              disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
+              onClick={() =>
+                setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))
+              }
+            >
+              Next
+            </Button>
+          </div>
+        </div>
+
+        <DialogFooter>
+          <Button
+            type="button"
+            variant="outline"
+            onClick={() => onOpenChange(false)}
+          >
+            Cancel
+          </Button>
+          <Button
+            type="button"
+            disabled={selectedCount === 0 || isSubmitting}
+            onClick={() => onAllow(Object.values(selectedSubjects))}
+          >
+            Apply
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/src/components/MCP/ViewsTable.tsx b/src/components/MCP/ViewsTable.tsx
new file mode 100644
index 0000000000..7cf311c841
--- /dev/null
+++ b/src/components/MCP/ViewsTable.tsx
@@ -0,0 +1,184 @@
+import {
+  bulkApplyPermission,
+  BulkApplyScope
+} from "@flanksource-ui/api/services/permissions";
+import { View } from "@flanksource-ui/api/services/views";
+import { Button } from "@flanksource-ui/components";
+import {
+  toastError,
+  toastSuccess
+} from "@flanksource-ui/components/Toast/toast";
+import useMrtBulkSelection from "@flanksource-ui/ui/MRTDataTable/Hooks/useMrtBulkSelection";
+import { MRTDateCell } from "@flanksource-ui/ui/MRTDataTable/Cells/MRTDateCells";
+import MRTDataTable from "@flanksource-ui/ui/MRTDataTable/MRTDataTable";
+import { MRT_ColumnDef } from "mantine-react-table";
+import { ChangeEvent, useCallback } from "react";
+
+type ViewsTableProps = {
+  data: View[];
+  isLoading?: boolean;
+  pageCount?: number;
+  totalRowCount?: number;
+  filters?: Record<string, unknown>;
+};
+
+const columns: MRT_ColumnDef<View>[] = [
+  {
+    header: "Name",
+    accessorKey: "name"
+  },
+  {
+    header: "Namespace",
+    accessorKey: "namespace"
+  },
+  {
+    header: "Source",
+    accessorKey: "source"
+  },
+  {
+    header: "Created",
+    accessorKey: "created_at",
+    Cell: MRTDateCell,
+    sortingFn: "datetime"
+  },
+  {
+    header: "Updated",
+    accessorKey: "updated_at",
+    Cell: MRTDateCell,
+    sortingFn: "datetime"
+  }
+];
+
+export default function ViewsTable({
+  data,
+  isLoading,
+  pageCount,
+  totalRowCount = 0,
+  filters = {}
+}: ViewsTableProps) {
+  const {
+    rowSelection,
+    hasSelectedRows,
+    selectionSummary,
+    onRowSelectionChange,
+    onSelectAllChange,
+    clearSelection,
+    buildPayload
+  } = useMrtBulkSelection<View, { table: "views" }>({
+    rows: data,
+    totalRowCount,
+    getRowId: (row) => row.id,
+    selectionScope: { table: "views" }
+  });
+
+  const triggerBulkAction = useCallback(
+    async (action: "allow" | "deny") => {
+      const selection = buildPayload();
+      const scope: BulkApplyScope = {
+        table: "views",
+        filters
+      };
+
+      try {
+        await bulkApplyPermission({
+          action,
+          selection,
+          scope
+        });
+
+        toastSuccess(
+          `action=${action}, ids=${selection.ids.join(",") || "none"}, mode=${selection.mode}`
+        );
+
+        clearSelection();
+      } catch (error) {
+        toastError(error as any);
+      }
+    },
+    [buildPayload, clearSelection, filters]
+  );
+
+  return (
+    <>
+      <div className="pointer-events-none absolute inset-x-0 top-3 z-50 flex justify-center px-4">
+        <div
+          className={`pointer-events-auto flex flex-row flex-wrap items-center gap-1.5 rounded-xl border border-gray-300 bg-gray-100 px-2.5 py-1.5 shadow-lg transition-all duration-500 ease-out ${
+            hasSelectedRows
+              ? "translate-y-0 opacity-100"
+              : "translate-y-2 opacity-0"
+          }`}
+        >
+          <span className="pr-1 text-xs font-medium text-gray-700">
+            {selectionSummary}
+          </span>
+          <Button
+            size="none"
+            disabled={!hasSelectedRows}
+            className="rounded border border-gray-400 bg-white px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-50"
+            onClick={() => triggerBulkAction("allow")}
+          >
+            Allow All
+          </Button>
+          <Button
+            size="none"
+            disabled={!hasSelectedRows}
+            className="rounded border border-gray-400 bg-gray-200 px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-300"
+            onClick={() => triggerBulkAction("deny")}
+          >
+            Deny All
+          </Button>
+        </div>
+      </div>
+      <div className="relative flex h-full flex-col">
+        <MRTDataTable
+          columns={columns}
+          data={data}
+          isLoading={isLoading}
+          enableServerSideSorting
+          enableServerSidePagination
+          manualPageCount={pageCount}
+          totalRowCount={totalRowCount}
+          defaultPageSize={50}
+          enableRowSelection
+          enableSelectAll
+          getRowId={(row) => row.id}
+          rowSelection={rowSelection}
+          onRowSelectionChange={onRowSelectionChange}
+          mantineSelectCheckboxProps={{
+            size: "xs",
+            radius: "lg",
+            styles: {
+              icon: {
+                display: "none"
+              },
+              input: {
+                opacity: 0.9,
+                borderWidth: 1,
+                borderColor: "#d1d5db",
+                backgroundColor: "#f9fafb"
+              }
+            }
+          }}
+          mantineSelectAllCheckboxProps={{
+            size: "xs",
+            radius: "lg",
+            onChange: (event: ChangeEvent<HTMLInputElement>) => {
+              onSelectAllChange(event.currentTarget.checked);
+            },
+            styles: {
+              icon: {
+                display: "none"
+              },
+              input: {
+                opacity: 0.9,
+                borderWidth: 1,
+                borderColor: "#d1d5db",
+                backgroundColor: "#f9fafb"
+              }
+            }
+          }}
+        />
+      </div>
+    </>
+  );
+}
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
new file mode 100644
index 0000000000..13176ddb01
--- /dev/null
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -0,0 +1,30 @@
+import PermissionsView from "@flanksource-ui/components/Permissions/PermissionsView";
+import { useRef, useState } from "react";
+import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+
+const MCP_ACTIONS_FILTER = "mcp____run:1,mcp____use:1";
+
+export default function McpOverviewPage() {
+  const [isLoading, setIsLoading] = useState(false);
+  const refetchFunctionRef = useRef<(() => void) | null>(null);
+
+  return (
+    <McpTabsLinks
+      activeTab="Overview"
+      loading={isLoading}
+      onRefresh={() => refetchFunctionRef.current?.()}
+    >
+      <div className="flex h-full w-full flex-1 flex-col p-6 pb-0">
+        <div className="flex min-h-0 flex-1 flex-col">
+          <PermissionsView
+            permissionRequest={{ action: MCP_ACTIONS_FILTER }}
+            setIsLoading={setIsLoading}
+            onRefetch={(refetch) => {
+              refetchFunctionRef.current = refetch;
+            }}
+          />
+        </div>
+      </div>
+    </McpTabsLinks>
+  );
+}
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
new file mode 100644
index 0000000000..2829448404
--- /dev/null
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -0,0 +1,416 @@
+import { getAllPlaybookNames } from "@flanksource-ui/api/services/playbooks";
+import {
+  addPermission,
+  deletePermission,
+  fetchMcpPlaybookPermissions,
+  updatePermission,
+  fetchPermissionSubjects,
+  PermissionSubject
+} from "@flanksource-ui/api/services/permissions";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import PermissionAccessCard from "@flanksource-ui/components/MCP/PermissionAccessCard";
+import SubjectSelectorModal from "@flanksource-ui/components/MCP/SubjectSelectorModal";
+import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import {
+  toastError,
+  toastSuccess
+} from "@flanksource-ui/components/Toast/toast";
+import { useUser } from "@flanksource-ui/context";
+import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
+
+type PermissionBuckets = {
+  users: PermissionsSummary[];
+  groups: PermissionsSummary[];
+};
+
+const EVERYONE_SUBJECT_ID = "everyone";
+const EVERYONE_SUBJECT_TYPE = "role";
+
+export default function McpPlaybooksPage() {
+  const { user } = useUser();
+  const [selectedPlaybookId, setSelectedPlaybookId] = useState<string | null>(
+    null
+  );
+  const [mutatingPlaybookId, setMutatingPlaybookId] = useState<string | null>(
+    null
+  );
+
+  const {
+    data: playbooks = [],
+    isLoading: isPlaybooksLoading,
+    refetch: refetchPlaybooks,
+    isRefetching: isPlaybooksRefetching
+  } = useQuery({
+    queryKey: ["mcp", "playbooks", "all"],
+    queryFn: getAllPlaybookNames
+  });
+
+  const {
+    data: playbookPermissions = [],
+    isLoading: isPermissionsLoading,
+    refetch: refetchPermissions,
+    isRefetching: isPermissionsRefetching
+  } = useQuery({
+    queryKey: ["mcp", "playbooks", "permissions"],
+    queryFn: fetchMcpPlaybookPermissions
+  });
+
+  const { data: permissionSubjects = [] } = useQuery({
+    queryKey: ["mcp", "permission-subjects", "all"],
+    queryFn: fetchPermissionSubjects
+  });
+
+  const subjectLookup = useMemo(() => {
+    return Object.fromEntries(
+      permissionSubjects.map((subject) => [
+        subject.id,
+        { name: subject.name, type: subject.type }
+      ])
+    );
+  }, [permissionSubjects]);
+
+  const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
+    useMutation({
+      mutationFn: async ({
+        playbookId,
+        override
+      }: {
+        playbookId: string;
+        override: "allow" | "none" | "deny";
+      }) => {
+        const existingOverrides = playbookPermissions.filter(
+          (permission) =>
+            permission.playbook_id === playbookId &&
+            permission.action === "mcp:run" &&
+            permission.subject_type === EVERYONE_SUBJECT_TYPE &&
+            permission.subject === EVERYONE_SUBJECT_ID &&
+            permission.id &&
+            permission.source === "mcp_settings"
+        );
+
+        if (override === "none") {
+          await Promise.all(
+            existingOverrides.map((permission) =>
+              deletePermission(permission.id)
+            )
+          );
+          return;
+        }
+
+        const targetDeny = override === "deny";
+        const existingOverride = existingOverrides[0];
+
+        if (existingOverride) {
+          if (existingOverride.deny !== targetDeny) {
+            await updatePermission({
+              id: existingOverride.id,
+              deny: targetDeny
+            } as any);
+          }
+          return;
+        }
+
+        await addPermission({
+          playbook_id: playbookId,
+          action: "mcp:run",
+          subject: EVERYONE_SUBJECT_ID,
+          subject_type: EVERYONE_SUBJECT_TYPE,
+          deny: targetDeny,
+          source: "mcp_settings",
+          created_by: user?.id!
+        } as any);
+      },
+      onSuccess: () => {
+        refetchPermissions();
+      },
+      onError: (error) => {
+        toastError(error as any);
+      }
+    });
+
+  const { mutateAsync: allowSelectiveAccess, isLoading: isAllowingSelective } =
+    useMutation({
+      mutationFn: async ({
+        playbookId,
+        subjects
+      }: {
+        playbookId: string;
+        subjects: PermissionSubject[];
+      }) => {
+        const normalizeSubject = (subject: PermissionSubject) => {
+          const subjectType =
+            subject.type === "person"
+              ? "person"
+              : subject.type === "team"
+                ? "team"
+                : subject.type === "permission_subject_group"
+                  ? "group"
+                  : null;
+
+          if (!subjectType) {
+            return null;
+          }
+
+          return `${subjectType}:${subject.id}`;
+        };
+
+        const desiredKeys = new Set(
+          subjects.map(normalizeSubject).filter(Boolean) as string[]
+        );
+
+        const existingPermissions = playbookPermissions.filter(
+          (permission) =>
+            permission.playbook_id === playbookId &&
+            permission.action === "mcp:run" &&
+            permission.deny !== true &&
+            permission.subject &&
+            permission.id &&
+            (permission.subject_type === "person" ||
+              permission.subject_type === "team" ||
+              permission.subject_type === "group") &&
+            (permission.source === "mcp_settings" || permission.source === "UI")
+        );
+
+        const existingKeys = new Set(
+          existingPermissions.map(
+            (permission) => `${permission.subject_type}:${permission.subject}`
+          )
+        );
+
+        const payloads = subjects
+          .map((subject) => {
+            const subjectType =
+              subject.type === "person"
+                ? "person"
+                : subject.type === "team"
+                  ? "team"
+                  : subject.type === "permission_subject_group"
+                    ? "group"
+                    : null;
+
+            if (!subjectType) {
+              return null;
+            }
+
+            const key = `${subjectType}:${subject.id}`;
+            if (existingKeys.has(key)) {
+              return null;
+            }
+
+            return {
+              playbook_id: playbookId,
+              action: "mcp:run",
+              subject: subject.id,
+              subject_type: subjectType,
+              deny: false,
+              source: "mcp_settings" as const,
+              created_by: user?.id
+            };
+          })
+          .filter(Boolean);
+
+        const deleteIds = existingPermissions
+          .filter(
+            (permission) =>
+              !desiredKeys.has(
+                `${permission.subject_type}:${permission.subject}`
+              )
+          )
+          .map((permission) => permission.id);
+
+        await Promise.all([
+          ...payloads.map((payload) => addPermission(payload as any)),
+          ...deleteIds.map((id) => deletePermission(id))
+        ]);
+
+        return {
+          added: payloads.length,
+          removed: deleteIds.length
+        };
+      },
+      onSuccess: ({ added, removed }) => {
+        if (added === 0 && removed === 0) {
+          toastSuccess("No permission changes");
+        } else {
+          toastSuccess(`Updated permissions: +${added} / -${removed}`);
+        }
+
+        setSelectedPlaybookId(null);
+        refetchPermissions();
+      },
+      onError: (error) => {
+        toastError(error as any);
+      }
+    });
+
+  const permissionsByPlaybook = useMemo(() => {
+    const map = new Map<string, PermissionBuckets>();
+
+    for (const permission of playbookPermissions) {
+      if (!permission.playbook_id || permission.deny === true) {
+        continue;
+      }
+
+      if (
+        permission.subject_type === EVERYONE_SUBJECT_TYPE &&
+        permission.subject === EVERYONE_SUBJECT_ID
+      ) {
+        continue;
+      }
+
+      const current = map.get(permission.playbook_id) ?? {
+        users: [],
+        groups: []
+      };
+
+      if (permission.subject_type === "person") {
+        current.users.push(permission);
+      } else if (
+        permission.subject_type === "team" ||
+        permission.subject_type === "group"
+      ) {
+        current.groups.push(permission);
+      }
+
+      map.set(permission.playbook_id, current);
+    }
+
+    return map;
+  }, [playbookPermissions]);
+
+  const globalOverrideByPlaybook = useMemo(() => {
+    const map = new Map<string, "allow" | "none" | "deny">();
+
+    for (const permission of playbookPermissions) {
+      if (
+        !permission.playbook_id ||
+        permission.action !== "mcp:run" ||
+        permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
+        permission.subject !== EVERYONE_SUBJECT_ID
+      ) {
+        continue;
+      }
+
+      map.set(
+        permission.playbook_id,
+        permission.deny === true ? "deny" : "allow"
+      );
+    }
+
+    return map;
+  }, [playbookPermissions]);
+
+  const selectedPlaybook = useMemo(() => {
+    return playbooks.find((playbook) => playbook.id === selectedPlaybookId);
+  }, [playbooks, selectedPlaybookId]);
+
+  const loading =
+    isPlaybooksLoading ||
+    isPermissionsLoading ||
+    isPlaybooksRefetching ||
+    isPermissionsRefetching ||
+    isUpdatingGlobalOverride ||
+    isAllowingSelective;
+
+  return (
+    <McpTabsLinks
+      activeTab="Playbooks"
+      loading={loading}
+      onRefresh={() => {
+        refetchPlaybooks();
+        refetchPermissions();
+      }}
+    >
+      <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
+        <div>
+          <h3 className="text-lg font-semibold text-gray-900">
+            Playbook permissions
+          </h3>
+          <p className="text-sm text-gray-600">
+            Control which playbooks MCP clients can invoke through this gateway.
+          </p>
+        </div>
+
+        <div className="grid min-h-0 flex-1 grid-cols-1 content-start gap-3 overflow-y-auto">
+          {playbooks.map((playbook) => {
+            const permissions = permissionsByPlaybook.get(playbook.id) ?? {
+              users: [],
+              groups: []
+            };
+
+            return (
+              <PermissionAccessCard
+                key={playbook.id}
+                entity={{
+                  id: playbook.id,
+                  name: playbook.title || playbook.name,
+                  namespace: playbook.namespace,
+                  icon: playbook.icon
+                }}
+                users={permissions.users}
+                groups={permissions.groups}
+                subjectLookup={subjectLookup}
+                globalOverride={
+                  globalOverrideByPlaybook.get(playbook.id) ?? "none"
+                }
+                isMutating={mutatingPlaybookId === playbook.id}
+                onGlobalOverrideChange={(override) => {
+                  setMutatingPlaybookId(playbook.id);
+                  setGlobalOverride(
+                    { playbookId: playbook.id, override },
+                    {
+                      onSettled: () => {
+                        setMutatingPlaybookId((current) =>
+                          current === playbook.id ? null : current
+                        );
+                      }
+                    }
+                  );
+                }}
+                onAllowSelective={() => setSelectedPlaybookId(playbook.id)}
+              />
+            );
+          })}
+        </div>
+      </div>
+
+      <SubjectSelectorModal
+        open={!!selectedPlaybook}
+        onOpenChange={(open) => {
+          if (!open) {
+            setSelectedPlaybookId(null);
+          }
+        }}
+        title={`Allow access: ${selectedPlaybook?.title || selectedPlaybook?.name || ""}`}
+        description="Select users or groups to allow this playbook for MCP usage."
+        preselectedSubjectIds={
+          selectedPlaybook
+            ? playbookPermissions
+                .filter(
+                  (permission) =>
+                    permission.playbook_id === selectedPlaybook.id &&
+                    permission.deny !== true &&
+                    permission.subject &&
+                    (permission.subject_type === "person" ||
+                      permission.subject_type === "team" ||
+                      permission.subject_type === "group")
+                )
+                .map((permission) => permission.subject!)
+            : []
+        }
+        isSubmitting={isAllowingSelective}
+        onAllow={async (subjects) => {
+          if (!selectedPlaybook) {
+            return;
+          }
+
+          await allowSelectiveAccess({
+            playbookId: selectedPlaybook.id,
+            subjects
+          });
+        }}
+      />
+    </McpTabsLinks>
+  );
+}
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
new file mode 100644
index 0000000000..0e891704f5
--- /dev/null
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -0,0 +1,463 @@
+import {
+  addPermission,
+  deletePermission,
+  fetchMcpViewPermissions,
+  updatePermission,
+  fetchPermissionSubjects,
+  PermissionSubject
+} from "@flanksource-ui/api/services/permissions";
+import { getAllViews, View } from "@flanksource-ui/api/services/views";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import PermissionAccessCard from "@flanksource-ui/components/MCP/PermissionAccessCard";
+import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import SubjectSelectorModal from "@flanksource-ui/components/MCP/SubjectSelectorModal";
+import {
+  toastError,
+  toastSuccess
+} from "@flanksource-ui/components/Toast/toast";
+import { useUser } from "@flanksource-ui/context";
+import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
+
+type PermissionBuckets = {
+  users: PermissionsSummary[];
+  groups: PermissionsSummary[];
+};
+
+const EVERYONE_SUBJECT_ID = "everyone";
+const EVERYONE_SUBJECT_TYPE = "role";
+
+function permissionMatchesView(permission: PermissionsSummary, view: View) {
+  const viewRefs = permission.object_selector?.views ?? [];
+
+  return viewRefs.some((viewRef) => {
+    if (!viewRef.name) {
+      return false;
+    }
+
+    if (viewRef.namespace) {
+      return viewRef.namespace === view.namespace && viewRef.name === view.name;
+    }
+
+    return viewRef.name === view.name;
+  });
+}
+
+export default function McpViewsPage() {
+  const { user } = useUser();
+  const [selectedViewId, setSelectedViewId] = useState<string | null>(null);
+  const [mutatingViewId, setMutatingViewId] = useState<string | null>(null);
+
+  const {
+    isLoading: isViewsLoading,
+    data: viewsResponse,
+    refetch: refetchViews,
+    isRefetching: isViewsRefetching
+  } = useQuery({
+    queryKey: ["mcp", "views", "all"],
+    queryFn: async () => getAllViews(undefined, 0, 1000)
+  });
+
+  const views = viewsResponse?.data ?? [];
+
+  const {
+    data: viewPermissions = [],
+    isLoading: isPermissionsLoading,
+    refetch: refetchPermissions,
+    isRefetching: isPermissionsRefetching
+  } = useQuery({
+    queryKey: ["mcp", "views", "permissions"],
+    queryFn: fetchMcpViewPermissions
+  });
+
+  const { data: permissionSubjects = [] } = useQuery({
+    queryKey: ["mcp", "permission-subjects", "all"],
+    queryFn: fetchPermissionSubjects
+  });
+
+  const subjectLookup = useMemo(() => {
+    return Object.fromEntries(
+      permissionSubjects.map((subject) => [
+        subject.id,
+        { name: subject.name, type: subject.type }
+      ])
+    );
+  }, [permissionSubjects]);
+
+  const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
+    useMutation({
+      mutationFn: async ({
+        view,
+        override
+      }: {
+        view: View;
+        override: "allow" | "none" | "deny";
+      }) => {
+        const existingOverrides = viewPermissions.filter(
+          (permission) =>
+            permission.action === "mcp:run" &&
+            permission.subject_type === EVERYONE_SUBJECT_TYPE &&
+            permission.subject === EVERYONE_SUBJECT_ID &&
+            permission.id &&
+            permission.source === "mcp_settings" &&
+            permissionMatchesView(permission, view)
+        );
+
+        if (override === "none") {
+          await Promise.all(
+            existingOverrides.map((permission) =>
+              deletePermission(permission.id)
+            )
+          );
+          return;
+        }
+
+        const targetDeny = override === "deny";
+        const existingOverride = existingOverrides[0];
+
+        if (existingOverride) {
+          if (existingOverride.deny !== targetDeny) {
+            await updatePermission({
+              id: existingOverride.id,
+              deny: targetDeny
+            } as any);
+          }
+          return;
+        }
+
+        await addPermission({
+          object_selector: {
+            views: [{ name: view.name, namespace: view.namespace }]
+          },
+          action: "mcp:run",
+          subject: EVERYONE_SUBJECT_ID,
+          subject_type: EVERYONE_SUBJECT_TYPE,
+          deny: targetDeny,
+          source: "mcp_settings",
+          created_by: user?.id!
+        } as any);
+      },
+      onSuccess: () => {
+        refetchPermissions();
+      },
+      onError: (error) => {
+        toastError(error as any);
+      }
+    });
+
+  const { mutateAsync: allowSelectiveAccess, isLoading: isAllowingSelective } =
+    useMutation({
+      mutationFn: async ({
+        view,
+        subjects
+      }: {
+        view: View;
+        subjects: PermissionSubject[];
+      }) => {
+        const normalizeSubject = (subject: PermissionSubject) => {
+          const subjectType =
+            subject.type === "person"
+              ? "person"
+              : subject.type === "team"
+                ? "team"
+                : subject.type === "permission_subject_group"
+                  ? "group"
+                  : null;
+
+          if (!subjectType) {
+            return null;
+          }
+
+          return `${subjectType}:${subject.id}`;
+        };
+
+        const desiredKeys = new Set(
+          subjects.map(normalizeSubject).filter(Boolean) as string[]
+        );
+
+        const existingPermissions = viewPermissions.filter(
+          (permission) =>
+            permission.action === "mcp:run" &&
+            permission.deny !== true &&
+            permission.subject &&
+            permission.id &&
+            (permission.subject_type === "person" ||
+              permission.subject_type === "team" ||
+              permission.subject_type === "group") &&
+            (permission.source === "mcp_settings" ||
+              permission.source === "UI") &&
+            permissionMatchesView(permission, view)
+        );
+
+        const existingKeys = new Set(
+          existingPermissions.map(
+            (permission) => `${permission.subject_type}:${permission.subject}`
+          )
+        );
+
+        const viewSelector = [{ name: view.name, namespace: view.namespace }];
+
+        const payloads = subjects
+          .map((subject) => {
+            const subjectType =
+              subject.type === "person"
+                ? "person"
+                : subject.type === "team"
+                  ? "team"
+                  : subject.type === "permission_subject_group"
+                    ? "group"
+                    : null;
+
+            if (!subjectType) {
+              return null;
+            }
+
+            const key = `${subjectType}:${subject.id}`;
+            if (existingKeys.has(key)) {
+              return null;
+            }
+
+            return {
+              object_selector: { views: viewSelector },
+              action: "mcp:run",
+              subject: subject.id,
+              subject_type: subjectType,
+              deny: false,
+              source: "mcp_settings" as const,
+              created_by: user?.id
+            };
+          })
+          .filter(Boolean);
+
+        const deleteIds = existingPermissions
+          .filter(
+            (permission) =>
+              !desiredKeys.has(
+                `${permission.subject_type}:${permission.subject}`
+              )
+          )
+          .map((permission) => permission.id);
+
+        await Promise.all([
+          ...payloads.map((payload) => addPermission(payload as any)),
+          ...deleteIds.map((id) => deletePermission(id))
+        ]);
+
+        return {
+          added: payloads.length,
+          removed: deleteIds.length
+        };
+      },
+      onSuccess: ({ added, removed }) => {
+        if (added === 0 && removed === 0) {
+          toastSuccess("No permission changes");
+        } else {
+          toastSuccess(`Updated permissions: +${added} / -${removed}`);
+        }
+
+        setSelectedViewId(null);
+        refetchPermissions();
+      },
+      onError: (error) => {
+        toastError(error as any);
+      }
+    });
+
+  const permissionsByView = useMemo(() => {
+    const map = new Map<string, PermissionBuckets>();
+
+    const viewsByNamespacedRef = new Map<string, View>();
+    const viewsByName = new Map<string, View[]>();
+
+    for (const view of views) {
+      viewsByNamespacedRef.set(`${view.namespace || ""}/${view.name}`, view);
+
+      const existingViews = viewsByName.get(view.name) ?? [];
+      existingViews.push(view);
+      viewsByName.set(view.name, existingViews);
+    }
+
+    for (const permission of viewPermissions) {
+      if (permission.deny === true) {
+        continue;
+      }
+
+      if (
+        permission.subject_type === EVERYONE_SUBJECT_TYPE &&
+        permission.subject === EVERYONE_SUBJECT_ID
+      ) {
+        continue;
+      }
+
+      const viewRefs = permission.object_selector?.views ?? [];
+      if (viewRefs.length === 0) {
+        continue;
+      }
+
+      for (const viewRef of viewRefs) {
+        const matchedView = viewRef.namespace
+          ? viewsByNamespacedRef.get(`${viewRef.namespace}/${viewRef.name}`)
+          : viewsByName.get(viewRef.name)?.[0];
+
+        if (!matchedView) {
+          continue;
+        }
+
+        const current = map.get(matchedView.id) ?? { users: [], groups: [] };
+
+        if (permission.subject_type === "person") {
+          current.users.push(permission);
+        } else if (
+          permission.subject_type === "team" ||
+          permission.subject_type === "group"
+        ) {
+          current.groups.push(permission);
+        }
+
+        map.set(matchedView.id, current);
+      }
+    }
+
+    return map;
+  }, [viewPermissions, views]);
+
+  const globalOverrideByView = useMemo(() => {
+    const map = new Map<string, "allow" | "none" | "deny">();
+
+    for (const permission of viewPermissions) {
+      if (
+        permission.action !== "mcp:run" ||
+        permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
+        permission.subject !== EVERYONE_SUBJECT_ID
+      ) {
+        continue;
+      }
+
+      const viewRefs = permission.object_selector?.views ?? [];
+      for (const viewRef of viewRefs) {
+        const view = views.find(
+          (v) =>
+            v.name === viewRef.name &&
+            (viewRef.namespace ? v.namespace === viewRef.namespace : true)
+        );
+
+        if (view) {
+          map.set(view.id, permission.deny === true ? "deny" : "allow");
+        }
+      }
+    }
+
+    return map;
+  }, [viewPermissions, views]);
+
+  const selectedView = useMemo(() => {
+    return views.find((view) => view.id === selectedViewId);
+  }, [selectedViewId, views]);
+
+  const loading =
+    isViewsLoading ||
+    isPermissionsLoading ||
+    isViewsRefetching ||
+    isPermissionsRefetching ||
+    isUpdatingGlobalOverride ||
+    isAllowingSelective;
+
+  return (
+    <McpTabsLinks
+      activeTab="Views"
+      loading={loading}
+      onRefresh={() => {
+        refetchViews();
+        refetchPermissions();
+      }}
+    >
+      <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
+        <div>
+          <h3 className="text-lg font-semibold text-gray-900">
+            View permissions
+          </h3>
+          <p className="text-sm text-gray-600">
+            Control which views MCP clients can invoke through this gateway.
+          </p>
+        </div>
+
+        <div className="grid min-h-0 flex-1 content-start gap-3 overflow-y-auto [grid-template-columns:repeat(auto-fit,minmax(460px,1fr))]">
+          {views.map((view) => {
+            const permissions = permissionsByView.get(view.id) ?? {
+              users: [],
+              groups: []
+            };
+
+            return (
+              <PermissionAccessCard
+                key={view.id}
+                entity={{
+                  id: view.id,
+                  name: view.spec?.title || view.name,
+                  namespace: view.namespace,
+                  icon: view.spec?.icon || "workflow"
+                }}
+                users={permissions.users}
+                groups={permissions.groups}
+                subjectLookup={subjectLookup}
+                globalOverride={globalOverrideByView.get(view.id) ?? "none"}
+                isMutating={mutatingViewId === view.id}
+                onGlobalOverrideChange={(override) => {
+                  setMutatingViewId(view.id);
+                  setGlobalOverride(
+                    { view, override },
+                    {
+                      onSettled: () => {
+                        setMutatingViewId((current) =>
+                          current === view.id ? null : current
+                        );
+                      }
+                    }
+                  );
+                }}
+                onAllowSelective={() => setSelectedViewId(view.id)}
+              />
+            );
+          })}
+        </div>
+      </div>
+
+      <SubjectSelectorModal
+        open={!!selectedView}
+        onOpenChange={(open) => {
+          if (!open) {
+            setSelectedViewId(null);
+          }
+        }}
+        title={`Allow access: ${selectedView?.spec?.title || selectedView?.name || ""}`}
+        description="Select users or groups to allow this view for MCP usage."
+        preselectedSubjectIds={
+          selectedView
+            ? viewPermissions
+                .filter(
+                  (permission) =>
+                    permission.deny !== true &&
+                    permission.subject &&
+                    (permission.subject_type === "person" ||
+                      permission.subject_type === "team" ||
+                      permission.subject_type === "group") &&
+                    permissionMatchesView(permission, selectedView)
+                )
+                .map((permission) => permission.subject!)
+            : []
+        }
+        isSubmitting={isAllowingSelective}
+        onAllow={async (subjects) => {
+          if (!selectedView) {
+            return;
+          }
+
+          await allowSelectiveAccess({
+            view: selectedView,
+            subjects
+          });
+        }}
+      />
+    </McpTabsLinks>
+  );
+}
diff --git a/src/services/permissions/features.ts b/src/services/permissions/features.ts
index 22ca5c9817..7d6c330ffb 100644
--- a/src/services/permissions/features.ts
+++ b/src/services/permissions/features.ts
@@ -24,7 +24,8 @@ export const features = {
   "settings.notifications": "settings.notifications",
   "settings.playbooks": "settings.playbooks",
   "settings.integrations": "settings.integrations",
-  "settings.permissions": "settings.permissions"
+  "settings.permissions": "settings.permissions",
+  "settings.mcp": "settings.mcp"
 } as const;
 
 export const featureToParentMap = {
diff --git a/src/ui/FormControls/Switch.tsx b/src/ui/FormControls/Switch.tsx
index fe37b69292..69260d71f7 100644
--- a/src/ui/FormControls/Switch.tsx
+++ b/src/ui/FormControls/Switch.tsx
@@ -7,6 +7,8 @@ type Props<T extends string | number | boolean> = {
   options: T[];
   className?: string;
   itemsClassName?: string;
+  activeItemClassName?: string;
+  getActiveItemClassName?: (option: T) => string | undefined;
 } & Omit<React.DetailsHTMLAttributes<HTMLDivElement>, "onChange">;
 
 export function Switch<T extends string | number | boolean>({
@@ -15,9 +17,14 @@ export function Switch<T extends string | number | boolean>({
   value,
   className,
   itemsClassName = "flex-1",
+  activeItemClassName,
+  getActiveItemClassName,
   ...props
 }: Props<T>) {
-  const [activeOption, setActiveOption] = useState(() => value ?? options[0]);
+  const fallbackOption = options[0];
+  const [activeOption, setActiveOption] = useState(
+    () => value ?? fallbackOption
+  );
   const activeClasses =
     "p-1.5 lg:pl-2.5 lg:pr-3.5 rounded-md flex items-center text-sm font-medium bg-white shadow-sm ring-1 ring-black ring-opacity-5";
   const inActiveClasses =
@@ -28,8 +35,8 @@ export function Switch<T extends string | number | boolean>({
   }
 
   useEffect(() => {
-    setActiveOption(value ?? options[0]);
-  }, [options, value]);
+    setActiveOption(value ?? fallbackOption);
+  }, [fallbackOption, value]);
 
   return (
     <div
@@ -49,9 +56,11 @@ export function Switch<T extends string | number | boolean>({
             key={option.toString()}
           >
             <span
-              className={
-                activeOption === option ? activeClasses : inActiveClasses
-              }
+              className={clsx(
+                activeOption === option ? activeClasses : inActiveClasses,
+                activeOption === option && activeItemClassName,
+                activeOption === option && getActiveItemClassName?.(option)
+              )}
             >
               {option}
             </span>

From 3b771f01a0088787af15e02875c798a89e5c5ca7 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 18:32:46 +0545
Subject: [PATCH 02/48] chore: remove playbook and view table for MCP

---
 src/App.tsx                           | 246 ++++++++++++--------------
 src/api/services/permissions.ts       |  39 +---
 src/components/MCP/PlaybooksTable.tsx | 185 -------------------
 src/components/MCP/ViewsTable.tsx     | 184 -------------------
 4 files changed, 115 insertions(+), 539 deletions(-)
 delete mode 100644 src/components/MCP/PlaybooksTable.tsx
 delete mode 100644 src/components/MCP/ViewsTable.tsx

diff --git a/src/App.tsx b/src/App.tsx
index 6b7179a2e3..b7b5efa31c 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -392,139 +392,121 @@ const settingsNav: SettingsNavigationItems = {
   name: "Settings",
   icon: AdjustmentsIcon,
   checkPath: false,
-  submenu: (() => {
-    const sortedSubmenu = [
-      {
-        name: "Connections",
-        href: "/settings/connections",
-        icon: BsLink,
-        featureName: features["settings.connections"],
-        resourceName: tables.connections
-      },
-      {
-        name: "Permissions",
-        href: "/settings/permissions",
-        icon: RiShieldUserFill,
-        featureName: features["settings.permissions"],
-        resourceName: tables.permissions
-      },
-      {
-        name: "Scopes",
-        href: "/settings/scopes",
-        icon: FaCrosshairs,
-        featureName: features["settings.permissions"],
-        resourceName: tables.scopes
-      },
-      ...(process.env.NEXT_PUBLIC_AUTH_IS_CLERK === "true"
-        ? []
-        : [
-            {
-              name: "Users",
-              href: "/settings/users",
-              icon: HiUser,
-              featureName: features["settings.users"],
-              resourceName: tables.identities
-            }
-          ]),
-      ...schemaResourceTypes
-        // remove catalog_scraper from settings
-        .filter((resource) => resource.table !== "config_scrapers")
-        .map((x) => ({
-          ...x,
-          href: `/settings/${x.table}`
-        })),
-      {
-        name: "Jobs History",
-        href: "/settings/jobs",
-        icon: FaTasks,
-        featureName: features["settings.job_history"],
-        resourceName: tables.database
-      },
-      {
-        name: "MCP",
-        href: "/settings/mcp",
-        icon: ({ className }: { className: string }) => (
-          <Icon name="mcp" className={`${className} [&_path]:!fill-white`} />
-        ),
-        featureName: features["settings.mcp"],
-        resourceName: tables.database
-      },
-      {
-        name: "Feature Flags",
-        href: "/settings/feature-flags",
-        icon: BsToggles,
-        featureName: features["settings.feature_flags"],
-        resourceName: tables.database
-      },
-      {
-        name: "Log Backends",
-        href: "/settings/log-backends",
-        icon: LogsIcon,
-        featureName: features["logs"],
-        resourceName: tables.database
-      },
-      {
-        name: "Event Queue",
-        href: "/settings/event-queue-status",
-        icon: FaTasks,
-        featureName: features["settings.event_queue_status"],
-        resourceName: tables.database
-      },
-      {
-        name: "Agents",
-        href: "/settings/agents",
-        icon: MdOutlineSupportAgent,
-        featureName: features.agents,
-        resourceName: tables.database
-      },
-      {
-        name: "Tokens",
-        href: "/settings/tokens",
-        icon: VscKey,
-        featureName: features.agents,
-        resourceName: tables.database
-      },
-      {
-        name: "Notifications",
-        href: "/notifications/rules",
-        icon: FaBell,
-        featureName: features["settings.notifications"],
-        resourceName: tables.notifications
-      },
-      {
-        name: "Integrations",
-        href: "/settings/integrations",
-        icon: MdOutlineIntegrationInstructions,
-        featureName: features["settings.integrations"],
-        resourceName: tables.database
-      },
-      {
-        name: "Views",
-        href: "/settings/views",
-        icon: ({ className }: { className: string }) => (
-          <Icon name="workflow" className={className} />
-        ),
-        featureName: features.views,
-        resourceName: tables.views
-      }
-    ].sort((v1, v2) => stringSortHelper(v1.name, v2.name));
-
-    const jobsHistoryIndex = sortedSubmenu.findIndex(
-      (item) => item.name === "Jobs History"
-    );
-    const mcpIndex = sortedSubmenu.findIndex((item) => item.name === "MCP");
-
-    if (
-      jobsHistoryIndex !== -1 &&
-      mcpIndex !== -1 &&
-      mcpIndex !== jobsHistoryIndex + 1
-    ) {
-      const [mcpItem] = sortedSubmenu.splice(mcpIndex, 1);
-      sortedSubmenu.splice(jobsHistoryIndex + 1, 0, mcpItem);
+  submenu: [
+    {
+      name: "Connections",
+      href: "/settings/connections",
+      icon: BsLink,
+      featureName: features["settings.connections"],
+      resourceName: tables.connections
+    },
+    {
+      name: "Permissions",
+      href: "/settings/permissions",
+      icon: RiShieldUserFill,
+      featureName: features["settings.permissions"],
+      resourceName: tables.permissions
+    },
+    {
+      name: "Scopes",
+      href: "/settings/scopes",
+      icon: FaCrosshairs,
+      featureName: features["settings.permissions"],
+      resourceName: tables.scopes
+    },
+    ...(process.env.NEXT_PUBLIC_AUTH_IS_CLERK === "true"
+      ? []
+      : [
+          {
+            name: "Users",
+            href: "/settings/users",
+            icon: HiUser,
+            featureName: features["settings.users"],
+            resourceName: tables.identities
+          }
+        ]),
+    ...schemaResourceTypes
+      // remove catalog_scraper from settings
+      .filter((resource) => resource.table !== "config_scrapers")
+      .map((x) => ({
+        ...x,
+        href: `/settings/${x.table}`
+      })),
+    {
+      name: "Jobs History",
+      href: "/settings/jobs",
+      icon: FaTasks,
+      featureName: features["settings.job_history"],
+      resourceName: tables.database
+    },
+    {
+      name: "MCP",
+      href: "/settings/mcp",
+      icon: ({ className }: { className: string }) => (
+        <Icon name="mcp" className={`${className} [&_path]:!fill-white`} />
+      ),
+      featureName: features["settings.mcp"],
+      resourceName: tables.database
+    },
+    {
+      name: "Feature Flags",
+      href: "/settings/feature-flags",
+      icon: BsToggles,
+      featureName: features["settings.feature_flags"],
+      resourceName: tables.database
+    },
+    {
+      name: "Log Backends",
+      href: "/settings/log-backends",
+      icon: LogsIcon,
+      featureName: features["logs"],
+      resourceName: tables.database
+    },
+    {
+      name: "Event Queue",
+      href: "/settings/event-queue-status",
+      icon: FaTasks,
+      featureName: features["settings.event_queue_status"],
+      resourceName: tables.database
+    },
+    {
+      name: "Agents",
+      href: "/settings/agents",
+      icon: MdOutlineSupportAgent,
+      featureName: features.agents,
+      resourceName: tables.database
+    },
+    {
+      name: "Tokens",
+      href: "/settings/tokens",
+      icon: VscKey,
+      featureName: features.agents,
+      resourceName: tables.database
+    },
+    {
+      name: "Notifications",
+      href: "/notifications/rules",
+      icon: FaBell,
+      featureName: features["settings.notifications"],
+      resourceName: tables.notifications
+    },
+    {
+      name: "Integrations",
+      href: "/settings/integrations",
+      icon: MdOutlineIntegrationInstructions,
+      featureName: features["settings.integrations"],
+      resourceName: tables.database
+    },
+    {
+      name: "Views",
+      href: "/settings/views",
+      icon: ({ className }: { className: string }) => (
+        <Icon name="workflow" className={className} />
+      ),
+      featureName: features.views,
+      resourceName: tables.views
     }
-
-    return sortedSubmenu;
-  })()
+  ].sort((v1, v2) => stringSortHelper(v1.name, v2.name))
 };
 
 const CANARY_API = "/api/canary/api/summary";
diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index d1885d8d94..9bac9ee910 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -1,4 +1,4 @@
-import { apiBase, IncidentCommander } from "../axios";
+import { IncidentCommander } from "../axios";
 import { resolvePostGrestRequestWithPagination } from "../resolve";
 import { PermissionsSummary, PermissionTable } from "../types/permissions";
 import { AVATAR_INFO } from "@flanksource-ui/constants";
@@ -156,43 +156,6 @@ export function recheckPermission(id: string) {
   });
 }
 
-export type BulkApplySelection = {
-  mode: "selective" | "all" | "allExcept";
-  ids: string[];
-};
-
-export type BulkApplyScope = {
-  table: "playbooks" | "views";
-  filters?: Record<string, unknown>;
-};
-
-export type BulkApplyPermissionRequest = {
-  action: "allow" | "deny";
-  selection: BulkApplySelection;
-  scope: BulkApplyScope;
-};
-
-export async function bulkApplyPermission(payload: BulkApplyPermissionRequest) {
-  const response = await apiBase.post("/permission/bulk-apply", payload);
-  return response.data;
-}
-
-export type BulkApplyMcpPermissionRequest = {
-  object: "mcp";
-  action: "mcp:use";
-  changes: Array<{
-    user_id: string;
-    effect: "allow" | "deny" | "remove";
-  }>;
-};
-
-export async function bulkApplyMcpPermission(
-  payload: BulkApplyMcpPermissionRequest
-) {
-  const response = await apiBase.post("/permission/bulk-apply", payload);
-  return response.data;
-}
-
 export async function fetchMcpPlaybookPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
     "/permissions_summary?select=*&action=eq.mcp:run&playbook_id=not.is.null&deleted_at=is.null&limit=5000"
diff --git a/src/components/MCP/PlaybooksTable.tsx b/src/components/MCP/PlaybooksTable.tsx
deleted file mode 100644
index 8e8e245f1c..0000000000
--- a/src/components/MCP/PlaybooksTable.tsx
+++ /dev/null
@@ -1,185 +0,0 @@
-import { bulkApplyMcpPermission } from "@flanksource-ui/api/services/permissions";
-import { PlaybookNames } from "@flanksource-ui/api/types/playbooks";
-import { Button } from "@flanksource-ui/components";
-import {
-  toastError,
-  toastSuccess
-} from "@flanksource-ui/components/Toast/toast";
-import useMrtBulkSelection from "@flanksource-ui/ui/MRTDataTable/Hooks/useMrtBulkSelection";
-import MRTDataTable from "@flanksource-ui/ui/MRTDataTable/MRTDataTable";
-import { MRT_ColumnDef } from "mantine-react-table";
-import { ChangeEvent, useCallback } from "react";
-
-type PlaybooksTableProps = {
-  data: PlaybookNames[];
-  isLoading?: boolean;
-  pageCount?: number;
-  totalRowCount?: number;
-};
-
-const columns: MRT_ColumnDef<PlaybookNames>[] = [
-  {
-    header: "Name",
-    accessorKey: "name"
-  },
-  {
-    header: "Namespace",
-    accessorKey: "namespace"
-  },
-  {
-    header: "Title",
-    accessorKey: "title"
-  },
-  {
-    header: "Category",
-    accessorKey: "category"
-  },
-  {
-    header: "Description",
-    accessorKey: "description"
-  }
-];
-
-export default function PlaybooksTable({
-  data,
-  isLoading,
-  pageCount,
-  totalRowCount = 0
-}: PlaybooksTableProps) {
-  const {
-    rowSelection,
-    hasSelectedRows,
-    selectionSummary,
-    onRowSelectionChange,
-    onSelectAllChange,
-    clearSelection,
-    buildPayload
-  } = useMrtBulkSelection<PlaybookNames, { table: "playbooks" }>({
-    rows: data,
-    totalRowCount,
-    getRowId: (row) => row.id,
-    selectionScope: { table: "playbooks" }
-  });
-
-  const triggerBulkAction = useCallback(
-    async (action: "allow" | "deny") => {
-      const selection = buildPayload();
-
-      if (selection.mode !== "selective") {
-        toastError(
-          "This endpoint only accepts explicit user changes. Please select rows directly instead of using Select All."
-        );
-        return;
-      }
-
-      if (selection.ids.length === 0) {
-        toastError("No rows selected");
-        return;
-      }
-
-      try {
-        await bulkApplyMcpPermission({
-          object: "mcp",
-          action: "mcp:use",
-          changes: selection.ids.map((id) => ({
-            user_id: id,
-            effect: action
-          }))
-        });
-
-        toastSuccess(
-          `Applied ${action} to ${selection.ids.length} selected rows`
-        );
-
-        clearSelection();
-      } catch (error) {
-        toastError(error as any);
-      }
-    },
-    [buildPayload, clearSelection]
-  );
-
-  return (
-    <>
-      <div className="pointer-events-none absolute inset-x-0 top-3 z-50 flex justify-center px-4">
-        <div
-          className={`pointer-events-auto flex flex-row flex-wrap items-center gap-1.5 rounded-xl border border-gray-300 bg-gray-100 px-2.5 py-1.5 shadow-lg transition-all duration-500 ease-out ${
-            hasSelectedRows
-              ? "translate-y-0 opacity-100"
-              : "translate-y-2 opacity-0"
-          }`}
-        >
-          <span className="pr-1 text-xs font-medium text-gray-700">
-            {selectionSummary}
-          </span>
-          <Button
-            size="none"
-            disabled={!hasSelectedRows}
-            className="rounded border border-gray-400 bg-white px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-50"
-            onClick={() => triggerBulkAction("allow")}
-          >
-            Allow All
-          </Button>
-          <Button
-            size="none"
-            disabled={!hasSelectedRows}
-            className="rounded border border-gray-400 bg-gray-200 px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-300"
-            onClick={() => triggerBulkAction("deny")}
-          >
-            Deny All
-          </Button>
-        </div>
-      </div>
-      <div className="relative flex h-full flex-col">
-        <MRTDataTable
-          columns={columns}
-          data={data}
-          isLoading={isLoading}
-          enableServerSidePagination
-          enableServerSideSorting
-          manualPageCount={pageCount}
-          totalRowCount={totalRowCount}
-          defaultPageSize={50}
-          enableRowSelection
-          enableSelectAll
-          getRowId={(row) => row.id}
-          rowSelection={rowSelection}
-          onRowSelectionChange={onRowSelectionChange}
-          mantineSelectCheckboxProps={{
-            size: "xs",
-            radius: "lg",
-            styles: {
-              icon: {
-                display: "none"
-              },
-              input: {
-                opacity: 0.9,
-                borderWidth: 1,
-                borderColor: "#d1d5db",
-                backgroundColor: "#f9fafb"
-              }
-            }
-          }}
-          mantineSelectAllCheckboxProps={{
-            size: "xs",
-            radius: "lg",
-            onChange: (event: ChangeEvent<HTMLInputElement>) => {
-              onSelectAllChange(event.currentTarget.checked);
-            },
-            styles: {
-              icon: {
-                display: "none"
-              },
-              input: {
-                opacity: 0.9,
-                borderWidth: 1,
-                borderColor: "#d1d5db",
-                backgroundColor: "#f9fafb"
-              }
-            }
-          }}
-        />
-      </div>
-    </>
-  );
-}
diff --git a/src/components/MCP/ViewsTable.tsx b/src/components/MCP/ViewsTable.tsx
deleted file mode 100644
index 7cf311c841..0000000000
--- a/src/components/MCP/ViewsTable.tsx
+++ /dev/null
@@ -1,184 +0,0 @@
-import {
-  bulkApplyPermission,
-  BulkApplyScope
-} from "@flanksource-ui/api/services/permissions";
-import { View } from "@flanksource-ui/api/services/views";
-import { Button } from "@flanksource-ui/components";
-import {
-  toastError,
-  toastSuccess
-} from "@flanksource-ui/components/Toast/toast";
-import useMrtBulkSelection from "@flanksource-ui/ui/MRTDataTable/Hooks/useMrtBulkSelection";
-import { MRTDateCell } from "@flanksource-ui/ui/MRTDataTable/Cells/MRTDateCells";
-import MRTDataTable from "@flanksource-ui/ui/MRTDataTable/MRTDataTable";
-import { MRT_ColumnDef } from "mantine-react-table";
-import { ChangeEvent, useCallback } from "react";
-
-type ViewsTableProps = {
-  data: View[];
-  isLoading?: boolean;
-  pageCount?: number;
-  totalRowCount?: number;
-  filters?: Record<string, unknown>;
-};
-
-const columns: MRT_ColumnDef<View>[] = [
-  {
-    header: "Name",
-    accessorKey: "name"
-  },
-  {
-    header: "Namespace",
-    accessorKey: "namespace"
-  },
-  {
-    header: "Source",
-    accessorKey: "source"
-  },
-  {
-    header: "Created",
-    accessorKey: "created_at",
-    Cell: MRTDateCell,
-    sortingFn: "datetime"
-  },
-  {
-    header: "Updated",
-    accessorKey: "updated_at",
-    Cell: MRTDateCell,
-    sortingFn: "datetime"
-  }
-];
-
-export default function ViewsTable({
-  data,
-  isLoading,
-  pageCount,
-  totalRowCount = 0,
-  filters = {}
-}: ViewsTableProps) {
-  const {
-    rowSelection,
-    hasSelectedRows,
-    selectionSummary,
-    onRowSelectionChange,
-    onSelectAllChange,
-    clearSelection,
-    buildPayload
-  } = useMrtBulkSelection<View, { table: "views" }>({
-    rows: data,
-    totalRowCount,
-    getRowId: (row) => row.id,
-    selectionScope: { table: "views" }
-  });
-
-  const triggerBulkAction = useCallback(
-    async (action: "allow" | "deny") => {
-      const selection = buildPayload();
-      const scope: BulkApplyScope = {
-        table: "views",
-        filters
-      };
-
-      try {
-        await bulkApplyPermission({
-          action,
-          selection,
-          scope
-        });
-
-        toastSuccess(
-          `action=${action}, ids=${selection.ids.join(",") || "none"}, mode=${selection.mode}`
-        );
-
-        clearSelection();
-      } catch (error) {
-        toastError(error as any);
-      }
-    },
-    [buildPayload, clearSelection, filters]
-  );
-
-  return (
-    <>
-      <div className="pointer-events-none absolute inset-x-0 top-3 z-50 flex justify-center px-4">
-        <div
-          className={`pointer-events-auto flex flex-row flex-wrap items-center gap-1.5 rounded-xl border border-gray-300 bg-gray-100 px-2.5 py-1.5 shadow-lg transition-all duration-500 ease-out ${
-            hasSelectedRows
-              ? "translate-y-0 opacity-100"
-              : "translate-y-2 opacity-0"
-          }`}
-        >
-          <span className="pr-1 text-xs font-medium text-gray-700">
-            {selectionSummary}
-          </span>
-          <Button
-            size="none"
-            disabled={!hasSelectedRows}
-            className="rounded border border-gray-400 bg-white px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-50"
-            onClick={() => triggerBulkAction("allow")}
-          >
-            Allow All
-          </Button>
-          <Button
-            size="none"
-            disabled={!hasSelectedRows}
-            className="rounded border border-gray-400 bg-gray-200 px-2 py-1 text-xs leading-none text-gray-800 hover:bg-gray-300"
-            onClick={() => triggerBulkAction("deny")}
-          >
-            Deny All
-          </Button>
-        </div>
-      </div>
-      <div className="relative flex h-full flex-col">
-        <MRTDataTable
-          columns={columns}
-          data={data}
-          isLoading={isLoading}
-          enableServerSideSorting
-          enableServerSidePagination
-          manualPageCount={pageCount}
-          totalRowCount={totalRowCount}
-          defaultPageSize={50}
-          enableRowSelection
-          enableSelectAll
-          getRowId={(row) => row.id}
-          rowSelection={rowSelection}
-          onRowSelectionChange={onRowSelectionChange}
-          mantineSelectCheckboxProps={{
-            size: "xs",
-            radius: "lg",
-            styles: {
-              icon: {
-                display: "none"
-              },
-              input: {
-                opacity: 0.9,
-                borderWidth: 1,
-                borderColor: "#d1d5db",
-                backgroundColor: "#f9fafb"
-              }
-            }
-          }}
-          mantineSelectAllCheckboxProps={{
-            size: "xs",
-            radius: "lg",
-            onChange: (event: ChangeEvent<HTMLInputElement>) => {
-              onSelectAllChange(event.currentTarget.checked);
-            },
-            styles: {
-              icon: {
-                display: "none"
-              },
-              input: {
-                opacity: 0.9,
-                borderWidth: 1,
-                borderColor: "#d1d5db",
-                backgroundColor: "#f9fafb"
-              }
-            }
-          }}
-        />
-      </div>
-    </>
-  );
-}

From 8574f7c425735c11472760ee60edeb2ef4cf0736 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 18:09:39 +0545
Subject: [PATCH 03/48] chore: refactor file paths

---
 src/api/services/permissions.ts               |   8 +
 .../PermissionAccessCard.tsx                  |   0
 .../SubjectSelectorModal.tsx                  |   0
 src/pages/Settings/mcp/McpOverviewPage.tsx    | 416 +++++++++++++++++-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |   4 +-
 src/pages/Settings/mcp/McpViewsPage.tsx       |   4 +-
 6 files changed, 412 insertions(+), 20 deletions(-)
 rename src/components/{MCP => Permissions}/PermissionAccessCard.tsx (100%)
 rename src/components/{MCP => Permissions}/SubjectSelectorModal.tsx (100%)

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 9bac9ee910..bc11946391 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -172,6 +172,14 @@ export async function fetchMcpViewPermissions() {
   return response.data ?? [];
 }
 
+export async function fetchMcpUserPermissions() {
+  const response = await IncidentCommander.get<PermissionsSummary[] | null>(
+    "/permissions_summary?select=*&action=eq.mcp:use&person_id=not.is.null&deleted_at=is.null&limit=5000"
+  );
+
+  return response.data ?? [];
+}
+
 export type PermissionSubject = {
   id: string;
   name: string;
diff --git a/src/components/MCP/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
similarity index 100%
rename from src/components/MCP/PermissionAccessCard.tsx
rename to src/components/Permissions/PermissionAccessCard.tsx
diff --git a/src/components/MCP/SubjectSelectorModal.tsx b/src/components/Permissions/SubjectSelectorModal.tsx
similarity index 100%
rename from src/components/MCP/SubjectSelectorModal.tsx
rename to src/components/Permissions/SubjectSelectorModal.tsx
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 13176ddb01..69d0da55d5 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -1,30 +1,414 @@
-import PermissionsView from "@flanksource-ui/components/Permissions/PermissionsView";
-import { useRef, useState } from "react";
+import { getPersons } from "@flanksource-ui/api/services/users";
+import {
+  addPermission,
+  deletePermission,
+  fetchMcpUserPermissions,
+  fetchPermissionSubjects,
+  PermissionSubject,
+  updatePermission
+} from "@flanksource-ui/api/services/permissions";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
+import {
+  toastError,
+  toastSuccess
+} from "@flanksource-ui/components/Toast/toast";
+import { useUser } from "@flanksource-ui/context";
+import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
 
-const MCP_ACTIONS_FILTER = "mcp____run:1,mcp____use:1";
+type PermissionBuckets = {
+  users: PermissionsSummary[];
+  groups: PermissionsSummary[];
+};
+
+const EVERYONE_SUBJECT_ID = "everyone";
+const EVERYONE_SUBJECT_TYPE = "role";
 
 export default function McpOverviewPage() {
-  const [isLoading, setIsLoading] = useState(false);
-  const refetchFunctionRef = useRef<(() => void) | null>(null);
+  const { user } = useUser();
+  const [selectedUserId, setSelectedUserId] = useState<string | null>(null);
+  const [mutatingUserId, setMutatingUserId] = useState<string | null>(null);
+
+  const {
+    data: usersResponse,
+    isLoading: isUsersLoading,
+    refetch: refetchUsers,
+    isRefetching: isUsersRefetching
+  } = useQuery({
+    queryKey: ["mcp", "users", "all"],
+    queryFn: getPersons
+  });
+
+  const users = usersResponse?.data ?? [];
+
+  const {
+    data: userPermissions = [],
+    isLoading: isPermissionsLoading,
+    refetch: refetchPermissions,
+    isRefetching: isPermissionsRefetching
+  } = useQuery({
+    queryKey: ["mcp", "users", "permissions"],
+    queryFn: fetchMcpUserPermissions
+  });
+
+  const { data: permissionSubjects = [] } = useQuery({
+    queryKey: ["mcp", "permission-subjects", "all"],
+    queryFn: fetchPermissionSubjects
+  });
+
+  const subjectLookup = useMemo(() => {
+    return Object.fromEntries(
+      permissionSubjects.map((subject) => [
+        subject.id,
+        { name: subject.name, type: subject.type }
+      ])
+    );
+  }, [permissionSubjects]);
+
+  const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
+    useMutation({
+      mutationFn: async ({
+        personId,
+        override
+      }: {
+        personId: string;
+        override: "allow" | "none" | "deny";
+      }) => {
+        const existingOverrides = userPermissions.filter(
+          (permission) =>
+            permission.person_id === personId &&
+            permission.action === "mcp:use" &&
+            permission.subject_type === EVERYONE_SUBJECT_TYPE &&
+            permission.subject === EVERYONE_SUBJECT_ID &&
+            permission.id &&
+            permission.source === "mcp_settings"
+        );
+
+        if (override === "none") {
+          await Promise.all(
+            existingOverrides.map((permission) =>
+              deletePermission(permission.id)
+            )
+          );
+          return;
+        }
+
+        const targetDeny = override === "deny";
+        const existingOverride = existingOverrides[0];
+
+        if (existingOverride) {
+          if (existingOverride.deny !== targetDeny) {
+            await updatePermission({
+              id: existingOverride.id,
+              deny: targetDeny
+            } as any);
+          }
+          return;
+        }
+
+        await addPermission({
+          person_id: personId,
+          object: "mcp",
+          action: "mcp:use",
+          subject: EVERYONE_SUBJECT_ID,
+          subject_type: EVERYONE_SUBJECT_TYPE,
+          deny: targetDeny,
+          source: "mcp_settings",
+          created_by: user?.id!
+        } as any);
+      },
+      onSuccess: () => {
+        refetchPermissions();
+      },
+      onError: (error) => {
+        toastError(error as any);
+      }
+    });
+
+  const { mutateAsync: allowSelectiveAccess, isLoading: isAllowingSelective } =
+    useMutation({
+      mutationFn: async ({
+        personId,
+        subjects
+      }: {
+        personId: string;
+        subjects: PermissionSubject[];
+      }) => {
+        const normalizeSubject = (subject: PermissionSubject) => {
+          const subjectType =
+            subject.type === "person"
+              ? "person"
+              : subject.type === "team"
+                ? "team"
+                : subject.type === "permission_subject_group"
+                  ? "group"
+                  : null;
+
+          if (!subjectType) {
+            return null;
+          }
+
+          return `${subjectType}:${subject.id}`;
+        };
+
+        const desiredKeys = new Set(
+          subjects.map(normalizeSubject).filter(Boolean) as string[]
+        );
+
+        const existingPermissions = userPermissions.filter(
+          (permission) =>
+            permission.person_id === personId &&
+            permission.action === "mcp:use" &&
+            permission.deny !== true &&
+            permission.subject &&
+            permission.id &&
+            (permission.subject_type === "person" ||
+              permission.subject_type === "team" ||
+              permission.subject_type === "group") &&
+            (permission.source === "mcp_settings" || permission.source === "UI")
+        );
+
+        const existingKeys = new Set(
+          existingPermissions.map(
+            (permission) => `${permission.subject_type}:${permission.subject}`
+          )
+        );
+
+        const payloads = subjects
+          .map((subject) => {
+            const subjectType =
+              subject.type === "person"
+                ? "person"
+                : subject.type === "team"
+                  ? "team"
+                  : subject.type === "permission_subject_group"
+                    ? "group"
+                    : null;
+
+            if (!subjectType) {
+              return null;
+            }
+
+            const key = `${subjectType}:${subject.id}`;
+            if (existingKeys.has(key)) {
+              return null;
+            }
+
+            return {
+              person_id: personId,
+              object: "mcp" as const,
+              action: "mcp:use",
+              subject: subject.id,
+              subject_type: subjectType,
+              deny: false,
+              source: "mcp_settings" as const,
+              created_by: user?.id
+            };
+          })
+          .filter(Boolean);
+
+        const deleteIds = existingPermissions
+          .filter(
+            (permission) =>
+              !desiredKeys.has(
+                `${permission.subject_type}:${permission.subject}`
+              )
+          )
+          .map((permission) => permission.id);
+
+        await Promise.all([
+          ...payloads.map((payload) => addPermission(payload as any)),
+          ...deleteIds.map((id) => deletePermission(id))
+        ]);
+
+        return {
+          added: payloads.length,
+          removed: deleteIds.length
+        };
+      },
+      onSuccess: ({ added, removed }) => {
+        if (added === 0 && removed === 0) {
+          toastSuccess("No permission changes");
+        } else {
+          toastSuccess(`Updated permissions: +${added} / -${removed}`);
+        }
+
+        setSelectedUserId(null);
+        refetchPermissions();
+      },
+      onError: (error) => {
+        toastError(error as any);
+      }
+    });
+
+  const permissionsByUser = useMemo(() => {
+    const map = new Map<string, PermissionBuckets>();
+
+    for (const permission of userPermissions) {
+      if (!permission.person_id || permission.deny === true) {
+        continue;
+      }
+
+      if (
+        permission.subject_type === EVERYONE_SUBJECT_TYPE &&
+        permission.subject === EVERYONE_SUBJECT_ID
+      ) {
+        continue;
+      }
+
+      const current = map.get(permission.person_id) ?? {
+        users: [],
+        groups: []
+      };
+
+      if (permission.subject_type === "person") {
+        current.users.push(permission);
+      } else if (
+        permission.subject_type === "team" ||
+        permission.subject_type === "group"
+      ) {
+        current.groups.push(permission);
+      }
+
+      map.set(permission.person_id, current);
+    }
+
+    return map;
+  }, [userPermissions]);
+
+  const globalOverrideByUser = useMemo(() => {
+    const map = new Map<string, "allow" | "none" | "deny">();
+
+    for (const permission of userPermissions) {
+      if (
+        !permission.person_id ||
+        permission.action !== "mcp:use" ||
+        permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
+        permission.subject !== EVERYONE_SUBJECT_ID
+      ) {
+        continue;
+      }
+
+      map.set(
+        permission.person_id,
+        permission.deny === true ? "deny" : "allow"
+      );
+    }
+
+    return map;
+  }, [userPermissions]);
+
+  const selectedUser = useMemo(() => {
+    return users.find((item) => item.id === selectedUserId);
+  }, [selectedUserId, users]);
+
+  const loading =
+    isUsersLoading ||
+    isPermissionsLoading ||
+    isUsersRefetching ||
+    isPermissionsRefetching ||
+    isUpdatingGlobalOverride ||
+    isAllowingSelective;
 
   return (
     <McpTabsLinks
       activeTab="Overview"
-      loading={isLoading}
-      onRefresh={() => refetchFunctionRef.current?.()}
+      loading={loading}
+      onRefresh={() => {
+        refetchUsers();
+        refetchPermissions();
+      }}
     >
-      <div className="flex h-full w-full flex-1 flex-col p-6 pb-0">
-        <div className="flex min-h-0 flex-1 flex-col">
-          <PermissionsView
-            permissionRequest={{ action: MCP_ACTIONS_FILTER }}
-            setIsLoading={setIsLoading}
-            onRefetch={(refetch) => {
-              refetchFunctionRef.current = refetch;
-            }}
-          />
+      <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
+        <div>
+          <h3 className="text-lg font-semibold text-gray-900">
+            User permissions
+          </h3>
+          <p className="text-sm text-gray-600">
+            Control which users can be used by MCP clients through this gateway.
+          </p>
+        </div>
+
+        <div className="grid min-h-0 flex-1 content-start gap-3 overflow-y-auto [grid-template-columns:repeat(auto-fit,minmax(460px,1fr))]">
+          {users.map((person) => {
+            const permissions = permissionsByUser.get(person.id) ?? {
+              users: [],
+              groups: []
+            };
+
+            return (
+              <PermissionAccessCard
+                key={person.id}
+                entity={{
+                  id: person.id,
+                  name: person.name,
+                  namespace: person.email,
+                  icon: "user"
+                }}
+                users={permissions.users}
+                groups={permissions.groups}
+                subjectLookup={subjectLookup}
+                globalOverride={globalOverrideByUser.get(person.id) ?? "none"}
+                isMutating={mutatingUserId === person.id}
+                onGlobalOverrideChange={(override) => {
+                  setMutatingUserId(person.id);
+                  setGlobalOverride(
+                    { personId: person.id, override },
+                    {
+                      onSettled: () => {
+                        setMutatingUserId((current) =>
+                          current === person.id ? null : current
+                        );
+                      }
+                    }
+                  );
+                }}
+                onAllowSelective={() => setSelectedUserId(person.id)}
+              />
+            );
+          })}
         </div>
       </div>
+
+      <SubjectSelectorModal
+        open={!!selectedUser}
+        onOpenChange={(open) => {
+          if (!open) {
+            setSelectedUserId(null);
+          }
+        }}
+        title={`Allow access: ${selectedUser?.name || ""}`}
+        description="Select users or groups to allow this user for MCP usage."
+        preselectedSubjectIds={
+          selectedUser
+            ? userPermissions
+                .filter(
+                  (permission) =>
+                    permission.person_id === selectedUser.id &&
+                    permission.deny !== true &&
+                    permission.subject &&
+                    (permission.subject_type === "person" ||
+                      permission.subject_type === "team" ||
+                      permission.subject_type === "group")
+                )
+                .map((permission) => permission.subject!)
+            : []
+        }
+        isSubmitting={isAllowingSelective}
+        onAllow={async (subjects) => {
+          if (!selectedUser) {
+            return;
+          }
+
+          await allowSelectiveAccess({
+            personId: selectedUser.id,
+            subjects
+          });
+        }}
+      />
     </McpTabsLinks>
   );
 }
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 2829448404..2a07b3153a 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -8,8 +8,8 @@ import {
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import PermissionAccessCard from "@flanksource-ui/components/MCP/PermissionAccessCard";
-import SubjectSelectorModal from "@flanksource-ui/components/MCP/SubjectSelectorModal";
+import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
+import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import {
   toastError,
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 0e891704f5..07c692046e 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -8,9 +8,9 @@ import {
 } from "@flanksource-ui/api/services/permissions";
 import { getAllViews, View } from "@flanksource-ui/api/services/views";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import PermissionAccessCard from "@flanksource-ui/components/MCP/PermissionAccessCard";
+import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
-import SubjectSelectorModal from "@flanksource-ui/components/MCP/SubjectSelectorModal";
+import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
 import {
   toastError,
   toastSuccess

From 7371529eb951a30bd8880bb68f4cd8319369da89 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 18:20:24 +0545
Subject: [PATCH 04/48] fix(permissions): fix SubjectSelectorModal bugs and UX
 issues

- Fix re-render loop: init selected state only on open transition via prevOpenRef, read preselectedSubjectIds through a stable ref so parent re-renders don't wipe user selections
- Fix incomplete onAllow payload: add fetchPermissionSubjectsByIds and seed selectedSubjects upfront so preselected subjects on other pages are always included
- Allow applying empty selection (remove last subject) by disabling Apply only when selection is unchanged from initial, not when count is zero
- Debounce search input with useDebouncedValue(300ms) to avoid per-keystroke API calls
- Remove unnecessary useMemo around selectedCount
- Add PAGE_SIZE to query key
- Replace Avatar with type-appropriate icon for team/group subjects
- Replace typeLabel function with a TYPE_LABELS record map
- Wrap subjects derivation in useMemo to fix exhaustive-deps lint warning
---
 src/api/services/permissions.ts               |  10 ++
 .../Permissions/SubjectSelectorModal.tsx      | 127 ++++++++++++++----
 2 files changed, 112 insertions(+), 25 deletions(-)

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index bc11946391..948b1e9d1b 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -214,6 +214,16 @@ export async function fetchPermissionSubjectsPaginated({
   );
 }
 
+export async function fetchPermissionSubjectsByIds(ids: string[]) {
+  if (ids.length === 0) {
+    return [];
+  }
+  const response = await IncidentCommander.get<PermissionSubject[] | null>(
+    `/permission_subjects?select=id,name,type&id=in.(${ids.join(",")})&limit=${ids.length}`
+  );
+  return response.data ?? [];
+}
+
 export async function fetchPermissionSubjects() {
   const response = await IncidentCommander.get<PermissionSubject[] | null>(
     "/permission_subjects?select=id,name,type&type=neq.role&order=name.asc&limit=5000"
diff --git a/src/components/Permissions/SubjectSelectorModal.tsx b/src/components/Permissions/SubjectSelectorModal.tsx
index 450fe1b75e..5f8ee86f0a 100644
--- a/src/components/Permissions/SubjectSelectorModal.tsx
+++ b/src/components/Permissions/SubjectSelectorModal.tsx
@@ -1,4 +1,5 @@
 import {
+  fetchPermissionSubjectsByIds,
   fetchPermissionSubjectsPaginated,
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
@@ -14,12 +15,21 @@ import {
   DialogTitle
 } from "@flanksource-ui/components/ui/dialog";
 import { Input } from "@flanksource-ui/components/ui/input";
+import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
 import { Avatar } from "@flanksource-ui/ui/Avatar";
 import { useQuery } from "@tanstack/react-query";
-import { useEffect, useMemo, useState } from "react";
+import { useEffect, useMemo, useRef, useState } from "react";
+import { HiUser, HiUserGroup } from "react-icons/hi";
 
 const PAGE_SIZE = 20;
 
+const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
+  person: "person",
+  team: "team",
+  role: "role",
+  permission_subject_group: "group"
+};
+
 type SubjectSelectorModalProps = {
   open: boolean;
   onOpenChange: (open: boolean) => void;
@@ -30,12 +40,21 @@ type SubjectSelectorModalProps = {
   isSubmitting?: boolean;
 };
 
-function typeLabel(type: PermissionSubject["type"]) {
-  if (type === "permission_subject_group") {
-    return "group";
+function SubjectIcon({ subject }: { subject: PermissionSubject }) {
+  if (subject.type === "person") {
+    return <Avatar size="xs" user={{ name: subject.name }} />;
   }
 
-  return type;
+  // teams and groups get a group icon instead of an initials-based avatar
+  return (
+    <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
+      {subject.type === "team" ? (
+        <HiUserGroup className="h-3 w-3" />
+      ) : (
+        <HiUser className="h-3 w-3" />
+      )}
+    </span>
+  );
 }
 
 export default function SubjectSelectorModal({
@@ -54,11 +73,21 @@ export default function SubjectSelectorModal({
     Record<string, PermissionSubject>
   >({});
 
-  useEffect(() => {
-    setPageIndex(0);
-  }, [search]);
+  // Track previous open value so we only initialise state on the
+  // false → true transition, not on every render.
+  const prevOpenRef = useRef(false);
+  // Keep a stable ref to the latest preselectedSubjectIds so the
+  // open-transition effect below doesn't need it in its dep array.
+  const preselectedSubjectIdsRef = useRef(preselectedSubjectIds);
+  preselectedSubjectIdsRef.current = preselectedSubjectIds;
+  // Snapshot of selected IDs at the moment the modal opened, used to
+  // detect whether the selection has actually changed.
+  const initialSelectedIdsRef = useRef<Record<string, true>>({});
 
   useEffect(() => {
+    const wasOpen = prevOpenRef.current;
+    prevOpenRef.current = open;
+
     if (!open) {
       setSearch("");
       setPageIndex(0);
@@ -67,28 +96,73 @@ export default function SubjectSelectorModal({
       return;
     }
 
-    const preselectedMap: Record<string, true> = {};
-    for (const id of preselectedSubjectIds) {
-      preselectedMap[id] = true;
+    if (!wasOpen) {
+      // Modal just opened — pre-check the supplied IDs. Full subject
+      // objects are fetched separately by the query below; here we
+      // only mark the IDs as selected so checkboxes render correctly
+      // immediately.
+      const idMap: Record<string, true> = {};
+      for (const id of preselectedSubjectIdsRef.current) {
+        idMap[id] = true;
+      }
+      initialSelectedIdsRef.current = idMap;
+      setSelectedIds(idMap);
+    }
+    // Intentionally only depend on `open` — we read preselectedSubjectIds
+    // through a ref to avoid resetting user selections on parent re-renders.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [open]);
+
+  // Fetch full subject objects for every preselected ID so that
+  // `selectedSubjects` is complete even when those subjects live on a
+  // different page of results.
+  useQuery({
+    queryKey: ["permission-subjects-by-ids", preselectedSubjectIds],
+    queryFn: () => fetchPermissionSubjectsByIds(preselectedSubjectIds),
+    enabled: open && preselectedSubjectIds.length > 0,
+    staleTime: 60_000,
+    onSuccess: (data) => {
+      setSelectedSubjects((prev) => {
+        const next = { ...prev };
+        for (const subject of data) {
+          next[subject.id] = subject;
+        }
+        return next;
+      });
     }
-    setSelectedIds(preselectedMap);
-  }, [open, preselectedSubjectIds]);
+  });
+
+  const debouncedSearch = useDebouncedValue(search, 300) ?? "";
+
+  useEffect(() => {
+    setPageIndex(0);
+  }, [debouncedSearch]);
 
   const { data, isLoading } = useQuery({
-    queryKey: ["mcp", "subject-selector", search, pageIndex],
+    queryKey: [
+      "mcp",
+      "subject-selector",
+      debouncedSearch,
+      pageIndex,
+      PAGE_SIZE
+    ],
     queryFn: async () =>
       fetchPermissionSubjectsPaginated({
-        search,
+        search: debouncedSearch,
         pageIndex,
         pageSize: PAGE_SIZE
       }),
     enabled: open
   });
 
-  const subjects = (data?.data ?? []) as PermissionSubject[];
+  const subjects = useMemo(
+    () => (data?.data ?? []) as PermissionSubject[],
+    [data?.data]
+  );
   const totalEntries = data?.totalEntries ?? 0;
   const pageCount = Math.ceil(totalEntries / PAGE_SIZE);
 
+  // Enrich selectedSubjects as new pages are loaded.
   useEffect(() => {
     if (subjects.length === 0) {
       return;
@@ -105,17 +179,21 @@ export default function SubjectSelectorModal({
     });
   }, [subjects, selectedIds]);
 
-  const selectedCount = useMemo(
-    () => Object.keys(selectedIds).length,
-    [selectedIds]
-  );
+  const selectedCount = Object.keys(selectedIds).length;
+
+  // Apply is a no-op only when the selection is identical to what was
+  // preselected on open (same IDs, same count). Submitting an empty
+  // selection is valid — it means "remove everyone".
+  const initialIds = initialSelectedIdsRef.current;
+  const hasChanged =
+    selectedCount !== Object.keys(initialIds).length ||
+    Object.keys(selectedIds).some((id) => !initialIds[id]);
 
   const toggleSubject = (subject: PermissionSubject, checked: boolean) => {
     setSelectedIds((prev) => {
       if (checked) {
         return { ...prev, [subject.id]: true };
       }
-
       const next = { ...prev };
       delete next[subject.id];
       return next;
@@ -125,7 +203,6 @@ export default function SubjectSelectorModal({
       if (checked) {
         return { ...prev, [subject.id]: subject };
       }
-
       const next = { ...prev };
       delete next[subject.id];
       return next;
@@ -164,7 +241,7 @@ export default function SubjectSelectorModal({
                       toggleSubject(subject, checked === true)
                     }
                   />
-                  <Avatar size="xs" user={{ name: subject.name }} />
+                  <SubjectIcon subject={subject} />
                   <div className="min-w-0 truncate text-sm font-medium text-gray-900">
                     {subject.name}
                   </div>
@@ -172,7 +249,7 @@ export default function SubjectSelectorModal({
 
                 <div className="ml-2 flex shrink-0 items-center">
                   <Badge variant="outline" className="text-[10px] font-normal">
-                    {typeLabel(subject.type)}
+                    {TYPE_LABELS[subject.type] ?? subject.type}
                   </Badge>
                 </div>
               </label>
@@ -223,7 +300,7 @@ export default function SubjectSelectorModal({
           </Button>
           <Button
             type="button"
-            disabled={selectedCount === 0 || isSubmitting}
+            disabled={!hasChanged || isSubmitting}
             onClick={() => onAllow(Object.values(selectedSubjects))}
           >
             Apply

From 1c133c066989d7dd5cf8debc101e4007bfd0fe5e Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 18:27:47 +0545
Subject: [PATCH 05/48] fix(permissions): improve PermissionAccessCard UX and
 correctness

---
 .../Permissions/PermissionAccessCard.tsx      | 151 ++++++++++++------
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |   2 +-
 src/pages/Settings/mcp/McpViewsPage.tsx       |   2 +-
 3 files changed, 101 insertions(+), 54 deletions(-)

diff --git a/src/components/Permissions/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
index 1a52a0517d..a02fb77e53 100644
--- a/src/components/Permissions/PermissionAccessCard.tsx
+++ b/src/components/Permissions/PermissionAccessCard.tsx
@@ -8,6 +8,7 @@ import {
 import { Avatar } from "@flanksource-ui/ui/Avatar";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
+import { HiUser, HiUserGroup } from "react-icons/hi";
 
 type PermissionAccessCardProps = {
   entity: {
@@ -25,6 +26,14 @@ type PermissionAccessCardProps = {
   isMutating?: boolean;
 };
 
+function DenyBadge() {
+  return (
+    <span className="ml-0.5 rounded bg-red-100 px-1 py-0.5 text-[10px] font-semibold uppercase tracking-wide text-red-600">
+      Denied
+    </span>
+  );
+}
+
 function PermissionGroupItem({
   permission,
   subjectLookup
@@ -32,11 +41,18 @@ function PermissionGroupItem({
   permission: PermissionsSummary;
   subjectLookup?: Record<string, { name: string; type: string }>;
 }) {
+  const isDeny = permission.deny === true;
+
   if (permission.team) {
     return (
-      <div className="inline-flex items-center gap-1 rounded-full bg-indigo-50 px-2 py-1 text-xs font-medium text-indigo-700">
-        <Icon name={permission.team.icon} className="h-3.5 w-3.5" />
-        <span>Team: {permission.team.name}</span>
+      <div className="flex items-center gap-2">
+        <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
+          <HiUserGroup className="h-3 w-3" />
+        </span>
+        <div className="flex items-center gap-1.5 text-xs text-gray-800">
+          <span className="font-medium">{permission.team.name}</span>
+          {isDeny && <DenyBadge />}
+        </div>
       </div>
     );
   }
@@ -47,21 +63,36 @@ function PermissionGroupItem({
   const groupName = lookup?.name || permission.group?.name || "Unknown group";
 
   return (
-    <div className="inline-flex items-center gap-1 rounded-full bg-purple-50 px-2 py-1 text-xs font-medium text-purple-700">
-      <span>{groupName}</span>
+    <div className="flex items-center gap-2">
+      <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
+        <HiUser className="h-3 w-3" />
+      </span>
+      <div className="flex items-center gap-1.5 text-xs text-gray-800">
+        <span className="font-medium">{groupName}</span>
+        {isDeny && <DenyBadge />}
+      </div>
     </div>
   );
 }
 
 function PermissionUserItem({
-  permission
+  permission,
+  subjectLookup
 }: {
   permission: PermissionsSummary;
+  subjectLookup?: Record<string, { name: string; type: string }>;
 }) {
+  const isDeny = permission.deny === true;
+
   if (!permission.person) {
+    const resolvedName =
+      (permission.subject && subjectLookup?.[permission.subject]?.name) ||
+      permission.subject ||
+      "Unknown user";
     return (
-      <div className="text-xs text-gray-600">
-        {permission.subject || "Unknown user"}
+      <div className="flex items-center gap-1.5 text-xs text-gray-600">
+        <span>{resolvedName}</span>
+        {isDeny && <DenyBadge />}
       </div>
     );
   }
@@ -74,6 +105,7 @@ function PermissionUserItem({
         {permission.person.email && (
           <span className="text-gray-500">{permission.person.email}</span>
         )}
+        {isDeny && <DenyBadge />}
       </div>
     </div>
   );
@@ -118,6 +150,7 @@ export default function PermissionAccessCard({
             <div className="shrink-0">
               <div
                 className={isMutating ? "pointer-events-none opacity-60" : ""}
+                aria-disabled={isMutating || undefined}
               >
                 <Switch
                   options={["Deny all", "Custom", "Allow all"]}
@@ -155,55 +188,69 @@ export default function PermissionAccessCard({
       </CardHeader>
 
       <CardContent className="mt-4 border-t border-gray-200 p-4 pt-3">
-        <div className="space-y-3">
-          <div>
-            <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
-              Groups
-            </div>
-            {groups.length > 0 ? (
-              <div className="flex flex-wrap gap-2">
-                {groups.map((groupPermission) => (
-                  <PermissionGroupItem
-                    key={groupPermission.id}
-                    permission={groupPermission}
-                    subjectLookup={subjectLookup}
-                  />
-                ))}
-              </div>
-            ) : (
-              <div className="text-xs text-gray-500">No groups have access</div>
-            )}
+        {globalOverride !== "none" ? (
+          <div className="rounded-md bg-gray-50 px-3 py-2 text-xs text-gray-500">
+            {globalOverride === "allow"
+              ? "All users are allowed. Switch to Custom to manage individual permissions."
+              : "All users are denied. Switch to Custom to manage individual permissions."}
           </div>
-
-          <div>
-            <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
-              Users
+        ) : (
+          <div className="space-y-3">
+            <div>
+              <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
+                Groups
+              </div>
+              {groups.length > 0 ? (
+                <div className="space-y-2">
+                  {groups.map((groupPermission, idx) => (
+                    <PermissionGroupItem
+                      key={groupPermission.id || `group-${idx}`}
+                      permission={groupPermission}
+                      subjectLookup={subjectLookup}
+                    />
+                  ))}
+                </div>
+              ) : (
+                <div className="text-xs text-gray-500">
+                  No groups have access
+                </div>
+              )}
             </div>
-            {users.length > 0 ? (
-              <div className="space-y-2">
-                {users.map((userPermission) => (
-                  <PermissionUserItem
-                    key={userPermission.id}
-                    permission={userPermission}
-                  />
-                ))}
+
+            <div>
+              <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
+                Users
               </div>
-            ) : (
-              <div className="text-xs text-gray-500">No users have access</div>
-            )}
-          </div>
+              {users.length > 0 ? (
+                <div className="space-y-2">
+                  {users.map((userPermission, idx) => (
+                    <PermissionUserItem
+                      key={userPermission.id || `user-${idx}`}
+                      permission={userPermission}
+                      subjectLookup={subjectLookup}
+                    />
+                  ))}
+                </div>
+              ) : (
+                <div className="text-xs text-gray-500">
+                  No users have access
+                </div>
+              )}
+            </div>
 
-          <div>
-            <Button
-              variant="outline"
-              size="sm"
-              className="h-8"
-              onClick={onAllowSelective}
-            >
-              + Add user or group
-            </Button>
+            <div>
+              <Button
+                variant="outline"
+                size="sm"
+                className="h-8"
+                onClick={onAllowSelective}
+                disabled={isMutating}
+              >
+                + Add user or group
+              </Button>
+            </div>
           </div>
-        </div>
+        )}
       </CardContent>
     </Card>
   );
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 2a07b3153a..20e6da67b1 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -25,7 +25,7 @@ type PermissionBuckets = {
 };
 
 const EVERYONE_SUBJECT_ID = "everyone";
-const EVERYONE_SUBJECT_TYPE = "role";
+const EVERYONE_SUBJECT_TYPE = "group";
 
 export default function McpPlaybooksPage() {
   const { user } = useUser();
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 07c692046e..752c3daf64 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -25,7 +25,7 @@ type PermissionBuckets = {
 };
 
 const EVERYONE_SUBJECT_ID = "everyone";
-const EVERYONE_SUBJECT_TYPE = "role";
+const EVERYONE_SUBJECT_TYPE = "group";
 
 function permissionMatchesView(permission: PermissionsSummary, view: View) {
   const viewRefs = permission.object_selector?.views ?? [];

From d65d3331193851bfca6afee52a6de9396412820d Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 19:01:10 +0545
Subject: [PATCH 06/48] feat(mcp): redesign overview subject access controls

---
 src/api/services/permissions.ts               |  10 +-
 src/components/Permissions/UserAccessCard.tsx | 101 ++++
 src/pages/Settings/mcp/McpOverviewPage.tsx    | 431 +++++-------------
 3 files changed, 230 insertions(+), 312 deletions(-)
 create mode 100644 src/components/Permissions/UserAccessCard.tsx

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 948b1e9d1b..ab27a0443b 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -174,7 +174,7 @@ export async function fetchMcpViewPermissions() {
 
 export async function fetchMcpUserPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
-    "/permissions_summary?select=*&action=eq.mcp:use&person_id=not.is.null&deleted_at=is.null&limit=5000"
+    "/permissions_summary?select=*&action=eq.mcp:use&object=eq.mcp&deleted_at=is.null&limit=5000"
   );
 
   return response.data ?? [];
@@ -231,3 +231,11 @@ export async function fetchPermissionSubjects() {
 
   return response.data ?? [];
 }
+
+export async function fetchAllPermissionSubjects() {
+  const response = await IncidentCommander.get<PermissionSubject[] | null>(
+    "/permission_subjects?select=id,name,type&order=type.asc,name.asc&limit=5000"
+  );
+
+  return response.data ?? [];
+}
diff --git a/src/components/Permissions/UserAccessCard.tsx b/src/components/Permissions/UserAccessCard.tsx
new file mode 100644
index 0000000000..0afd0509a4
--- /dev/null
+++ b/src/components/Permissions/UserAccessCard.tsx
@@ -0,0 +1,101 @@
+import { Card, CardHeader } from "@flanksource-ui/components/ui/card";
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+import { Avatar } from "@flanksource-ui/ui/Avatar";
+import { HiUser, HiUserGroup } from "react-icons/hi";
+
+type UserAccessCardProps = {
+  user: {
+    id: string;
+    name?: string;
+    email?: string;
+    avatar?: string;
+    type?: "team" | "permission_subject_group" | "person" | "role";
+  };
+  action: string;
+  object: string;
+  access: "deny" | "default" | "allow";
+  onChangeAccess: (access: "deny" | "default" | "allow") => void;
+  isMutating?: boolean;
+};
+
+export default function UserAccessCard({
+  user,
+  action,
+  object,
+  access,
+  onChangeAccess,
+  isMutating = false
+}: UserAccessCardProps) {
+  return (
+    <Card className="rounded-xl border-gray-200 shadow-sm">
+      <CardHeader className="p-4">
+        <div className="flex items-center justify-between gap-3">
+          <div className="flex min-w-0 items-center gap-3">
+            {user.type === "person" || !user.type ? (
+              <Avatar size="sm" user={user} />
+            ) : (
+              <span className="flex h-6 w-6 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
+                {user.type === "team" ? (
+                  <HiUserGroup className="h-3.5 w-3.5" />
+                ) : (
+                  <HiUser className="h-3.5 w-3.5" />
+                )}
+              </span>
+            )}
+            <div className="min-w-0">
+              <div
+                className="truncate text-sm font-semibold text-gray-900"
+                title={user.name}
+              >
+                {user.name}
+              </div>
+              {user.email ? (
+                <div
+                  className="truncate text-xs text-gray-500"
+                  title={user.email}
+                >
+                  {user.email}
+                </div>
+              ) : null}
+            </div>
+          </div>
+
+          <div
+            className={isMutating ? "pointer-events-none opacity-60" : ""}
+            aria-disabled={isMutating || undefined}
+          >
+            <Switch
+              options={["Deny", "Default", "Allow"]}
+              value={
+                access === "deny"
+                  ? "Deny"
+                  : access === "allow"
+                    ? "Allow"
+                    : "Default"
+              }
+              onChange={(value) => {
+                const mapped =
+                  value === "Deny"
+                    ? "deny"
+                    : value === "Allow"
+                      ? "allow"
+                      : "default";
+                onChangeAccess(mapped);
+              }}
+              className="h-auto"
+              itemsClassName=""
+              aria-label={`${action} on ${object} for ${user.name || user.id}`}
+              getActiveItemClassName={(option) =>
+                option === "Allow"
+                  ? "bg-blue-50 text-blue-700 ring-blue-200"
+                  : option === "Deny"
+                    ? "bg-red-50 text-red-700 ring-red-200"
+                    : "bg-gray-50 text-gray-700 ring-gray-200"
+              }
+            />
+          </div>
+        </div>
+      </CardHeader>
+    </Card>
+  );
+}
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 69d0da55d5..cbf92cf1f3 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -1,49 +1,56 @@
-import { getPersons } from "@flanksource-ui/api/services/users";
 import {
   addPermission,
   deletePermission,
+  fetchAllPermissionSubjects,
   fetchMcpUserPermissions,
-  fetchPermissionSubjects,
   PermissionSubject,
   updatePermission
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
+import UserAccessCard from "@flanksource-ui/components/Permissions/UserAccessCard";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
-import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
-import {
-  toastError,
-  toastSuccess
-} from "@flanksource-ui/components/Toast/toast";
+import { toastError } from "@flanksource-ui/components/Toast/toast";
 import { useUser } from "@flanksource-ui/context";
 import { useMutation, useQuery } from "@tanstack/react-query";
 import { useMemo, useState } from "react";
 
-type PermissionBuckets = {
-  users: PermissionsSummary[];
-  groups: PermissionsSummary[];
-};
+const MCP_OBJECT = "mcp";
+const MCP_ACTION = "mcp:use";
+
+function isMcpUserAccessPermission(permission: PermissionsSummary) {
+  return (
+    permission.action === MCP_ACTION &&
+    permission.object === MCP_OBJECT &&
+    !!permission.subject &&
+    !!permission.id &&
+    (permission.source === "mcp_settings" || permission.source === "UI")
+  );
+}
 
-const EVERYONE_SUBJECT_ID = "everyone";
-const EVERYONE_SUBJECT_TYPE = "role";
+function mapPermissionSubjectType(type: PermissionSubject["type"]) {
+  if (type === "permission_subject_group") {
+    return "group" as const;
+  }
+
+  return type;
+}
 
 export default function McpOverviewPage() {
   const { user } = useUser();
-  const [selectedUserId, setSelectedUserId] = useState<string | null>(null);
-  const [mutatingUserId, setMutatingUserId] = useState<string | null>(null);
+  const [mutatingSubjectId, setMutatingSubjectId] = useState<string | null>(
+    null
+  );
 
   const {
-    data: usersResponse,
+    data: subjects = [],
     isLoading: isUsersLoading,
     refetch: refetchUsers,
     isRefetching: isUsersRefetching
   } = useQuery({
-    queryKey: ["mcp", "users", "all"],
-    queryFn: getPersons
+    queryKey: ["mcp", "permission-subjects", "all"],
+    queryFn: fetchAllPermissionSubjects
   });
 
-  const users = usersResponse?.data ?? [];
-
   const {
     data: userPermissions = [],
     isLoading: isPermissionsLoading,
@@ -54,189 +61,80 @@ export default function McpOverviewPage() {
     queryFn: fetchMcpUserPermissions
   });
 
-  const { data: permissionSubjects = [] } = useQuery({
-    queryKey: ["mcp", "permission-subjects", "all"],
-    queryFn: fetchPermissionSubjects
-  });
+  const permissionsByUser = useMemo(() => {
+    const map = new Map<string, PermissionsSummary[]>();
+
+    for (const permission of userPermissions) {
+      if (!isMcpUserAccessPermission(permission)) {
+        continue;
+      }
+
+      const subjectId = permission.subject!;
+      const current = map.get(subjectId) ?? [];
+      current.push(permission);
+      map.set(subjectId, current);
+    }
 
-  const subjectLookup = useMemo(() => {
-    return Object.fromEntries(
-      permissionSubjects.map((subject) => [
-        subject.id,
-        { name: subject.name, type: subject.type }
-      ])
-    );
-  }, [permissionSubjects]);
+    return map;
+  }, [userPermissions]);
 
-  const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
+  const { mutate: setUserAccess, isLoading: isUpdatingUserAccess } =
     useMutation({
       mutationFn: async ({
-        personId,
-        override
+        subjectId,
+        subjectType,
+        access
       }: {
-        personId: string;
-        override: "allow" | "none" | "deny";
+        subjectId: string;
+        subjectType: PermissionSubject["type"];
+        access: "deny" | "default" | "allow";
       }) => {
-        const existingOverrides = userPermissions.filter(
-          (permission) =>
-            permission.person_id === personId &&
-            permission.action === "mcp:use" &&
-            permission.subject_type === EVERYONE_SUBJECT_TYPE &&
-            permission.subject === EVERYONE_SUBJECT_ID &&
-            permission.id &&
-            permission.source === "mcp_settings"
-        );
+        const existingPermissions = (
+          permissionsByUser.get(subjectId) ?? []
+        ).filter((permission) => permission.source === "mcp_settings");
 
-        if (override === "none") {
+        if (access === "default") {
           await Promise.all(
-            existingOverrides.map((permission) =>
-              deletePermission(permission.id)
+            existingPermissions.map((permission) =>
+              deletePermission(permission.id!)
             )
           );
           return;
         }
 
-        const targetDeny = override === "deny";
-        const existingOverride = existingOverrides[0];
+        const targetDeny = access === "deny";
+        const primaryPermission = existingPermissions[0];
+        const duplicatePermissionIds = existingPermissions
+          .slice(1)
+          .map((permission) => permission.id!);
+
+        if (!primaryPermission) {
+          await addPermission({
+            object: MCP_OBJECT,
+            action: MCP_ACTION,
+            subject: subjectId,
+            subject_type: mapPermissionSubjectType(subjectType),
+            deny: targetDeny,
+            source: "mcp_settings",
+            created_by: user?.id!
+          } as any);
 
-        if (existingOverride) {
-          if (existingOverride.deny !== targetDeny) {
-            await updatePermission({
-              id: existingOverride.id,
-              deny: targetDeny
-            } as any);
-          }
           return;
         }
 
-        await addPermission({
-          person_id: personId,
-          object: "mcp",
-          action: "mcp:use",
-          subject: EVERYONE_SUBJECT_ID,
-          subject_type: EVERYONE_SUBJECT_TYPE,
-          deny: targetDeny,
-          source: "mcp_settings",
-          created_by: user?.id!
-        } as any);
-      },
-      onSuccess: () => {
-        refetchPermissions();
-      },
-      onError: (error) => {
-        toastError(error as any);
-      }
-    });
-
-  const { mutateAsync: allowSelectiveAccess, isLoading: isAllowingSelective } =
-    useMutation({
-      mutationFn: async ({
-        personId,
-        subjects
-      }: {
-        personId: string;
-        subjects: PermissionSubject[];
-      }) => {
-        const normalizeSubject = (subject: PermissionSubject) => {
-          const subjectType =
-            subject.type === "person"
-              ? "person"
-              : subject.type === "team"
-                ? "team"
-                : subject.type === "permission_subject_group"
-                  ? "group"
-                  : null;
-
-          if (!subjectType) {
-            return null;
-          }
-
-          return `${subjectType}:${subject.id}`;
-        };
-
-        const desiredKeys = new Set(
-          subjects.map(normalizeSubject).filter(Boolean) as string[]
-        );
-
-        const existingPermissions = userPermissions.filter(
-          (permission) =>
-            permission.person_id === personId &&
-            permission.action === "mcp:use" &&
-            permission.deny !== true &&
-            permission.subject &&
-            permission.id &&
-            (permission.subject_type === "person" ||
-              permission.subject_type === "team" ||
-              permission.subject_type === "group") &&
-            (permission.source === "mcp_settings" || permission.source === "UI")
-        );
-
-        const existingKeys = new Set(
-          existingPermissions.map(
-            (permission) => `${permission.subject_type}:${permission.subject}`
-          )
-        );
-
-        const payloads = subjects
-          .map((subject) => {
-            const subjectType =
-              subject.type === "person"
-                ? "person"
-                : subject.type === "team"
-                  ? "team"
-                  : subject.type === "permission_subject_group"
-                    ? "group"
-                    : null;
-
-            if (!subjectType) {
-              return null;
-            }
-
-            const key = `${subjectType}:${subject.id}`;
-            if (existingKeys.has(key)) {
-              return null;
-            }
-
-            return {
-              person_id: personId,
-              object: "mcp" as const,
-              action: "mcp:use",
-              subject: subject.id,
-              subject_type: subjectType,
-              deny: false,
-              source: "mcp_settings" as const,
-              created_by: user?.id
-            };
-          })
-          .filter(Boolean);
-
-        const deleteIds = existingPermissions
-          .filter(
-            (permission) =>
-              !desiredKeys.has(
-                `${permission.subject_type}:${permission.subject}`
-              )
-          )
-          .map((permission) => permission.id);
-
         await Promise.all([
-          ...payloads.map((payload) => addPermission(payload as any)),
-          ...deleteIds.map((id) => deletePermission(id))
+          ...(primaryPermission.deny !== targetDeny
+            ? [
+                updatePermission({
+                  id: primaryPermission.id,
+                  deny: targetDeny
+                } as any)
+              ]
+            : []),
+          ...duplicatePermissionIds.map((id) => deletePermission(id))
         ]);
-
-        return {
-          added: payloads.length,
-          removed: deleteIds.length
-        };
       },
-      onSuccess: ({ added, removed }) => {
-        if (added === 0 && removed === 0) {
-          toastSuccess("No permission changes");
-        } else {
-          toastSuccess(`Updated permissions: +${added} / -${removed}`);
-        }
-
-        setSelectedUserId(null);
+      onSuccess: () => {
         refetchPermissions();
       },
       onError: (error) => {
@@ -244,74 +142,12 @@ export default function McpOverviewPage() {
       }
     });
 
-  const permissionsByUser = useMemo(() => {
-    const map = new Map<string, PermissionBuckets>();
-
-    for (const permission of userPermissions) {
-      if (!permission.person_id || permission.deny === true) {
-        continue;
-      }
-
-      if (
-        permission.subject_type === EVERYONE_SUBJECT_TYPE &&
-        permission.subject === EVERYONE_SUBJECT_ID
-      ) {
-        continue;
-      }
-
-      const current = map.get(permission.person_id) ?? {
-        users: [],
-        groups: []
-      };
-
-      if (permission.subject_type === "person") {
-        current.users.push(permission);
-      } else if (
-        permission.subject_type === "team" ||
-        permission.subject_type === "group"
-      ) {
-        current.groups.push(permission);
-      }
-
-      map.set(permission.person_id, current);
-    }
-
-    return map;
-  }, [userPermissions]);
-
-  const globalOverrideByUser = useMemo(() => {
-    const map = new Map<string, "allow" | "none" | "deny">();
-
-    for (const permission of userPermissions) {
-      if (
-        !permission.person_id ||
-        permission.action !== "mcp:use" ||
-        permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
-        permission.subject !== EVERYONE_SUBJECT_ID
-      ) {
-        continue;
-      }
-
-      map.set(
-        permission.person_id,
-        permission.deny === true ? "deny" : "allow"
-      );
-    }
-
-    return map;
-  }, [userPermissions]);
-
-  const selectedUser = useMemo(() => {
-    return users.find((item) => item.id === selectedUserId);
-  }, [selectedUserId, users]);
-
   const loading =
     isUsersLoading ||
     isPermissionsLoading ||
     isUsersRefetching ||
     isPermissionsRefetching ||
-    isUpdatingGlobalOverride ||
-    isAllowingSelective;
+    isUpdatingUserAccess;
 
   return (
     <McpTabsLinks
@@ -325,90 +161,63 @@ export default function McpOverviewPage() {
       <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
         <div>
           <h3 className="text-lg font-semibold text-gray-900">
-            User permissions
+            Subject permissions
           </h3>
           <p className="text-sm text-gray-600">
-            Control which users can be used by MCP clients through this gateway.
+            Control which users, teams, groups, or roles can use MCP through
+            this gateway.
           </p>
         </div>
 
-        <div className="grid min-h-0 flex-1 content-start gap-3 overflow-y-auto [grid-template-columns:repeat(auto-fit,minmax(460px,1fr))]">
-          {users.map((person) => {
-            const permissions = permissionsByUser.get(person.id) ?? {
-              users: [],
-              groups: []
-            };
+        <div className="grid min-h-0 flex-1 content-start gap-3 overflow-y-auto [grid-template-columns:repeat(auto-fit,minmax(420px,1fr))]">
+          {subjects.map((subject) => {
+            const permissions = permissionsByUser.get(subject.id) ?? [];
+
+            const activePermission =
+              permissions.find(
+                (permission) => permission.source === "mcp_settings"
+              ) ?? permissions[0];
+
+            const access = !activePermission
+              ? "default"
+              : activePermission.deny === true
+                ? "deny"
+                : "allow";
 
             return (
-              <PermissionAccessCard
-                key={person.id}
-                entity={{
-                  id: person.id,
-                  name: person.name,
-                  namespace: person.email,
-                  icon: "user"
+              <UserAccessCard
+                key={subject.id}
+                user={{
+                  id: subject.id,
+                  name: subject.name,
+                  type: subject.type
                 }}
-                users={permissions.users}
-                groups={permissions.groups}
-                subjectLookup={subjectLookup}
-                globalOverride={globalOverrideByUser.get(person.id) ?? "none"}
-                isMutating={mutatingUserId === person.id}
-                onGlobalOverrideChange={(override) => {
-                  setMutatingUserId(person.id);
-                  setGlobalOverride(
-                    { personId: person.id, override },
+                action={MCP_ACTION}
+                object={MCP_OBJECT}
+                access={access}
+                isMutating={mutatingSubjectId === subject.id}
+                onChangeAccess={(access) => {
+                  setMutatingSubjectId(subject.id);
+                  setUserAccess(
+                    {
+                      subjectId: subject.id,
+                      subjectType: subject.type,
+                      access
+                    },
                     {
                       onSettled: () => {
-                        setMutatingUserId((current) =>
-                          current === person.id ? null : current
+                        setMutatingSubjectId((current) =>
+                          current === subject.id ? null : current
                         );
                       }
                     }
                   );
                 }}
-                onAllowSelective={() => setSelectedUserId(person.id)}
               />
             );
           })}
         </div>
       </div>
-
-      <SubjectSelectorModal
-        open={!!selectedUser}
-        onOpenChange={(open) => {
-          if (!open) {
-            setSelectedUserId(null);
-          }
-        }}
-        title={`Allow access: ${selectedUser?.name || ""}`}
-        description="Select users or groups to allow this user for MCP usage."
-        preselectedSubjectIds={
-          selectedUser
-            ? userPermissions
-                .filter(
-                  (permission) =>
-                    permission.person_id === selectedUser.id &&
-                    permission.deny !== true &&
-                    permission.subject &&
-                    (permission.subject_type === "person" ||
-                      permission.subject_type === "team" ||
-                      permission.subject_type === "group")
-                )
-                .map((permission) => permission.subject!)
-            : []
-        }
-        isSubmitting={isAllowingSelective}
-        onAllow={async (subjects) => {
-          if (!selectedUser) {
-            return;
-          }
-
-          await allowSelectiveAccess({
-            personId: selectedUser.id,
-            subjects
-          });
-        }}
-      />
     </McpTabsLinks>
   );
 }

From 6e4d24c194fdbb45844ad86f920a9294eddc890f Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 19:10:42 +0545
Subject: [PATCH 07/48] fix(mcp): use playbook object selectors and dedupe
 overrides

---
 src/api/services/permissions.ts             |   2 +-
 src/api/types/permissions.ts                |   6 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx | 171 +++++++++++++++-----
 src/pages/Settings/mcp/McpViewsPage.tsx     |  22 ++-
 4 files changed, 152 insertions(+), 49 deletions(-)

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index ab27a0443b..b42512b381 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -158,7 +158,7 @@ export function recheckPermission(id: string) {
 
 export async function fetchMcpPlaybookPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
-    "/permissions_summary?select=*&action=eq.mcp:run&playbook_id=not.is.null&deleted_at=is.null&limit=5000"
+    "/permissions_summary?select=*&action=eq.mcp:run&deleted_at=is.null&limit=5000"
   );
 
   return response.data ?? [];
diff --git a/src/api/types/permissions.ts b/src/api/types/permissions.ts
index 87347ed68f..b5ac311f90 100644
--- a/src/api/types/permissions.ts
+++ b/src/api/types/permissions.ts
@@ -23,7 +23,11 @@ type PermissionObjectSelector = {
   views?: ViewSelector[];
 };
 
-interface Selectors {}
+interface Selectors {
+  id?: string;
+  name?: string;
+  namespace?: string;
+}
 
 interface ScopeSelector {
   namespace?: string;
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 20e6da67b1..227d9f491b 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -8,6 +8,7 @@ import {
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import { PlaybookNames } from "@flanksource-ui/api/types/playbooks";
 import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
 import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
@@ -27,6 +28,28 @@ type PermissionBuckets = {
 const EVERYONE_SUBJECT_ID = "everyone";
 const EVERYONE_SUBJECT_TYPE = "group";
 
+function permissionMatchesPlaybook(
+  permission: PermissionsSummary,
+  playbook: PlaybookNames
+) {
+  const playbookRefs = permission.object_selector?.playbooks ?? [];
+
+  return playbookRefs.some((playbookRef) => {
+    if (!playbookRef?.name) {
+      return false;
+    }
+
+    if (playbookRef.namespace) {
+      return (
+        playbookRef.namespace === playbook.namespace &&
+        playbookRef.name === playbook.name
+      );
+    }
+
+    return playbookRef.name === playbook.name;
+  });
+}
+
 export default function McpPlaybooksPage() {
   const { user } = useUser();
   const [selectedPlaybookId, setSelectedPlaybookId] = useState<string | null>(
@@ -73,25 +96,27 @@ export default function McpPlaybooksPage() {
   const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
     useMutation({
       mutationFn: async ({
-        playbookId,
+        playbook,
         override
       }: {
-        playbookId: string;
+        playbook: PlaybookNames;
         override: "allow" | "none" | "deny";
       }) => {
-        const existingOverrides = playbookPermissions.filter(
+        const latestPermissions = await fetchMcpPlaybookPermissions();
+
+        const matchingOverrides = latestPermissions.filter(
           (permission) =>
-            permission.playbook_id === playbookId &&
             permission.action === "mcp:run" &&
             permission.subject_type === EVERYONE_SUBJECT_TYPE &&
             permission.subject === EVERYONE_SUBJECT_ID &&
             permission.id &&
-            permission.source === "mcp_settings"
+            permission.source === "mcp_settings" &&
+            permissionMatchesPlaybook(permission, playbook)
         );
 
         if (override === "none") {
           await Promise.all(
-            existingOverrides.map((permission) =>
+            matchingOverrides.map((permission) =>
               deletePermission(permission.id)
             )
           );
@@ -99,12 +124,20 @@ export default function McpPlaybooksPage() {
         }
 
         const targetDeny = override === "deny";
-        const existingOverride = existingOverrides[0];
+        const [canonicalOverride, ...duplicateOverrides] = matchingOverrides;
+
+        if (duplicateOverrides.length > 0) {
+          await Promise.all(
+            duplicateOverrides.map((permission) =>
+              deletePermission(permission.id)
+            )
+          );
+        }
 
-        if (existingOverride) {
-          if (existingOverride.deny !== targetDeny) {
+        if (canonicalOverride) {
+          if (canonicalOverride.deny !== targetDeny) {
             await updatePermission({
-              id: existingOverride.id,
+              id: canonicalOverride.id,
               deny: targetDeny
             } as any);
           }
@@ -112,7 +145,9 @@ export default function McpPlaybooksPage() {
         }
 
         await addPermission({
-          playbook_id: playbookId,
+          object_selector: {
+            playbooks: [{ name: playbook.name, namespace: playbook.namespace }]
+          },
           action: "mcp:run",
           subject: EVERYONE_SUBJECT_ID,
           subject_type: EVERYONE_SUBJECT_TYPE,
@@ -132,10 +167,10 @@ export default function McpPlaybooksPage() {
   const { mutateAsync: allowSelectiveAccess, isLoading: isAllowingSelective } =
     useMutation({
       mutationFn: async ({
-        playbookId,
+        playbook,
         subjects
       }: {
-        playbookId: string;
+        playbook: PlaybookNames;
         subjects: PermissionSubject[];
       }) => {
         const normalizeSubject = (subject: PermissionSubject) => {
@@ -161,7 +196,6 @@ export default function McpPlaybooksPage() {
 
         const existingPermissions = playbookPermissions.filter(
           (permission) =>
-            permission.playbook_id === playbookId &&
             permission.action === "mcp:run" &&
             permission.deny !== true &&
             permission.subject &&
@@ -169,7 +203,9 @@ export default function McpPlaybooksPage() {
             (permission.subject_type === "person" ||
               permission.subject_type === "team" ||
               permission.subject_type === "group") &&
-            (permission.source === "mcp_settings" || permission.source === "UI")
+            (permission.source === "mcp_settings" ||
+              permission.source === "UI") &&
+            permissionMatchesPlaybook(permission, playbook)
         );
 
         const existingKeys = new Set(
@@ -178,6 +214,10 @@ export default function McpPlaybooksPage() {
           )
         );
 
+        const playbookSelector = [
+          { name: playbook.name, namespace: playbook.namespace }
+        ];
+
         const payloads = subjects
           .map((subject) => {
             const subjectType =
@@ -199,7 +239,7 @@ export default function McpPlaybooksPage() {
             }
 
             return {
-              playbook_id: playbookId,
+              object_selector: { playbooks: playbookSelector },
               action: "mcp:run",
               subject: subject.id,
               subject_type: subjectType,
@@ -247,8 +287,22 @@ export default function McpPlaybooksPage() {
   const permissionsByPlaybook = useMemo(() => {
     const map = new Map<string, PermissionBuckets>();
 
+    const playbooksByNamespacedRef = new Map<string, PlaybookNames>();
+    const playbooksByName = new Map<string, PlaybookNames[]>();
+
+    for (const playbook of playbooks) {
+      playbooksByNamespacedRef.set(
+        `${playbook.namespace || ""}/${playbook.name}`,
+        playbook
+      );
+
+      const existingPlaybooks = playbooksByName.get(playbook.name) ?? [];
+      existingPlaybooks.push(playbook);
+      playbooksByName.set(playbook.name, existingPlaybooks);
+    }
+
     for (const permission of playbookPermissions) {
-      if (!permission.playbook_id || permission.deny === true) {
+      if (permission.deny === true) {
         continue;
       }
 
@@ -259,32 +313,52 @@ export default function McpPlaybooksPage() {
         continue;
       }
 
-      const current = map.get(permission.playbook_id) ?? {
-        users: [],
-        groups: []
-      };
-
-      if (permission.subject_type === "person") {
-        current.users.push(permission);
-      } else if (
-        permission.subject_type === "team" ||
-        permission.subject_type === "group"
-      ) {
-        current.groups.push(permission);
+      const playbookRefs = permission.object_selector?.playbooks ?? [];
+      if (playbookRefs.length === 0) {
+        continue;
       }
 
-      map.set(permission.playbook_id, current);
+      for (const playbookRef of playbookRefs) {
+        if (!playbookRef.name) {
+          continue;
+        }
+
+        const matchedPlaybook = playbookRef.namespace
+          ? playbooksByNamespacedRef.get(
+              `${playbookRef.namespace}/${playbookRef.name}`
+            )
+          : playbooksByName.get(playbookRef.name)?.[0];
+
+        if (!matchedPlaybook) {
+          continue;
+        }
+
+        const current = map.get(matchedPlaybook.id) ?? {
+          users: [],
+          groups: []
+        };
+
+        if (permission.subject_type === "person") {
+          current.users.push(permission);
+        } else if (
+          permission.subject_type === "team" ||
+          permission.subject_type === "group"
+        ) {
+          current.groups.push(permission);
+        }
+
+        map.set(matchedPlaybook.id, current);
+      }
     }
 
     return map;
-  }, [playbookPermissions]);
+  }, [playbookPermissions, playbooks]);
 
   const globalOverrideByPlaybook = useMemo(() => {
     const map = new Map<string, "allow" | "none" | "deny">();
 
     for (const permission of playbookPermissions) {
       if (
-        !permission.playbook_id ||
         permission.action !== "mcp:run" ||
         permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
         permission.subject !== EVERYONE_SUBJECT_ID
@@ -292,14 +366,29 @@ export default function McpPlaybooksPage() {
         continue;
       }
 
-      map.set(
-        permission.playbook_id,
-        permission.deny === true ? "deny" : "allow"
-      );
+      const playbookRefs = permission.object_selector?.playbooks ?? [];
+
+      for (const playbookRef of playbookRefs) {
+        if (!playbookRef.name) {
+          continue;
+        }
+
+        const playbook = playbooks.find(
+          (p) =>
+            p.name === playbookRef.name &&
+            (playbookRef.namespace
+              ? p.namespace === playbookRef.namespace
+              : true)
+        );
+
+        if (playbook) {
+          map.set(playbook.id, permission.deny === true ? "deny" : "allow");
+        }
+      }
     }
 
     return map;
-  }, [playbookPermissions]);
+  }, [playbookPermissions, playbooks]);
 
   const selectedPlaybook = useMemo(() => {
     return playbooks.find((playbook) => playbook.id === selectedPlaybookId);
@@ -358,7 +447,7 @@ export default function McpPlaybooksPage() {
                 onGlobalOverrideChange={(override) => {
                   setMutatingPlaybookId(playbook.id);
                   setGlobalOverride(
-                    { playbookId: playbook.id, override },
+                    { playbook, override },
                     {
                       onSettled: () => {
                         setMutatingPlaybookId((current) =>
@@ -389,12 +478,12 @@ export default function McpPlaybooksPage() {
             ? playbookPermissions
                 .filter(
                   (permission) =>
-                    permission.playbook_id === selectedPlaybook.id &&
                     permission.deny !== true &&
                     permission.subject &&
                     (permission.subject_type === "person" ||
                       permission.subject_type === "team" ||
-                      permission.subject_type === "group")
+                      permission.subject_type === "group") &&
+                    permissionMatchesPlaybook(permission, selectedPlaybook)
                 )
                 .map((permission) => permission.subject!)
             : []
@@ -406,7 +495,7 @@ export default function McpPlaybooksPage() {
           }
 
           await allowSelectiveAccess({
-            playbookId: selectedPlaybook.id,
+            playbook: selectedPlaybook,
             subjects
           });
         }}
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 752c3daf64..e34bfda690 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -93,7 +93,9 @@ export default function McpViewsPage() {
         view: View;
         override: "allow" | "none" | "deny";
       }) => {
-        const existingOverrides = viewPermissions.filter(
+        const latestPermissions = await fetchMcpViewPermissions();
+
+        const matchingOverrides = latestPermissions.filter(
           (permission) =>
             permission.action === "mcp:run" &&
             permission.subject_type === EVERYONE_SUBJECT_TYPE &&
@@ -105,7 +107,7 @@ export default function McpViewsPage() {
 
         if (override === "none") {
           await Promise.all(
-            existingOverrides.map((permission) =>
+            matchingOverrides.map((permission) =>
               deletePermission(permission.id)
             )
           );
@@ -113,12 +115,20 @@ export default function McpViewsPage() {
         }
 
         const targetDeny = override === "deny";
-        const existingOverride = existingOverrides[0];
+        const [canonicalOverride, ...duplicateOverrides] = matchingOverrides;
+
+        if (duplicateOverrides.length > 0) {
+          await Promise.all(
+            duplicateOverrides.map((permission) =>
+              deletePermission(permission.id)
+            )
+          );
+        }
 
-        if (existingOverride) {
-          if (existingOverride.deny !== targetDeny) {
+        if (canonicalOverride) {
+          if (canonicalOverride.deny !== targetDeny) {
             await updatePermission({
-              id: existingOverride.id,
+              id: canonicalOverride.id,
               deny: targetDeny
             } as any);
           }

From c02acb576d1375ff08b23e8c3320eb91eaac1fe4 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 21:13:44 +0545
Subject: [PATCH 08/48] fix(mcp): centralize and enforce mcp settings source

---
 src/api/services/permissions.ts             |  3 +++
 src/pages/Settings/mcp/McpOverviewPage.tsx  | 19 +++++++++++--------
 src/pages/Settings/mcp/McpPlaybooksPage.tsx | 13 +++++++------
 src/pages/Settings/mcp/McpViewsPage.tsx     | 13 +++++++------
 4 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index b42512b381..2656a9f378 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -156,6 +156,9 @@ export function recheckPermission(id: string) {
   });
 }
 
+// Source marker used by the MCP Settings UI for permissions it creates/manages.
+export const MCP_SETTINGS_PERMISSION_SOURCE = "mcp_settings" as const;
+
 export async function fetchMcpPlaybookPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
     "/permissions_summary?select=*&action=eq.mcp:run&deleted_at=is.null&limit=5000"
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index cbf92cf1f3..238af58f4b 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -3,6 +3,7 @@ import {
   deletePermission,
   fetchAllPermissionSubjects,
   fetchMcpUserPermissions,
+  MCP_SETTINGS_PERMISSION_SOURCE,
   PermissionSubject,
   updatePermission
 } from "@flanksource-ui/api/services/permissions";
@@ -23,12 +24,12 @@ function isMcpUserAccessPermission(permission: PermissionsSummary) {
     permission.object === MCP_OBJECT &&
     !!permission.subject &&
     !!permission.id &&
-    (permission.source === "mcp_settings" || permission.source === "UI")
+    permission.source === MCP_SETTINGS_PERMISSION_SOURCE
   );
 }
 
 function mapPermissionSubjectType(type: PermissionSubject["type"]) {
-  if (type === "permission_subject_group") {
+  if (type === "permission_subject_group" || type === "role") {
     return "group" as const;
   }
 
@@ -91,7 +92,9 @@ export default function McpOverviewPage() {
       }) => {
         const existingPermissions = (
           permissionsByUser.get(subjectId) ?? []
-        ).filter((permission) => permission.source === "mcp_settings");
+        ).filter(
+          (permission) => permission.source === MCP_SETTINGS_PERMISSION_SOURCE
+        );
 
         if (access === "default") {
           await Promise.all(
@@ -115,7 +118,7 @@ export default function McpOverviewPage() {
             subject: subjectId,
             subject_type: mapPermissionSubjectType(subjectType),
             deny: targetDeny,
-            source: "mcp_settings",
+            source: MCP_SETTINGS_PERMISSION_SOURCE,
             created_by: user?.id!
           } as any);
 
@@ -173,10 +176,10 @@ export default function McpOverviewPage() {
           {subjects.map((subject) => {
             const permissions = permissionsByUser.get(subject.id) ?? [];
 
-            const activePermission =
-              permissions.find(
-                (permission) => permission.source === "mcp_settings"
-              ) ?? permissions[0];
+            const activePermission = permissions.find(
+              (permission) =>
+                permission.source === MCP_SETTINGS_PERMISSION_SOURCE
+            );
 
             const access = !activePermission
               ? "default"
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 227d9f491b..c61e7650b6 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -5,6 +5,7 @@ import {
   fetchMcpPlaybookPermissions,
   updatePermission,
   fetchPermissionSubjects,
+  MCP_SETTINGS_PERMISSION_SOURCE,
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
@@ -110,7 +111,7 @@ export default function McpPlaybooksPage() {
             permission.subject_type === EVERYONE_SUBJECT_TYPE &&
             permission.subject === EVERYONE_SUBJECT_ID &&
             permission.id &&
-            permission.source === "mcp_settings" &&
+            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
             permissionMatchesPlaybook(permission, playbook)
         );
 
@@ -152,7 +153,7 @@ export default function McpPlaybooksPage() {
           subject: EVERYONE_SUBJECT_ID,
           subject_type: EVERYONE_SUBJECT_TYPE,
           deny: targetDeny,
-          source: "mcp_settings",
+          source: MCP_SETTINGS_PERMISSION_SOURCE,
           created_by: user?.id!
         } as any);
       },
@@ -203,8 +204,7 @@ export default function McpPlaybooksPage() {
             (permission.subject_type === "person" ||
               permission.subject_type === "team" ||
               permission.subject_type === "group") &&
-            (permission.source === "mcp_settings" ||
-              permission.source === "UI") &&
+            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
             permissionMatchesPlaybook(permission, playbook)
         );
 
@@ -244,7 +244,7 @@ export default function McpPlaybooksPage() {
               subject: subject.id,
               subject_type: subjectType,
               deny: false,
-              source: "mcp_settings" as const,
+              source: MCP_SETTINGS_PERMISSION_SOURCE,
               created_by: user?.id
             };
           })
@@ -361,7 +361,8 @@ export default function McpPlaybooksPage() {
       if (
         permission.action !== "mcp:run" ||
         permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
-        permission.subject !== EVERYONE_SUBJECT_ID
+        permission.subject !== EVERYONE_SUBJECT_ID ||
+        permission.source !== MCP_SETTINGS_PERMISSION_SOURCE
       ) {
         continue;
       }
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index e34bfda690..4a1d0131c6 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -4,6 +4,7 @@ import {
   fetchMcpViewPermissions,
   updatePermission,
   fetchPermissionSubjects,
+  MCP_SETTINGS_PERMISSION_SOURCE,
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
 import { getAllViews, View } from "@flanksource-ui/api/services/views";
@@ -101,7 +102,7 @@ export default function McpViewsPage() {
             permission.subject_type === EVERYONE_SUBJECT_TYPE &&
             permission.subject === EVERYONE_SUBJECT_ID &&
             permission.id &&
-            permission.source === "mcp_settings" &&
+            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
             permissionMatchesView(permission, view)
         );
 
@@ -143,7 +144,7 @@ export default function McpViewsPage() {
           subject: EVERYONE_SUBJECT_ID,
           subject_type: EVERYONE_SUBJECT_TYPE,
           deny: targetDeny,
-          source: "mcp_settings",
+          source: MCP_SETTINGS_PERMISSION_SOURCE,
           created_by: user?.id!
         } as any);
       },
@@ -194,8 +195,7 @@ export default function McpViewsPage() {
             (permission.subject_type === "person" ||
               permission.subject_type === "team" ||
               permission.subject_type === "group") &&
-            (permission.source === "mcp_settings" ||
-              permission.source === "UI") &&
+            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
             permissionMatchesView(permission, view)
         );
 
@@ -233,7 +233,7 @@ export default function McpViewsPage() {
               subject: subject.id,
               subject_type: subjectType,
               deny: false,
-              source: "mcp_settings" as const,
+              source: MCP_SETTINGS_PERMISSION_SOURCE,
               created_by: user?.id
             };
           })
@@ -338,7 +338,8 @@ export default function McpViewsPage() {
       if (
         permission.action !== "mcp:run" ||
         permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
-        permission.subject !== EVERYONE_SUBJECT_ID
+        permission.subject !== EVERYONE_SUBJECT_ID ||
+        permission.source !== MCP_SETTINGS_PERMISSION_SOURCE
       ) {
         continue;
       }

From 52b637a751dd3406140c238f54bc12943bb4617a Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 21:41:38 +0545
Subject: [PATCH 09/48] fix(mcp): resolve ambiguous view-name permission
 matching

---
 src/pages/Settings/mcp/McpViewsPage.tsx | 87 +++++++++++++++++++------
 1 file changed, 66 insertions(+), 21 deletions(-)

diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 4a1d0131c6..1f6cbb52a0 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -44,6 +44,25 @@ function permissionMatchesView(permission: PermissionsSummary, view: View) {
   });
 }
 
+function resolveViewsForRef(
+  viewRef: { name?: string; namespace?: string },
+  viewsByNamespacedRef: Map<string, View>,
+  viewsByName: Map<string, View[]>
+) {
+  if (!viewRef?.name) {
+    return [];
+  }
+
+  if (viewRef.namespace) {
+    const matchedView = viewsByNamespacedRef.get(
+      `${viewRef.namespace}/${viewRef.name}`
+    );
+    return matchedView ? [matchedView] : [];
+  }
+
+  return viewsByName.get(viewRef.name) ?? [];
+}
+
 export default function McpViewsPage() {
   const { user } = useUser();
   const [selectedViewId, setSelectedViewId] = useState<string | null>(null);
@@ -304,27 +323,35 @@ export default function McpViewsPage() {
         continue;
       }
 
+      const assignedViewIds = new Set<string>();
+
       for (const viewRef of viewRefs) {
-        const matchedView = viewRef.namespace
-          ? viewsByNamespacedRef.get(`${viewRef.namespace}/${viewRef.name}`)
-          : viewsByName.get(viewRef.name)?.[0];
+        const matchedViews = resolveViewsForRef(
+          viewRef,
+          viewsByNamespacedRef,
+          viewsByName
+        );
 
-        if (!matchedView) {
-          continue;
-        }
+        for (const matchedView of matchedViews) {
+          if (assignedViewIds.has(matchedView.id)) {
+            continue;
+          }
 
-        const current = map.get(matchedView.id) ?? { users: [], groups: [] };
+          assignedViewIds.add(matchedView.id);
 
-        if (permission.subject_type === "person") {
-          current.users.push(permission);
-        } else if (
-          permission.subject_type === "team" ||
-          permission.subject_type === "group"
-        ) {
-          current.groups.push(permission);
-        }
+          const current = map.get(matchedView.id) ?? { users: [], groups: [] };
+
+          if (permission.subject_type === "person") {
+            current.users.push(permission);
+          } else if (
+            permission.subject_type === "team" ||
+            permission.subject_type === "group"
+          ) {
+            current.groups.push(permission);
+          }
 
-        map.set(matchedView.id, current);
+          map.set(matchedView.id, current);
+        }
       }
     }
 
@@ -334,6 +361,17 @@ export default function McpViewsPage() {
   const globalOverrideByView = useMemo(() => {
     const map = new Map<string, "allow" | "none" | "deny">();
 
+    const viewsByNamespacedRef = new Map<string, View>();
+    const viewsByName = new Map<string, View[]>();
+
+    for (const view of views) {
+      viewsByNamespacedRef.set(`${view.namespace || ""}/${view.name}`, view);
+
+      const existingViews = viewsByName.get(view.name) ?? [];
+      existingViews.push(view);
+      viewsByName.set(view.name, existingViews);
+    }
+
     for (const permission of viewPermissions) {
       if (
         permission.action !== "mcp:run" ||
@@ -345,14 +383,21 @@ export default function McpViewsPage() {
       }
 
       const viewRefs = permission.object_selector?.views ?? [];
+      const assignedViewIds = new Set<string>();
+
       for (const viewRef of viewRefs) {
-        const view = views.find(
-          (v) =>
-            v.name === viewRef.name &&
-            (viewRef.namespace ? v.namespace === viewRef.namespace : true)
+        const matchedViews = resolveViewsForRef(
+          viewRef,
+          viewsByNamespacedRef,
+          viewsByName
         );
 
-        if (view) {
+        for (const view of matchedViews) {
+          if (assignedViewIds.has(view.id)) {
+            continue;
+          }
+
+          assignedViewIds.add(view.id);
           map.set(view.id, permission.deny === true ? "deny" : "allow");
         }
       }

From 3a3d0d7ee32602aa8ce41b41ce509f3f203e375b Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 6 Apr 2026 22:04:09 +0545
Subject: [PATCH 10/48] chore: refactor access card -> permission matching

---
 .../permissions/mcpPermissionCardMappings.ts  | 183 +++++++++++++++++
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   | 165 +++------------
 src/pages/Settings/mcp/McpViewsPage.tsx       | 188 +++---------------
 3 files changed, 237 insertions(+), 299 deletions(-)
 create mode 100644 src/lib/permissions/mcpPermissionCardMappings.ts

diff --git a/src/lib/permissions/mcpPermissionCardMappings.ts b/src/lib/permissions/mcpPermissionCardMappings.ts
new file mode 100644
index 0000000000..984805becb
--- /dev/null
+++ b/src/lib/permissions/mcpPermissionCardMappings.ts
@@ -0,0 +1,183 @@
+import {
+  PermissionSubject,
+  MCP_SETTINGS_PERMISSION_SOURCE
+} from "@flanksource-ui/api/services/permissions";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+
+export type NamespacedResource = {
+  id: string;
+  name: string;
+  namespace?: string;
+};
+
+export type NamespacedRef = {
+  name?: string;
+  namespace?: string;
+};
+
+export type PermissionBuckets = {
+  users: PermissionsSummary[];
+  groups: PermissionsSummary[];
+};
+
+export function buildSubjectLookup(subjects: PermissionSubject[]) {
+  return Object.fromEntries(
+    subjects.map((subject) => [
+      subject.id,
+      { name: subject.name, type: subject.type }
+    ])
+  );
+}
+
+export function permissionMatchesResource<TResource extends NamespacedResource>(
+  permission: PermissionsSummary,
+  resource: TResource,
+  getRefs: (permission: PermissionsSummary) => NamespacedRef[]
+) {
+  const refs = getRefs(permission);
+
+  return refs.some((ref) => {
+    if (!ref?.name) {
+      return false;
+    }
+
+    if (ref.namespace) {
+      return ref.namespace === resource.namespace && ref.name === resource.name;
+    }
+
+    return ref.name === resource.name;
+  });
+}
+
+function createResourceIndexes<TResource extends NamespacedResource>(
+  resources: TResource[]
+) {
+  const byNamespacedRef = new Map<string, TResource>();
+  const byName = new Map<string, TResource[]>();
+
+  for (const resource of resources) {
+    byNamespacedRef.set(
+      `${resource.namespace || ""}/${resource.name}`,
+      resource
+    );
+
+    const existing = byName.get(resource.name) ?? [];
+    existing.push(resource);
+    byName.set(resource.name, existing);
+  }
+
+  return { byNamespacedRef, byName };
+}
+
+function resolveResourcesForRef<TResource extends NamespacedResource>(
+  ref: NamespacedRef,
+  indexes: ReturnType<typeof createResourceIndexes<TResource>>
+) {
+  if (!ref?.name) {
+    return [];
+  }
+
+  if (ref.namespace) {
+    const matched = indexes.byNamespacedRef.get(`${ref.namespace}/${ref.name}`);
+    return matched ? [matched] : [];
+  }
+
+  return indexes.byName.get(ref.name) ?? [];
+}
+
+export function buildPermissionAccessCardMaps<
+  TResource extends NamespacedResource
+>({
+  resources,
+  permissions,
+  getRefs,
+  action = "mcp:run",
+  source = MCP_SETTINGS_PERMISSION_SOURCE,
+  everyoneSubjectId = "everyone",
+  everyoneSubjectType = "group"
+}: {
+  resources: TResource[];
+  permissions: PermissionsSummary[];
+  getRefs: (permission: PermissionsSummary) => NamespacedRef[];
+  action?: string;
+  source?: string;
+  everyoneSubjectId?: string;
+  everyoneSubjectType?: string;
+}) {
+  const permissionsByResource = new Map<string, PermissionBuckets>();
+  const globalOverrideByResource = new Map<string, "allow" | "none" | "deny">();
+
+  const indexes = createResourceIndexes(resources);
+
+  for (const permission of permissions) {
+    const refs = getRefs(permission);
+    if (refs.length === 0) {
+      continue;
+    }
+
+    const matchedResources: TResource[] = [];
+    const matchedIds = new Set<string>();
+
+    for (const ref of refs) {
+      const resourcesForRef = resolveResourcesForRef(ref, indexes);
+      for (const resource of resourcesForRef) {
+        if (matchedIds.has(resource.id)) {
+          continue;
+        }
+        matchedIds.add(resource.id);
+        matchedResources.push(resource);
+      }
+    }
+
+    if (matchedResources.length === 0) {
+      continue;
+    }
+
+    const isGlobalOverride =
+      permission.action === action &&
+      permission.subject_type === everyoneSubjectType &&
+      permission.subject === everyoneSubjectId &&
+      permission.source === source;
+
+    if (isGlobalOverride) {
+      for (const resource of matchedResources) {
+        globalOverrideByResource.set(
+          resource.id,
+          permission.deny === true ? "deny" : "allow"
+        );
+      }
+      continue;
+    }
+
+    if (
+      permission.deny === true ||
+      (permission.subject_type === everyoneSubjectType &&
+        permission.subject === everyoneSubjectId)
+    ) {
+      continue;
+    }
+
+    for (const resource of matchedResources) {
+      const current = permissionsByResource.get(resource.id) ?? {
+        users: [],
+        groups: []
+      };
+
+      if (permission.subject_type === "person") {
+        current.users.push(permission);
+      } else if (
+        permission.subject_type === "team" ||
+        permission.subject_type === "group"
+      ) {
+        current.groups.push(permission);
+      }
+
+      permissionsByResource.set(resource.id, current);
+    }
+  }
+
+  return {
+    permissionsByResource,
+    globalOverrideByResource
+  };
+}
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index c61e7650b6..24e639ccf5 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -10,6 +10,11 @@ import {
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import { PlaybookNames } from "@flanksource-ui/api/types/playbooks";
+import {
+  buildPermissionAccessCardMaps,
+  buildSubjectLookup,
+  permissionMatchesResource
+} from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
 import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
 import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
@@ -21,34 +26,17 @@ import { useUser } from "@flanksource-ui/context";
 import { useMutation, useQuery } from "@tanstack/react-query";
 import { useMemo, useState } from "react";
 
-type PermissionBuckets = {
-  users: PermissionsSummary[];
-  groups: PermissionsSummary[];
-};
-
 const EVERYONE_SUBJECT_ID = "everyone";
 const EVERYONE_SUBJECT_TYPE = "group";
 
+const getPlaybookRefs = (permission: PermissionsSummary) =>
+  permission.object_selector?.playbooks ?? [];
+
 function permissionMatchesPlaybook(
   permission: PermissionsSummary,
   playbook: PlaybookNames
 ) {
-  const playbookRefs = permission.object_selector?.playbooks ?? [];
-
-  return playbookRefs.some((playbookRef) => {
-    if (!playbookRef?.name) {
-      return false;
-    }
-
-    if (playbookRef.namespace) {
-      return (
-        playbookRef.namespace === playbook.namespace &&
-        playbookRef.name === playbook.name
-      );
-    }
-
-    return playbookRef.name === playbook.name;
-  });
+  return permissionMatchesResource(permission, playbook, getPlaybookRefs);
 }
 
 export default function McpPlaybooksPage() {
@@ -85,14 +73,10 @@ export default function McpPlaybooksPage() {
     queryFn: fetchPermissionSubjects
   });
 
-  const subjectLookup = useMemo(() => {
-    return Object.fromEntries(
-      permissionSubjects.map((subject) => [
-        subject.id,
-        { name: subject.name, type: subject.type }
-      ])
-    );
-  }, [permissionSubjects]);
+  const subjectLookup = useMemo(
+    () => buildSubjectLookup(permissionSubjects),
+    [permissionSubjects]
+  );
 
   const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
     useMutation({
@@ -284,113 +268,18 @@ export default function McpPlaybooksPage() {
       }
     });
 
-  const permissionsByPlaybook = useMemo(() => {
-    const map = new Map<string, PermissionBuckets>();
-
-    const playbooksByNamespacedRef = new Map<string, PlaybookNames>();
-    const playbooksByName = new Map<string, PlaybookNames[]>();
-
-    for (const playbook of playbooks) {
-      playbooksByNamespacedRef.set(
-        `${playbook.namespace || ""}/${playbook.name}`,
-        playbook
-      );
-
-      const existingPlaybooks = playbooksByName.get(playbook.name) ?? [];
-      existingPlaybooks.push(playbook);
-      playbooksByName.set(playbook.name, existingPlaybooks);
-    }
-
-    for (const permission of playbookPermissions) {
-      if (permission.deny === true) {
-        continue;
-      }
-
-      if (
-        permission.subject_type === EVERYONE_SUBJECT_TYPE &&
-        permission.subject === EVERYONE_SUBJECT_ID
-      ) {
-        continue;
-      }
-
-      const playbookRefs = permission.object_selector?.playbooks ?? [];
-      if (playbookRefs.length === 0) {
-        continue;
-      }
-
-      for (const playbookRef of playbookRefs) {
-        if (!playbookRef.name) {
-          continue;
-        }
-
-        const matchedPlaybook = playbookRef.namespace
-          ? playbooksByNamespacedRef.get(
-              `${playbookRef.namespace}/${playbookRef.name}`
-            )
-          : playbooksByName.get(playbookRef.name)?.[0];
-
-        if (!matchedPlaybook) {
-          continue;
-        }
-
-        const current = map.get(matchedPlaybook.id) ?? {
-          users: [],
-          groups: []
-        };
-
-        if (permission.subject_type === "person") {
-          current.users.push(permission);
-        } else if (
-          permission.subject_type === "team" ||
-          permission.subject_type === "group"
-        ) {
-          current.groups.push(permission);
-        }
-
-        map.set(matchedPlaybook.id, current);
-      }
-    }
-
-    return map;
-  }, [playbookPermissions, playbooks]);
-
-  const globalOverrideByPlaybook = useMemo(() => {
-    const map = new Map<string, "allow" | "none" | "deny">();
-
-    for (const permission of playbookPermissions) {
-      if (
-        permission.action !== "mcp:run" ||
-        permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
-        permission.subject !== EVERYONE_SUBJECT_ID ||
-        permission.source !== MCP_SETTINGS_PERMISSION_SOURCE
-      ) {
-        continue;
-      }
-
-      const playbookRefs = permission.object_selector?.playbooks ?? [];
-
-      for (const playbookRef of playbookRefs) {
-        if (!playbookRef.name) {
-          continue;
-        }
-
-        const playbook = playbooks.find(
-          (p) =>
-            p.name === playbookRef.name &&
-            (playbookRef.namespace
-              ? p.namespace === playbookRef.namespace
-              : true)
-        );
-
-        if (playbook) {
-          map.set(playbook.id, permission.deny === true ? "deny" : "allow");
-        }
-      }
-    }
-
-    return map;
-  }, [playbookPermissions, playbooks]);
-
+  const { permissionsByResource, globalOverrideByResource } = useMemo(
+    () =>
+      buildPermissionAccessCardMaps({
+        resources: playbooks,
+        permissions: playbookPermissions,
+        getRefs: getPlaybookRefs,
+        source: MCP_SETTINGS_PERMISSION_SOURCE,
+        everyoneSubjectId: EVERYONE_SUBJECT_ID,
+        everyoneSubjectType: EVERYONE_SUBJECT_TYPE
+      }),
+    [playbookPermissions, playbooks]
+  );
   const selectedPlaybook = useMemo(() => {
     return playbooks.find((playbook) => playbook.id === selectedPlaybookId);
   }, [playbooks, selectedPlaybookId]);
@@ -424,7 +313,7 @@ export default function McpPlaybooksPage() {
 
         <div className="grid min-h-0 flex-1 grid-cols-1 content-start gap-3 overflow-y-auto">
           {playbooks.map((playbook) => {
-            const permissions = permissionsByPlaybook.get(playbook.id) ?? {
+            const permissions = permissionsByResource.get(playbook.id) ?? {
               users: [],
               groups: []
             };
@@ -442,7 +331,7 @@ export default function McpPlaybooksPage() {
                 groups={permissions.groups}
                 subjectLookup={subjectLookup}
                 globalOverride={
-                  globalOverrideByPlaybook.get(playbook.id) ?? "none"
+                  globalOverrideByResource.get(playbook.id) ?? "none"
                 }
                 isMutating={mutatingPlaybookId === playbook.id}
                 onGlobalOverrideChange={(override) => {
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 1f6cbb52a0..720ee3f775 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -9,6 +9,11 @@ import {
 } from "@flanksource-ui/api/services/permissions";
 import { getAllViews, View } from "@flanksource-ui/api/services/views";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import {
+  buildPermissionAccessCardMaps,
+  buildSubjectLookup,
+  permissionMatchesResource
+} from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
 import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
@@ -20,47 +25,14 @@ import { useUser } from "@flanksource-ui/context";
 import { useMutation, useQuery } from "@tanstack/react-query";
 import { useMemo, useState } from "react";
 
-type PermissionBuckets = {
-  users: PermissionsSummary[];
-  groups: PermissionsSummary[];
-};
-
 const EVERYONE_SUBJECT_ID = "everyone";
 const EVERYONE_SUBJECT_TYPE = "group";
 
-function permissionMatchesView(permission: PermissionsSummary, view: View) {
-  const viewRefs = permission.object_selector?.views ?? [];
-
-  return viewRefs.some((viewRef) => {
-    if (!viewRef.name) {
-      return false;
-    }
+const getViewRefs = (permission: PermissionsSummary) =>
+  permission.object_selector?.views ?? [];
 
-    if (viewRef.namespace) {
-      return viewRef.namespace === view.namespace && viewRef.name === view.name;
-    }
-
-    return viewRef.name === view.name;
-  });
-}
-
-function resolveViewsForRef(
-  viewRef: { name?: string; namespace?: string },
-  viewsByNamespacedRef: Map<string, View>,
-  viewsByName: Map<string, View[]>
-) {
-  if (!viewRef?.name) {
-    return [];
-  }
-
-  if (viewRef.namespace) {
-    const matchedView = viewsByNamespacedRef.get(
-      `${viewRef.namespace}/${viewRef.name}`
-    );
-    return matchedView ? [matchedView] : [];
-  }
-
-  return viewsByName.get(viewRef.name) ?? [];
+function permissionMatchesView(permission: PermissionsSummary, view: View) {
+  return permissionMatchesResource(permission, view, getViewRefs);
 }
 
 export default function McpViewsPage() {
@@ -95,14 +67,10 @@ export default function McpViewsPage() {
     queryFn: fetchPermissionSubjects
   });
 
-  const subjectLookup = useMemo(() => {
-    return Object.fromEntries(
-      permissionSubjects.map((subject) => [
-        subject.id,
-        { name: subject.name, type: subject.type }
-      ])
-    );
-  }, [permissionSubjects]);
+  const subjectLookup = useMemo(
+    () => buildSubjectLookup(permissionSubjects),
+    [permissionSubjects]
+  );
 
   const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
     useMutation({
@@ -292,120 +260,18 @@ export default function McpViewsPage() {
       }
     });
 
-  const permissionsByView = useMemo(() => {
-    const map = new Map<string, PermissionBuckets>();
-
-    const viewsByNamespacedRef = new Map<string, View>();
-    const viewsByName = new Map<string, View[]>();
-
-    for (const view of views) {
-      viewsByNamespacedRef.set(`${view.namespace || ""}/${view.name}`, view);
-
-      const existingViews = viewsByName.get(view.name) ?? [];
-      existingViews.push(view);
-      viewsByName.set(view.name, existingViews);
-    }
-
-    for (const permission of viewPermissions) {
-      if (permission.deny === true) {
-        continue;
-      }
-
-      if (
-        permission.subject_type === EVERYONE_SUBJECT_TYPE &&
-        permission.subject === EVERYONE_SUBJECT_ID
-      ) {
-        continue;
-      }
-
-      const viewRefs = permission.object_selector?.views ?? [];
-      if (viewRefs.length === 0) {
-        continue;
-      }
-
-      const assignedViewIds = new Set<string>();
-
-      for (const viewRef of viewRefs) {
-        const matchedViews = resolveViewsForRef(
-          viewRef,
-          viewsByNamespacedRef,
-          viewsByName
-        );
-
-        for (const matchedView of matchedViews) {
-          if (assignedViewIds.has(matchedView.id)) {
-            continue;
-          }
-
-          assignedViewIds.add(matchedView.id);
-
-          const current = map.get(matchedView.id) ?? { users: [], groups: [] };
-
-          if (permission.subject_type === "person") {
-            current.users.push(permission);
-          } else if (
-            permission.subject_type === "team" ||
-            permission.subject_type === "group"
-          ) {
-            current.groups.push(permission);
-          }
-
-          map.set(matchedView.id, current);
-        }
-      }
-    }
-
-    return map;
-  }, [viewPermissions, views]);
-
-  const globalOverrideByView = useMemo(() => {
-    const map = new Map<string, "allow" | "none" | "deny">();
-
-    const viewsByNamespacedRef = new Map<string, View>();
-    const viewsByName = new Map<string, View[]>();
-
-    for (const view of views) {
-      viewsByNamespacedRef.set(`${view.namespace || ""}/${view.name}`, view);
-
-      const existingViews = viewsByName.get(view.name) ?? [];
-      existingViews.push(view);
-      viewsByName.set(view.name, existingViews);
-    }
-
-    for (const permission of viewPermissions) {
-      if (
-        permission.action !== "mcp:run" ||
-        permission.subject_type !== EVERYONE_SUBJECT_TYPE ||
-        permission.subject !== EVERYONE_SUBJECT_ID ||
-        permission.source !== MCP_SETTINGS_PERMISSION_SOURCE
-      ) {
-        continue;
-      }
-
-      const viewRefs = permission.object_selector?.views ?? [];
-      const assignedViewIds = new Set<string>();
-
-      for (const viewRef of viewRefs) {
-        const matchedViews = resolveViewsForRef(
-          viewRef,
-          viewsByNamespacedRef,
-          viewsByName
-        );
-
-        for (const view of matchedViews) {
-          if (assignedViewIds.has(view.id)) {
-            continue;
-          }
-
-          assignedViewIds.add(view.id);
-          map.set(view.id, permission.deny === true ? "deny" : "allow");
-        }
-      }
-    }
-
-    return map;
-  }, [viewPermissions, views]);
-
+  const { permissionsByResource, globalOverrideByResource } = useMemo(
+    () =>
+      buildPermissionAccessCardMaps({
+        resources: views,
+        permissions: viewPermissions,
+        getRefs: getViewRefs,
+        source: MCP_SETTINGS_PERMISSION_SOURCE,
+        everyoneSubjectId: EVERYONE_SUBJECT_ID,
+        everyoneSubjectType: EVERYONE_SUBJECT_TYPE
+      }),
+    [viewPermissions, views]
+  );
   const selectedView = useMemo(() => {
     return views.find((view) => view.id === selectedViewId);
   }, [selectedViewId, views]);
@@ -439,7 +305,7 @@ export default function McpViewsPage() {
 
         <div className="grid min-h-0 flex-1 content-start gap-3 overflow-y-auto [grid-template-columns:repeat(auto-fit,minmax(460px,1fr))]">
           {views.map((view) => {
-            const permissions = permissionsByView.get(view.id) ?? {
+            const permissions = permissionsByResource.get(view.id) ?? {
               users: [],
               groups: []
             };
@@ -456,7 +322,7 @@ export default function McpViewsPage() {
                 users={permissions.users}
                 groups={permissions.groups}
                 subjectLookup={subjectLookup}
-                globalOverride={globalOverrideByView.get(view.id) ?? "none"}
+                globalOverride={globalOverrideByResource.get(view.id) ?? "none"}
                 isMutating={mutatingViewId === view.id}
                 onGlobalOverrideChange={(override) => {
                   setMutatingViewId(view.id);

From 7e321fa6c02f1e18abeb13f9be63d8770698b94f Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 08:57:43 +0545
Subject: [PATCH 11/48] fix(mcp): centralize tab-body loading and avoid blank
 switch

---
 src/App.tsx                                 | 15 +++------------
 src/components/MCP/McpTabsLinks.tsx         | 15 +++++++++++++--
 src/pages/Settings/mcp/McpOverviewPage.tsx  |  5 +++++
 src/pages/Settings/mcp/McpPlaybooksPage.tsx |  5 +++++
 src/pages/Settings/mcp/McpViewsPage.tsx     |  5 +++++
 5 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/src/App.tsx b/src/App.tsx
index b7b5efa31c..54fa2c1a96 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -47,6 +47,9 @@ import { UserAccessStateContextProvider } from "./context/UserAccessContext/User
 import { tables } from "./context/UserAccessContext/permissions";
 
 import { PermissionsPage } from "./pages/Settings/PermissionsPage";
+import McpOverviewPage from "./pages/Settings/mcp/McpOverviewPage";
+import McpPlaybooksPage from "./pages/Settings/mcp/McpPlaybooksPage";
+import McpViewsPage from "./pages/Settings/mcp/McpViewsPage";
 import ScopesPage from "./pages/Settings/ScopesPage";
 import { features } from "./services/permissions/features";
 import { getViewsForSidebar, ViewSummary } from "./api/services/views";
@@ -210,18 +213,6 @@ const NotificationsSilencedPage = dynamic(
     )
 );
 
-const McpOverviewPage = dynamic(
-  () => import("@flanksource-ui/pages/Settings/mcp/McpOverviewPage")
-);
-
-const McpPlaybooksPage = dynamic(
-  () => import("@flanksource-ui/pages/Settings/mcp/McpPlaybooksPage")
-);
-
-const McpViewsPage = dynamic(
-  () => import("@flanksource-ui/pages/Settings/mcp/McpViewsPage")
-);
-
 const UsersPage = dynamic(() =>
   import("@flanksource-ui/pages/UsersPage").then((m) => m.UsersPage)
 );
diff --git a/src/components/MCP/McpTabsLinks.tsx b/src/components/MCP/McpTabsLinks.tsx
index 6c9b6e3762..85a4a06395 100644
--- a/src/components/MCP/McpTabsLinks.tsx
+++ b/src/components/MCP/McpTabsLinks.tsx
@@ -5,6 +5,7 @@ import {
 } from "@flanksource-ui/ui/BreadcrumbNav";
 import { Head } from "@flanksource-ui/ui/Head";
 import { SearchLayout } from "@flanksource-ui/ui/Layout/SearchLayout";
+import { Loading } from "@flanksource-ui/ui/Loading";
 import TabbedLinks from "@flanksource-ui/ui/Tabs/TabbedLinks";
 import clsx from "clsx";
 import { useMemo } from "react";
@@ -18,6 +19,8 @@ type McpTabsLinksProps = {
   className?: string;
   onRefresh?: () => void;
   loading?: boolean;
+  isInitialLoading?: boolean;
+  loadingText?: string;
 };
 
 export default function McpTabsLinks({
@@ -25,7 +28,9 @@ export default function McpTabsLinks({
   children,
   className,
   onRefresh = () => {},
-  loading = false
+  loading = false,
+  isInitialLoading = false,
+  loadingText = "Loading..."
 }: McpTabsLinksProps) {
   const [searchParams] = useSearchParams();
 
@@ -83,7 +88,13 @@ export default function McpTabsLinks({
                 className
               )}
             >
-              <ErrorBoundary>{children}</ErrorBoundary>
+              <ErrorBoundary>
+                {isInitialLoading ? (
+                  <Loading className="h-full w-full py-8" text={loadingText} />
+                ) : (
+                  children
+                )}
+              </ErrorBoundary>
             </TabbedLinks>
           </div>
           <ConfigSidebar />
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 238af58f4b..1c8255493c 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -152,10 +152,15 @@ export default function McpOverviewPage() {
     isPermissionsRefetching ||
     isUpdatingUserAccess;
 
+  const isInitialLoading =
+    (isUsersLoading || isPermissionsLoading) && subjects.length === 0;
+
   return (
     <McpTabsLinks
       activeTab="Overview"
       loading={loading}
+      isInitialLoading={isInitialLoading}
+      loadingText="Loading MCP subjects..."
       onRefresh={() => {
         refetchUsers();
         refetchPermissions();
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 24e639ccf5..0db14fb4fa 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -292,10 +292,15 @@ export default function McpPlaybooksPage() {
     isUpdatingGlobalOverride ||
     isAllowingSelective;
 
+  const isInitialLoading =
+    (isPlaybooksLoading || isPermissionsLoading) && playbooks.length === 0;
+
   return (
     <McpTabsLinks
       activeTab="Playbooks"
       loading={loading}
+      isInitialLoading={isInitialLoading}
+      loadingText="Loading MCP playbooks..."
       onRefresh={() => {
         refetchPlaybooks();
         refetchPermissions();
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 720ee3f775..fb70423191 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -284,10 +284,15 @@ export default function McpViewsPage() {
     isUpdatingGlobalOverride ||
     isAllowingSelective;
 
+  const isInitialLoading =
+    (isViewsLoading || isPermissionsLoading) && views.length === 0;
+
   return (
     <McpTabsLinks
       activeTab="Views"
       loading={loading}
+      isInitialLoading={isInitialLoading}
+      loadingText="Loading MCP views..."
       onRefresh={() => {
         refetchViews();
         refetchPermissions();

From 47c229278772ed4d4e6af498fde7569970cd6d1f Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 09:42:18 +0545
Subject: [PATCH 12/48] fix(mcp): cap card subjects and scope queries to mcp
 source

---
 src/api/services/permissions.ts               |   6 +-
 .../Permissions/PermissionAccessCard.tsx      |  36 +++-
 .../Permissions/SubjectSelectorModal.tsx      | 189 +++++++++++-------
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |  34 ++++
 src/pages/Settings/mcp/McpViewsPage.tsx       |  34 +++-
 5 files changed, 219 insertions(+), 80 deletions(-)

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 2656a9f378..ed99ecb1e6 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -161,7 +161,7 @@ export const MCP_SETTINGS_PERMISSION_SOURCE = "mcp_settings" as const;
 
 export async function fetchMcpPlaybookPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
-    "/permissions_summary?select=*&action=eq.mcp:run&deleted_at=is.null&limit=5000"
+    `/permissions_summary?select=*&action=eq.mcp:run&source=eq.${MCP_SETTINGS_PERMISSION_SOURCE}&deleted_at=is.null&limit=5000`
   );
 
   return response.data ?? [];
@@ -169,7 +169,7 @@ export async function fetchMcpPlaybookPermissions() {
 
 export async function fetchMcpViewPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
-    "/permissions_summary?select=*&action=eq.mcp:run&deleted_at=is.null&limit=5000"
+    `/permissions_summary?select=*&action=eq.mcp:run&source=eq.${MCP_SETTINGS_PERMISSION_SOURCE}&deleted_at=is.null&limit=5000`
   );
 
   return response.data ?? [];
@@ -177,7 +177,7 @@ export async function fetchMcpViewPermissions() {
 
 export async function fetchMcpUserPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
-    "/permissions_summary?select=*&action=eq.mcp:use&object=eq.mcp&deleted_at=is.null&limit=5000"
+    `/permissions_summary?select=*&action=eq.mcp:use&object=eq.mcp&source=eq.${MCP_SETTINGS_PERMISSION_SOURCE}&deleted_at=is.null&limit=5000`
   );
 
   return response.data ?? [];
diff --git a/src/components/Permissions/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
index a02fb77e53..8b798a024d 100644
--- a/src/components/Permissions/PermissionAccessCard.tsx
+++ b/src/components/Permissions/PermissionAccessCard.tsx
@@ -23,6 +23,7 @@ type PermissionAccessCardProps = {
   globalOverride?: "allow" | "none" | "deny";
   onGlobalOverrideChange: (value: "allow" | "none" | "deny") => void;
   onAllowSelective: () => void;
+  onViewSubjects?: () => void;
   isMutating?: boolean;
 };
 
@@ -119,8 +120,15 @@ export default function PermissionAccessCard({
   globalOverride = "none",
   onGlobalOverrideChange,
   onAllowSelective,
+  onViewSubjects,
   isMutating = false
 }: PermissionAccessCardProps) {
+  const maxVisiblePerSection = 2;
+  const visibleGroups = groups.slice(0, maxVisiblePerSection);
+  const visibleUsers = users.slice(0, maxVisiblePerSection);
+  const hiddenGroupsCount = Math.max(groups.length - maxVisiblePerSection, 0);
+  const hiddenUsersCount = Math.max(users.length - maxVisiblePerSection, 0);
+
   return (
     <Card className="rounded-xl border-gray-200 shadow-sm">
       <CardHeader className="p-4 pb-0">
@@ -187,7 +195,14 @@ export default function PermissionAccessCard({
         </div>
       </CardHeader>
 
-      <CardContent className="mt-4 border-t border-gray-200 p-4 pt-3">
+      <CardContent
+        className={`mt-4 border-t border-gray-200 p-4 pt-3 ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
+        onClick={() => {
+          if (globalOverride === "none") {
+            onViewSubjects?.();
+          }
+        }}
+      >
         {globalOverride !== "none" ? (
           <div className="rounded-md bg-gray-50 px-3 py-2 text-xs text-gray-500">
             {globalOverride === "allow"
@@ -202,13 +217,18 @@ export default function PermissionAccessCard({
               </div>
               {groups.length > 0 ? (
                 <div className="space-y-2">
-                  {groups.map((groupPermission, idx) => (
+                  {visibleGroups.map((groupPermission, idx) => (
                     <PermissionGroupItem
                       key={groupPermission.id || `group-${idx}`}
                       permission={groupPermission}
                       subjectLookup={subjectLookup}
                     />
                   ))}
+                  {hiddenGroupsCount > 0 ? (
+                    <div className="text-xs text-gray-500">
+                      and {hiddenGroupsCount} more
+                    </div>
+                  ) : null}
                 </div>
               ) : (
                 <div className="text-xs text-gray-500">
@@ -223,13 +243,18 @@ export default function PermissionAccessCard({
               </div>
               {users.length > 0 ? (
                 <div className="space-y-2">
-                  {users.map((userPermission, idx) => (
+                  {visibleUsers.map((userPermission, idx) => (
                     <PermissionUserItem
                       key={userPermission.id || `user-${idx}`}
                       permission={userPermission}
                       subjectLookup={subjectLookup}
                     />
                   ))}
+                  {hiddenUsersCount > 0 ? (
+                    <div className="text-xs text-gray-500">
+                      and {hiddenUsersCount} more
+                    </div>
+                  ) : null}
                 </div>
               ) : (
                 <div className="text-xs text-gray-500">
@@ -243,7 +268,10 @@ export default function PermissionAccessCard({
                 variant="outline"
                 size="sm"
                 className="h-8"
-                onClick={onAllowSelective}
+                onClick={(e) => {
+                  e.stopPropagation();
+                  onAllowSelective();
+                }}
                 disabled={isMutating}
               >
                 + Add user or group
diff --git a/src/components/Permissions/SubjectSelectorModal.tsx b/src/components/Permissions/SubjectSelectorModal.tsx
index 5f8ee86f0a..3374040fcd 100644
--- a/src/components/Permissions/SubjectSelectorModal.tsx
+++ b/src/components/Permissions/SubjectSelectorModal.tsx
@@ -35,9 +35,10 @@ type SubjectSelectorModalProps = {
   onOpenChange: (open: boolean) => void;
   title: string;
   description?: string;
-  onAllow: (selection: PermissionSubject[]) => Promise<void> | void;
+  onAllow?: (selection: PermissionSubject[]) => Promise<void> | void;
   preselectedSubjectIds?: string[];
   isSubmitting?: boolean;
+  mode?: "edit" | "readonly";
 };
 
 function SubjectIcon({ subject }: { subject: PermissionSubject }) {
@@ -64,7 +65,8 @@ export default function SubjectSelectorModal({
   description,
   onAllow,
   preselectedSubjectIds = [],
-  isSubmitting = false
+  isSubmitting = false,
+  mode = "edit"
 }: SubjectSelectorModalProps) {
   const [search, setSearch] = useState("");
   const [pageIndex, setPageIndex] = useState(0);
@@ -116,21 +118,24 @@ export default function SubjectSelectorModal({
   // Fetch full subject objects for every preselected ID so that
   // `selectedSubjects` is complete even when those subjects live on a
   // different page of results.
-  useQuery({
-    queryKey: ["permission-subjects-by-ids", preselectedSubjectIds],
-    queryFn: () => fetchPermissionSubjectsByIds(preselectedSubjectIds),
-    enabled: open && preselectedSubjectIds.length > 0,
-    staleTime: 60_000,
-    onSuccess: (data) => {
-      setSelectedSubjects((prev) => {
-        const next = { ...prev };
-        for (const subject of data) {
-          next[subject.id] = subject;
-        }
-        return next;
-      });
-    }
-  });
+  const shouldFetchSubjectsByIds = open && preselectedSubjectIds.length > 0;
+
+  const { data: subjectsByIds = [], isLoading: isSubjectsByIdsLoading } =
+    useQuery({
+      queryKey: ["permission-subjects-by-ids", preselectedSubjectIds],
+      queryFn: () => fetchPermissionSubjectsByIds(preselectedSubjectIds),
+      enabled: shouldFetchSubjectsByIds,
+      staleTime: 60_000,
+      onSuccess: (data) => {
+        setSelectedSubjects((prev) => {
+          const next = { ...prev };
+          for (const subject of data) {
+            next[subject.id] = subject;
+          }
+          return next;
+        });
+      }
+    });
 
   const debouncedSearch = useDebouncedValue(search, 300) ?? "";
 
@@ -152,15 +157,34 @@ export default function SubjectSelectorModal({
         pageIndex,
         pageSize: PAGE_SIZE
       }),
-    enabled: open
+    enabled: open && mode === "edit"
   });
 
   const subjects = useMemo(
     () => (data?.data ?? []) as PermissionSubject[],
     [data?.data]
   );
-  const totalEntries = data?.totalEntries ?? 0;
-  const pageCount = Math.ceil(totalEntries / PAGE_SIZE);
+  const readonlySubjects = useMemo(() => {
+    const normalizedSearch = debouncedSearch.trim().toLowerCase();
+
+    if (!normalizedSearch) {
+      return subjectsByIds;
+    }
+
+    return subjectsByIds.filter((subject) =>
+      subject.name.toLowerCase().includes(normalizedSearch)
+    );
+  }, [debouncedSearch, subjectsByIds]);
+
+  const displayedSubjects = mode === "readonly" ? readonlySubjects : subjects;
+  const totalEntries =
+    mode === "readonly" ? readonlySubjects.length : (data?.totalEntries ?? 0);
+  const pageCount =
+    mode === "readonly"
+      ? totalEntries > 0
+        ? 1
+        : 0
+      : Math.ceil(totalEntries / PAGE_SIZE);
 
   // Enrich selectedSubjects as new pages are loaded.
   useEffect(() => {
@@ -226,21 +250,27 @@ export default function SubjectSelectorModal({
         />
 
         <div className="min-h-0 flex-1 space-y-1 overflow-y-auto rounded-md border p-2">
-          {isLoading ? (
+          {mode === "readonly" &&
+          shouldFetchSubjectsByIds &&
+          isSubjectsByIdsLoading ? (
             <div className="p-2 text-sm text-gray-500">Loading...</div>
-          ) : subjects.length > 0 ? (
-            subjects.map((subject) => (
+          ) : mode === "edit" && isLoading ? (
+            <div className="p-2 text-sm text-gray-500">Loading...</div>
+          ) : displayedSubjects.length > 0 ? (
+            displayedSubjects.map((subject) => (
               <label
                 key={subject.id}
-                className="flex cursor-pointer items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+                className={`flex items-center justify-between rounded px-2 py-1.5 ${mode === "edit" ? "cursor-pointer hover:bg-gray-50" : ""}`}
               >
                 <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-                  <Checkbox
-                    checked={!!selectedIds[subject.id]}
-                    onCheckedChange={(checked) =>
-                      toggleSubject(subject, checked === true)
-                    }
-                  />
+                  {mode === "edit" ? (
+                    <Checkbox
+                      checked={!!selectedIds[subject.id]}
+                      onCheckedChange={(checked) =>
+                        toggleSubject(subject, checked === true)
+                      }
+                    />
+                  ) : null}
                   <SubjectIcon subject={subject} />
                   <div className="min-w-0 truncate text-sm font-medium text-gray-900">
                     {subject.name}
@@ -259,53 +289,68 @@ export default function SubjectSelectorModal({
           )}
         </div>
 
-        <div className="flex items-center justify-between text-xs text-gray-500">
-          <div>
-            Selected: {selectedCount} subject{selectedCount === 1 ? "" : "s"}
-          </div>
-          <div className="flex items-center gap-2">
-            <Button
-              type="button"
-              variant="outline"
-              size="sm"
-              disabled={pageIndex === 0}
-              onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
-            >
-              Previous
-            </Button>
-            <span>
-              Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
-            </span>
+        {mode === "edit" ? (
+          <>
+            <div className="flex items-center justify-between text-xs text-gray-500">
+              <div>
+                Selected: {selectedCount} subject
+                {selectedCount === 1 ? "" : "s"}
+              </div>
+              <div className="flex items-center gap-2">
+                <Button
+                  type="button"
+                  variant="outline"
+                  size="sm"
+                  disabled={pageIndex === 0}
+                  onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
+                >
+                  Previous
+                </Button>
+                <span>
+                  Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
+                </span>
+                <Button
+                  type="button"
+                  variant="outline"
+                  size="sm"
+                  disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
+                  onClick={() =>
+                    setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))
+                  }
+                >
+                  Next
+                </Button>
+              </div>
+            </div>
+
+            <DialogFooter>
+              <Button
+                type="button"
+                variant="outline"
+                onClick={() => onOpenChange(false)}
+              >
+                Cancel
+              </Button>
+              <Button
+                type="button"
+                disabled={!hasChanged || isSubmitting}
+                onClick={() => onAllow?.(Object.values(selectedSubjects))}
+              >
+                Apply
+              </Button>
+            </DialogFooter>
+          </>
+        ) : (
+          <DialogFooter>
             <Button
               type="button"
               variant="outline"
-              size="sm"
-              disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
-              onClick={() =>
-                setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))
-              }
+              onClick={() => onOpenChange(false)}
             >
-              Next
+              Close
             </Button>
-          </div>
-        </div>
-
-        <DialogFooter>
-          <Button
-            type="button"
-            variant="outline"
-            onClick={() => onOpenChange(false)}
-          >
-            Cancel
-          </Button>
-          <Button
-            type="button"
-            disabled={!hasChanged || isSubmitting}
-            onClick={() => onAllow(Object.values(selectedSubjects))}
-          >
-            Apply
-          </Button>
-        </DialogFooter>
+          </DialogFooter>
+        )}
       </DialogContent>
     </Dialog>
   );
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 0db14fb4fa..5a5f91361f 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -44,6 +44,7 @@ export default function McpPlaybooksPage() {
   const [selectedPlaybookId, setSelectedPlaybookId] = useState<string | null>(
     null
   );
+  const [viewerPlaybookId, setViewerPlaybookId] = useState<string | null>(null);
   const [mutatingPlaybookId, setMutatingPlaybookId] = useState<string | null>(
     null
   );
@@ -283,6 +284,9 @@ export default function McpPlaybooksPage() {
   const selectedPlaybook = useMemo(() => {
     return playbooks.find((playbook) => playbook.id === selectedPlaybookId);
   }, [playbooks, selectedPlaybookId]);
+  const viewerPlaybook = useMemo(() => {
+    return playbooks.find((playbook) => playbook.id === viewerPlaybookId);
+  }, [playbooks, viewerPlaybookId]);
 
   const loading =
     isPlaybooksLoading ||
@@ -353,6 +357,7 @@ export default function McpPlaybooksPage() {
                   );
                 }}
                 onAllowSelective={() => setSelectedPlaybookId(playbook.id)}
+                onViewSubjects={() => setViewerPlaybookId(playbook.id)}
               />
             );
           })}
@@ -375,6 +380,7 @@ export default function McpPlaybooksPage() {
                   (permission) =>
                     permission.deny !== true &&
                     permission.subject &&
+                    permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
                     (permission.subject_type === "person" ||
                       permission.subject_type === "team" ||
                       permission.subject_type === "group") &&
@@ -395,6 +401,34 @@ export default function McpPlaybooksPage() {
           });
         }}
       />
+
+      <SubjectSelectorModal
+        open={!!viewerPlaybook}
+        onOpenChange={(open) => {
+          if (!open) {
+            setViewerPlaybookId(null);
+          }
+        }}
+        mode="readonly"
+        title={`Allowed subjects: ${viewerPlaybook?.title || viewerPlaybook?.name || ""}`}
+        description="Browse users and groups that currently have MCP access for this playbook."
+        preselectedSubjectIds={
+          viewerPlaybook
+            ? (Array.from(
+                new Set([
+                  ...(permissionsByResource.get(viewerPlaybook.id)?.users ?? [])
+                    .map((permission) => permission.subject)
+                    .filter(Boolean),
+                  ...(
+                    permissionsByResource.get(viewerPlaybook.id)?.groups ?? []
+                  )
+                    .map((permission) => permission.subject)
+                    .filter(Boolean)
+                ])
+              ) as string[])
+            : []
+        }
+      />
     </McpTabsLinks>
   );
 }
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index fb70423191..084984276e 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -38,6 +38,7 @@ function permissionMatchesView(permission: PermissionsSummary, view: View) {
 export default function McpViewsPage() {
   const { user } = useUser();
   const [selectedViewId, setSelectedViewId] = useState<string | null>(null);
+  const [viewerViewId, setViewerViewId] = useState<string | null>(null);
   const [mutatingViewId, setMutatingViewId] = useState<string | null>(null);
 
   const {
@@ -50,7 +51,7 @@ export default function McpViewsPage() {
     queryFn: async () => getAllViews(undefined, 0, 1000)
   });
 
-  const views = viewsResponse?.data ?? [];
+  const views = useMemo(() => viewsResponse?.data ?? [], [viewsResponse?.data]);
 
   const {
     data: viewPermissions = [],
@@ -275,6 +276,9 @@ export default function McpViewsPage() {
   const selectedView = useMemo(() => {
     return views.find((view) => view.id === selectedViewId);
   }, [selectedViewId, views]);
+  const viewerView = useMemo(() => {
+    return views.find((view) => view.id === viewerViewId);
+  }, [viewerViewId, views]);
 
   const loading =
     isViewsLoading ||
@@ -343,6 +347,7 @@ export default function McpViewsPage() {
                   );
                 }}
                 onAllowSelective={() => setSelectedViewId(view.id)}
+                onViewSubjects={() => setViewerViewId(view.id)}
               />
             );
           })}
@@ -365,6 +370,7 @@ export default function McpViewsPage() {
                   (permission) =>
                     permission.deny !== true &&
                     permission.subject &&
+                    permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
                     (permission.subject_type === "person" ||
                       permission.subject_type === "team" ||
                       permission.subject_type === "group") &&
@@ -385,6 +391,32 @@ export default function McpViewsPage() {
           });
         }}
       />
+
+      <SubjectSelectorModal
+        open={!!viewerView}
+        onOpenChange={(open) => {
+          if (!open) {
+            setViewerViewId(null);
+          }
+        }}
+        mode="readonly"
+        title={`Allowed subjects: ${viewerView?.spec?.title || viewerView?.name || ""}`}
+        description="Browse users and groups that currently have MCP access for this view."
+        preselectedSubjectIds={
+          viewerView
+            ? (Array.from(
+                new Set([
+                  ...(permissionsByResource.get(viewerView.id)?.users ?? [])
+                    .map((permission) => permission.subject)
+                    .filter(Boolean),
+                  ...(permissionsByResource.get(viewerView.id)?.groups ?? [])
+                    .map((permission) => permission.subject)
+                    .filter(Boolean)
+                ])
+              ) as string[])
+            : []
+        }
+      />
     </McpTabsLinks>
   );
 }

From f1da0c9977996ffb5d60462002f0da3c71cc4fdf Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 10:52:50 +0545
Subject: [PATCH 13/48] feat(mcp): show effective access verdicts in subject
 viewer

---
 src/api/services/rbac.ts                      | 49 ++++++++++
 .../Permissions/SubjectSelectorModal.tsx      | 97 ++++++++++++++++++-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |  5 +
 3 files changed, 147 insertions(+), 4 deletions(-)

diff --git a/src/api/services/rbac.ts b/src/api/services/rbac.ts
index aa441a09d2..c63f061c0a 100644
--- a/src/api/services/rbac.ts
+++ b/src/api/services/rbac.ts
@@ -54,3 +54,52 @@ export async function getPermissions(id: string): Promise<Permission[]> {
   );
   return response.data.payload ?? [];
 }
+
+export type SubjectAccessReviewResource = {
+  playbook?: string;
+  [key: string]: string | undefined;
+};
+
+export type SubjectAccessReviewRequest = {
+  resource: SubjectAccessReviewResource;
+  action: "mcp:run";
+  subjects: string[];
+};
+
+export type SubjectAccessReviewMatchedPolicy = {
+  subject: string;
+  object: string;
+  action: string;
+  effect: "allow" | "deny";
+  condition?: string;
+  id?: string;
+};
+
+export type SubjectAccessReviewResult = {
+  subject: string;
+  allowed: boolean;
+  reason?: string;
+  trace?: {
+    allow_count: number;
+    deny_count: number;
+    matched_policies: SubjectAccessReviewMatchedPolicy[];
+  };
+  error?: string;
+};
+
+export type SubjectAccessReviewResponse = {
+  resource: SubjectAccessReviewResource;
+  action: "mcp:run";
+  results: SubjectAccessReviewResult[];
+};
+
+export async function reviewSubjectAccess(
+  payload: SubjectAccessReviewRequest
+): Promise<SubjectAccessReviewResponse> {
+  const response = await Rback.post<SubjectAccessReviewResponse>(
+    "/subject-access-reviews",
+    payload
+  );
+
+  return response.data;
+}
diff --git a/src/components/Permissions/SubjectSelectorModal.tsx b/src/components/Permissions/SubjectSelectorModal.tsx
index 3374040fcd..96b9cf6ffd 100644
--- a/src/components/Permissions/SubjectSelectorModal.tsx
+++ b/src/components/Permissions/SubjectSelectorModal.tsx
@@ -3,6 +3,11 @@ import {
   fetchPermissionSubjectsPaginated,
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
+import {
+  reviewSubjectAccess,
+  SubjectAccessReviewResource,
+  SubjectAccessReviewResult
+} from "@flanksource-ui/api/services/rbac";
 import { Badge } from "@flanksource-ui/components/ui/badge";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Checkbox } from "@flanksource-ui/components/ui/checkbox";
@@ -39,6 +44,10 @@ type SubjectSelectorModalProps = {
   preselectedSubjectIds?: string[];
   isSubmitting?: boolean;
   mode?: "edit" | "readonly";
+  accessReview?: {
+    resource: SubjectAccessReviewResource;
+    action: "mcp:run";
+  };
 };
 
 function SubjectIcon({ subject }: { subject: PermissionSubject }) {
@@ -66,7 +75,8 @@ export default function SubjectSelectorModal({
   onAllow,
   preselectedSubjectIds = [],
   isSubmitting = false,
-  mode = "edit"
+  mode = "edit",
+  accessReview
 }: SubjectSelectorModalProps) {
   const [search, setSearch] = useState("");
   const [pageIndex, setPageIndex] = useState(0);
@@ -177,6 +187,55 @@ export default function SubjectSelectorModal({
   }, [debouncedSearch, subjectsByIds]);
 
   const displayedSubjects = mode === "readonly" ? readonlySubjects : subjects;
+
+  const reviewedSubjectIds = useMemo(() => {
+    if (mode !== "readonly") {
+      return [] as string[];
+    }
+
+    return Array.from(new Set(preselectedSubjectIds));
+  }, [mode, preselectedSubjectIds]);
+
+  const shouldRunAccessReview =
+    open &&
+    mode === "readonly" &&
+    !!accessReview &&
+    reviewedSubjectIds.length > 0;
+
+  const accessReviewResourceKey = useMemo(
+    () => JSON.stringify(accessReview?.resource ?? {}),
+    [accessReview?.resource]
+  );
+
+  const { data: accessReviewResponse, isLoading: isAccessReviewLoading } =
+    useQuery({
+      queryKey: [
+        "mcp",
+        "subject-access-reviews",
+        accessReviewResourceKey,
+        accessReview?.action,
+        reviewedSubjectIds
+      ],
+      queryFn: async () =>
+        reviewSubjectAccess({
+          resource: accessReview!.resource,
+          action: accessReview!.action,
+          subjects: reviewedSubjectIds
+        }),
+      enabled: shouldRunAccessReview,
+      staleTime: 5_000,
+      cacheTime: 5_000
+    });
+
+  const accessReviewBySubject = useMemo(() => {
+    const map = new Map<string, SubjectAccessReviewResult>();
+
+    for (const result of accessReviewResponse?.results ?? []) {
+      map.set(result.subject, result);
+    }
+
+    return map;
+  }, [accessReviewResponse?.results]);
   const totalEntries =
     mode === "readonly" ? readonlySubjects.length : (data?.totalEntries ?? 0);
   const pageCount =
@@ -251,8 +310,8 @@ export default function SubjectSelectorModal({
 
         <div className="min-h-0 flex-1 space-y-1 overflow-y-auto rounded-md border p-2">
           {mode === "readonly" &&
-          shouldFetchSubjectsByIds &&
-          isSubjectsByIdsLoading ? (
+          ((shouldFetchSubjectsByIds && isSubjectsByIdsLoading) ||
+            (shouldRunAccessReview && isAccessReviewLoading)) ? (
             <div className="p-2 text-sm text-gray-500">Loading...</div>
           ) : mode === "edit" && isLoading ? (
             <div className="p-2 text-sm text-gray-500">Loading...</div>
@@ -277,10 +336,40 @@ export default function SubjectSelectorModal({
                   </div>
                 </div>
 
-                <div className="ml-2 flex shrink-0 items-center">
+                <div className="ml-2 flex shrink-0 items-center gap-2">
                   <Badge variant="outline" className="text-[10px] font-normal">
                     {TYPE_LABELS[subject.type] ?? subject.type}
                   </Badge>
+                  {mode === "readonly" && accessReview
+                    ? (() => {
+                        const review = accessReviewBySubject.get(subject.id);
+
+                        if (!review) {
+                          return (
+                            <Badge
+                              variant="outline"
+                              className="text-[10px] font-normal text-gray-500"
+                            >
+                              Unknown
+                            </Badge>
+                          );
+                        }
+
+                        return (
+                          <Badge
+                            variant="outline"
+                            title={review.reason || review.error || undefined}
+                            className={`text-[10px] font-semibold ${
+                              review.allowed
+                                ? "border-green-200 text-green-700"
+                                : "border-red-200 text-red-700"
+                            }`}
+                          >
+                            {review.allowed ? "Allowed" : "Denied"}
+                          </Badge>
+                        );
+                      })()
+                    : null}
                 </div>
               </label>
             ))
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 5a5f91361f..38c50deef8 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -410,6 +410,11 @@ export default function McpPlaybooksPage() {
           }
         }}
         mode="readonly"
+        accessReview={
+          viewerPlaybook
+            ? { resource: { playbook: viewerPlaybook.id }, action: "mcp:run" }
+            : undefined
+        }
         title={`Allowed subjects: ${viewerPlaybook?.title || viewerPlaybook?.name || ""}`}
         description="Browse users and groups that currently have MCP access for this playbook."
         preselectedSubjectIds={

From 6d366b177a6ef8ce7213049a967541935acfcf5e Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 18:21:43 +0545
Subject: [PATCH 14/48] modify subject selector access modal

---
 package-lock.json                             | 103 +++++-
 package.json                                  |   1 +
 src/api/services/permissions.ts               |   3 +-
 .../Permissions/SubjectSelectorModal.tsx      | 332 ++++++------------
 src/components/ui/switch.tsx                  |  27 ++
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |  41 +--
 src/pages/Settings/mcp/McpViewsPage.tsx       |  32 +-
 7 files changed, 249 insertions(+), 290 deletions(-)
 create mode 100644 src/components/ui/switch.tsx

diff --git a/package-lock.json b/package-lock.json
index 21ab7c45ee..35cc5d4b1e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6,7 +6,7 @@
   "packages": {
     "": {
       "name": "@flanksource/flanksource-ui",
-      "version": "1.4.218",
+      "version": "1.4.232",
       "dependencies": {
         "@ai-sdk/anthropic": "^3.0.1",
         "@ai-sdk/mcp": "^1.0.1",
@@ -40,6 +40,7 @@
         "@radix-ui/react-select": "^2.2.6",
         "@radix-ui/react-separator": "^1.1.8",
         "@radix-ui/react-slot": "^1.2.4",
+        "@radix-ui/react-switch": "^1.2.6",
         "@radix-ui/react-tooltip": "^1.2.8",
         "@radix-ui/react-use-controllable-state": "^1.2.2",
         "@storybook/client-api": "^7.6.17",
@@ -7655,6 +7656,106 @@
         }
       }
     },
+    "node_modules/@radix-ui/react-switch": {
+      "version": "1.2.6",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-switch/-/react-switch-1.2.6.tgz",
+      "integrity": "sha512-bByzr1+ep1zk4VubeEVViV592vu2lHE2BZY5OnzehZqOOgogN80+mNtCqPkhn2gklJqOpxWgPoYTSnhBCqpOXQ==",
+      "dependencies": {
+        "@radix-ui/primitive": "1.1.3",
+        "@radix-ui/react-compose-refs": "1.1.2",
+        "@radix-ui/react-context": "1.1.2",
+        "@radix-ui/react-primitive": "2.1.3",
+        "@radix-ui/react-use-controllable-state": "1.2.2",
+        "@radix-ui/react-use-previous": "1.1.1",
+        "@radix-ui/react-use-size": "1.1.1"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-switch/node_modules/@radix-ui/primitive": {
+      "version": "1.1.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/primitive/-/primitive-1.1.3.tgz",
+      "integrity": "sha512-JTF99U/6XIjCBo0wqkU5sK10glYe27MRRsfwoiq5zzOEZLHU3A3KCMa5X/azekYRCJ0HlwI0crAXS/5dEHTzDg=="
+    },
+    "node_modules/@radix-ui/react-switch/node_modules/@radix-ui/react-compose-refs": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-compose-refs/-/react-compose-refs-1.1.2.tgz",
+      "integrity": "sha512-z4eqJvfiNnFMHIIvXP3CY57y2WJs5g2v3X0zm9mEJkrkNv4rDxu+sg9Jh8EkXyeqBkB7SOcboo9dMVqhyrACIg==",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-switch/node_modules/@radix-ui/react-context": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-context/-/react-context-1.1.2.tgz",
+      "integrity": "sha512-jCi/QKUM2r1Ju5a3J64TH2A5SpKAgh0LpknyqdQ4m6DCV0xJ2HG1xARRwNGPQfi1SLdLWZ1OJz6F4OMBBNiGJA==",
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-switch/node_modules/@radix-ui/react-primitive": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.3.tgz",
+      "integrity": "sha512-m9gTwRkhy2lvCPe6QJp4d3G1TYEUHn/FzJUtq9MjH46an1wJU+GdoGC5VLof8RX8Ft/DlpshApkhswDLZzHIcQ==",
+      "dependencies": {
+        "@radix-ui/react-slot": "1.2.3"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "@types/react-dom": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc",
+        "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        },
+        "@types/react-dom": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@radix-ui/react-switch/node_modules/@radix-ui/react-slot": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz",
+      "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==",
+      "dependencies": {
+        "@radix-ui/react-compose-refs": "1.1.2"
+      },
+      "peerDependencies": {
+        "@types/react": "*",
+        "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc"
+      },
+      "peerDependenciesMeta": {
+        "@types/react": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@radix-ui/react-toggle": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/@radix-ui/react-toggle/-/react-toggle-1.0.3.tgz",
diff --git a/package.json b/package.json
index 38571882d0..8ae4587b81 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
     "@radix-ui/react-select": "^2.2.6",
     "@radix-ui/react-separator": "^1.1.8",
     "@radix-ui/react-slot": "^1.2.4",
+    "@radix-ui/react-switch": "^1.2.6",
     "@radix-ui/react-tooltip": "^1.2.8",
     "@radix-ui/react-use-controllable-state": "^1.2.2",
     "@storybook/client-api": "^7.6.17",
diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index ed99ecb1e6..2deda93cbe 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -200,8 +200,7 @@ export async function fetchPermissionSubjectsPaginated({
 }) {
   const query = search.trim();
 
-  let url =
-    "/permission_subjects?select=id,name,type&type=neq.role&order=name.asc";
+  let url = "/permission_subjects?select=id,name,type&order=name.asc";
   url += `&limit=${pageSize}&offset=${pageIndex * pageSize}`;
 
   if (query) {
diff --git a/src/components/Permissions/SubjectSelectorModal.tsx b/src/components/Permissions/SubjectSelectorModal.tsx
index 96b9cf6ffd..93d0670a4d 100644
--- a/src/components/Permissions/SubjectSelectorModal.tsx
+++ b/src/components/Permissions/SubjectSelectorModal.tsx
@@ -3,14 +3,8 @@ import {
   fetchPermissionSubjectsPaginated,
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
-import {
-  reviewSubjectAccess,
-  SubjectAccessReviewResource,
-  SubjectAccessReviewResult
-} from "@flanksource-ui/api/services/rbac";
-import { Badge } from "@flanksource-ui/components/ui/badge";
 import { Button } from "@flanksource-ui/components/ui/button";
-import { Checkbox } from "@flanksource-ui/components/ui/checkbox";
+import { Switch } from "@flanksource-ui/components/ui/switch";
 import {
   Dialog,
   DialogContent,
@@ -35,6 +29,13 @@ const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
   permission_subject_group: "group"
 };
 
+const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
+  role: 0,
+  permission_subject_group: 1,
+  team: 2,
+  person: 3
+};
+
 type SubjectSelectorModalProps = {
   open: boolean;
   onOpenChange: (open: boolean) => void;
@@ -43,11 +44,6 @@ type SubjectSelectorModalProps = {
   onAllow?: (selection: PermissionSubject[]) => Promise<void> | void;
   preselectedSubjectIds?: string[];
   isSubmitting?: boolean;
-  mode?: "edit" | "readonly";
-  accessReview?: {
-    resource: SubjectAccessReviewResource;
-    action: "mcp:run";
-  };
 };
 
 function SubjectIcon({ subject }: { subject: PermissionSubject }) {
@@ -55,7 +51,6 @@ function SubjectIcon({ subject }: { subject: PermissionSubject }) {
     return <Avatar size="xs" user={{ name: subject.name }} />;
   }
 
-  // teams and groups get a group icon instead of an initials-based avatar
   return (
     <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
       {subject.type === "team" ? (
@@ -74,9 +69,7 @@ export default function SubjectSelectorModal({
   description,
   onAllow,
   preselectedSubjectIds = [],
-  isSubmitting = false,
-  mode = "edit",
-  accessReview
+  isSubmitting = false
 }: SubjectSelectorModalProps) {
   const [search, setSearch] = useState("");
   const [pageIndex, setPageIndex] = useState(0);
@@ -85,15 +78,9 @@ export default function SubjectSelectorModal({
     Record<string, PermissionSubject>
   >({});
 
-  // Track previous open value so we only initialise state on the
-  // false → true transition, not on every render.
   const prevOpenRef = useRef(false);
-  // Keep a stable ref to the latest preselectedSubjectIds so the
-  // open-transition effect below doesn't need it in its dep array.
   const preselectedSubjectIdsRef = useRef(preselectedSubjectIds);
   preselectedSubjectIdsRef.current = preselectedSubjectIds;
-  // Snapshot of selected IDs at the moment the modal opened, used to
-  // detect whether the selection has actually changed.
   const initialSelectedIdsRef = useRef<Record<string, true>>({});
 
   useEffect(() => {
@@ -109,10 +96,6 @@ export default function SubjectSelectorModal({
     }
 
     if (!wasOpen) {
-      // Modal just opened — pre-check the supplied IDs. Full subject
-      // objects are fetched separately by the query below; here we
-      // only mark the IDs as selected so checkboxes render correctly
-      // immediately.
       const idMap: Record<string, true> = {};
       for (const id of preselectedSubjectIdsRef.current) {
         idMap[id] = true;
@@ -120,14 +103,9 @@ export default function SubjectSelectorModal({
       initialSelectedIdsRef.current = idMap;
       setSelectedIds(idMap);
     }
-    // Intentionally only depend on `open` — we read preselectedSubjectIds
-    // through a ref to avoid resetting user selections on parent re-renders.
     // eslint-disable-next-line react-hooks/exhaustive-deps
   }, [open]);
 
-  // Fetch full subject objects for every preselected ID so that
-  // `selectedSubjects` is complete even when those subjects live on a
-  // different page of results.
   const shouldFetchSubjectsByIds = open && preselectedSubjectIds.length > 0;
 
   const { data: subjectsByIds = [], isLoading: isSubjectsByIdsLoading } =
@@ -167,106 +145,75 @@ export default function SubjectSelectorModal({
         pageIndex,
         pageSize: PAGE_SIZE
       }),
-    enabled: open && mode === "edit"
+    enabled: open
   });
 
-  const subjects = useMemo(
+  const displayedSubjects = useMemo(
     () => (data?.data ?? []) as PermissionSubject[],
     [data?.data]
   );
-  const readonlySubjects = useMemo(() => {
-    const normalizedSearch = debouncedSearch.trim().toLowerCase();
-
-    if (!normalizedSearch) {
-      return subjectsByIds;
-    }
 
-    return subjectsByIds.filter((subject) =>
-      subject.name.toLowerCase().includes(normalizedSearch)
-    );
-  }, [debouncedSearch, subjectsByIds]);
+  const groupedDisplayedSubjects = useMemo(() => {
+    const seen = new Set<string>();
+    const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
 
-  const displayedSubjects = mode === "readonly" ? readonlySubjects : subjects;
+    for (const subject of displayedSubjects) {
+      if (seen.has(subject.id)) {
+        continue;
+      }
+      seen.add(subject.id);
 
-  const reviewedSubjectIds = useMemo(() => {
-    if (mode !== "readonly") {
-      return [] as string[];
+      const list = grouped.get(subject.type) ?? [];
+      list.push(subject);
+      grouped.set(subject.type, list);
     }
 
-    return Array.from(new Set(preselectedSubjectIds));
-  }, [mode, preselectedSubjectIds]);
+    return Array.from(grouped.entries())
+      .sort((a, b) => SUBJECT_TYPE_ORDER[a[0]] - SUBJECT_TYPE_ORDER[b[0]])
+      .map(([type, groupedSubjects]) => ({
+        type,
+        subjects: groupedSubjects.sort((a, b) =>
+          a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+        )
+      }));
+  }, [displayedSubjects]);
 
-  const shouldRunAccessReview =
-    open &&
-    mode === "readonly" &&
-    !!accessReview &&
-    reviewedSubjectIds.length > 0;
+  const totalEntries = data?.totalEntries ?? 0;
+  const pageCount = Math.ceil(totalEntries / PAGE_SIZE);
 
-  const accessReviewResourceKey = useMemo(
-    () => JSON.stringify(accessReview?.resource ?? {}),
-    [accessReview?.resource]
-  );
+  useEffect(() => {
+    if (subjectsByIds.length === 0) {
+      return;
+    }
 
-  const { data: accessReviewResponse, isLoading: isAccessReviewLoading } =
-    useQuery({
-      queryKey: [
-        "mcp",
-        "subject-access-reviews",
-        accessReviewResourceKey,
-        accessReview?.action,
-        reviewedSubjectIds
-      ],
-      queryFn: async () =>
-        reviewSubjectAccess({
-          resource: accessReview!.resource,
-          action: accessReview!.action,
-          subjects: reviewedSubjectIds
-        }),
-      enabled: shouldRunAccessReview,
-      staleTime: 5_000,
-      cacheTime: 5_000
+    setSelectedSubjects((prev) => {
+      const next = { ...prev };
+      for (const subject of subjectsByIds) {
+        if (selectedIds[subject.id]) {
+          next[subject.id] = subject;
+        }
+      }
+      return next;
     });
+  }, [selectedIds, subjectsByIds]);
 
-  const accessReviewBySubject = useMemo(() => {
-    const map = new Map<string, SubjectAccessReviewResult>();
-
-    for (const result of accessReviewResponse?.results ?? []) {
-      map.set(result.subject, result);
-    }
-
-    return map;
-  }, [accessReviewResponse?.results]);
-  const totalEntries =
-    mode === "readonly" ? readonlySubjects.length : (data?.totalEntries ?? 0);
-  const pageCount =
-    mode === "readonly"
-      ? totalEntries > 0
-        ? 1
-        : 0
-      : Math.ceil(totalEntries / PAGE_SIZE);
-
-  // Enrich selectedSubjects as new pages are loaded.
   useEffect(() => {
-    if (subjects.length === 0) {
+    if (displayedSubjects.length === 0) {
       return;
     }
 
     setSelectedSubjects((prev) => {
       const next = { ...prev };
-      for (const subject of subjects) {
+      for (const subject of displayedSubjects) {
         if (selectedIds[subject.id]) {
           next[subject.id] = subject;
         }
       }
       return next;
     });
-  }, [subjects, selectedIds]);
+  }, [displayedSubjects, selectedIds]);
 
   const selectedCount = Object.keys(selectedIds).length;
-
-  // Apply is a no-op only when the selection is identical to what was
-  // preselected on open (same IDs, same count). Submitting an empty
-  // selection is valid — it means "remove everyone".
   const initialIds = initialSelectedIdsRef.current;
   const hasChanged =
     selectedCount !== Object.keys(initialIds).length ||
@@ -294,7 +241,7 @@ export default function SubjectSelectorModal({
 
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
-      <DialogContent className="flex h-[640px] max-w-2xl flex-col">
+      <DialogContent className="flex h-[70vh] max-h-[70vh] max-w-3xl flex-col">
         <DialogHeader>
           <DialogTitle>{title}</DialogTitle>
           {description ? (
@@ -308,138 +255,89 @@ export default function SubjectSelectorModal({
           onChange={(event) => setSearch(event.target.value)}
         />
 
-        <div className="min-h-0 flex-1 space-y-1 overflow-y-auto rounded-md border p-2">
-          {mode === "readonly" &&
-          ((shouldFetchSubjectsByIds && isSubjectsByIdsLoading) ||
-            (shouldRunAccessReview && isAccessReviewLoading)) ? (
-            <div className="p-2 text-sm text-gray-500">Loading...</div>
-          ) : mode === "edit" && isLoading ? (
+        <div className="min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md border p-2">
+          {(shouldFetchSubjectsByIds && isSubjectsByIdsLoading) || isLoading ? (
             <div className="p-2 text-sm text-gray-500">Loading...</div>
           ) : displayedSubjects.length > 0 ? (
-            displayedSubjects.map((subject) => (
-              <label
-                key={subject.id}
-                className={`flex items-center justify-between rounded px-2 py-1.5 ${mode === "edit" ? "cursor-pointer hover:bg-gray-50" : ""}`}
-              >
-                <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-                  {mode === "edit" ? (
-                    <Checkbox
+            groupedDisplayedSubjects.map((group) => (
+              <div key={group.type} className="space-y-1">
+                <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
+                  {TYPE_LABELS[group.type] ?? group.type}
+                </div>
+                {group.subjects.map((subject) => (
+                  <div
+                    key={subject.id}
+                    className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+                  >
+                    <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
+                      <SubjectIcon subject={subject} />
+                      <div className="min-w-0 truncate text-sm font-medium text-gray-900">
+                        {subject.name}
+                      </div>
+                    </div>
+                    <Switch
                       checked={!!selectedIds[subject.id]}
                       onCheckedChange={(checked) =>
-                        toggleSubject(subject, checked === true)
+                        toggleSubject(subject, checked)
                       }
                     />
-                  ) : null}
-                  <SubjectIcon subject={subject} />
-                  <div className="min-w-0 truncate text-sm font-medium text-gray-900">
-                    {subject.name}
                   </div>
-                </div>
-
-                <div className="ml-2 flex shrink-0 items-center gap-2">
-                  <Badge variant="outline" className="text-[10px] font-normal">
-                    {TYPE_LABELS[subject.type] ?? subject.type}
-                  </Badge>
-                  {mode === "readonly" && accessReview
-                    ? (() => {
-                        const review = accessReviewBySubject.get(subject.id);
-
-                        if (!review) {
-                          return (
-                            <Badge
-                              variant="outline"
-                              className="text-[10px] font-normal text-gray-500"
-                            >
-                              Unknown
-                            </Badge>
-                          );
-                        }
-
-                        return (
-                          <Badge
-                            variant="outline"
-                            title={review.reason || review.error || undefined}
-                            className={`text-[10px] font-semibold ${
-                              review.allowed
-                                ? "border-green-200 text-green-700"
-                                : "border-red-200 text-red-700"
-                            }`}
-                          >
-                            {review.allowed ? "Allowed" : "Denied"}
-                          </Badge>
-                        );
-                      })()
-                    : null}
-                </div>
-              </label>
+                ))}
+              </div>
             ))
           ) : (
             <div className="p-2 text-sm text-gray-500">No subjects found</div>
           )}
         </div>
 
-        {mode === "edit" ? (
-          <>
-            <div className="flex items-center justify-between text-xs text-gray-500">
-              <div>
-                Selected: {selectedCount} subject
-                {selectedCount === 1 ? "" : "s"}
-              </div>
-              <div className="flex items-center gap-2">
-                <Button
-                  type="button"
-                  variant="outline"
-                  size="sm"
-                  disabled={pageIndex === 0}
-                  onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
-                >
-                  Previous
-                </Button>
-                <span>
-                  Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
-                </span>
-                <Button
-                  type="button"
-                  variant="outline"
-                  size="sm"
-                  disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
-                  onClick={() =>
-                    setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))
-                  }
-                >
-                  Next
-                </Button>
-              </div>
-            </div>
-
-            <DialogFooter>
-              <Button
-                type="button"
-                variant="outline"
-                onClick={() => onOpenChange(false)}
-              >
-                Cancel
-              </Button>
-              <Button
-                type="button"
-                disabled={!hasChanged || isSubmitting}
-                onClick={() => onAllow?.(Object.values(selectedSubjects))}
-              >
-                Apply
-              </Button>
-            </DialogFooter>
-          </>
-        ) : (
-          <DialogFooter>
+        <div className="flex items-center justify-between text-xs text-gray-500">
+          <div>
+            Selected: {selectedCount} subject
+            {selectedCount === 1 ? "" : "s"}
+          </div>
+          <div className="flex items-center gap-2">
             <Button
               type="button"
               variant="outline"
-              onClick={() => onOpenChange(false)}
+              size="sm"
+              disabled={pageIndex === 0}
+              onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
             >
-              Close
+              Previous
             </Button>
-          </DialogFooter>
-        )}
+            <span>
+              Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
+            </span>
+            <Button
+              type="button"
+              variant="outline"
+              size="sm"
+              disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
+              onClick={() =>
+                setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))
+              }
+            >
+              Next
+            </Button>
+          </div>
+        </div>
+
+        <DialogFooter>
+          <Button
+            type="button"
+            variant="outline"
+            onClick={() => onOpenChange(false)}
+          >
+            Cancel
+          </Button>
+          <Button
+            type="button"
+            disabled={!hasChanged || isSubmitting}
+            onClick={() => onAllow?.(Object.values(selectedSubjects))}
+          >
+            Apply
+          </Button>
+        </DialogFooter>
       </DialogContent>
     </Dialog>
   );
diff --git a/src/components/ui/switch.tsx b/src/components/ui/switch.tsx
new file mode 100644
index 0000000000..5efd5052a5
--- /dev/null
+++ b/src/components/ui/switch.tsx
@@ -0,0 +1,27 @@
+import * as React from "react";
+import * as SwitchPrimitives from "@radix-ui/react-switch";
+
+import { cn } from "@flanksource-ui/lib/utils";
+
+const Switch = React.forwardRef<
+  React.ElementRef<typeof SwitchPrimitives.Root>,
+  React.ComponentPropsWithoutRef<typeof SwitchPrimitives.Root>
+>(({ className, ...props }, ref) => (
+  <SwitchPrimitives.Root
+    className={cn(
+      "peer inline-flex h-5 w-9 shrink-0 cursor-pointer items-center rounded-full border-2 border-transparent shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 focus-visible:ring-offset-background disabled:cursor-not-allowed disabled:opacity-50 data-[state=checked]:bg-primary data-[state=unchecked]:bg-input",
+      className
+    )}
+    {...props}
+    ref={ref}
+  >
+    <SwitchPrimitives.Thumb
+      className={cn(
+        "pointer-events-none block h-4 w-4 rounded-full bg-background shadow-lg ring-0 transition-transform data-[state=checked]:translate-x-4 data-[state=unchecked]:translate-x-0"
+      )}
+    />
+  </SwitchPrimitives.Root>
+));
+Switch.displayName = SwitchPrimitives.Root.displayName;
+
+export { Switch };
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 38c50deef8..b1541afafc 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -44,7 +44,6 @@ export default function McpPlaybooksPage() {
   const [selectedPlaybookId, setSelectedPlaybookId] = useState<string | null>(
     null
   );
-  const [viewerPlaybookId, setViewerPlaybookId] = useState<string | null>(null);
   const [mutatingPlaybookId, setMutatingPlaybookId] = useState<string | null>(
     null
   );
@@ -284,9 +283,6 @@ export default function McpPlaybooksPage() {
   const selectedPlaybook = useMemo(() => {
     return playbooks.find((playbook) => playbook.id === selectedPlaybookId);
   }, [playbooks, selectedPlaybookId]);
-  const viewerPlaybook = useMemo(() => {
-    return playbooks.find((playbook) => playbook.id === viewerPlaybookId);
-  }, [playbooks, viewerPlaybookId]);
 
   const loading =
     isPlaybooksLoading ||
@@ -357,7 +353,7 @@ export default function McpPlaybooksPage() {
                   );
                 }}
                 onAllowSelective={() => setSelectedPlaybookId(playbook.id)}
-                onViewSubjects={() => setViewerPlaybookId(playbook.id)}
+                onViewSubjects={() => setSelectedPlaybookId(playbook.id)}
               />
             );
           })}
@@ -371,7 +367,7 @@ export default function McpPlaybooksPage() {
             setSelectedPlaybookId(null);
           }
         }}
-        title={`Allow access: ${selectedPlaybook?.title || selectedPlaybook?.name || ""}`}
+        title={`Allow mcp:run to ${selectedPlaybook?.title || selectedPlaybook?.name || ""}`}
         description="Select users or groups to allow this playbook for MCP usage."
         preselectedSubjectIds={
           selectedPlaybook
@@ -401,39 +397,6 @@ export default function McpPlaybooksPage() {
           });
         }}
       />
-
-      <SubjectSelectorModal
-        open={!!viewerPlaybook}
-        onOpenChange={(open) => {
-          if (!open) {
-            setViewerPlaybookId(null);
-          }
-        }}
-        mode="readonly"
-        accessReview={
-          viewerPlaybook
-            ? { resource: { playbook: viewerPlaybook.id }, action: "mcp:run" }
-            : undefined
-        }
-        title={`Allowed subjects: ${viewerPlaybook?.title || viewerPlaybook?.name || ""}`}
-        description="Browse users and groups that currently have MCP access for this playbook."
-        preselectedSubjectIds={
-          viewerPlaybook
-            ? (Array.from(
-                new Set([
-                  ...(permissionsByResource.get(viewerPlaybook.id)?.users ?? [])
-                    .map((permission) => permission.subject)
-                    .filter(Boolean),
-                  ...(
-                    permissionsByResource.get(viewerPlaybook.id)?.groups ?? []
-                  )
-                    .map((permission) => permission.subject)
-                    .filter(Boolean)
-                ])
-              ) as string[])
-            : []
-        }
-      />
     </McpTabsLinks>
   );
 }
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 084984276e..47894ed4e8 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -38,7 +38,6 @@ function permissionMatchesView(permission: PermissionsSummary, view: View) {
 export default function McpViewsPage() {
   const { user } = useUser();
   const [selectedViewId, setSelectedViewId] = useState<string | null>(null);
-  const [viewerViewId, setViewerViewId] = useState<string | null>(null);
   const [mutatingViewId, setMutatingViewId] = useState<string | null>(null);
 
   const {
@@ -276,9 +275,6 @@ export default function McpViewsPage() {
   const selectedView = useMemo(() => {
     return views.find((view) => view.id === selectedViewId);
   }, [selectedViewId, views]);
-  const viewerView = useMemo(() => {
-    return views.find((view) => view.id === viewerViewId);
-  }, [viewerViewId, views]);
 
   const loading =
     isViewsLoading ||
@@ -347,7 +343,7 @@ export default function McpViewsPage() {
                   );
                 }}
                 onAllowSelective={() => setSelectedViewId(view.id)}
-                onViewSubjects={() => setViewerViewId(view.id)}
+                onViewSubjects={() => setSelectedViewId(view.id)}
               />
             );
           })}
@@ -391,32 +387,6 @@ export default function McpViewsPage() {
           });
         }}
       />
-
-      <SubjectSelectorModal
-        open={!!viewerView}
-        onOpenChange={(open) => {
-          if (!open) {
-            setViewerViewId(null);
-          }
-        }}
-        mode="readonly"
-        title={`Allowed subjects: ${viewerView?.spec?.title || viewerView?.name || ""}`}
-        description="Browse users and groups that currently have MCP access for this view."
-        preselectedSubjectIds={
-          viewerView
-            ? (Array.from(
-                new Set([
-                  ...(permissionsByResource.get(viewerView.id)?.users ?? [])
-                    .map((permission) => permission.subject)
-                    .filter(Boolean),
-                  ...(permissionsByResource.get(viewerView.id)?.groups ?? [])
-                    .map((permission) => permission.subject)
-                    .filter(Boolean)
-                ])
-              ) as string[])
-            : []
-        }
-      />
     </McpTabsLinks>
   );
 }

From ed701bc910f891e751c54f6e351208b21290f51c Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 18:32:07 +0545
Subject: [PATCH 15/48] remove card design

---
 .../Permissions/PermissionAccessCard.tsx      | 307 ++++--------------
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |   3 +-
 src/pages/Settings/mcp/McpViewsPage.tsx       |   3 +-
 3 files changed, 63 insertions(+), 250 deletions(-)

diff --git a/src/components/Permissions/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
index 8b798a024d..4c5d90328e 100644
--- a/src/components/Permissions/PermissionAccessCard.tsx
+++ b/src/components/Permissions/PermissionAccessCard.tsx
@@ -1,14 +1,6 @@
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import { Button } from "@flanksource-ui/components/ui/button";
-import {
-  Card,
-  CardContent,
-  CardHeader
-} from "@flanksource-ui/components/ui/card";
-import { Avatar } from "@flanksource-ui/ui/Avatar";
-import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
-import { HiUser, HiUserGroup } from "react-icons/hi";
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 
 type PermissionAccessCardProps = {
   entity: {
@@ -22,264 +14,87 @@ type PermissionAccessCardProps = {
   subjectLookup?: Record<string, { name: string; type: string }>;
   globalOverride?: "allow" | "none" | "deny";
   onGlobalOverrideChange: (value: "allow" | "none" | "deny") => void;
-  onAllowSelective: () => void;
   onViewSubjects?: () => void;
   isMutating?: boolean;
 };
 
-function DenyBadge() {
-  return (
-    <span className="ml-0.5 rounded bg-red-100 px-1 py-0.5 text-[10px] font-semibold uppercase tracking-wide text-red-600">
-      Denied
-    </span>
-  );
-}
-
-function PermissionGroupItem({
-  permission,
-  subjectLookup
-}: {
-  permission: PermissionsSummary;
-  subjectLookup?: Record<string, { name: string; type: string }>;
-}) {
-  const isDeny = permission.deny === true;
-
-  if (permission.team) {
-    return (
-      <div className="flex items-center gap-2">
-        <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
-          <HiUserGroup className="h-3 w-3" />
-        </span>
-        <div className="flex items-center gap-1.5 text-xs text-gray-800">
-          <span className="font-medium">{permission.team.name}</span>
-          {isDeny && <DenyBadge />}
-        </div>
-      </div>
-    );
-  }
-
-  const lookup = permission.subject
-    ? subjectLookup?.[permission.subject]
-    : undefined;
-  const groupName = lookup?.name || permission.group?.name || "Unknown group";
-
-  return (
-    <div className="flex items-center gap-2">
-      <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
-        <HiUser className="h-3 w-3" />
-      </span>
-      <div className="flex items-center gap-1.5 text-xs text-gray-800">
-        <span className="font-medium">{groupName}</span>
-        {isDeny && <DenyBadge />}
-      </div>
-    </div>
-  );
-}
-
-function PermissionUserItem({
-  permission,
-  subjectLookup
-}: {
-  permission: PermissionsSummary;
-  subjectLookup?: Record<string, { name: string; type: string }>;
-}) {
-  const isDeny = permission.deny === true;
-
-  if (!permission.person) {
-    const resolvedName =
-      (permission.subject && subjectLookup?.[permission.subject]?.name) ||
-      permission.subject ||
-      "Unknown user";
-    return (
-      <div className="flex items-center gap-1.5 text-xs text-gray-600">
-        <span>{resolvedName}</span>
-        {isDeny && <DenyBadge />}
-      </div>
-    );
-  }
-
-  return (
-    <div className="flex items-center gap-2">
-      <Avatar size="xs" user={permission.person} />
-      <div className="flex items-center gap-1.5 text-xs text-gray-800">
-        <span className="font-medium">{permission.person.name}</span>
-        {permission.person.email && (
-          <span className="text-gray-500">{permission.person.email}</span>
-        )}
-        {isDeny && <DenyBadge />}
-      </div>
-    </div>
-  );
-}
-
 export default function PermissionAccessCard({
   entity,
-  users,
-  groups,
-  subjectLookup,
   globalOverride = "none",
   onGlobalOverrideChange,
-  onAllowSelective,
   onViewSubjects,
   isMutating = false
 }: PermissionAccessCardProps) {
-  const maxVisiblePerSection = 2;
-  const visibleGroups = groups.slice(0, maxVisiblePerSection);
-  const visibleUsers = users.slice(0, maxVisiblePerSection);
-  const hiddenGroupsCount = Math.max(groups.length - maxVisiblePerSection, 0);
-  const hiddenUsersCount = Math.max(users.length - maxVisiblePerSection, 0);
-
   return (
-    <Card className="rounded-xl border-gray-200 shadow-sm">
-      <CardHeader className="p-4 pb-0">
-        <div className="flex items-start gap-3">
-          <div className="flex h-9 w-9 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
-            <Icon name={entity.icon || "playbook"} className="h-5 w-5" />
-          </div>
+    <div
+      className={`w-full max-w-4xl border-b border-gray-200 py-3 ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
+      onClick={() => {
+        if (globalOverride === "none") {
+          onViewSubjects?.();
+        }
+      }}
+    >
+      <div className="flex items-start gap-3">
+        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
+          <Icon name={entity.icon || "playbook"} className="h-4 w-4" />
+        </div>
 
-          <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
-            <div className="min-w-0">
-              <div
-                className="truncate text-sm font-semibold text-gray-900"
-                title={entity.name}
-              >
-                {entity.name}
-              </div>
-              {entity.namespace ? (
-                <div
-                  className="mt-0.5 truncate text-xs text-gray-500"
-                  title={entity.namespace}
-                >
-                  {entity.namespace}
-                </div>
-              ) : null}
+        <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
+          <div className="min-w-0">
+            <div
+              className="truncate text-sm font-semibold text-gray-900"
+              title={entity.name}
+            >
+              {entity.name}
             </div>
-
-            <div className="shrink-0">
+            {entity.namespace ? (
               <div
-                className={isMutating ? "pointer-events-none opacity-60" : ""}
-                aria-disabled={isMutating || undefined}
+                className="mt-0.5 truncate text-xs text-gray-500"
+                title={entity.namespace}
               >
-                <Switch
-                  options={["Deny all", "Custom", "Allow all"]}
-                  value={
-                    globalOverride === "deny"
-                      ? "Deny all"
-                      : globalOverride === "allow"
-                        ? "Allow all"
-                        : "Custom"
-                  }
-                  onChange={(value) => {
-                    const mappedValue =
-                      value === "Deny all"
-                        ? "deny"
-                        : value === "Allow all"
-                          ? "allow"
-                          : "none";
-
-                    onGlobalOverrideChange(mappedValue);
-                  }}
-                  className="h-auto"
-                  itemsClassName=""
-                  getActiveItemClassName={(option) =>
-                    option === "Allow all"
-                      ? "bg-blue-50 text-blue-700 ring-blue-200"
-                      : option === "Deny all"
-                        ? "bg-red-50 text-red-700 ring-red-200"
-                        : undefined
-                  }
-                />
+                {entity.namespace}
               </div>
-            </div>
+            ) : null}
           </div>
-        </div>
-      </CardHeader>
-
-      <CardContent
-        className={`mt-4 border-t border-gray-200 p-4 pt-3 ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
-        onClick={() => {
-          if (globalOverride === "none") {
-            onViewSubjects?.();
-          }
-        }}
-      >
-        {globalOverride !== "none" ? (
-          <div className="rounded-md bg-gray-50 px-3 py-2 text-xs text-gray-500">
-            {globalOverride === "allow"
-              ? "All users are allowed. Switch to Custom to manage individual permissions."
-              : "All users are denied. Switch to Custom to manage individual permissions."}
-          </div>
-        ) : (
-          <div className="space-y-3">
-            <div>
-              <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
-                Groups
-              </div>
-              {groups.length > 0 ? (
-                <div className="space-y-2">
-                  {visibleGroups.map((groupPermission, idx) => (
-                    <PermissionGroupItem
-                      key={groupPermission.id || `group-${idx}`}
-                      permission={groupPermission}
-                      subjectLookup={subjectLookup}
-                    />
-                  ))}
-                  {hiddenGroupsCount > 0 ? (
-                    <div className="text-xs text-gray-500">
-                      and {hiddenGroupsCount} more
-                    </div>
-                  ) : null}
-                </div>
-              ) : (
-                <div className="text-xs text-gray-500">
-                  No groups have access
-                </div>
-              )}
-            </div>
-
-            <div>
-              <div className="mb-1 text-[11px] font-semibold uppercase tracking-wide text-gray-500">
-                Users
-              </div>
-              {users.length > 0 ? (
-                <div className="space-y-2">
-                  {visibleUsers.map((userPermission, idx) => (
-                    <PermissionUserItem
-                      key={userPermission.id || `user-${idx}`}
-                      permission={userPermission}
-                      subjectLookup={subjectLookup}
-                    />
-                  ))}
-                  {hiddenUsersCount > 0 ? (
-                    <div className="text-xs text-gray-500">
-                      and {hiddenUsersCount} more
-                    </div>
-                  ) : null}
-                </div>
-              ) : (
-                <div className="text-xs text-gray-500">
-                  No users have access
-                </div>
-              )}
-            </div>
 
-            <div>
-              <Button
-                variant="outline"
-                size="sm"
-                className="h-8"
-                onClick={(e) => {
-                  e.stopPropagation();
-                  onAllowSelective();
+          <div className="shrink-0" onClick={(e) => e.stopPropagation()}>
+            <div
+              className={isMutating ? "pointer-events-none opacity-60" : ""}
+              aria-disabled={isMutating || undefined}
+            >
+              <Switch
+                options={["Deny all", "Custom", "Allow all"]}
+                value={
+                  globalOverride === "deny"
+                    ? "Deny all"
+                    : globalOverride === "allow"
+                      ? "Allow all"
+                      : "Custom"
+                }
+                onChange={(value) => {
+                  const mappedValue =
+                    value === "Deny all"
+                      ? "deny"
+                      : value === "Allow all"
+                        ? "allow"
+                        : "none";
+
+                  onGlobalOverrideChange(mappedValue);
                 }}
-                disabled={isMutating}
-              >
-                + Add user or group
-              </Button>
+                className="h-auto"
+                itemsClassName=""
+                getActiveItemClassName={(option) =>
+                  option === "Allow all"
+                    ? "bg-blue-50 text-blue-700 ring-blue-200"
+                    : option === "Deny all"
+                      ? "bg-red-50 text-red-700 ring-red-200"
+                      : undefined
+                }
+              />
             </div>
           </div>
-        )}
-      </CardContent>
-    </Card>
+        </div>
+      </div>
+    </div>
   );
 }
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index b1541afafc..46c35cde8c 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -316,7 +316,7 @@ export default function McpPlaybooksPage() {
           </p>
         </div>
 
-        <div className="grid min-h-0 flex-1 grid-cols-1 content-start gap-3 overflow-y-auto">
+        <div className="min-h-0 flex-1 overflow-y-auto">
           {playbooks.map((playbook) => {
             const permissions = permissionsByResource.get(playbook.id) ?? {
               users: [],
@@ -352,7 +352,6 @@ export default function McpPlaybooksPage() {
                     }
                   );
                 }}
-                onAllowSelective={() => setSelectedPlaybookId(playbook.id)}
                 onViewSubjects={() => setSelectedPlaybookId(playbook.id)}
               />
             );
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 47894ed4e8..951423a339 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -308,7 +308,7 @@ export default function McpViewsPage() {
           </p>
         </div>
 
-        <div className="grid min-h-0 flex-1 content-start gap-3 overflow-y-auto [grid-template-columns:repeat(auto-fit,minmax(460px,1fr))]">
+        <div className="min-h-0 flex-1 overflow-y-auto">
           {views.map((view) => {
             const permissions = permissionsByResource.get(view.id) ?? {
               users: [],
@@ -342,7 +342,6 @@ export default function McpViewsPage() {
                     }
                   );
                 }}
-                onAllowSelective={() => setSelectedViewId(view.id)}
                 onViewSubjects={() => setSelectedViewId(view.id)}
               />
             );

From 10a6a544b3b6e545088f3f8cf3d056955fca7180 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 18:38:56 +0545
Subject: [PATCH 16/48] feat(permissions): compact MCP access rows and add
 switch sizes

---
 .../Permissions/PermissionAccessCard.tsx      |  3 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |  2 +-
 src/pages/Settings/mcp/McpViewsPage.tsx       |  2 +-
 src/ui/FormControls/Switch.tsx                | 43 ++++++++++++++++---
 4 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/src/components/Permissions/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
index 4c5d90328e..36e4ba9761 100644
--- a/src/components/Permissions/PermissionAccessCard.tsx
+++ b/src/components/Permissions/PermissionAccessCard.tsx
@@ -27,7 +27,7 @@ export default function PermissionAccessCard({
 }: PermissionAccessCardProps) {
   return (
     <div
-      className={`w-full max-w-4xl border-b border-gray-200 py-3 ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
+      className={`w-full max-w-4xl ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
       onClick={() => {
         if (globalOverride === "none") {
           onViewSubjects?.();
@@ -63,6 +63,7 @@ export default function PermissionAccessCard({
               aria-disabled={isMutating || undefined}
             >
               <Switch
+                size="sm"
                 options={["Deny all", "Custom", "Allow all"]}
                 value={
                   globalOverride === "deny"
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 46c35cde8c..4a0fcd53bb 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -316,7 +316,7 @@ export default function McpPlaybooksPage() {
           </p>
         </div>
 
-        <div className="min-h-0 flex-1 overflow-y-auto">
+        <div className="min-h-0 flex-1 overflow-y-auto [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
           {playbooks.map((playbook) => {
             const permissions = permissionsByResource.get(playbook.id) ?? {
               users: [],
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 951423a339..90a5327700 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -308,7 +308,7 @@ export default function McpViewsPage() {
           </p>
         </div>
 
-        <div className="min-h-0 flex-1 overflow-y-auto">
+        <div className="min-h-0 flex-1 overflow-y-auto [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
           {views.map((view) => {
             const permissions = permissionsByResource.get(view.id) ?? {
               users: [],
diff --git a/src/ui/FormControls/Switch.tsx b/src/ui/FormControls/Switch.tsx
index 69260d71f7..81655b93ee 100644
--- a/src/ui/FormControls/Switch.tsx
+++ b/src/ui/FormControls/Switch.tsx
@@ -1,10 +1,13 @@
 import clsx from "clsx";
 import { useEffect, useState } from "react";
 
+type SwitchSize = "default" | "sm" | "lg";
+
 type Props<T extends string | number | boolean> = {
   value?: T;
   onChange?: (value: T) => void;
   options: T[];
+  size?: SwitchSize;
   className?: string;
   itemsClassName?: string;
   activeItemClassName?: string;
@@ -15,6 +18,7 @@ export function Switch<T extends string | number | boolean>({
   onChange = () => {},
   options,
   value,
+  size = "default",
   className,
   itemsClassName = "flex-1",
   activeItemClassName,
@@ -25,10 +29,36 @@ export function Switch<T extends string | number | boolean>({
   const [activeOption, setActiveOption] = useState(
     () => value ?? fallbackOption
   );
-  const activeClasses =
-    "p-1.5 lg:pl-2.5 lg:pr-3.5 rounded-md flex items-center text-sm font-medium bg-white shadow-sm ring-1 ring-black ring-opacity-5";
-  const inActiveClasses =
-    "p-1.5 lg:pl-2.5 lg:pr-3.5 rounded-md flex items-center text-sm font-medium";
+  const sizeClasses: Record<
+    SwitchSize,
+    { container: string; item: string; activeItem: string }
+  > = {
+    sm: {
+      container: "rounded-md p-0.5",
+      item: "px-2 py-1 text-xs",
+      activeItem: "shadow-sm"
+    },
+    default: {
+      container: "rounded-lg p-0.5",
+      item: "p-1.5 lg:pl-2.5 lg:pr-3.5 text-sm",
+      activeItem: "shadow-sm"
+    },
+    lg: {
+      container: "rounded-lg p-1",
+      item: "px-3 py-2 text-sm lg:px-4 lg:py-2.5",
+      activeItem: "shadow"
+    }
+  };
+
+  const activeClasses = clsx(
+    "rounded-md flex items-center font-medium bg-white ring-1 ring-black ring-opacity-5",
+    sizeClasses[size].item,
+    sizeClasses[size].activeItem
+  );
+  const inActiveClasses = clsx(
+    "rounded-md flex items-center font-medium",
+    sizeClasses[size].item
+  );
 
   function handleClick(view: T) {
     onChange(view);
@@ -41,7 +71,8 @@ export function Switch<T extends string | number | boolean>({
   return (
     <div
       className={clsx(
-        "group flex flex-row rounded-lg bg-gray-100 p-0.5 hover:bg-gray-200",
+        "group flex flex-row bg-gray-100 hover:bg-gray-200",
+        sizeClasses[size].container,
         className
       )}
       {...props}
@@ -52,7 +83,7 @@ export function Switch<T extends string | number | boolean>({
             type="button"
             className={`${itemsClassName} items-center whitespace-nowrap rounded-md text-sm font-medium text-gray-600 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-500 focus-visible:ring-offset-2 focus-visible:ring-offset-gray-100`}
             tabIndex={0}
-            onClick={(e) => handleClick(option)}
+            onClick={() => handleClick(option)}
             key={option.toString()}
           >
             <span

From ce68b9999b1f4e7ae26021a91f8619afb8c5b518 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 18:50:32 +0545
Subject: [PATCH 17/48] feat(mcp): move subject selector to sticky side panel

---
 ...ctorModal.tsx => SubjectSelectorPanel.tsx} | 254 ++++++++----------
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   | 149 +++++-----
 src/pages/Settings/mcp/McpViewsPage.tsx       | 149 +++++-----
 3 files changed, 265 insertions(+), 287 deletions(-)
 rename src/components/Permissions/{SubjectSelectorModal.tsx => SubjectSelectorPanel.tsx} (52%)

diff --git a/src/components/Permissions/SubjectSelectorModal.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
similarity index 52%
rename from src/components/Permissions/SubjectSelectorModal.tsx
rename to src/components/Permissions/SubjectSelectorPanel.tsx
index 93d0670a4d..1308059178 100644
--- a/src/components/Permissions/SubjectSelectorModal.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -5,19 +5,11 @@ import {
 } from "@flanksource-ui/api/services/permissions";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Switch } from "@flanksource-ui/components/ui/switch";
-import {
-  Dialog,
-  DialogContent,
-  DialogDescription,
-  DialogFooter,
-  DialogHeader,
-  DialogTitle
-} from "@flanksource-ui/components/ui/dialog";
 import { Input } from "@flanksource-ui/components/ui/input";
 import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
 import { Avatar } from "@flanksource-ui/ui/Avatar";
 import { useQuery } from "@tanstack/react-query";
-import { useEffect, useMemo, useRef, useState } from "react";
+import { useEffect, useMemo, useState } from "react";
 import { HiUser, HiUserGroup } from "react-icons/hi";
 
 const PAGE_SIZE = 20;
@@ -36,14 +28,12 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
   person: 3
 };
 
-type SubjectSelectorModalProps = {
-  open: boolean;
-  onOpenChange: (open: boolean) => void;
-  title: string;
+type SubjectSelectorPanelProps = {
   description?: string;
   onAllow?: (selection: PermissionSubject[]) => Promise<void> | void;
   preselectedSubjectIds?: string[];
   isSubmitting?: boolean;
+  onClose?: () => void;
 };
 
 function SubjectIcon({ subject }: { subject: PermissionSubject }) {
@@ -62,56 +52,56 @@ function SubjectIcon({ subject }: { subject: PermissionSubject }) {
   );
 }
 
-export default function SubjectSelectorModal({
-  open,
-  onOpenChange,
-  title,
+export default function SubjectSelectorPanel({
   description,
   onAllow,
   preselectedSubjectIds = [],
-  isSubmitting = false
-}: SubjectSelectorModalProps) {
+  isSubmitting = false,
+  onClose
+}: SubjectSelectorPanelProps) {
   const [search, setSearch] = useState("");
   const [pageIndex, setPageIndex] = useState(0);
   const [selectedIds, setSelectedIds] = useState<Record<string, true>>({});
   const [selectedSubjects, setSelectedSubjects] = useState<
     Record<string, PermissionSubject>
   >({});
+  const [initialSelectedIds, setInitialSelectedIds] = useState<
+    Record<string, true>
+  >({});
 
-  const prevOpenRef = useRef(false);
-  const preselectedSubjectIdsRef = useRef(preselectedSubjectIds);
-  preselectedSubjectIdsRef.current = preselectedSubjectIds;
-  const initialSelectedIdsRef = useRef<Record<string, true>>({});
+  const normalizedPreselectedSubjectIds = useMemo(
+    () => [...new Set(preselectedSubjectIds)].sort(),
+    [preselectedSubjectIds]
+  );
+  const preselectedSubjectIdsSignature = useMemo(
+    () => normalizedPreselectedSubjectIds.join("|"),
+    [normalizedPreselectedSubjectIds]
+  );
 
   useEffect(() => {
-    const wasOpen = prevOpenRef.current;
-    prevOpenRef.current = open;
-
-    if (!open) {
-      setSearch("");
-      setPageIndex(0);
-      setSelectedIds({});
-      setSelectedSubjects({});
-      return;
-    }
+    const ids = preselectedSubjectIdsSignature
+      ? preselectedSubjectIdsSignature.split("|")
+      : [];
 
-    if (!wasOpen) {
-      const idMap: Record<string, true> = {};
-      for (const id of preselectedSubjectIdsRef.current) {
-        idMap[id] = true;
-      }
-      initialSelectedIdsRef.current = idMap;
-      setSelectedIds(idMap);
+    const idMap: Record<string, true> = {};
+    for (const id of ids) {
+      idMap[id] = true;
     }
-    // eslint-disable-next-line react-hooks/exhaustive-deps
-  }, [open]);
 
-  const shouldFetchSubjectsByIds = open && preselectedSubjectIds.length > 0;
+    setSearch("");
+    setPageIndex(0);
+    setSelectedIds(idMap);
+    setSelectedSubjects({});
+    setInitialSelectedIds(idMap);
+  }, [preselectedSubjectIdsSignature]);
+
+  const shouldFetchSubjectsByIds = normalizedPreselectedSubjectIds.length > 0;
 
   const { data: subjectsByIds = [], isLoading: isSubjectsByIdsLoading } =
     useQuery({
-      queryKey: ["permission-subjects-by-ids", preselectedSubjectIds],
-      queryFn: () => fetchPermissionSubjectsByIds(preselectedSubjectIds),
+      queryKey: ["permission-subjects-by-ids", normalizedPreselectedSubjectIds],
+      queryFn: () =>
+        fetchPermissionSubjectsByIds(normalizedPreselectedSubjectIds),
       enabled: shouldFetchSubjectsByIds,
       staleTime: 60_000,
       onSuccess: (data) => {
@@ -144,8 +134,7 @@ export default function SubjectSelectorModal({
         search: debouncedSearch,
         pageIndex,
         pageSize: PAGE_SIZE
-      }),
-    enabled: open
+      })
   });
 
   const displayedSubjects = useMemo(
@@ -214,10 +203,9 @@ export default function SubjectSelectorModal({
   }, [displayedSubjects, selectedIds]);
 
   const selectedCount = Object.keys(selectedIds).length;
-  const initialIds = initialSelectedIdsRef.current;
   const hasChanged =
-    selectedCount !== Object.keys(initialIds).length ||
-    Object.keys(selectedIds).some((id) => !initialIds[id]);
+    selectedCount !== Object.keys(initialSelectedIds).length ||
+    Object.keys(selectedIds).some((id) => !initialSelectedIds[id]);
 
   const toggleSubject = (subject: PermissionSubject, checked: boolean) => {
     setSelectedIds((prev) => {
@@ -240,105 +228,99 @@ export default function SubjectSelectorModal({
   };
 
   return (
-    <Dialog open={open} onOpenChange={onOpenChange}>
-      <DialogContent className="flex h-[70vh] max-h-[70vh] max-w-3xl flex-col">
-        <DialogHeader>
-          <DialogTitle>{title}</DialogTitle>
+    <div className="flex max-h-[calc(100vh-8rem)] min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
+      <div className="mb-3 flex items-start justify-between gap-2">
+        <div>
           {description ? (
-            <DialogDescription>{description}</DialogDescription>
+            <div className="mt-0.5 text-xs text-gray-500">{description}</div>
           ) : null}
-        </DialogHeader>
-
-        <Input
-          placeholder="Search users or groups"
-          value={search}
-          onChange={(event) => setSearch(event.target.value)}
-        />
-
-        <div className="min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md border p-2">
-          {(shouldFetchSubjectsByIds && isSubjectsByIdsLoading) || isLoading ? (
-            <div className="p-2 text-sm text-gray-500">Loading...</div>
-          ) : displayedSubjects.length > 0 ? (
-            groupedDisplayedSubjects.map((group) => (
-              <div key={group.type} className="space-y-1">
-                <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
-                  {TYPE_LABELS[group.type] ?? group.type}
-                </div>
-                {group.subjects.map((subject) => (
-                  <div
-                    key={subject.id}
-                    className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
-                  >
-                    <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-                      <SubjectIcon subject={subject} />
-                      <div className="min-w-0 truncate text-sm font-medium text-gray-900">
-                        {subject.name}
-                      </div>
+        </div>
+      </div>
+
+      <Input
+        placeholder="Search users or groups"
+        value={search}
+        onChange={(event) => setSearch(event.target.value)}
+      />
+
+      <div className="mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md border p-2">
+        {(shouldFetchSubjectsByIds && isSubjectsByIdsLoading) || isLoading ? (
+          <div className="p-2 text-sm text-gray-500">Loading...</div>
+        ) : displayedSubjects.length > 0 ? (
+          groupedDisplayedSubjects.map((group) => (
+            <div key={group.type} className="space-y-1">
+              <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
+                {TYPE_LABELS[group.type] ?? group.type}
+              </div>
+              {group.subjects.map((subject) => (
+                <div
+                  key={subject.id}
+                  className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+                >
+                  <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
+                    <SubjectIcon subject={subject} />
+                    <div className="min-w-0 truncate text-sm font-medium text-gray-900">
+                      {subject.name}
                     </div>
-                    <Switch
-                      checked={!!selectedIds[subject.id]}
-                      onCheckedChange={(checked) =>
-                        toggleSubject(subject, checked)
-                      }
-                    />
                   </div>
-                ))}
-              </div>
-            ))
-          ) : (
-            <div className="p-2 text-sm text-gray-500">No subjects found</div>
-          )}
-        </div>
-
-        <div className="flex items-center justify-between text-xs text-gray-500">
-          <div>
-            Selected: {selectedCount} subject
-            {selectedCount === 1 ? "" : "s"}
-          </div>
-          <div className="flex items-center gap-2">
-            <Button
-              type="button"
-              variant="outline"
-              size="sm"
-              disabled={pageIndex === 0}
-              onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
-            >
-              Previous
-            </Button>
-            <span>
-              Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
-            </span>
-            <Button
-              type="button"
-              variant="outline"
-              size="sm"
-              disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
-              onClick={() =>
-                setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))
-              }
-            >
-              Next
-            </Button>
-          </div>
+                  <Switch
+                    checked={!!selectedIds[subject.id]}
+                    onCheckedChange={(checked) =>
+                      toggleSubject(subject, checked)
+                    }
+                  />
+                </div>
+              ))}
+            </div>
+          ))
+        ) : (
+          <div className="p-2 text-sm text-gray-500">No subjects found</div>
+        )}
+      </div>
+
+      <div className="mt-3 flex items-center justify-between text-xs text-gray-500">
+        <div>
+          Selected: {selectedCount} subject{selectedCount === 1 ? "" : "s"}
         </div>
-
-        <DialogFooter>
+        <div className="flex items-center gap-2">
           <Button
             type="button"
             variant="outline"
-            onClick={() => onOpenChange(false)}
+            size="sm"
+            disabled={pageIndex === 0}
+            onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
           >
-            Cancel
+            Previous
           </Button>
+          <span>
+            Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
+          </span>
           <Button
             type="button"
-            disabled={!hasChanged || isSubmitting}
-            onClick={() => onAllow?.(Object.values(selectedSubjects))}
+            variant="outline"
+            size="sm"
+            disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
+            onClick={() => setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))}
           >
-            Apply
+            Next
+          </Button>
+        </div>
+      </div>
+
+      <div className="mt-3 flex justify-end gap-2">
+        {onClose ? (
+          <Button type="button" variant="outline" onClick={onClose}>
+            Cancel
           </Button>
-        </DialogFooter>
-      </DialogContent>
-    </Dialog>
+        ) : null}
+        <Button
+          type="button"
+          disabled={!hasChanged || isSubmitting}
+          onClick={() => onAllow?.(Object.values(selectedSubjects))}
+        >
+          Apply
+        </Button>
+      </div>
+    </div>
   );
 }
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 4a0fcd53bb..e358ab9d14 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -16,7 +16,7 @@ import {
   permissionMatchesResource
 } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
 import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
-import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
+import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import {
   toastError,
@@ -316,86 +316,83 @@ export default function McpPlaybooksPage() {
           </p>
         </div>
 
-        <div className="min-h-0 flex-1 overflow-y-auto [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
-          {playbooks.map((playbook) => {
-            const permissions = permissionsByResource.get(playbook.id) ?? {
-              users: [],
-              groups: []
-            };
-
-            return (
-              <PermissionAccessCard
-                key={playbook.id}
-                entity={{
-                  id: playbook.id,
-                  name: playbook.title || playbook.name,
-                  namespace: playbook.namespace,
-                  icon: playbook.icon
-                }}
-                users={permissions.users}
-                groups={permissions.groups}
-                subjectLookup={subjectLookup}
-                globalOverride={
-                  globalOverrideByResource.get(playbook.id) ?? "none"
-                }
-                isMutating={mutatingPlaybookId === playbook.id}
-                onGlobalOverrideChange={(override) => {
-                  setMutatingPlaybookId(playbook.id);
-                  setGlobalOverride(
-                    { playbook, override },
-                    {
-                      onSettled: () => {
-                        setMutatingPlaybookId((current) =>
-                          current === playbook.id ? null : current
-                        );
+        <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
+          <div className="min-h-0 flex-1 lg:w-[56rem] lg:flex-none [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+            {playbooks.map((playbook) => {
+              const permissions = permissionsByResource.get(playbook.id) ?? {
+                users: [],
+                groups: []
+              };
+
+              return (
+                <PermissionAccessCard
+                  key={playbook.id}
+                  entity={{
+                    id: playbook.id,
+                    name: playbook.title || playbook.name,
+                    namespace: playbook.namespace,
+                    icon: playbook.icon
+                  }}
+                  users={permissions.users}
+                  groups={permissions.groups}
+                  subjectLookup={subjectLookup}
+                  globalOverride={
+                    globalOverrideByResource.get(playbook.id) ?? "none"
+                  }
+                  isMutating={mutatingPlaybookId === playbook.id}
+                  onGlobalOverrideChange={(override) => {
+                    setMutatingPlaybookId(playbook.id);
+                    setGlobalOverride(
+                      { playbook, override },
+                      {
+                        onSettled: () => {
+                          setMutatingPlaybookId((current) =>
+                            current === playbook.id ? null : current
+                          );
+                        }
                       }
-                    }
-                  );
+                    );
+                  }}
+                  onViewSubjects={() => setSelectedPlaybookId(playbook.id)}
+                />
+              );
+            })}
+          </div>
+
+          <div className="min-h-0 w-full shrink-0 lg:sticky lg:top-6 lg:w-[420px] lg:self-start">
+            {selectedPlaybook ? (
+              <SubjectSelectorPanel
+                key={selectedPlaybook.id}
+                description="Select users or groups to allow this playbook for MCP usage."
+                preselectedSubjectIds={playbookPermissions
+                  .filter(
+                    (permission) =>
+                      permission.deny !== true &&
+                      permission.subject &&
+                      permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
+                      (permission.subject_type === "person" ||
+                        permission.subject_type === "team" ||
+                        permission.subject_type === "group") &&
+                      permissionMatchesPlaybook(permission, selectedPlaybook)
+                  )
+                  .map((permission) => permission.subject!)}
+                isSubmitting={isAllowingSelective}
+                onClose={() => setSelectedPlaybookId(null)}
+                onAllow={async (subjects) => {
+                  await allowSelectiveAccess({
+                    playbook: selectedPlaybook,
+                    subjects
+                  });
                 }}
-                onViewSubjects={() => setSelectedPlaybookId(playbook.id)}
               />
-            );
-          })}
+            ) : (
+              <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">
+                Select a playbook row to manage custom subject access.
+              </div>
+            )}
+          </div>
         </div>
       </div>
-
-      <SubjectSelectorModal
-        open={!!selectedPlaybook}
-        onOpenChange={(open) => {
-          if (!open) {
-            setSelectedPlaybookId(null);
-          }
-        }}
-        title={`Allow mcp:run to ${selectedPlaybook?.title || selectedPlaybook?.name || ""}`}
-        description="Select users or groups to allow this playbook for MCP usage."
-        preselectedSubjectIds={
-          selectedPlaybook
-            ? playbookPermissions
-                .filter(
-                  (permission) =>
-                    permission.deny !== true &&
-                    permission.subject &&
-                    permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-                    (permission.subject_type === "person" ||
-                      permission.subject_type === "team" ||
-                      permission.subject_type === "group") &&
-                    permissionMatchesPlaybook(permission, selectedPlaybook)
-                )
-                .map((permission) => permission.subject!)
-            : []
-        }
-        isSubmitting={isAllowingSelective}
-        onAllow={async (subjects) => {
-          if (!selectedPlaybook) {
-            return;
-          }
-
-          await allowSelectiveAccess({
-            playbook: selectedPlaybook,
-            subjects
-          });
-        }}
-      />
     </McpTabsLinks>
   );
 }
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 90a5327700..b517985bd7 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -16,7 +16,7 @@ import {
 } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
 import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
-import SubjectSelectorModal from "@flanksource-ui/components/Permissions/SubjectSelectorModal";
+import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import {
   toastError,
   toastSuccess
@@ -47,7 +47,7 @@ export default function McpViewsPage() {
     isRefetching: isViewsRefetching
   } = useQuery({
     queryKey: ["mcp", "views", "all"],
-    queryFn: async () => getAllViews(undefined, 0, 1000)
+    queryFn: async () => getAllViews([{ id: "name", desc: false }], 0, 1000)
   });
 
   const views = useMemo(() => viewsResponse?.data ?? [], [viewsResponse?.data]);
@@ -308,84 +308,83 @@ export default function McpViewsPage() {
           </p>
         </div>
 
-        <div className="min-h-0 flex-1 overflow-y-auto [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
-          {views.map((view) => {
-            const permissions = permissionsByResource.get(view.id) ?? {
-              users: [],
-              groups: []
-            };
-
-            return (
-              <PermissionAccessCard
-                key={view.id}
-                entity={{
-                  id: view.id,
-                  name: view.spec?.title || view.name,
-                  namespace: view.namespace,
-                  icon: view.spec?.icon || "workflow"
-                }}
-                users={permissions.users}
-                groups={permissions.groups}
-                subjectLookup={subjectLookup}
-                globalOverride={globalOverrideByResource.get(view.id) ?? "none"}
-                isMutating={mutatingViewId === view.id}
-                onGlobalOverrideChange={(override) => {
-                  setMutatingViewId(view.id);
-                  setGlobalOverride(
-                    { view, override },
-                    {
-                      onSettled: () => {
-                        setMutatingViewId((current) =>
-                          current === view.id ? null : current
-                        );
+        <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
+          <div className="min-h-0 flex-1 lg:w-[56rem] lg:flex-none [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+            {views.map((view) => {
+              const permissions = permissionsByResource.get(view.id) ?? {
+                users: [],
+                groups: []
+              };
+
+              return (
+                <PermissionAccessCard
+                  key={view.id}
+                  entity={{
+                    id: view.id,
+                    name: view.spec?.title || view.name,
+                    namespace: view.namespace,
+                    icon: view.spec?.icon || "workflow"
+                  }}
+                  users={permissions.users}
+                  groups={permissions.groups}
+                  subjectLookup={subjectLookup}
+                  globalOverride={
+                    globalOverrideByResource.get(view.id) ?? "none"
+                  }
+                  isMutating={mutatingViewId === view.id}
+                  onGlobalOverrideChange={(override) => {
+                    setMutatingViewId(view.id);
+                    setGlobalOverride(
+                      { view, override },
+                      {
+                        onSettled: () => {
+                          setMutatingViewId((current) =>
+                            current === view.id ? null : current
+                          );
+                        }
                       }
-                    }
-                  );
+                    );
+                  }}
+                  onViewSubjects={() => setSelectedViewId(view.id)}
+                />
+              );
+            })}
+          </div>
+
+          <div className="min-h-0 w-full shrink-0 lg:sticky lg:top-6 lg:w-[420px] lg:self-start">
+            {selectedView ? (
+              <SubjectSelectorPanel
+                key={selectedView.id}
+                description="Select users or groups to allow this view for MCP usage."
+                preselectedSubjectIds={viewPermissions
+                  .filter(
+                    (permission) =>
+                      permission.deny !== true &&
+                      permission.subject &&
+                      permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
+                      (permission.subject_type === "person" ||
+                        permission.subject_type === "team" ||
+                        permission.subject_type === "group") &&
+                      permissionMatchesView(permission, selectedView)
+                  )
+                  .map((permission) => permission.subject!)}
+                isSubmitting={isAllowingSelective}
+                onClose={() => setSelectedViewId(null)}
+                onAllow={async (subjects) => {
+                  await allowSelectiveAccess({
+                    view: selectedView,
+                    subjects
+                  });
                 }}
-                onViewSubjects={() => setSelectedViewId(view.id)}
               />
-            );
-          })}
+            ) : (
+              <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">
+                Select a view row to manage custom subject access.
+              </div>
+            )}
+          </div>
         </div>
       </div>
-
-      <SubjectSelectorModal
-        open={!!selectedView}
-        onOpenChange={(open) => {
-          if (!open) {
-            setSelectedViewId(null);
-          }
-        }}
-        title={`Allow access: ${selectedView?.spec?.title || selectedView?.name || ""}`}
-        description="Select users or groups to allow this view for MCP usage."
-        preselectedSubjectIds={
-          selectedView
-            ? viewPermissions
-                .filter(
-                  (permission) =>
-                    permission.deny !== true &&
-                    permission.subject &&
-                    permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-                    (permission.subject_type === "person" ||
-                      permission.subject_type === "team" ||
-                      permission.subject_type === "group") &&
-                    permissionMatchesView(permission, selectedView)
-                )
-                .map((permission) => permission.subject!)
-            : []
-        }
-        isSubmitting={isAllowingSelective}
-        onAllow={async (subjects) => {
-          if (!selectedView) {
-            return;
-          }
-
-          await allowSelectiveAccess({
-            view: selectedView,
-            subjects
-          });
-        }}
-      />
     </McpTabsLinks>
   );
 }

From 1374bd07a7faefa48445f31c70f3d1f3e9bbdc40 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 19:18:15 +0545
Subject: [PATCH 18/48] fix: mcp overview page

---
 .../Permissions/SubjectSelectorPanel.tsx      |   3 +-
 src/components/Permissions/UserAccessCard.tsx | 126 ++++++++--------
 src/pages/Settings/mcp/McpOverviewPage.tsx    | 139 ++++++++++++------
 3 files changed, 157 insertions(+), 111 deletions(-)

diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 1308059178..e7f2bf841f 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -43,7 +43,8 @@ function SubjectIcon({ subject }: { subject: PermissionSubject }) {
 
   return (
     <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
-      {subject.type === "team" ? (
+      {subject.type === "team" ||
+      subject.type === "permission_subject_group" ? (
         <HiUserGroup className="h-3 w-3" />
       ) : (
         <HiUser className="h-3 w-3" />
diff --git a/src/components/Permissions/UserAccessCard.tsx b/src/components/Permissions/UserAccessCard.tsx
index 0afd0509a4..7f37e2373d 100644
--- a/src/components/Permissions/UserAccessCard.tsx
+++ b/src/components/Permissions/UserAccessCard.tsx
@@ -1,6 +1,4 @@
-import { Card, CardHeader } from "@flanksource-ui/components/ui/card";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
-import { Avatar } from "@flanksource-ui/ui/Avatar";
 import { HiUser, HiUserGroup } from "react-icons/hi";
 
 type UserAccessCardProps = {
@@ -27,75 +25,73 @@ export default function UserAccessCard({
   isMutating = false
 }: UserAccessCardProps) {
   return (
-    <Card className="rounded-xl border-gray-200 shadow-sm">
-      <CardHeader className="p-4">
-        <div className="flex items-center justify-between gap-3">
-          <div className="flex min-w-0 items-center gap-3">
-            {user.type === "person" || !user.type ? (
-              <Avatar size="sm" user={user} />
-            ) : (
-              <span className="flex h-6 w-6 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
-                {user.type === "team" ? (
-                  <HiUserGroup className="h-3.5 w-3.5" />
-                ) : (
-                  <HiUser className="h-3.5 w-3.5" />
-                )}
-              </span>
-            )}
-            <div className="min-w-0">
+    <div className="w-full max-w-4xl">
+      <div className="flex items-start gap-3">
+        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
+          {user.type === "team" || user.type === "permission_subject_group" ? (
+            <HiUserGroup className="h-4 w-4" />
+          ) : (
+            <HiUser className="h-4 w-4" />
+          )}
+        </div>
+
+        <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
+          <div className="min-w-0">
+            <div
+              className="truncate text-sm font-semibold text-gray-900"
+              title={user.name}
+            >
+              {user.name}
+            </div>
+            {user.email ? (
               <div
-                className="truncate text-sm font-semibold text-gray-900"
-                title={user.name}
+                className="mt-0.5 truncate text-xs text-gray-500"
+                title={user.email}
               >
-                {user.name}
+                {user.email}
               </div>
-              {user.email ? (
-                <div
-                  className="truncate text-xs text-gray-500"
-                  title={user.email}
-                >
-                  {user.email}
-                </div>
-              ) : null}
-            </div>
+            ) : null}
           </div>
 
-          <div
-            className={isMutating ? "pointer-events-none opacity-60" : ""}
-            aria-disabled={isMutating || undefined}
-          >
-            <Switch
-              options={["Deny", "Default", "Allow"]}
-              value={
-                access === "deny"
-                  ? "Deny"
-                  : access === "allow"
-                    ? "Allow"
-                    : "Default"
-              }
-              onChange={(value) => {
-                const mapped =
-                  value === "Deny"
-                    ? "deny"
-                    : value === "Allow"
-                      ? "allow"
-                      : "default";
-                onChangeAccess(mapped);
-              }}
-              className="h-auto"
-              itemsClassName=""
-              aria-label={`${action} on ${object} for ${user.name || user.id}`}
-              getActiveItemClassName={(option) =>
-                option === "Allow"
-                  ? "bg-blue-50 text-blue-700 ring-blue-200"
-                  : option === "Deny"
-                    ? "bg-red-50 text-red-700 ring-red-200"
-                    : "bg-gray-50 text-gray-700 ring-gray-200"
-              }
-            />
+          <div className="shrink-0">
+            <div
+              className={isMutating ? "pointer-events-none opacity-60" : ""}
+              aria-disabled={isMutating || undefined}
+            >
+              <Switch
+                size="sm"
+                options={["Deny", "Default", "Allow"]}
+                value={
+                  access === "deny"
+                    ? "Deny"
+                    : access === "allow"
+                      ? "Allow"
+                      : "Default"
+                }
+                onChange={(value) => {
+                  const mapped =
+                    value === "Deny"
+                      ? "deny"
+                      : value === "Allow"
+                        ? "allow"
+                        : "default";
+                  onChangeAccess(mapped);
+                }}
+                className="h-auto"
+                itemsClassName=""
+                aria-label={`${action} on ${object} for ${user.name || user.id}`}
+                getActiveItemClassName={(option) =>
+                  option === "Allow"
+                    ? "bg-blue-50 text-blue-700 ring-blue-200"
+                    : option === "Deny"
+                      ? "bg-red-50 text-red-700 ring-red-200"
+                      : undefined
+                }
+              />
+            </div>
           </div>
         </div>
-      </CardHeader>
-    </Card>
+      </div>
+    </div>
   );
 }
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 1c8255493c..8e57a09d49 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -18,6 +18,20 @@ import { useMemo, useState } from "react";
 const MCP_OBJECT = "mcp";
 const MCP_ACTION = "mcp:use";
 
+const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
+  person: "person",
+  team: "team",
+  role: "role",
+  permission_subject_group: "group"
+};
+
+const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
+  role: 0,
+  permission_subject_group: 1,
+  team: 2,
+  person: 3
+};
+
 function isMcpUserAccessPermission(permission: PermissionsSummary) {
   return (
     permission.action === MCP_ACTION &&
@@ -79,6 +93,31 @@ export default function McpOverviewPage() {
     return map;
   }, [userPermissions]);
 
+  const groupedSubjects = useMemo(() => {
+    const seen = new Set<string>();
+    const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
+
+    for (const subject of subjects) {
+      if (seen.has(subject.id)) {
+        continue;
+      }
+      seen.add(subject.id);
+
+      const list = grouped.get(subject.type) ?? [];
+      list.push(subject);
+      grouped.set(subject.type, list);
+    }
+
+    return Array.from(grouped.entries())
+      .sort((a, b) => SUBJECT_TYPE_ORDER[a[0]] - SUBJECT_TYPE_ORDER[b[0]])
+      .map(([type, groupedItems]) => ({
+        type,
+        subjects: groupedItems.sort((a, b) =>
+          a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+        )
+      }));
+  }, [subjects]);
+
   const { mutate: setUserAccess, isLoading: isUpdatingUserAccess } =
     useMutation({
       mutationFn: async ({
@@ -177,53 +216,63 @@ export default function McpOverviewPage() {
           </p>
         </div>
 
-        <div className="grid min-h-0 flex-1 content-start gap-3 overflow-y-auto [grid-template-columns:repeat(auto-fit,minmax(420px,1fr))]">
-          {subjects.map((subject) => {
-            const permissions = permissionsByUser.get(subject.id) ?? [];
-
-            const activePermission = permissions.find(
-              (permission) =>
-                permission.source === MCP_SETTINGS_PERMISSION_SOURCE
-            );
-
-            const access = !activePermission
-              ? "default"
-              : activePermission.deny === true
-                ? "deny"
-                : "allow";
-
-            return (
-              <UserAccessCard
-                key={subject.id}
-                user={{
-                  id: subject.id,
-                  name: subject.name,
-                  type: subject.type
-                }}
-                action={MCP_ACTION}
-                object={MCP_OBJECT}
-                access={access}
-                isMutating={mutatingSubjectId === subject.id}
-                onChangeAccess={(access) => {
-                  setMutatingSubjectId(subject.id);
-                  setUserAccess(
-                    {
-                      subjectId: subject.id,
-                      subjectType: subject.type,
-                      access
-                    },
-                    {
-                      onSettled: () => {
-                        setMutatingSubjectId((current) =>
-                          current === subject.id ? null : current
+        <div className="min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md border p-2">
+          {groupedSubjects.map((group) => (
+            <div key={group.type} className="space-y-1">
+              <div className="pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
+                {TYPE_LABELS[group.type] ?? group.type}
+              </div>
+
+              <div className="[&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+                {group.subjects.map((subject) => {
+                  const permissions = permissionsByUser.get(subject.id) ?? [];
+
+                  const activePermission = permissions.find(
+                    (permission) =>
+                      permission.source === MCP_SETTINGS_PERMISSION_SOURCE
+                  );
+
+                  const access = !activePermission
+                    ? "default"
+                    : activePermission.deny === true
+                      ? "deny"
+                      : "allow";
+
+                  return (
+                    <UserAccessCard
+                      key={subject.id}
+                      user={{
+                        id: subject.id,
+                        name: subject.name,
+                        type: subject.type
+                      }}
+                      action={MCP_ACTION}
+                      object={MCP_OBJECT}
+                      access={access}
+                      isMutating={mutatingSubjectId === subject.id}
+                      onChangeAccess={(access) => {
+                        setMutatingSubjectId(subject.id);
+                        setUserAccess(
+                          {
+                            subjectId: subject.id,
+                            subjectType: subject.type,
+                            access
+                          },
+                          {
+                            onSettled: () => {
+                              setMutatingSubjectId((current) =>
+                                current === subject.id ? null : current
+                              );
+                            }
+                          }
                         );
-                      }
-                    }
+                      }}
+                    />
                   );
-                }}
-              />
-            );
-          })}
+                })}
+              </div>
+            </div>
+          ))}
         </div>
       </div>
     </McpTabsLinks>

From 50e48dba488215aa58d65599eeda7ac9f2aba55d Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 19:28:52 +0545
Subject: [PATCH 19/48] fix: width of cards

---
 src/components/Permissions/PermissionAccessCard.tsx | 2 +-
 src/components/Permissions/UserAccessCard.tsx       | 2 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/components/Permissions/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
index 36e4ba9761..33e2622a74 100644
--- a/src/components/Permissions/PermissionAccessCard.tsx
+++ b/src/components/Permissions/PermissionAccessCard.tsx
@@ -27,7 +27,7 @@ export default function PermissionAccessCard({
 }: PermissionAccessCardProps) {
   return (
     <div
-      className={`w-full max-w-4xl ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
+      className={`w-full max-w-3xl ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
       onClick={() => {
         if (globalOverride === "none") {
           onViewSubjects?.();
diff --git a/src/components/Permissions/UserAccessCard.tsx b/src/components/Permissions/UserAccessCard.tsx
index 7f37e2373d..bdcc80912d 100644
--- a/src/components/Permissions/UserAccessCard.tsx
+++ b/src/components/Permissions/UserAccessCard.tsx
@@ -25,7 +25,7 @@ export default function UserAccessCard({
   isMutating = false
 }: UserAccessCardProps) {
   return (
-    <div className="w-full max-w-4xl">
+    <div className="w-full max-w-3xl">
       <div className="flex items-start gap-3">
         <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
           {user.type === "team" || user.type === "permission_subject_group" ? (
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index e358ab9d14..0f3f426dd1 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -317,7 +317,7 @@ export default function McpPlaybooksPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 flex-1 lg:w-[56rem] lg:flex-none [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+          <div className="min-h-0 min-w-0 flex-1 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
             {playbooks.map((playbook) => {
               const permissions = permissionsByResource.get(playbook.id) ?? {
                 users: [],

From 22ab392076dd2235bf645177f67b5990553c0e53 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 19:35:36 +0545
Subject: [PATCH 20/48] fix: type error in test

---
 .../Sidebar/__tests__/ConfigDetails.unit.test.tsx        | 5 ++---
 .../Connections/__tests__/ConnectionsList.unit.test.tsx  | 9 ++++-----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/components/Configs/Sidebar/__tests__/ConfigDetails.unit.test.tsx b/src/components/Configs/Sidebar/__tests__/ConfigDetails.unit.test.tsx
index 1291a3b746..5601943f27 100644
--- a/src/components/Configs/Sidebar/__tests__/ConfigDetails.unit.test.tsx
+++ b/src/components/Configs/Sidebar/__tests__/ConfigDetails.unit.test.tsx
@@ -1,5 +1,5 @@
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
-import { render, screen, waitFor } from "@testing-library/react";
+import { render, screen } from "@testing-library/react";
 import { MemoryRouter } from "react-router-dom";
 import { ConfigDetails } from "./../ConfigDetails";
 import { Provider as JotaiProvider } from "jotai";
@@ -46,8 +46,7 @@ const renderWithProviders = (component: React.ReactElement) => {
   const queryClient = new QueryClient({
     defaultOptions: {
       queries: {
-        retry: false,
-        gcTime: 0
+        retry: false
       }
     }
   });
diff --git a/src/components/Connections/__tests__/ConnectionsList.unit.test.tsx b/src/components/Connections/__tests__/ConnectionsList.unit.test.tsx
index e6c1d5a784..7ea6305418 100644
--- a/src/components/Connections/__tests__/ConnectionsList.unit.test.tsx
+++ b/src/components/Connections/__tests__/ConnectionsList.unit.test.tsx
@@ -1,6 +1,7 @@
 import { render, screen } from "@testing-library/react";
 import { Connection } from "../ConnectionFormModal";
 import { ConnectionList } from "../ConnectionsList";
+import { ConnectionValueType } from "../connectionTypes";
 
 // Mock the CRDSource component
 jest.mock("../../Settings/CRDSource", () => {
@@ -71,16 +72,14 @@ describe("ConnectionsList", () => {
   const mockConnectionWithCRD: Connection = {
     id: "conn-123",
     name: "Test CRD Connection",
-    type: "postgres",
-    source: "KubernetesCRD",
-    created_by: { id: "user-1", name: "User One" }
+    type: ConnectionValueType.Postgres,
+    source: "KubernetesCRD"
   };
 
   const mockConnectionWithUser: Connection = {
     id: "conn-456",
     name: "Test User Connection",
-    type: "mysql",
-    created_by: { id: "user-2", name: "User Two" }
+    type: ConnectionValueType.MySQL
   };
 
   it("should display CRD component when source is KubernetesCRD", () => {

From df187c58e386d4ec75df5af574efd1368e9bf567 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 19:38:32 +0545
Subject: [PATCH 21/48] fix: review

---
 src/App.tsx                                   |  6 +--
 src/api/services/permissions.ts               |  2 +-
 .../Permissions/SubjectSelectorPanel.tsx      |  2 +-
 .../permissions/mcpPermissionCardMappings.ts  |  3 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   | 47 ++++++++-----------
 src/pages/Settings/mcp/McpViewsPage.tsx       | 47 ++++++++-----------
 6 files changed, 45 insertions(+), 62 deletions(-)

diff --git a/src/App.tsx b/src/App.tsx
index 54fa2c1a96..5ff64226c4 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -860,7 +860,7 @@ export function IncidentManagerRoutes({ sidebar }: { sidebar: ReactNode }) {
             element={withAuthorizationAccessCheck(
               <McpOverviewPage />,
               tables.database,
-              "read",
+              "write",
               true
             )}
           />
@@ -869,7 +869,7 @@ export function IncidentManagerRoutes({ sidebar }: { sidebar: ReactNode }) {
             element={withAuthorizationAccessCheck(
               <McpPlaybooksPage />,
               tables.database,
-              "read",
+              "write",
               true
             )}
           />
@@ -878,7 +878,7 @@ export function IncidentManagerRoutes({ sidebar }: { sidebar: ReactNode }) {
             element={withAuthorizationAccessCheck(
               <McpViewsPage />,
               tables.database,
-              "read",
+              "write",
               true
             )}
           />
diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 2deda93cbe..9d7f8474b5 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -228,7 +228,7 @@ export async function fetchPermissionSubjectsByIds(ids: string[]) {
 
 export async function fetchPermissionSubjects() {
   const response = await IncidentCommander.get<PermissionSubject[] | null>(
-    "/permission_subjects?select=id,name,type&type=neq.role&order=name.asc&limit=5000"
+    "/permission_subjects?select=id,name,type&order=name.asc&limit=5000"
   );
 
   return response.data ?? [];
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index e7f2bf841f..385072cef1 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -239,7 +239,7 @@ export default function SubjectSelectorPanel({
       </div>
 
       <Input
-        placeholder="Search users or groups"
+        placeholder="Search users, teams, groups, or roles"
         value={search}
         onChange={(event) => setSearch(event.target.value)}
       />
diff --git a/src/lib/permissions/mcpPermissionCardMappings.ts b/src/lib/permissions/mcpPermissionCardMappings.ts
index 984805becb..011cd833d3 100644
--- a/src/lib/permissions/mcpPermissionCardMappings.ts
+++ b/src/lib/permissions/mcpPermissionCardMappings.ts
@@ -167,7 +167,8 @@ export function buildPermissionAccessCardMaps<
         current.users.push(permission);
       } else if (
         permission.subject_type === "team" ||
-        permission.subject_type === "group"
+        permission.subject_type === "group" ||
+        permission.subject_type === "role"
       ) {
         current.groups.push(permission);
       }
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 0f3f426dd1..b8b2dbbb7b 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -39,6 +39,18 @@ function permissionMatchesPlaybook(
   return permissionMatchesResource(permission, playbook, getPlaybookRefs);
 }
 
+function mapSubjectType(type: PermissionSubject["type"]) {
+  if (type === "permission_subject_group") {
+    return "group" as const;
+  }
+
+  if (type === "role") {
+    return "role" as const;
+  }
+
+  return type;
+}
+
 export default function McpPlaybooksPage() {
   const { user } = useUser();
   const [selectedPlaybookId, setSelectedPlaybookId] = useState<string | null>(
@@ -159,19 +171,7 @@ export default function McpPlaybooksPage() {
         subjects: PermissionSubject[];
       }) => {
         const normalizeSubject = (subject: PermissionSubject) => {
-          const subjectType =
-            subject.type === "person"
-              ? "person"
-              : subject.type === "team"
-                ? "team"
-                : subject.type === "permission_subject_group"
-                  ? "group"
-                  : null;
-
-          if (!subjectType) {
-            return null;
-          }
-
+          const subjectType = mapSubjectType(subject.type);
           return `${subjectType}:${subject.id}`;
         };
 
@@ -187,7 +187,8 @@ export default function McpPlaybooksPage() {
             permission.id &&
             (permission.subject_type === "person" ||
               permission.subject_type === "team" ||
-              permission.subject_type === "group") &&
+              permission.subject_type === "group" ||
+              permission.subject_type === "role") &&
             permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
             permissionMatchesPlaybook(permission, playbook)
         );
@@ -204,18 +205,7 @@ export default function McpPlaybooksPage() {
 
         const payloads = subjects
           .map((subject) => {
-            const subjectType =
-              subject.type === "person"
-                ? "person"
-                : subject.type === "team"
-                  ? "team"
-                  : subject.type === "permission_subject_group"
-                    ? "group"
-                    : null;
-
-            if (!subjectType) {
-              return null;
-            }
+            const subjectType = mapSubjectType(subject.type);
 
             const key = `${subjectType}:${subject.id}`;
             if (existingKeys.has(key)) {
@@ -363,7 +353,7 @@ export default function McpPlaybooksPage() {
             {selectedPlaybook ? (
               <SubjectSelectorPanel
                 key={selectedPlaybook.id}
-                description="Select users or groups to allow this playbook for MCP usage."
+                description="Select users, teams, groups, or roles to allow this playbook for MCP usage."
                 preselectedSubjectIds={playbookPermissions
                   .filter(
                     (permission) =>
@@ -372,7 +362,8 @@ export default function McpPlaybooksPage() {
                       permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
                       (permission.subject_type === "person" ||
                         permission.subject_type === "team" ||
-                        permission.subject_type === "group") &&
+                        permission.subject_type === "group" ||
+                        permission.subject_type === "role") &&
                       permissionMatchesPlaybook(permission, selectedPlaybook)
                   )
                   .map((permission) => permission.subject!)}
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index b517985bd7..025b2e82a5 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -35,6 +35,18 @@ function permissionMatchesView(permission: PermissionsSummary, view: View) {
   return permissionMatchesResource(permission, view, getViewRefs);
 }
 
+function mapSubjectType(type: PermissionSubject["type"]) {
+  if (type === "permission_subject_group") {
+    return "group" as const;
+  }
+
+  if (type === "role") {
+    return "role" as const;
+  }
+
+  return type;
+}
+
 export default function McpViewsPage() {
   const { user } = useUser();
   const [selectedViewId, setSelectedViewId] = useState<string | null>(null);
@@ -153,19 +165,7 @@ export default function McpViewsPage() {
         subjects: PermissionSubject[];
       }) => {
         const normalizeSubject = (subject: PermissionSubject) => {
-          const subjectType =
-            subject.type === "person"
-              ? "person"
-              : subject.type === "team"
-                ? "team"
-                : subject.type === "permission_subject_group"
-                  ? "group"
-                  : null;
-
-          if (!subjectType) {
-            return null;
-          }
-
+          const subjectType = mapSubjectType(subject.type);
           return `${subjectType}:${subject.id}`;
         };
 
@@ -181,7 +181,8 @@ export default function McpViewsPage() {
             permission.id &&
             (permission.subject_type === "person" ||
               permission.subject_type === "team" ||
-              permission.subject_type === "group") &&
+              permission.subject_type === "group" ||
+              permission.subject_type === "role") &&
             permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
             permissionMatchesView(permission, view)
         );
@@ -196,18 +197,7 @@ export default function McpViewsPage() {
 
         const payloads = subjects
           .map((subject) => {
-            const subjectType =
-              subject.type === "person"
-                ? "person"
-                : subject.type === "team"
-                  ? "team"
-                  : subject.type === "permission_subject_group"
-                    ? "group"
-                    : null;
-
-            if (!subjectType) {
-              return null;
-            }
+            const subjectType = mapSubjectType(subject.type);
 
             const key = `${subjectType}:${subject.id}`;
             if (existingKeys.has(key)) {
@@ -355,7 +345,7 @@ export default function McpViewsPage() {
             {selectedView ? (
               <SubjectSelectorPanel
                 key={selectedView.id}
-                description="Select users or groups to allow this view for MCP usage."
+                description="Select users, teams, groups, or roles to allow this view for MCP usage."
                 preselectedSubjectIds={viewPermissions
                   .filter(
                     (permission) =>
@@ -364,7 +354,8 @@ export default function McpViewsPage() {
                       permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
                       (permission.subject_type === "person" ||
                         permission.subject_type === "team" ||
-                        permission.subject_type === "group") &&
+                        permission.subject_type === "group" ||
+                        permission.subject_type === "role") &&
                       permissionMatchesView(permission, selectedView)
                   )
                   .map((permission) => permission.subject!)}

From f9c3b86e2f959c09a61c809de9839f56e095a68f Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 19:45:38 +0545
Subject: [PATCH 22/48] chore: refactor

---
 src/api/services/permissions.ts               |  10 +-
 .../Permissions/PermissionAccessCard.tsx      |   4 -
 .../Permissions/SubjectSelectorPanel.tsx      |  23 +-
 .../permissions/mcpPermissionCardMappings.ts  |  18 +
 .../permissions/useMcpResourcePermissions.ts  | 316 ++++++++++++++++
 src/pages/Settings/mcp/McpOverviewPage.tsx    |  14 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   | 347 ++----------------
 src/pages/Settings/mcp/McpViewsPage.tsx       | 342 +++--------------
 8 files changed, 437 insertions(+), 637 deletions(-)
 create mode 100644 src/lib/permissions/useMcpResourcePermissions.ts

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 9d7f8474b5..7777f4ffb7 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -159,15 +159,7 @@ export function recheckPermission(id: string) {
 // Source marker used by the MCP Settings UI for permissions it creates/manages.
 export const MCP_SETTINGS_PERMISSION_SOURCE = "mcp_settings" as const;
 
-export async function fetchMcpPlaybookPermissions() {
-  const response = await IncidentCommander.get<PermissionsSummary[] | null>(
-    `/permissions_summary?select=*&action=eq.mcp:run&source=eq.${MCP_SETTINGS_PERMISSION_SOURCE}&deleted_at=is.null&limit=5000`
-  );
-
-  return response.data ?? [];
-}
-
-export async function fetchMcpViewPermissions() {
+export async function fetchMcpRunPermissions() {
   const response = await IncidentCommander.get<PermissionsSummary[] | null>(
     `/permissions_summary?select=*&action=eq.mcp:run&source=eq.${MCP_SETTINGS_PERMISSION_SOURCE}&deleted_at=is.null&limit=5000`
   );
diff --git a/src/components/Permissions/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
index 33e2622a74..aa9251e2cf 100644
--- a/src/components/Permissions/PermissionAccessCard.tsx
+++ b/src/components/Permissions/PermissionAccessCard.tsx
@@ -1,4 +1,3 @@
-import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 
@@ -9,9 +8,6 @@ type PermissionAccessCardProps = {
     namespace?: string;
     icon?: string;
   };
-  users: PermissionsSummary[];
-  groups: PermissionsSummary[];
-  subjectLookup?: Record<string, { name: string; type: string }>;
   globalOverride?: "allow" | "none" | "deny";
   onGlobalOverrideChange: (value: "allow" | "none" | "deny") => void;
   onViewSubjects?: () => void;
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 385072cef1..5b3f94aec6 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -104,17 +104,22 @@ export default function SubjectSelectorPanel({
       queryFn: () =>
         fetchPermissionSubjectsByIds(normalizedPreselectedSubjectIds),
       enabled: shouldFetchSubjectsByIds,
-      staleTime: 60_000,
-      onSuccess: (data) => {
-        setSelectedSubjects((prev) => {
-          const next = { ...prev };
-          for (const subject of data) {
-            next[subject.id] = subject;
-          }
-          return next;
-        });
+      staleTime: 60_000
+    });
+
+  useEffect(() => {
+    if (subjectsByIds.length === 0) {
+      return;
+    }
+
+    setSelectedSubjects((prev) => {
+      const next = { ...prev };
+      for (const subject of subjectsByIds) {
+        next[subject.id] = subject;
       }
+      return next;
     });
+  }, [subjectsByIds]);
 
   const debouncedSearch = useDebouncedValue(search, 300) ?? "";
 
diff --git a/src/lib/permissions/mcpPermissionCardMappings.ts b/src/lib/permissions/mcpPermissionCardMappings.ts
index 011cd833d3..692bf7188f 100644
--- a/src/lib/permissions/mcpPermissionCardMappings.ts
+++ b/src/lib/permissions/mcpPermissionCardMappings.ts
@@ -4,6 +4,24 @@ import {
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 
+export const EVERYONE_SUBJECT_ID = "everyone";
+export const EVERYONE_SUBJECT_TYPE = "group";
+
+/**
+ * Map a PermissionSubject type to the subject_type used in permission records.
+ */
+export function mapSubjectType(type: PermissionSubject["type"]) {
+  if (type === "permission_subject_group") {
+    return "group" as const;
+  }
+
+  if (type === "role") {
+    return "role" as const;
+  }
+
+  return type;
+}
+
 export type NamespacedResource = {
   id: string;
   name: string;
diff --git a/src/lib/permissions/useMcpResourcePermissions.ts b/src/lib/permissions/useMcpResourcePermissions.ts
new file mode 100644
index 0000000000..0d6ee47e2f
--- /dev/null
+++ b/src/lib/permissions/useMcpResourcePermissions.ts
@@ -0,0 +1,316 @@
+import {
+  addPermission,
+  deletePermission,
+  MCP_SETTINGS_PERMISSION_SOURCE,
+  PermissionSubject,
+  updatePermission
+} from "@flanksource-ui/api/services/permissions";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import {
+  toastError,
+  toastSuccess
+} from "@flanksource-ui/components/Toast/toast";
+import { useUser } from "@flanksource-ui/context";
+import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMemo, useState } from "react";
+import {
+  buildPermissionAccessCardMaps,
+  EVERYONE_SUBJECT_ID,
+  EVERYONE_SUBJECT_TYPE,
+  mapSubjectType,
+  NamespacedRef,
+  NamespacedResource,
+  permissionMatchesResource
+} from "./mcpPermissionCardMappings";
+
+export type McpResourcePermissionsConfig<TResource extends NamespacedResource> =
+  {
+    resources: TResource[];
+    isResourcesLoading: boolean;
+    isResourcesRefetching: boolean;
+    refetchResources: () => void;
+    permissionsQueryKey: string[];
+    fetchPermissions: () => Promise<PermissionsSummary[]>;
+    getRefs: (permission: PermissionsSummary) => NamespacedRef[];
+    /** Key used in `object_selector` payloads, e.g. `"playbooks"` or `"views"`. */
+    objectSelectorKey: string;
+  };
+
+export function useMcpResourcePermissions<
+  TResource extends NamespacedResource
+>({
+  resources,
+  isResourcesLoading,
+  isResourcesRefetching,
+  refetchResources,
+  permissionsQueryKey,
+  fetchPermissions,
+  getRefs,
+  objectSelectorKey
+}: McpResourcePermissionsConfig<TResource>) {
+  const { user } = useUser();
+  const [selectedResourceId, setSelectedResourceId] = useState<string | null>(
+    null
+  );
+  const [mutatingResourceId, setMutatingResourceId] = useState<string | null>(
+    null
+  );
+
+  // ── Queries ──────────────────────────────────────────────────────────
+
+  const {
+    data: permissions = [],
+    isLoading: isPermissionsLoading,
+    refetch: refetchPermissions,
+    isRefetching: isPermissionsRefetching
+  } = useQuery({
+    queryKey: permissionsQueryKey,
+    queryFn: fetchPermissions
+  });
+
+  // ── Derived data ────────────────────────────────────────────────────
+
+  const { permissionsByResource, globalOverrideByResource } = useMemo(
+    () =>
+      buildPermissionAccessCardMaps({
+        resources,
+        permissions,
+        getRefs,
+        source: MCP_SETTINGS_PERMISSION_SOURCE,
+        everyoneSubjectId: EVERYONE_SUBJECT_ID,
+        everyoneSubjectType: EVERYONE_SUBJECT_TYPE
+      }),
+    [permissions, resources, getRefs]
+  );
+
+  const selectedResource = useMemo(
+    () => resources.find((r) => r.id === selectedResourceId),
+    [resources, selectedResourceId]
+  );
+
+  const preselectedSubjectIds = useMemo(() => {
+    if (!selectedResource) return [];
+    return permissions
+      .filter(
+        (p) =>
+          p.deny !== true &&
+          p.subject &&
+          p.source === MCP_SETTINGS_PERMISSION_SOURCE &&
+          (p.subject_type === "person" ||
+            p.subject_type === "team" ||
+            p.subject_type === "group" ||
+            p.subject_type === "role") &&
+          permissionMatchesResource(p, selectedResource, getRefs)
+      )
+      .map((p) => p.subject!);
+  }, [permissions, selectedResource, getRefs]);
+
+  // ── Mutations ───────────────────────────────────────────────────────
+
+  const {
+    mutate: setGlobalOverrideMutation,
+    isLoading: isUpdatingGlobalOverride
+  } = useMutation({
+    mutationFn: async ({
+      resource,
+      override
+    }: {
+      resource: TResource;
+      override: "allow" | "none" | "deny";
+    }) => {
+      const latestPermissions = await fetchPermissions();
+
+      const matchingOverrides = latestPermissions.filter(
+        (p) =>
+          p.action === "mcp:run" &&
+          p.subject_type === EVERYONE_SUBJECT_TYPE &&
+          p.subject === EVERYONE_SUBJECT_ID &&
+          p.id &&
+          p.source === MCP_SETTINGS_PERMISSION_SOURCE &&
+          permissionMatchesResource(p, resource, getRefs)
+      );
+
+      if (override === "none") {
+        await Promise.all(matchingOverrides.map((p) => deletePermission(p.id)));
+        return;
+      }
+
+      const targetDeny = override === "deny";
+      const [canonicalOverride, ...duplicateOverrides] = matchingOverrides;
+
+      if (duplicateOverrides.length > 0) {
+        await Promise.all(
+          duplicateOverrides.map((p) => deletePermission(p.id))
+        );
+      }
+
+      if (canonicalOverride) {
+        if (canonicalOverride.deny !== targetDeny) {
+          await updatePermission({
+            id: canonicalOverride.id,
+            deny: targetDeny
+          } as any);
+        }
+        return;
+      }
+
+      await addPermission({
+        object_selector: {
+          [objectSelectorKey]: [
+            { name: resource.name, namespace: resource.namespace }
+          ]
+        },
+        action: "mcp:run",
+        subject: EVERYONE_SUBJECT_ID,
+        subject_type: EVERYONE_SUBJECT_TYPE,
+        deny: targetDeny,
+        source: MCP_SETTINGS_PERMISSION_SOURCE,
+        created_by: user?.id
+      } as any);
+    },
+    onSuccess: () => {
+      refetchPermissions();
+    },
+    onError: (error) => {
+      toastError(error as any);
+    }
+  });
+
+  const {
+    mutateAsync: allowSelectiveAccessMutation,
+    isLoading: isAllowingSelective
+  } = useMutation({
+    mutationFn: async ({
+      resource,
+      subjects
+    }: {
+      resource: TResource;
+      subjects: PermissionSubject[];
+    }) => {
+      // Re-fetch to avoid acting on stale data from the render closure
+      const latestPermissions = await fetchPermissions();
+
+      const desiredKeys = new Set(
+        subjects.map((s) => `${mapSubjectType(s.type)}:${s.id}`)
+      );
+
+      const existingPermissions = latestPermissions.filter(
+        (p) =>
+          p.action === "mcp:run" &&
+          p.deny !== true &&
+          p.subject &&
+          p.id &&
+          (p.subject_type === "person" ||
+            p.subject_type === "team" ||
+            p.subject_type === "group" ||
+            p.subject_type === "role") &&
+          p.source === MCP_SETTINGS_PERMISSION_SOURCE &&
+          permissionMatchesResource(p, resource, getRefs)
+      );
+
+      const existingKeys = new Set(
+        existingPermissions.map((p) => `${p.subject_type}:${p.subject}`)
+      );
+
+      const resourceSelector = [
+        { name: resource.name, namespace: resource.namespace }
+      ];
+
+      const payloads = subjects
+        .map((subject) => {
+          const subjectType = mapSubjectType(subject.type);
+          if (existingKeys.has(`${subjectType}:${subject.id}`)) {
+            return null;
+          }
+          return {
+            object_selector: { [objectSelectorKey]: resourceSelector },
+            action: "mcp:run",
+            subject: subject.id,
+            subject_type: subjectType,
+            deny: false,
+            source: MCP_SETTINGS_PERMISSION_SOURCE,
+            created_by: user?.id
+          };
+        })
+        .filter(Boolean);
+
+      const deleteIds = existingPermissions
+        .filter((p) => !desiredKeys.has(`${p.subject_type}:${p.subject}`))
+        .map((p) => p.id);
+
+      await Promise.all([
+        ...payloads.map((payload) => addPermission(payload as any)),
+        ...deleteIds.map((id) => deletePermission(id))
+      ]);
+
+      return { added: payloads.length, removed: deleteIds.length };
+    },
+    onSuccess: ({ added, removed }) => {
+      if (added === 0 && removed === 0) {
+        toastSuccess("No permission changes");
+      } else {
+        toastSuccess(`Updated permissions: +${added} / -${removed}`);
+      }
+      setSelectedResourceId(null);
+      refetchPermissions();
+    },
+    onError: (error) => {
+      toastError(error as any);
+    }
+  });
+
+  // ── Wrapped handlers (manage mutating-id state internally) ──────────
+
+  const setGlobalOverride = (
+    resource: TResource,
+    override: "allow" | "none" | "deny"
+  ) => {
+    setMutatingResourceId(resource.id);
+    setGlobalOverrideMutation(
+      { resource, override },
+      {
+        onSettled: () => {
+          setMutatingResourceId((cur) => (cur === resource.id ? null : cur));
+        }
+      }
+    );
+  };
+
+  const allowSelectiveAccess = async (
+    resource: TResource,
+    subjects: PermissionSubject[]
+  ) => {
+    await allowSelectiveAccessMutation({ resource, subjects });
+  };
+
+  // ── Loading state ───────────────────────────────────────────────────
+
+  const loading =
+    isResourcesLoading ||
+    isPermissionsLoading ||
+    isResourcesRefetching ||
+    isPermissionsRefetching ||
+    isUpdatingGlobalOverride ||
+    isAllowingSelective;
+
+  const isInitialLoading =
+    (isResourcesLoading || isPermissionsLoading) && resources.length === 0;
+
+  return {
+    permissionsByResource,
+    globalOverrideByResource,
+    selectedResource,
+    setSelectedResourceId,
+    mutatingResourceId,
+    setGlobalOverride,
+    allowSelectiveAccess,
+    isAllowingSelective,
+    loading,
+    isInitialLoading,
+    preselectedSubjectIds,
+    refetch: () => {
+      refetchResources();
+      refetchPermissions();
+    }
+  };
+}
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 8e57a09d49..0158c04001 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -129,11 +129,15 @@ export default function McpOverviewPage() {
         subjectType: PermissionSubject["type"];
         access: "deny" | "default" | "allow";
       }) => {
-        const existingPermissions = (
-          permissionsByUser.get(subjectId) ?? []
-        ).filter(
-          (permission) => permission.source === MCP_SETTINGS_PERMISSION_SOURCE
-        );
+        // Re-fetch to avoid acting on stale data from the render closure
+        const latestPermissions = await fetchMcpUserPermissions();
+        const existingPermissions = latestPermissions
+          .filter(isMcpUserAccessPermission)
+          .filter(
+            (permission) =>
+              permission.subject === subjectId &&
+              permission.source === MCP_SETTINGS_PERMISSION_SOURCE
+          );
 
         if (access === "default") {
           await Promise.all(
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index b8b2dbbb7b..db47459b70 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -1,300 +1,57 @@
 import { getAllPlaybookNames } from "@flanksource-ui/api/services/playbooks";
-import {
-  addPermission,
-  deletePermission,
-  fetchMcpPlaybookPermissions,
-  updatePermission,
-  fetchPermissionSubjects,
-  MCP_SETTINGS_PERMISSION_SOURCE,
-  PermissionSubject
-} from "@flanksource-ui/api/services/permissions";
+import { fetchMcpRunPermissions } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import { PlaybookNames } from "@flanksource-ui/api/types/playbooks";
-import {
-  buildPermissionAccessCardMaps,
-  buildSubjectLookup,
-  permissionMatchesResource
-} from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
+import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
 import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
 import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
-import {
-  toastError,
-  toastSuccess
-} from "@flanksource-ui/components/Toast/toast";
-import { useUser } from "@flanksource-ui/context";
-import { useMutation, useQuery } from "@tanstack/react-query";
-import { useMemo, useState } from "react";
-
-const EVERYONE_SUBJECT_ID = "everyone";
-const EVERYONE_SUBJECT_TYPE = "group";
+import { useQuery } from "@tanstack/react-query";
 
 const getPlaybookRefs = (permission: PermissionsSummary) =>
   permission.object_selector?.playbooks ?? [];
 
-function permissionMatchesPlaybook(
-  permission: PermissionsSummary,
-  playbook: PlaybookNames
-) {
-  return permissionMatchesResource(permission, playbook, getPlaybookRefs);
-}
-
-function mapSubjectType(type: PermissionSubject["type"]) {
-  if (type === "permission_subject_group") {
-    return "group" as const;
-  }
-
-  if (type === "role") {
-    return "role" as const;
-  }
-
-  return type;
-}
-
 export default function McpPlaybooksPage() {
-  const { user } = useUser();
-  const [selectedPlaybookId, setSelectedPlaybookId] = useState<string | null>(
-    null
-  );
-  const [mutatingPlaybookId, setMutatingPlaybookId] = useState<string | null>(
-    null
-  );
-
   const {
     data: playbooks = [],
-    isLoading: isPlaybooksLoading,
-    refetch: refetchPlaybooks,
-    isRefetching: isPlaybooksRefetching
+    isLoading,
+    refetch,
+    isRefetching
   } = useQuery({
     queryKey: ["mcp", "playbooks", "all"],
     queryFn: getAllPlaybookNames
   });
 
   const {
-    data: playbookPermissions = [],
-    isLoading: isPermissionsLoading,
-    refetch: refetchPermissions,
-    isRefetching: isPermissionsRefetching
-  } = useQuery({
-    queryKey: ["mcp", "playbooks", "permissions"],
-    queryFn: fetchMcpPlaybookPermissions
-  });
-
-  const { data: permissionSubjects = [] } = useQuery({
-    queryKey: ["mcp", "permission-subjects", "all"],
-    queryFn: fetchPermissionSubjects
+    permissionsByResource,
+    globalOverrideByResource,
+    selectedResource: selectedPlaybook,
+    setSelectedResourceId,
+    mutatingResourceId,
+    setGlobalOverride,
+    allowSelectiveAccess,
+    isAllowingSelective,
+    loading,
+    isInitialLoading,
+    preselectedSubjectIds,
+    refetch: refetchAll
+  } = useMcpResourcePermissions({
+    resources: playbooks,
+    isResourcesLoading: isLoading,
+    isResourcesRefetching: isRefetching,
+    refetchResources: refetch,
+    permissionsQueryKey: ["mcp", "playbooks", "permissions"],
+    fetchPermissions: fetchMcpRunPermissions,
+    getRefs: getPlaybookRefs,
+    objectSelectorKey: "playbooks"
   });
 
-  const subjectLookup = useMemo(
-    () => buildSubjectLookup(permissionSubjects),
-    [permissionSubjects]
-  );
-
-  const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
-    useMutation({
-      mutationFn: async ({
-        playbook,
-        override
-      }: {
-        playbook: PlaybookNames;
-        override: "allow" | "none" | "deny";
-      }) => {
-        const latestPermissions = await fetchMcpPlaybookPermissions();
-
-        const matchingOverrides = latestPermissions.filter(
-          (permission) =>
-            permission.action === "mcp:run" &&
-            permission.subject_type === EVERYONE_SUBJECT_TYPE &&
-            permission.subject === EVERYONE_SUBJECT_ID &&
-            permission.id &&
-            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-            permissionMatchesPlaybook(permission, playbook)
-        );
-
-        if (override === "none") {
-          await Promise.all(
-            matchingOverrides.map((permission) =>
-              deletePermission(permission.id)
-            )
-          );
-          return;
-        }
-
-        const targetDeny = override === "deny";
-        const [canonicalOverride, ...duplicateOverrides] = matchingOverrides;
-
-        if (duplicateOverrides.length > 0) {
-          await Promise.all(
-            duplicateOverrides.map((permission) =>
-              deletePermission(permission.id)
-            )
-          );
-        }
-
-        if (canonicalOverride) {
-          if (canonicalOverride.deny !== targetDeny) {
-            await updatePermission({
-              id: canonicalOverride.id,
-              deny: targetDeny
-            } as any);
-          }
-          return;
-        }
-
-        await addPermission({
-          object_selector: {
-            playbooks: [{ name: playbook.name, namespace: playbook.namespace }]
-          },
-          action: "mcp:run",
-          subject: EVERYONE_SUBJECT_ID,
-          subject_type: EVERYONE_SUBJECT_TYPE,
-          deny: targetDeny,
-          source: MCP_SETTINGS_PERMISSION_SOURCE,
-          created_by: user?.id!
-        } as any);
-      },
-      onSuccess: () => {
-        refetchPermissions();
-      },
-      onError: (error) => {
-        toastError(error as any);
-      }
-    });
-
-  const { mutateAsync: allowSelectiveAccess, isLoading: isAllowingSelective } =
-    useMutation({
-      mutationFn: async ({
-        playbook,
-        subjects
-      }: {
-        playbook: PlaybookNames;
-        subjects: PermissionSubject[];
-      }) => {
-        const normalizeSubject = (subject: PermissionSubject) => {
-          const subjectType = mapSubjectType(subject.type);
-          return `${subjectType}:${subject.id}`;
-        };
-
-        const desiredKeys = new Set(
-          subjects.map(normalizeSubject).filter(Boolean) as string[]
-        );
-
-        const existingPermissions = playbookPermissions.filter(
-          (permission) =>
-            permission.action === "mcp:run" &&
-            permission.deny !== true &&
-            permission.subject &&
-            permission.id &&
-            (permission.subject_type === "person" ||
-              permission.subject_type === "team" ||
-              permission.subject_type === "group" ||
-              permission.subject_type === "role") &&
-            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-            permissionMatchesPlaybook(permission, playbook)
-        );
-
-        const existingKeys = new Set(
-          existingPermissions.map(
-            (permission) => `${permission.subject_type}:${permission.subject}`
-          )
-        );
-
-        const playbookSelector = [
-          { name: playbook.name, namespace: playbook.namespace }
-        ];
-
-        const payloads = subjects
-          .map((subject) => {
-            const subjectType = mapSubjectType(subject.type);
-
-            const key = `${subjectType}:${subject.id}`;
-            if (existingKeys.has(key)) {
-              return null;
-            }
-
-            return {
-              object_selector: { playbooks: playbookSelector },
-              action: "mcp:run",
-              subject: subject.id,
-              subject_type: subjectType,
-              deny: false,
-              source: MCP_SETTINGS_PERMISSION_SOURCE,
-              created_by: user?.id
-            };
-          })
-          .filter(Boolean);
-
-        const deleteIds = existingPermissions
-          .filter(
-            (permission) =>
-              !desiredKeys.has(
-                `${permission.subject_type}:${permission.subject}`
-              )
-          )
-          .map((permission) => permission.id);
-
-        await Promise.all([
-          ...payloads.map((payload) => addPermission(payload as any)),
-          ...deleteIds.map((id) => deletePermission(id))
-        ]);
-
-        return {
-          added: payloads.length,
-          removed: deleteIds.length
-        };
-      },
-      onSuccess: ({ added, removed }) => {
-        if (added === 0 && removed === 0) {
-          toastSuccess("No permission changes");
-        } else {
-          toastSuccess(`Updated permissions: +${added} / -${removed}`);
-        }
-
-        setSelectedPlaybookId(null);
-        refetchPermissions();
-      },
-      onError: (error) => {
-        toastError(error as any);
-      }
-    });
-
-  const { permissionsByResource, globalOverrideByResource } = useMemo(
-    () =>
-      buildPermissionAccessCardMaps({
-        resources: playbooks,
-        permissions: playbookPermissions,
-        getRefs: getPlaybookRefs,
-        source: MCP_SETTINGS_PERMISSION_SOURCE,
-        everyoneSubjectId: EVERYONE_SUBJECT_ID,
-        everyoneSubjectType: EVERYONE_SUBJECT_TYPE
-      }),
-    [playbookPermissions, playbooks]
-  );
-  const selectedPlaybook = useMemo(() => {
-    return playbooks.find((playbook) => playbook.id === selectedPlaybookId);
-  }, [playbooks, selectedPlaybookId]);
-
-  const loading =
-    isPlaybooksLoading ||
-    isPermissionsLoading ||
-    isPlaybooksRefetching ||
-    isPermissionsRefetching ||
-    isUpdatingGlobalOverride ||
-    isAllowingSelective;
-
-  const isInitialLoading =
-    (isPlaybooksLoading || isPermissionsLoading) && playbooks.length === 0;
-
   return (
     <McpTabsLinks
       activeTab="Playbooks"
       loading={loading}
       isInitialLoading={isInitialLoading}
       loadingText="Loading MCP playbooks..."
-      onRefresh={() => {
-        refetchPlaybooks();
-        refetchPermissions();
-      }}
+      onRefresh={refetchAll}
     >
       <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
         <div>
@@ -323,27 +80,14 @@ export default function McpPlaybooksPage() {
                     namespace: playbook.namespace,
                     icon: playbook.icon
                   }}
-                  users={permissions.users}
-                  groups={permissions.groups}
-                  subjectLookup={subjectLookup}
                   globalOverride={
                     globalOverrideByResource.get(playbook.id) ?? "none"
                   }
-                  isMutating={mutatingPlaybookId === playbook.id}
-                  onGlobalOverrideChange={(override) => {
-                    setMutatingPlaybookId(playbook.id);
-                    setGlobalOverride(
-                      { playbook, override },
-                      {
-                        onSettled: () => {
-                          setMutatingPlaybookId((current) =>
-                            current === playbook.id ? null : current
-                          );
-                        }
-                      }
-                    );
-                  }}
-                  onViewSubjects={() => setSelectedPlaybookId(playbook.id)}
+                  isMutating={mutatingResourceId === playbook.id}
+                  onGlobalOverrideChange={(override) =>
+                    setGlobalOverride(playbook, override)
+                  }
+                  onViewSubjects={() => setSelectedResourceId(playbook.id)}
                 />
               );
             })}
@@ -354,27 +98,12 @@ export default function McpPlaybooksPage() {
               <SubjectSelectorPanel
                 key={selectedPlaybook.id}
                 description="Select users, teams, groups, or roles to allow this playbook for MCP usage."
-                preselectedSubjectIds={playbookPermissions
-                  .filter(
-                    (permission) =>
-                      permission.deny !== true &&
-                      permission.subject &&
-                      permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-                      (permission.subject_type === "person" ||
-                        permission.subject_type === "team" ||
-                        permission.subject_type === "group" ||
-                        permission.subject_type === "role") &&
-                      permissionMatchesPlaybook(permission, selectedPlaybook)
-                  )
-                  .map((permission) => permission.subject!)}
+                preselectedSubjectIds={preselectedSubjectIds}
                 isSubmitting={isAllowingSelective}
-                onClose={() => setSelectedPlaybookId(null)}
-                onAllow={async (subjects) => {
-                  await allowSelectiveAccess({
-                    playbook: selectedPlaybook,
-                    subjects
-                  });
-                }}
+                onClose={() => setSelectedResourceId(null)}
+                onAllow={(subjects) =>
+                  allowSelectiveAccess(selectedPlaybook, subjects)
+                }
               />
             ) : (
               <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index 025b2e82a5..a68f268b98 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -1,62 +1,22 @@
-import {
-  addPermission,
-  deletePermission,
-  fetchMcpViewPermissions,
-  updatePermission,
-  fetchPermissionSubjects,
-  MCP_SETTINGS_PERMISSION_SOURCE,
-  PermissionSubject
-} from "@flanksource-ui/api/services/permissions";
-import { getAllViews, View } from "@flanksource-ui/api/services/views";
+import { fetchMcpRunPermissions } from "@flanksource-ui/api/services/permissions";
+import { getAllViews } from "@flanksource-ui/api/services/views";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import {
-  buildPermissionAccessCardMaps,
-  buildSubjectLookup,
-  permissionMatchesResource
-} from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
+import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
 import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
-import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
-import {
-  toastError,
-  toastSuccess
-} from "@flanksource-ui/components/Toast/toast";
-import { useUser } from "@flanksource-ui/context";
-import { useMutation, useQuery } from "@tanstack/react-query";
-import { useMemo, useState } from "react";
-
-const EVERYONE_SUBJECT_ID = "everyone";
-const EVERYONE_SUBJECT_TYPE = "group";
+import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import { useQuery } from "@tanstack/react-query";
+import { useMemo } from "react";
 
 const getViewRefs = (permission: PermissionsSummary) =>
   permission.object_selector?.views ?? [];
 
-function permissionMatchesView(permission: PermissionsSummary, view: View) {
-  return permissionMatchesResource(permission, view, getViewRefs);
-}
-
-function mapSubjectType(type: PermissionSubject["type"]) {
-  if (type === "permission_subject_group") {
-    return "group" as const;
-  }
-
-  if (type === "role") {
-    return "role" as const;
-  }
-
-  return type;
-}
-
 export default function McpViewsPage() {
-  const { user } = useUser();
-  const [selectedViewId, setSelectedViewId] = useState<string | null>(null);
-  const [mutatingViewId, setMutatingViewId] = useState<string | null>(null);
-
   const {
-    isLoading: isViewsLoading,
+    isLoading,
     data: viewsResponse,
-    refetch: refetchViews,
-    isRefetching: isViewsRefetching
+    refetch,
+    isRefetching
   } = useQuery({
     queryKey: ["mcp", "views", "all"],
     queryFn: async () => getAllViews([{ id: "name", desc: false }], 0, 1000)
@@ -65,228 +25,36 @@ export default function McpViewsPage() {
   const views = useMemo(() => viewsResponse?.data ?? [], [viewsResponse?.data]);
 
   const {
-    data: viewPermissions = [],
-    isLoading: isPermissionsLoading,
-    refetch: refetchPermissions,
-    isRefetching: isPermissionsRefetching
-  } = useQuery({
-    queryKey: ["mcp", "views", "permissions"],
-    queryFn: fetchMcpViewPermissions
-  });
-
-  const { data: permissionSubjects = [] } = useQuery({
-    queryKey: ["mcp", "permission-subjects", "all"],
-    queryFn: fetchPermissionSubjects
+    permissionsByResource,
+    globalOverrideByResource,
+    selectedResource: selectedView,
+    setSelectedResourceId,
+    mutatingResourceId,
+    setGlobalOverride,
+    allowSelectiveAccess,
+    isAllowingSelective,
+    loading,
+    isInitialLoading,
+    preselectedSubjectIds,
+    refetch: refetchAll
+  } = useMcpResourcePermissions({
+    resources: views,
+    isResourcesLoading: isLoading,
+    isResourcesRefetching: isRefetching,
+    refetchResources: refetch,
+    permissionsQueryKey: ["mcp", "views", "permissions"],
+    fetchPermissions: fetchMcpRunPermissions,
+    getRefs: getViewRefs,
+    objectSelectorKey: "views"
   });
 
-  const subjectLookup = useMemo(
-    () => buildSubjectLookup(permissionSubjects),
-    [permissionSubjects]
-  );
-
-  const { mutate: setGlobalOverride, isLoading: isUpdatingGlobalOverride } =
-    useMutation({
-      mutationFn: async ({
-        view,
-        override
-      }: {
-        view: View;
-        override: "allow" | "none" | "deny";
-      }) => {
-        const latestPermissions = await fetchMcpViewPermissions();
-
-        const matchingOverrides = latestPermissions.filter(
-          (permission) =>
-            permission.action === "mcp:run" &&
-            permission.subject_type === EVERYONE_SUBJECT_TYPE &&
-            permission.subject === EVERYONE_SUBJECT_ID &&
-            permission.id &&
-            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-            permissionMatchesView(permission, view)
-        );
-
-        if (override === "none") {
-          await Promise.all(
-            matchingOverrides.map((permission) =>
-              deletePermission(permission.id)
-            )
-          );
-          return;
-        }
-
-        const targetDeny = override === "deny";
-        const [canonicalOverride, ...duplicateOverrides] = matchingOverrides;
-
-        if (duplicateOverrides.length > 0) {
-          await Promise.all(
-            duplicateOverrides.map((permission) =>
-              deletePermission(permission.id)
-            )
-          );
-        }
-
-        if (canonicalOverride) {
-          if (canonicalOverride.deny !== targetDeny) {
-            await updatePermission({
-              id: canonicalOverride.id,
-              deny: targetDeny
-            } as any);
-          }
-          return;
-        }
-
-        await addPermission({
-          object_selector: {
-            views: [{ name: view.name, namespace: view.namespace }]
-          },
-          action: "mcp:run",
-          subject: EVERYONE_SUBJECT_ID,
-          subject_type: EVERYONE_SUBJECT_TYPE,
-          deny: targetDeny,
-          source: MCP_SETTINGS_PERMISSION_SOURCE,
-          created_by: user?.id!
-        } as any);
-      },
-      onSuccess: () => {
-        refetchPermissions();
-      },
-      onError: (error) => {
-        toastError(error as any);
-      }
-    });
-
-  const { mutateAsync: allowSelectiveAccess, isLoading: isAllowingSelective } =
-    useMutation({
-      mutationFn: async ({
-        view,
-        subjects
-      }: {
-        view: View;
-        subjects: PermissionSubject[];
-      }) => {
-        const normalizeSubject = (subject: PermissionSubject) => {
-          const subjectType = mapSubjectType(subject.type);
-          return `${subjectType}:${subject.id}`;
-        };
-
-        const desiredKeys = new Set(
-          subjects.map(normalizeSubject).filter(Boolean) as string[]
-        );
-
-        const existingPermissions = viewPermissions.filter(
-          (permission) =>
-            permission.action === "mcp:run" &&
-            permission.deny !== true &&
-            permission.subject &&
-            permission.id &&
-            (permission.subject_type === "person" ||
-              permission.subject_type === "team" ||
-              permission.subject_type === "group" ||
-              permission.subject_type === "role") &&
-            permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-            permissionMatchesView(permission, view)
-        );
-
-        const existingKeys = new Set(
-          existingPermissions.map(
-            (permission) => `${permission.subject_type}:${permission.subject}`
-          )
-        );
-
-        const viewSelector = [{ name: view.name, namespace: view.namespace }];
-
-        const payloads = subjects
-          .map((subject) => {
-            const subjectType = mapSubjectType(subject.type);
-
-            const key = `${subjectType}:${subject.id}`;
-            if (existingKeys.has(key)) {
-              return null;
-            }
-
-            return {
-              object_selector: { views: viewSelector },
-              action: "mcp:run",
-              subject: subject.id,
-              subject_type: subjectType,
-              deny: false,
-              source: MCP_SETTINGS_PERMISSION_SOURCE,
-              created_by: user?.id
-            };
-          })
-          .filter(Boolean);
-
-        const deleteIds = existingPermissions
-          .filter(
-            (permission) =>
-              !desiredKeys.has(
-                `${permission.subject_type}:${permission.subject}`
-              )
-          )
-          .map((permission) => permission.id);
-
-        await Promise.all([
-          ...payloads.map((payload) => addPermission(payload as any)),
-          ...deleteIds.map((id) => deletePermission(id))
-        ]);
-
-        return {
-          added: payloads.length,
-          removed: deleteIds.length
-        };
-      },
-      onSuccess: ({ added, removed }) => {
-        if (added === 0 && removed === 0) {
-          toastSuccess("No permission changes");
-        } else {
-          toastSuccess(`Updated permissions: +${added} / -${removed}`);
-        }
-
-        setSelectedViewId(null);
-        refetchPermissions();
-      },
-      onError: (error) => {
-        toastError(error as any);
-      }
-    });
-
-  const { permissionsByResource, globalOverrideByResource } = useMemo(
-    () =>
-      buildPermissionAccessCardMaps({
-        resources: views,
-        permissions: viewPermissions,
-        getRefs: getViewRefs,
-        source: MCP_SETTINGS_PERMISSION_SOURCE,
-        everyoneSubjectId: EVERYONE_SUBJECT_ID,
-        everyoneSubjectType: EVERYONE_SUBJECT_TYPE
-      }),
-    [viewPermissions, views]
-  );
-  const selectedView = useMemo(() => {
-    return views.find((view) => view.id === selectedViewId);
-  }, [selectedViewId, views]);
-
-  const loading =
-    isViewsLoading ||
-    isPermissionsLoading ||
-    isViewsRefetching ||
-    isPermissionsRefetching ||
-    isUpdatingGlobalOverride ||
-    isAllowingSelective;
-
-  const isInitialLoading =
-    (isViewsLoading || isPermissionsLoading) && views.length === 0;
-
   return (
     <McpTabsLinks
       activeTab="Views"
       loading={loading}
       isInitialLoading={isInitialLoading}
       loadingText="Loading MCP views..."
-      onRefresh={() => {
-        refetchViews();
-        refetchPermissions();
-      }}
+      onRefresh={refetchAll}
     >
       <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
         <div>
@@ -315,27 +83,14 @@ export default function McpViewsPage() {
                     namespace: view.namespace,
                     icon: view.spec?.icon || "workflow"
                   }}
-                  users={permissions.users}
-                  groups={permissions.groups}
-                  subjectLookup={subjectLookup}
                   globalOverride={
                     globalOverrideByResource.get(view.id) ?? "none"
                   }
-                  isMutating={mutatingViewId === view.id}
-                  onGlobalOverrideChange={(override) => {
-                    setMutatingViewId(view.id);
-                    setGlobalOverride(
-                      { view, override },
-                      {
-                        onSettled: () => {
-                          setMutatingViewId((current) =>
-                            current === view.id ? null : current
-                          );
-                        }
-                      }
-                    );
-                  }}
-                  onViewSubjects={() => setSelectedViewId(view.id)}
+                  isMutating={mutatingResourceId === view.id}
+                  onGlobalOverrideChange={(override) =>
+                    setGlobalOverride(view, override)
+                  }
+                  onViewSubjects={() => setSelectedResourceId(view.id)}
                 />
               );
             })}
@@ -346,27 +101,12 @@ export default function McpViewsPage() {
               <SubjectSelectorPanel
                 key={selectedView.id}
                 description="Select users, teams, groups, or roles to allow this view for MCP usage."
-                preselectedSubjectIds={viewPermissions
-                  .filter(
-                    (permission) =>
-                      permission.deny !== true &&
-                      permission.subject &&
-                      permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-                      (permission.subject_type === "person" ||
-                        permission.subject_type === "team" ||
-                        permission.subject_type === "group" ||
-                        permission.subject_type === "role") &&
-                      permissionMatchesView(permission, selectedView)
-                  )
-                  .map((permission) => permission.subject!)}
+                preselectedSubjectIds={preselectedSubjectIds}
                 isSubmitting={isAllowingSelective}
-                onClose={() => setSelectedViewId(null)}
-                onAllow={async (subjects) => {
-                  await allowSelectiveAccess({
-                    view: selectedView,
-                    subjects
-                  });
-                }}
+                onClose={() => setSelectedResourceId(null)}
+                onAllow={(subjects) =>
+                  allowSelectiveAccess(selectedView, subjects)
+                }
               />
             ) : (
               <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">

From 98175273fac5c789d9351ded854ac89f10f73893 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 20:10:21 +0545
Subject: [PATCH 23/48] feat: Display setup MCP token button in mcp settings

---
 src/components/MCP/McpTabsLinks.tsx           |  7 ++-
 .../Permissions/SubjectSelectorPanel.tsx      |  2 +-
 src/components/Tokens/Add/CreateTokenForm.tsx |  8 +--
 .../Tokens/Add/TokenScopeFieldsGroup.tsx      |  3 +-
 src/components/Users/SetupMcpModal.tsx        | 17 +++---
 src/pages/Settings/mcp/McpOverviewPage.tsx    | 19 ++++++-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |  9 +--
 src/pages/Settings/mcp/McpViewsPage.tsx       |  9 +--
 src/ui/Modal/index.tsx                        | 56 ++++++++++++++-----
 9 files changed, 86 insertions(+), 44 deletions(-)

diff --git a/src/components/MCP/McpTabsLinks.tsx b/src/components/MCP/McpTabsLinks.tsx
index 85a4a06395..d20b753f07 100644
--- a/src/components/MCP/McpTabsLinks.tsx
+++ b/src/components/MCP/McpTabsLinks.tsx
@@ -21,6 +21,7 @@ type McpTabsLinksProps = {
   loading?: boolean;
   isInitialLoading?: boolean;
   loadingText?: string;
+  headerAction?: React.ReactNode;
 };
 
 export default function McpTabsLinks({
@@ -30,7 +31,8 @@ export default function McpTabsLinks({
   onRefresh = () => {},
   loading = false,
   isInitialLoading = false,
-  loadingText = "Loading..."
+  loadingText = "Loading...",
+  headerAction
 }: McpTabsLinksProps) {
   const [searchParams] = useSearchParams();
 
@@ -70,7 +72,8 @@ export default function McpTabsLinks({
               <BreadcrumbRoot key="mcp" link="/settings/mcp/overview">
                 MCP
               </BreadcrumbRoot>,
-              <BreadcrumbChild key={activeTab}>{activeTab}</BreadcrumbChild>
+              <BreadcrumbChild key={activeTab}>{activeTab}</BreadcrumbChild>,
+              ...(headerAction ? [headerAction] : [])
             ]}
           />
         }
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 5b3f94aec6..4f7d0da803 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -234,7 +234,7 @@ export default function SubjectSelectorPanel({
   };
 
   return (
-    <div className="flex max-h-[calc(100vh-8rem)] min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
+    <div className="flex h-full min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
       <div className="mb-3 flex items-start justify-between gap-2">
         <div>
           {description ? (
diff --git a/src/components/Tokens/Add/CreateTokenForm.tsx b/src/components/Tokens/Add/CreateTokenForm.tsx
index 60cc4c92d5..9bd70e9a4e 100644
--- a/src/components/Tokens/Add/CreateTokenForm.tsx
+++ b/src/components/Tokens/Add/CreateTokenForm.tsx
@@ -149,12 +149,12 @@ export function CreateTokenFormContent({
       {({ handleSubmit, isValid }) => (
         <Form
           id={formId}
-          className="flex flex-1 flex-col overflow-y-auto"
+          className="flex flex-1 flex-col"
           onSubmit={handleSubmit}
         >
-          <div className={clsx("my-2 flex h-full flex-col overflow-y-auto")}>
-            <div className={clsx("mb-2 flex flex-col overflow-y-auto px-2")}>
-              <div className="flex flex-col space-y-4 overflow-y-auto p-4">
+          <div className={clsx("my-2 flex h-full flex-col")}>
+            <div className={clsx("mb-2 flex flex-col px-2")}>
+              <div className="flex flex-col space-y-4 p-4">
                 <FormikTextInput
                   name="name"
                   label="Name"
diff --git a/src/components/Tokens/Add/TokenScopeFieldsGroup.tsx b/src/components/Tokens/Add/TokenScopeFieldsGroup.tsx
index 077d8cfa09..d5168fb364 100644
--- a/src/components/Tokens/Add/TokenScopeFieldsGroup.tsx
+++ b/src/components/Tokens/Add/TokenScopeFieldsGroup.tsx
@@ -260,6 +260,7 @@ function ObjectPermissionSwitch({
       </label>
       <div className="flex flex-row items-center space-x-2">
         <Switch
+          size="sm"
           options={getOptionsForObject()}
           defaultValue="None"
           value={selectedPermission as string}
@@ -405,7 +406,7 @@ export default function TokenScopeFieldsGroup({
       </div>
 
       {selectedScope === "Custom" && (
-        <div className="max-h-64 space-y-4 overflow-y-auto rounded-md border bg-gray-50 p-4">
+        <div className="space-y-4 rounded-md border bg-gray-50 p-4">
           {OBJECTS.map((object) => (
             <ObjectPermissionSwitch
               key={object}
diff --git a/src/components/Users/SetupMcpModal.tsx b/src/components/Users/SetupMcpModal.tsx
index 9cfbd1b661..496bded592 100644
--- a/src/components/Users/SetupMcpModal.tsx
+++ b/src/components/Users/SetupMcpModal.tsx
@@ -77,9 +77,10 @@ export default function SetupMcpModal({ isOpen, onClose }: Props) {
       title="Setup MCP"
       onClose={handleClose}
       open={isOpen}
-      bodyClass="flex h-[70vh] min-h-[620px] max-h-[70vh] w-full flex-1 flex-col overflow-hidden"
+      allowBodyScroll
+      bodyClass="flex w-full flex-col"
     >
-      <div className="flex h-full flex-1 flex-col gap-4 overflow-hidden p-4">
+      <div className="flex w-full flex-col gap-4 p-4">
         <div className="rounded-md border border-gray-200 bg-gray-50 p-4">
           <h3 className="text-base font-semibold text-gray-900">
             Choose how MCP should authenticate
@@ -90,16 +91,16 @@ export default function SetupMcpModal({ isOpen, onClose }: Props) {
           </p>
         </div>
 
-        <div className="flex min-h-0 flex-1 flex-col">
+        <div className="flex flex-col">
           <Tabs
             activeTab={mode}
             onSelectTab={(tab) => setMode(tab as SetupMode)}
-            contentClassName="flex min-h-0 flex-1 flex-col overflow-y-auto border border-t-0 border-gray-300 bg-white"
+            contentClassName="flex flex-col border border-t-0 border-gray-300 bg-white"
           >
             <Tab
               value="as-user"
               label="As me (full user permissions)"
-              className="h-full overflow-y-auto p-4"
+              className="h-full p-4"
             >
               <Tabs
                 activeTab={activeClient}
@@ -108,7 +109,7 @@ export default function SetupMcpModal({ isOpen, onClose }: Props) {
                 {Object.entries(asUserConfigs).map(
                   ([key, { label, config }]) => (
                     <Tab key={key} label={label} value={key} className="p-4">
-                      <div className="max-h-64 overflow-y-auto">
+                      <div className="max-h-80 overflow-y-auto">
                         <JSONViewer
                           code={config}
                           format="json"
@@ -122,7 +123,7 @@ export default function SetupMcpModal({ isOpen, onClose }: Props) {
               </Tabs>
 
               {mcpUsageInstructionsByClient[activeClient] && (
-                <div className="rounded-md border border-blue-200 bg-blue-50 p-3 text-sm text-blue-800">
+                <div className="mt-2 rounded-md border border-blue-200 bg-blue-50 p-3 text-sm text-blue-800">
                   {mcpUsageInstructionsByClient[activeClient]}
                 </div>
               )}
@@ -131,7 +132,7 @@ export default function SetupMcpModal({ isOpen, onClose }: Props) {
             <Tab
               value="access-token"
               label="Access token (restricted permissions)"
-              className="h-full overflow-y-auto p-4"
+              className="h-full p-4"
             >
               {mcpTokenResponse ? (
                 <TokenDisplayContent
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 0158c04001..c58e422504 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -8,12 +8,14 @@ import {
   updatePermission
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import UserAccessCard from "@flanksource-ui/components/Permissions/UserAccessCard";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import UserAccessCard from "@flanksource-ui/components/Permissions/UserAccessCard";
 import { toastError } from "@flanksource-ui/components/Toast/toast";
+import SetupMcpModal from "@flanksource-ui/components/Users/SetupMcpModal";
 import { useUser } from "@flanksource-ui/context";
 import { useMutation, useQuery } from "@tanstack/react-query";
 import { useMemo, useState } from "react";
+import { AiFillPlusCircle } from "react-icons/ai";
 
 const MCP_OBJECT = "mcp";
 const MCP_ACTION = "mcp:use";
@@ -55,6 +57,7 @@ export default function McpOverviewPage() {
   const [mutatingSubjectId, setMutatingSubjectId] = useState<string | null>(
     null
   );
+  const [isSetupMcpModalOpen, setIsSetupMcpModalOpen] = useState(false);
 
   const {
     data: subjects = [],
@@ -204,6 +207,16 @@ export default function McpOverviewPage() {
       loading={loading}
       isInitialLoading={isInitialLoading}
       loadingText="Loading MCP subjects..."
+      headerAction={
+        <button
+          key="setup-mcp"
+          type="button"
+          title="Setup MCP"
+          onClick={() => setIsSetupMcpModalOpen(true)}
+        >
+          <AiFillPlusCircle size={32} className="text-blue-600" />
+        </button>
+      }
       onRefresh={() => {
         refetchUsers();
         refetchPermissions();
@@ -279,6 +292,10 @@ export default function McpOverviewPage() {
           ))}
         </div>
       </div>
+      <SetupMcpModal
+        isOpen={isSetupMcpModalOpen}
+        onClose={() => setIsSetupMcpModalOpen(false)}
+      />
     </McpTabsLinks>
   );
 }
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index db47459b70..c203df0dc1 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -64,13 +64,8 @@ export default function McpPlaybooksPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
             {playbooks.map((playbook) => {
-              const permissions = permissionsByResource.get(playbook.id) ?? {
-                users: [],
-                groups: []
-              };
-
               return (
                 <PermissionAccessCard
                   key={playbook.id}
@@ -93,7 +88,7 @@ export default function McpPlaybooksPage() {
             })}
           </div>
 
-          <div className="min-h-0 w-full shrink-0 lg:sticky lg:top-6 lg:w-[420px] lg:self-start">
+          <div className="min-h-0 w-full shrink-0 lg:w-[420px]">
             {selectedPlaybook ? (
               <SubjectSelectorPanel
                 key={selectedPlaybook.id}
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index a68f268b98..ed15150a74 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -67,13 +67,8 @@ export default function McpViewsPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 flex-1 lg:w-[56rem] lg:flex-none [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
             {views.map((view) => {
-              const permissions = permissionsByResource.get(view.id) ?? {
-                users: [],
-                groups: []
-              };
-
               return (
                 <PermissionAccessCard
                   key={view.id}
@@ -96,7 +91,7 @@ export default function McpViewsPage() {
             })}
           </div>
 
-          <div className="min-h-0 w-full shrink-0 lg:sticky lg:top-6 lg:w-[420px] lg:self-start">
+          <div className="min-h-0 w-full shrink-0 lg:w-[420px]">
             {selectedView ? (
               <SubjectSelectorPanel
                 key={selectedView.id}
diff --git a/src/ui/Modal/index.tsx b/src/ui/Modal/index.tsx
index 027b631006..6ca4a0b41d 100644
--- a/src/ui/Modal/index.tsx
+++ b/src/ui/Modal/index.tsx
@@ -2,7 +2,7 @@ import { Dialog, DialogBackdrop, DialogPanel } from "@headlessui/react";
 import { XIcon } from "@heroicons/react/solid";
 import clsx from "clsx";
 import { atom, useAtom } from "jotai";
-import React, { useState } from "react";
+import React, { useEffect, useState } from "react";
 import { BsArrowsFullscreen, BsFullscreenExit } from "react-icons/bs";
 import { useWindowSize } from "react-use-size";
 import DialogButton from "../Buttons/DialogButton";
@@ -44,6 +44,7 @@ export interface IModalProps {
   children?: React.ReactNode;
   containerClassName?: string;
   dialogClassName?: string;
+  allowBodyScroll?: boolean;
 }
 
 export function useDialogSize(size?: string): {
@@ -142,6 +143,7 @@ export function Modal({
   containerClassName = "overflow-auto max-h-full",
   dialogClassName = "fixed z-50 inset-0 overflow-y-auto min-h-2xl:my-20 py-4",
   helpLink: helpLinkProps,
+  allowBodyScroll = false,
   ...rest
 }: IModalProps) {
   const [_helpLink, setHelpLink] = useAtom(modalHelpLinkAtom);
@@ -150,13 +152,44 @@ export function Modal({
   const isSmall = _size === "very-small" || _size === "small";
 
   const helpLink = _helpLink || helpLinkProps;
+  const resolvedDialogClassName = allowBodyScroll
+    ? "fixed z-50 inset-0 overflow-y-auto py-4"
+    : dialogClassName;
+  const resolvedDialogPanelClassName = clsx(
+    "flex justify-center",
+    allowBodyScroll ? "items-start" : "items-center",
+    allowBodyScroll ? "mx-auto" : sizeClass.classNames,
+    sizeClass.width
+  );
+
+  useEffect(() => {
+    if (!open || !allowBodyScroll) {
+      return;
+    }
+
+    const html = document.documentElement;
+    const body = document.body;
+    const prevHtmlOverflow = html.style.overflow;
+    const prevBodyOverflow = body.style.overflow;
+    const prevBodyPaddingRight = body.style.paddingRight;
+
+    html.style.overflow = "auto";
+    body.style.overflow = "auto";
+    body.style.paddingRight = "0px";
+
+    return () => {
+      html.style.overflow = prevHtmlOverflow;
+      body.style.overflow = prevBodyOverflow;
+      body.style.paddingRight = prevBodyPaddingRight;
+    };
+  }, [allowBodyScroll, open]);
 
   return (
     <Dialog
       as="div"
       open={open}
       auto-reopen="true"
-      className={dialogClassName}
+      className={resolvedDialogClassName}
       onClose={() => {
         // reset the help link when the modal is closed, this is to ensure
         // that the help link is not displayed when the modal is reopened and
@@ -173,21 +206,18 @@ export function Modal({
         transition
         className="fixed inset-0 bg-black/30 duration-300 ease-out data-[closed]:opacity-0"
       />
-      <DialogPanel
-        transition
-        className={clsx(
-          "flex items-center justify-center",
-          sizeClass.classNames,
-          sizeClass.width
-        )}
-      >
+      <DialogPanel transition className={resolvedDialogPanelClassName}>
         <div
           className={clsx(
-            !isSmall && "mb-10 mt-10 justify-between overflow-auto",
+            !isSmall &&
+              clsx(
+                "mb-10 mt-10 justify-between",
+                !allowBodyScroll && "overflow-auto"
+              ),
             !isSmall && childClassName,
             "flex transform flex-col rounded-lg bg-white text-left shadow-xl transition-all",
             isSmall && "mx-4 my-0 w-full max-w-prose",
-            sizeClass.height
+            !allowBodyScroll && sizeClass.height
           )}
         >
           <div
@@ -230,7 +260,7 @@ export function Modal({
             className={clsx(
               !isSmall && "mb-auto flex flex-1 flex-col",
               bodyClass,
-              `max-h-[${sizeClass.windowHeight - 50}px]`
+              !allowBodyScroll && `max-h-[${sizeClass.windowHeight - 50}px]`
             )}
           >
             {children}

From cf3810db27db89ff6d4f24342839e0375e6f5a5f Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 21:14:34 +0545
Subject: [PATCH 24/48] fix(permissions): address PR review issues in MCP
 permission UI

---
 .../Permissions/SubjectSelectorPanel.tsx      | 106 +++++++++---------
 src/components/Permissions/UserAccessCard.tsx |   4 +-
 .../permissions/mcpPermissionCardMappings.ts  |   4 +-
 .../permissions/useMcpResourcePermissions.ts  |  43 +++++--
 src/pages/Settings/mcp/McpOverviewPage.tsx    |   6 +-
 5 files changed, 101 insertions(+), 62 deletions(-)

diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 4f7d0da803..cd091e1bb8 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -44,7 +44,8 @@ function SubjectIcon({ subject }: { subject: PermissionSubject }) {
   return (
     <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
       {subject.type === "team" ||
-      subject.type === "permission_subject_group" ? (
+      subject.type === "permission_subject_group" ||
+      subject.type === "role" ? (
         <HiUserGroup className="h-3 w-3" />
       ) : (
         <HiUser className="h-3 w-3" />
@@ -107,20 +108,6 @@ export default function SubjectSelectorPanel({
       staleTime: 60_000
     });
 
-  useEffect(() => {
-    if (subjectsByIds.length === 0) {
-      return;
-    }
-
-    setSelectedSubjects((prev) => {
-      const next = { ...prev };
-      for (const subject of subjectsByIds) {
-        next[subject.id] = subject;
-      }
-      return next;
-    });
-  }, [subjectsByIds]);
-
   const debouncedSearch = useDebouncedValue(search, 300) ?? "";
 
   useEffect(() => {
@@ -143,11 +130,61 @@ export default function SubjectSelectorPanel({
       })
   });
 
-  const displayedSubjects = useMemo(
+  const pagedSubjects = useMemo(
     () => (data?.data ?? []) as PermissionSubject[],
     [data?.data]
   );
 
+  useEffect(() => {
+    setSelectedSubjects((prev) => {
+      const next: Record<string, PermissionSubject> = {};
+
+      for (const id of Object.keys(selectedIds)) {
+        if (prev[id]) {
+          next[id] = prev[id];
+        }
+      }
+
+      for (const subject of subjectsByIds) {
+        if (selectedIds[subject.id]) {
+          next[subject.id] = subject;
+        }
+      }
+
+      for (const subject of pagedSubjects) {
+        if (selectedIds[subject.id]) {
+          next[subject.id] = subject;
+        }
+      }
+
+      return next;
+    });
+  }, [pagedSubjects, selectedIds, subjectsByIds]);
+
+  const selectedHydratedSubjects = useMemo(
+    () =>
+      Object.keys(selectedIds)
+        .map((id) => selectedSubjects[id])
+        .filter((subject): subject is PermissionSubject => !!subject),
+    [selectedIds, selectedSubjects]
+  );
+
+  const displayedSubjects = useMemo(() => {
+    const merged = new Map<string, PermissionSubject>();
+
+    for (const subject of selectedHydratedSubjects) {
+      merged.set(subject.id, subject);
+    }
+
+    for (const subject of pagedSubjects) {
+      if (!merged.has(subject.id)) {
+        merged.set(subject.id, subject);
+      }
+    }
+
+    return Array.from(merged.values());
+  }, [pagedSubjects, selectedHydratedSubjects]);
+
   const groupedDisplayedSubjects = useMemo(() => {
     const seen = new Set<string>();
     const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
@@ -176,42 +213,11 @@ export default function SubjectSelectorPanel({
   const totalEntries = data?.totalEntries ?? 0;
   const pageCount = Math.ceil(totalEntries / PAGE_SIZE);
 
-  useEffect(() => {
-    if (subjectsByIds.length === 0) {
-      return;
-    }
-
-    setSelectedSubjects((prev) => {
-      const next = { ...prev };
-      for (const subject of subjectsByIds) {
-        if (selectedIds[subject.id]) {
-          next[subject.id] = subject;
-        }
-      }
-      return next;
-    });
-  }, [selectedIds, subjectsByIds]);
-
-  useEffect(() => {
-    if (displayedSubjects.length === 0) {
-      return;
-    }
-
-    setSelectedSubjects((prev) => {
-      const next = { ...prev };
-      for (const subject of displayedSubjects) {
-        if (selectedIds[subject.id]) {
-          next[subject.id] = subject;
-        }
-      }
-      return next;
-    });
-  }, [displayedSubjects, selectedIds]);
-
   const selectedCount = Object.keys(selectedIds).length;
   const hasChanged =
     selectedCount !== Object.keys(initialSelectedIds).length ||
     Object.keys(selectedIds).some((id) => !initialSelectedIds[id]);
+  const allSelectedHydrated = selectedHydratedSubjects.length === selectedCount;
 
   const toggleSubject = (subject: PermissionSubject, checked: boolean) => {
     setSelectedIds((prev) => {
@@ -321,8 +327,8 @@ export default function SubjectSelectorPanel({
         ) : null}
         <Button
           type="button"
-          disabled={!hasChanged || isSubmitting}
-          onClick={() => onAllow?.(Object.values(selectedSubjects))}
+          disabled={!hasChanged || isSubmitting || !allSelectedHydrated}
+          onClick={() => onAllow?.(selectedHydratedSubjects)}
         >
           Apply
         </Button>
diff --git a/src/components/Permissions/UserAccessCard.tsx b/src/components/Permissions/UserAccessCard.tsx
index bdcc80912d..0bf48b8022 100644
--- a/src/components/Permissions/UserAccessCard.tsx
+++ b/src/components/Permissions/UserAccessCard.tsx
@@ -28,7 +28,9 @@ export default function UserAccessCard({
     <div className="w-full max-w-3xl">
       <div className="flex items-start gap-3">
         <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
-          {user.type === "team" || user.type === "permission_subject_group" ? (
+          {user.type === "team" ||
+          user.type === "permission_subject_group" ||
+          user.type === "role" ? (
             <HiUserGroup className="h-4 w-4" />
           ) : (
             <HiUser className="h-4 w-4" />
diff --git a/src/lib/permissions/mcpPermissionCardMappings.ts b/src/lib/permissions/mcpPermissionCardMappings.ts
index 692bf7188f..23391ea790 100644
--- a/src/lib/permissions/mcpPermissionCardMappings.ts
+++ b/src/lib/permissions/mcpPermissionCardMappings.ts
@@ -159,9 +159,11 @@ export function buildPermissionAccessCardMaps<
 
     if (isGlobalOverride) {
       for (const resource of matchedResources) {
+        const next = permission.deny === true ? "deny" : "allow";
+        const current = globalOverrideByResource.get(resource.id);
         globalOverrideByResource.set(
           resource.id,
-          permission.deny === true ? "deny" : "allow"
+          current === "deny" || next === "deny" ? "deny" : "allow"
         );
       }
       continue;
diff --git a/src/lib/permissions/useMcpResourcePermissions.ts b/src/lib/permissions/useMcpResourcePermissions.ts
index 0d6ee47e2f..feecf515bc 100644
--- a/src/lib/permissions/useMcpResourcePermissions.ts
+++ b/src/lib/permissions/useMcpResourcePermissions.ts
@@ -216,7 +216,7 @@ export function useMcpResourcePermissions<
         { name: resource.name, namespace: resource.namespace }
       ];
 
-      const payloads = subjects
+      const payloadsToAdd = subjects
         .map((subject) => {
           const subjectType = mapSubjectType(subject.type);
           if (existingKeys.has(`${subjectType}:${subject.id}`)) {
@@ -232,18 +232,41 @@ export function useMcpResourcePermissions<
             created_by: user?.id
           };
         })
-        .filter(Boolean);
+        .filter((payload): payload is NonNullable<typeof payload> => !!payload)
+        .sort((a, b) =>
+          `${a.subject_type}:${a.subject}`.localeCompare(
+            `${b.subject_type}:${b.subject}`
+          )
+        );
 
       const deleteIds = existingPermissions
         .filter((p) => !desiredKeys.has(`${p.subject_type}:${p.subject}`))
-        .map((p) => p.id);
+        .map((p) => p.id!)
+        .sort((a, b) => a.localeCompare(b));
+
+      const addedPermissionIds: string[] = [];
 
-      await Promise.all([
-        ...payloads.map((payload) => addPermission(payload as any)),
-        ...deleteIds.map((id) => deletePermission(id))
-      ]);
+      try {
+        for (const payload of payloadsToAdd) {
+          const created = await addPermission(payload as any);
+          if (created?.data?.id) {
+            addedPermissionIds.push(created.data.id);
+          }
+        }
 
-      return { added: payloads.length, removed: deleteIds.length };
+        for (const id of deleteIds) {
+          await deletePermission(id);
+        }
+      } catch (error) {
+        if (addedPermissionIds.length > 0) {
+          await Promise.allSettled(
+            addedPermissionIds.map((id) => deletePermission(id))
+          );
+        }
+        throw error;
+      }
+
+      return { added: payloadsToAdd.length, removed: deleteIds.length };
     },
     onSuccess: ({ added, removed }) => {
       if (added === 0 && removed === 0) {
@@ -252,10 +275,12 @@ export function useMcpResourcePermissions<
         toastSuccess(`Updated permissions: +${added} / -${removed}`);
       }
       setSelectedResourceId(null);
-      refetchPermissions();
     },
     onError: (error) => {
       toastError(error as any);
+    },
+    onSettled: () => {
+      refetchPermissions();
     }
   });
 
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index c58e422504..702afdf528 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -158,6 +158,10 @@ export default function McpOverviewPage() {
           .map((permission) => permission.id!);
 
         if (!primaryPermission) {
+          if (!user?.id) {
+            throw new Error("User must be logged in to create permissions");
+          }
+
           await addPermission({
             object: MCP_OBJECT,
             action: MCP_ACTION,
@@ -165,7 +169,7 @@ export default function McpOverviewPage() {
             subject_type: mapPermissionSubjectType(subjectType),
             deny: targetDeny,
             source: MCP_SETTINGS_PERMISSION_SOURCE,
-            created_by: user?.id!
+            created_by: user.id
           } as any);
 
           return;

From 3e2fd4b200e702af6c1773b5f0f841efeb61c8af Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Tue, 7 Apr 2026 21:46:49 +0545
Subject: [PATCH 25/48] fix(permissions): handle missing subjects and always
 refetch overrides

---
 .../Permissions/SubjectSelectorPanel.tsx      | 103 +++++++++++++-----
 .../permissions/useMcpResourcePermissions.ts  |   2 +-
 2 files changed, 74 insertions(+), 31 deletions(-)

diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index cd091e1bb8..17ba74a167 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -169,6 +169,11 @@ export default function SubjectSelectorPanel({
     [selectedIds, selectedSubjects]
   );
 
+  const unresolvedSelectedIds = useMemo(
+    () => Object.keys(selectedIds).filter((id) => !selectedSubjects[id]),
+    [selectedIds, selectedSubjects]
+  );
+
   const displayedSubjects = useMemo(() => {
     const merged = new Map<string, PermissionSubject>();
 
@@ -219,26 +224,36 @@ export default function SubjectSelectorPanel({
     Object.keys(selectedIds).some((id) => !initialSelectedIds[id]);
   const allSelectedHydrated = selectedHydratedSubjects.length === selectedCount;
 
-  const toggleSubject = (subject: PermissionSubject, checked: boolean) => {
+  const removeSelectedId = (id: string) => {
     setSelectedIds((prev) => {
-      if (checked) {
-        return { ...prev, [subject.id]: true };
+      if (!prev[id]) {
+        return prev;
       }
       const next = { ...prev };
-      delete next[subject.id];
+      delete next[id];
       return next;
     });
 
     setSelectedSubjects((prev) => {
-      if (checked) {
-        return { ...prev, [subject.id]: subject };
+      if (!prev[id]) {
+        return prev;
       }
       const next = { ...prev };
-      delete next[subject.id];
+      delete next[id];
       return next;
     });
   };
 
+  const toggleSubject = (subject: PermissionSubject, checked: boolean) => {
+    if (checked) {
+      setSelectedIds((prev) => ({ ...prev, [subject.id]: true }));
+      setSelectedSubjects((prev) => ({ ...prev, [subject.id]: subject }));
+      return;
+    }
+
+    removeSelectedId(subject.id);
+  };
+
   return (
     <div className="flex h-full min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
       <div className="mb-3 flex items-start justify-between gap-2">
@@ -258,33 +273,61 @@ export default function SubjectSelectorPanel({
       <div className="mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md border p-2">
         {(shouldFetchSubjectsByIds && isSubjectsByIdsLoading) || isLoading ? (
           <div className="p-2 text-sm text-gray-500">Loading...</div>
-        ) : displayedSubjects.length > 0 ? (
-          groupedDisplayedSubjects.map((group) => (
-            <div key={group.type} className="space-y-1">
-              <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
-                {TYPE_LABELS[group.type] ?? group.type}
-              </div>
-              {group.subjects.map((subject) => (
-                <div
-                  key={subject.id}
-                  className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
-                >
-                  <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-                    <SubjectIcon subject={subject} />
+        ) : displayedSubjects.length > 0 || unresolvedSelectedIds.length > 0 ? (
+          <>
+            {unresolvedSelectedIds.length > 0 ? (
+              <div className="space-y-1">
+                <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-amber-600 first:pt-0">
+                  Missing
+                </div>
+                {unresolvedSelectedIds.map((id) => (
+                  <div
+                    key={id}
+                    className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+                  >
                     <div className="min-w-0 truncate text-sm font-medium text-gray-900">
-                      {subject.name}
+                      Missing subject ({id})
                     </div>
+                    <Button
+                      type="button"
+                      variant="outline"
+                      size="sm"
+                      onClick={() => removeSelectedId(id)}
+                    >
+                      Remove
+                    </Button>
                   </div>
-                  <Switch
-                    checked={!!selectedIds[subject.id]}
-                    onCheckedChange={(checked) =>
-                      toggleSubject(subject, checked)
-                    }
-                  />
+                ))}
+              </div>
+            ) : null}
+
+            {groupedDisplayedSubjects.map((group) => (
+              <div key={group.type} className="space-y-1">
+                <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
+                  {TYPE_LABELS[group.type] ?? group.type}
                 </div>
-              ))}
-            </div>
-          ))
+                {group.subjects.map((subject) => (
+                  <div
+                    key={subject.id}
+                    className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+                  >
+                    <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
+                      <SubjectIcon subject={subject} />
+                      <div className="min-w-0 truncate text-sm font-medium text-gray-900">
+                        {subject.name}
+                      </div>
+                    </div>
+                    <Switch
+                      checked={!!selectedIds[subject.id]}
+                      onCheckedChange={(checked) =>
+                        toggleSubject(subject, checked)
+                      }
+                    />
+                  </div>
+                ))}
+              </div>
+            ))}
+          </>
         ) : (
           <div className="p-2 text-sm text-gray-500">No subjects found</div>
         )}
diff --git a/src/lib/permissions/useMcpResourcePermissions.ts b/src/lib/permissions/useMcpResourcePermissions.ts
index feecf515bc..a68d53bc68 100644
--- a/src/lib/permissions/useMcpResourcePermissions.ts
+++ b/src/lib/permissions/useMcpResourcePermissions.ts
@@ -168,7 +168,7 @@ export function useMcpResourcePermissions<
         created_by: user?.id
       } as any);
     },
-    onSuccess: () => {
+    onSettled: () => {
       refetchPermissions();
     },
     onError: (error) => {

From e0ef0f4e97aeb42d4212f581e60e4bf1130a3d22 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Wed, 8 Apr 2026 12:14:51 +0545
Subject: [PATCH 26/48] fix: show MCP token creation error inside the modal

---
 src/components/MCP/UserList.tsx               |  83 ++++++++++++
 .../Permissions/PermissionAccessCard.tsx      |  97 -------------
 .../Permissions/ResourceAccessCard.tsx        | 128 ++++++++++++++++++
 .../Permissions/SubjectAccessCard.tsx         | 100 ++++++++++++++
 src/components/Permissions/UserAccessCard.tsx |  99 --------------
 src/components/Tokens/Add/CreateTokenForm.tsx |  18 ++-
 src/pages/Settings/mcp/McpOverviewPage.tsx    |  99 +++-----------
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |   6 +-
 src/pages/Settings/mcp/McpViewsPage.tsx       |   6 +-
 9 files changed, 351 insertions(+), 285 deletions(-)
 create mode 100644 src/components/MCP/UserList.tsx
 delete mode 100644 src/components/Permissions/PermissionAccessCard.tsx
 create mode 100644 src/components/Permissions/ResourceAccessCard.tsx
 create mode 100644 src/components/Permissions/SubjectAccessCard.tsx
 delete mode 100644 src/components/Permissions/UserAccessCard.tsx

diff --git a/src/components/MCP/UserList.tsx b/src/components/MCP/UserList.tsx
new file mode 100644
index 0000000000..410df1ca00
--- /dev/null
+++ b/src/components/MCP/UserList.tsx
@@ -0,0 +1,83 @@
+import {
+  MCP_SETTINGS_PERMISSION_SOURCE,
+  PermissionSubject
+} from "@flanksource-ui/api/services/permissions";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import SubjectAccessCard from "@flanksource-ui/components/Permissions/SubjectAccessCard";
+
+const MCP_OBJECT = "mcp";
+const MCP_ACTION = "mcp:use";
+
+const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
+  person: "person",
+  team: "team",
+  role: "role",
+  permission_subject_group: "group"
+};
+
+type GroupedSubject = {
+  type: PermissionSubject["type"];
+  subjects: PermissionSubject[];
+};
+
+type Props = {
+  groupedSubjects: GroupedSubject[];
+  permissionsByUser: Map<string, PermissionsSummary[]>;
+  mutatingSubjectId: string | null;
+  onChangeAccess: (
+    subject: PermissionSubject,
+    access: "allow" | "deny" | "default"
+  ) => void;
+};
+
+export default function UserList({
+  groupedSubjects,
+  permissionsByUser,
+  mutatingSubjectId,
+  onChangeAccess
+}: Props) {
+  return (
+    <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
+      {groupedSubjects.map((group) => (
+        <div key={group.type} className="space-y-1">
+          <div className="pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
+            {TYPE_LABELS[group.type] ?? group.type}
+          </div>
+
+          <div className="[&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+            {group.subjects.map((subject) => {
+              const permissions = permissionsByUser.get(subject.id) ?? [];
+
+              const activePermission = permissions.find(
+                (permission) =>
+                  permission.source === MCP_SETTINGS_PERMISSION_SOURCE
+              );
+
+              const access = !activePermission
+                ? "default"
+                : activePermission.deny === true
+                  ? "deny"
+                  : "allow";
+
+              return (
+                <SubjectAccessCard
+                  key={subject.id}
+                  user={{
+                    id: subject.id,
+                    name: subject.name,
+                    type: subject.type
+                  }}
+                  action={MCP_ACTION}
+                  object={MCP_OBJECT}
+                  access={access}
+                  isMutating={mutatingSubjectId === subject.id}
+                  onChangeAccess={(access) => onChangeAccess(subject, access)}
+                />
+              );
+            })}
+          </div>
+        </div>
+      ))}
+    </div>
+  );
+}
diff --git a/src/components/Permissions/PermissionAccessCard.tsx b/src/components/Permissions/PermissionAccessCard.tsx
deleted file mode 100644
index aa9251e2cf..0000000000
--- a/src/components/Permissions/PermissionAccessCard.tsx
+++ /dev/null
@@ -1,97 +0,0 @@
-import { Icon } from "@flanksource-ui/ui/Icons/Icon";
-import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
-
-type PermissionAccessCardProps = {
-  entity: {
-    id: string;
-    name: string;
-    namespace?: string;
-    icon?: string;
-  };
-  globalOverride?: "allow" | "none" | "deny";
-  onGlobalOverrideChange: (value: "allow" | "none" | "deny") => void;
-  onViewSubjects?: () => void;
-  isMutating?: boolean;
-};
-
-export default function PermissionAccessCard({
-  entity,
-  globalOverride = "none",
-  onGlobalOverrideChange,
-  onViewSubjects,
-  isMutating = false
-}: PermissionAccessCardProps) {
-  return (
-    <div
-      className={`w-full max-w-3xl ${globalOverride === "none" && onViewSubjects ? "cursor-pointer" : ""}`}
-      onClick={() => {
-        if (globalOverride === "none") {
-          onViewSubjects?.();
-        }
-      }}
-    >
-      <div className="flex items-start gap-3">
-        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
-          <Icon name={entity.icon || "playbook"} className="h-4 w-4" />
-        </div>
-
-        <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
-          <div className="min-w-0">
-            <div
-              className="truncate text-sm font-semibold text-gray-900"
-              title={entity.name}
-            >
-              {entity.name}
-            </div>
-            {entity.namespace ? (
-              <div
-                className="mt-0.5 truncate text-xs text-gray-500"
-                title={entity.namespace}
-              >
-                {entity.namespace}
-              </div>
-            ) : null}
-          </div>
-
-          <div className="shrink-0" onClick={(e) => e.stopPropagation()}>
-            <div
-              className={isMutating ? "pointer-events-none opacity-60" : ""}
-              aria-disabled={isMutating || undefined}
-            >
-              <Switch
-                size="sm"
-                options={["Deny all", "Custom", "Allow all"]}
-                value={
-                  globalOverride === "deny"
-                    ? "Deny all"
-                    : globalOverride === "allow"
-                      ? "Allow all"
-                      : "Custom"
-                }
-                onChange={(value) => {
-                  const mappedValue =
-                    value === "Deny all"
-                      ? "deny"
-                      : value === "Allow all"
-                        ? "allow"
-                        : "none";
-
-                  onGlobalOverrideChange(mappedValue);
-                }}
-                className="h-auto"
-                itemsClassName=""
-                getActiveItemClassName={(option) =>
-                  option === "Allow all"
-                    ? "bg-blue-50 text-blue-700 ring-blue-200"
-                    : option === "Deny all"
-                      ? "bg-red-50 text-red-700 ring-red-200"
-                      : undefined
-                }
-              />
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/src/components/Permissions/ResourceAccessCard.tsx b/src/components/Permissions/ResourceAccessCard.tsx
new file mode 100644
index 0000000000..33cafb22e9
--- /dev/null
+++ b/src/components/Permissions/ResourceAccessCard.tsx
@@ -0,0 +1,128 @@
+import { Icon } from "@flanksource-ui/ui/Icons/Icon";
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+
+type GlobalOverride = "allow" | "none" | "deny";
+
+type Entity = {
+  id: string;
+  name: string;
+  namespace?: string;
+  icon?: string;
+};
+
+type PermissionAccessCardProps = {
+  entity: Entity;
+  globalOverride?: GlobalOverride;
+  onGlobalOverrideChange: (value: GlobalOverride) => void;
+  onViewSubjects?: () => void;
+  isMutating?: boolean;
+};
+
+const SWITCH_OPTIONS = ["Deny all", "Custom", "Allow all"];
+type SwitchOption = "Deny all" | "Custom" | "Allow all";
+
+function toSwitchOption(value: GlobalOverride): SwitchOption {
+  switch (value) {
+    case "deny":
+      return "Deny all";
+    case "allow":
+      return "Allow all";
+    default:
+      return "Custom";
+  }
+}
+
+function toGlobalOverride(value: string): GlobalOverride {
+  switch (value) {
+    case "Deny all":
+      return "deny";
+    case "Allow all":
+      return "allow";
+    default:
+      return "none";
+  }
+}
+
+export default function ResourceAccessCard({
+  entity,
+  globalOverride = "none",
+  onGlobalOverrideChange,
+  onViewSubjects,
+  isMutating = false
+}: PermissionAccessCardProps) {
+  const canOpenSubjects = globalOverride === "none" && Boolean(onViewSubjects);
+
+  const handleCardClick = () => {
+    if (!canOpenSubjects) {
+      return;
+    }
+
+    onViewSubjects?.();
+  };
+
+  return (
+    <div
+      className={`w-full max-w-3xl ${canOpenSubjects ? "cursor-pointer" : ""}`}
+      onClick={handleCardClick}
+    >
+      <div className="flex items-start gap-3">
+        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
+          <Icon name={entity.icon ?? "playbook"} className="h-4 w-4" />
+        </div>
+
+        <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
+          <div className="min-w-0">
+            <div
+              className="truncate text-sm font-semibold text-gray-900"
+              title={entity.name}
+            >
+              {entity.name}
+            </div>
+            {entity.namespace && (
+              <div
+                className="mt-0.5 truncate text-xs text-gray-500"
+                title={entity.namespace}
+              >
+                {entity.namespace}
+              </div>
+            )}
+          </div>
+
+          <div
+            className="shrink-0"
+            onClick={(event) => event.stopPropagation()}
+          >
+            <div
+              className={
+                isMutating ? "pointer-events-none opacity-60" : undefined
+              }
+              aria-disabled={isMutating || undefined}
+            >
+              <Switch
+                size="sm"
+                options={SWITCH_OPTIONS}
+                value={toSwitchOption(globalOverride)}
+                onChange={(value) =>
+                  onGlobalOverrideChange(toGlobalOverride(value))
+                }
+                className="h-auto"
+                itemsClassName=""
+                getActiveItemClassName={(option) => {
+                  if (option === "Allow all") {
+                    return "bg-blue-50 text-blue-700 ring-blue-200";
+                  }
+
+                  if (option === "Deny all") {
+                    return "bg-red-50 text-red-700 ring-red-200";
+                  }
+
+                  return undefined;
+                }}
+              />
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/src/components/Permissions/SubjectAccessCard.tsx b/src/components/Permissions/SubjectAccessCard.tsx
new file mode 100644
index 0000000000..06dfac7f4f
--- /dev/null
+++ b/src/components/Permissions/SubjectAccessCard.tsx
@@ -0,0 +1,100 @@
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+import { HiUser, HiUserGroup } from "react-icons/hi";
+
+type AccessLevel = "deny" | "default" | "allow";
+type SwitchOption = "Deny" | "Default" | "Allow";
+
+const ACCESS_TO_OPTION: Record<AccessLevel, SwitchOption> = {
+  deny: "Deny",
+  default: "Default",
+  allow: "Allow"
+};
+
+const OPTION_TO_ACCESS: Record<SwitchOption, AccessLevel> = {
+  Deny: "deny",
+  Default: "default",
+  Allow: "allow"
+};
+
+const SWITCH_OPTIONS: SwitchOption[] = ["Deny", "Default", "Allow"];
+
+const GROUP_TYPES = new Set(["team", "permission_subject_group", "role"]);
+
+type SubjectAccessCardProps = {
+  user: {
+    id: string;
+    name?: string;
+    email?: string;
+    avatar?: string;
+    type?: "team" | "permission_subject_group" | "person" | "role";
+  };
+  action: string;
+  object: string;
+  access: AccessLevel;
+  onChangeAccess: (access: AccessLevel) => void;
+  isMutating?: boolean;
+};
+
+export default function SubjectAccessCard({
+  user,
+  action,
+  object,
+  access,
+  onChangeAccess,
+  isMutating = false
+}: SubjectAccessCardProps) {
+  const isGroup = user.type ? GROUP_TYPES.has(user.type) : false;
+
+  return (
+    <div className="w-full max-w-3xl">
+      <div className="flex items-center gap-3">
+        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
+          {isGroup ? (
+            <HiUserGroup className="h-4 w-4" />
+          ) : (
+            <HiUser className="h-4 w-4" />
+          )}
+        </div>
+
+        <div className="flex min-w-0 flex-1 items-center justify-between gap-2">
+          <div className="min-w-0">
+            <div
+              className="truncate text-sm font-semibold text-gray-900"
+              title={user.name}
+            >
+              {user.name}
+            </div>
+            {user.email && (
+              <div
+                className="mt-0.5 truncate text-xs text-gray-500"
+                title={user.email}
+              >
+                {user.email}
+              </div>
+            )}
+          </div>
+
+          <div
+            className={`shrink-0 ${isMutating ? "pointer-events-none opacity-60" : ""}`}
+            aria-disabled={isMutating || undefined}
+          >
+            <Switch
+              size="sm"
+              options={SWITCH_OPTIONS}
+              value={ACCESS_TO_OPTION[access]}
+              onChange={(option) => onChangeAccess(OPTION_TO_ACCESS[option])}
+              aria-label={`${action} on ${object} for ${user.name ?? user.id}`}
+              getActiveItemClassName={(option) =>
+                option === "Allow"
+                  ? "bg-blue-50 text-blue-700 ring-blue-200"
+                  : option === "Deny"
+                    ? "bg-red-50 text-red-700 ring-red-200"
+                    : undefined
+              }
+            />
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/src/components/Permissions/UserAccessCard.tsx b/src/components/Permissions/UserAccessCard.tsx
deleted file mode 100644
index 0bf48b8022..0000000000
--- a/src/components/Permissions/UserAccessCard.tsx
+++ /dev/null
@@ -1,99 +0,0 @@
-import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
-import { HiUser, HiUserGroup } from "react-icons/hi";
-
-type UserAccessCardProps = {
-  user: {
-    id: string;
-    name?: string;
-    email?: string;
-    avatar?: string;
-    type?: "team" | "permission_subject_group" | "person" | "role";
-  };
-  action: string;
-  object: string;
-  access: "deny" | "default" | "allow";
-  onChangeAccess: (access: "deny" | "default" | "allow") => void;
-  isMutating?: boolean;
-};
-
-export default function UserAccessCard({
-  user,
-  action,
-  object,
-  access,
-  onChangeAccess,
-  isMutating = false
-}: UserAccessCardProps) {
-  return (
-    <div className="w-full max-w-3xl">
-      <div className="flex items-start gap-3">
-        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
-          {user.type === "team" ||
-          user.type === "permission_subject_group" ||
-          user.type === "role" ? (
-            <HiUserGroup className="h-4 w-4" />
-          ) : (
-            <HiUser className="h-4 w-4" />
-          )}
-        </div>
-
-        <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
-          <div className="min-w-0">
-            <div
-              className="truncate text-sm font-semibold text-gray-900"
-              title={user.name}
-            >
-              {user.name}
-            </div>
-            {user.email ? (
-              <div
-                className="mt-0.5 truncate text-xs text-gray-500"
-                title={user.email}
-              >
-                {user.email}
-              </div>
-            ) : null}
-          </div>
-
-          <div className="shrink-0">
-            <div
-              className={isMutating ? "pointer-events-none opacity-60" : ""}
-              aria-disabled={isMutating || undefined}
-            >
-              <Switch
-                size="sm"
-                options={["Deny", "Default", "Allow"]}
-                value={
-                  access === "deny"
-                    ? "Deny"
-                    : access === "allow"
-                      ? "Allow"
-                      : "Default"
-                }
-                onChange={(value) => {
-                  const mapped =
-                    value === "Deny"
-                      ? "deny"
-                      : value === "Allow"
-                        ? "allow"
-                        : "default";
-                  onChangeAccess(mapped);
-                }}
-                className="h-auto"
-                itemsClassName=""
-                aria-label={`${action} on ${object} for ${user.name || user.id}`}
-                getActiveItemClassName={(option) =>
-                  option === "Allow"
-                    ? "bg-blue-50 text-blue-700 ring-blue-200"
-                    : option === "Deny"
-                      ? "bg-red-50 text-red-700 ring-red-200"
-                      : undefined
-                }
-              />
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/src/components/Tokens/Add/CreateTokenForm.tsx b/src/components/Tokens/Add/CreateTokenForm.tsx
index 9bd70e9a4e..99cf9ec875 100644
--- a/src/components/Tokens/Add/CreateTokenForm.tsx
+++ b/src/components/Tokens/Add/CreateTokenForm.tsx
@@ -1,6 +1,7 @@
 import { useMutation } from "@tanstack/react-query";
 import clsx from "clsx";
 import { Form, Formik } from "formik";
+import { useState } from "react";
 import { FaSpinner } from "react-icons/fa";
 import {
   createToken,
@@ -12,7 +13,7 @@ import { Button } from "../../../ui/Buttons/Button";
 import { Modal } from "../../../ui/Modal";
 import FormikTextInput from "../../Forms/Formik/FormikTextInput";
 import FormikSelectDropdown from "../../Forms/Formik/FormikSelectDropdown";
-import { toastError, toastSuccess } from "../../Toast/toast";
+import { toastSuccess } from "../../Toast/toast";
 import {
   OBJECTS,
   getActionsForObject,
@@ -20,6 +21,7 @@ import {
 } from "../tokenUtils";
 import TokenScopeFieldsGroup from "./TokenScopeFieldsGroup";
 import FormikCheckbox from "@flanksource-ui/components/Forms/Formik/FormikCheckbox";
+import { ErrorViewer } from "@flanksource-ui/components/ErrorViewer";
 
 export type TokenFormValues = CreateTokenRequest & {
   objectActions: Record<string, boolean>;
@@ -59,13 +61,16 @@ export function CreateTokenFormContent({
   showFooter = true,
   formId
 }: CreateTokenFormContentProps) {
+  const [submitError, setSubmitError] = useState<unknown>(null);
+
   const { mutate: createTokenMutation, isLoading } = useMutation({
     mutationFn: createToken,
-    onSuccess: (data) => {
+    onSuccess: () => {
+      setSubmitError(null);
       toastSuccess("Token created successfully");
     },
-    onError: (error: any) => {
-      toastError(error.message || "Failed to create token");
+    onError: (error: unknown) => {
+      setSubmitError(error);
     }
   });
 
@@ -121,6 +126,8 @@ export function CreateTokenFormContent({
       scope: selectedScopes
     };
 
+    setSubmitError(null);
+
     createTokenMutation(tokenRequest, {
       onSuccess: (data) => {
         onSuccess(data, values);
@@ -178,6 +185,9 @@ export function CreateTokenFormContent({
               </div>
             </div>
           </div>
+          {submitError != null && (
+            <ErrorViewer error={submitError} className="mx-6 mb-4" />
+          )}
           {showFooter && (
             <div
               className={clsx(
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 702afdf528..c65e4ba0b5 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -9,7 +9,7 @@ import {
 } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
-import UserAccessCard from "@flanksource-ui/components/Permissions/UserAccessCard";
+import UserList from "@flanksource-ui/components/MCP/UserList";
 import { toastError } from "@flanksource-ui/components/Toast/toast";
 import SetupMcpModal from "@flanksource-ui/components/Users/SetupMcpModal";
 import { useUser } from "@flanksource-ui/context";
@@ -20,13 +20,6 @@ import { AiFillPlusCircle } from "react-icons/ai";
 const MCP_OBJECT = "mcp";
 const MCP_ACTION = "mcp:use";
 
-const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
-  person: "person",
-  team: "team",
-  role: "role",
-  permission_subject_group: "group"
-};
-
 const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
   role: 0,
   permission_subject_group: 1,
@@ -218,7 +211,7 @@ export default function McpOverviewPage() {
           title="Setup MCP"
           onClick={() => setIsSetupMcpModalOpen(true)}
         >
-          <AiFillPlusCircle size={32} className="text-blue-600" />
+          <AiFillPlusCircle size={24} className="text-blue-600" />
         </button>
       }
       onRefresh={() => {
@@ -226,76 +219,24 @@ export default function McpOverviewPage() {
         refetchPermissions();
       }}
     >
-      <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
-        <div>
-          <h3 className="text-lg font-semibold text-gray-900">
-            Subject permissions
-          </h3>
-          <p className="text-sm text-gray-600">
-            Control which users, teams, groups, or roles can use MCP through
-            this gateway.
-          </p>
-        </div>
-
-        <div className="min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md border p-2">
-          {groupedSubjects.map((group) => (
-            <div key={group.type} className="space-y-1">
-              <div className="pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
-                {TYPE_LABELS[group.type] ?? group.type}
-              </div>
-
-              <div className="[&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
-                {group.subjects.map((subject) => {
-                  const permissions = permissionsByUser.get(subject.id) ?? [];
-
-                  const activePermission = permissions.find(
-                    (permission) =>
-                      permission.source === MCP_SETTINGS_PERMISSION_SOURCE
-                  );
-
-                  const access = !activePermission
-                    ? "default"
-                    : activePermission.deny === true
-                      ? "deny"
-                      : "allow";
-
-                  return (
-                    <UserAccessCard
-                      key={subject.id}
-                      user={{
-                        id: subject.id,
-                        name: subject.name,
-                        type: subject.type
-                      }}
-                      action={MCP_ACTION}
-                      object={MCP_OBJECT}
-                      access={access}
-                      isMutating={mutatingSubjectId === subject.id}
-                      onChangeAccess={(access) => {
-                        setMutatingSubjectId(subject.id);
-                        setUserAccess(
-                          {
-                            subjectId: subject.id,
-                            subjectType: subject.type,
-                            access
-                          },
-                          {
-                            onSettled: () => {
-                              setMutatingSubjectId((current) =>
-                                current === subject.id ? null : current
-                              );
-                            }
-                          }
-                        );
-                      }}
-                    />
-                  );
-                })}
-              </div>
-            </div>
-          ))}
-        </div>
-      </div>
+      <UserList
+        groupedSubjects={groupedSubjects}
+        permissionsByUser={permissionsByUser}
+        mutatingSubjectId={mutatingSubjectId}
+        onChangeAccess={(subject, access) => {
+          setMutatingSubjectId(subject.id);
+          setUserAccess(
+            { subjectId: subject.id, subjectType: subject.type, access },
+            {
+              onSettled: () => {
+                setMutatingSubjectId((current) =>
+                  current === subject.id ? null : current
+                );
+              }
+            }
+          );
+        }}
+      />
       <SetupMcpModal
         isOpen={isSetupMcpModalOpen}
         onClose={() => setIsSetupMcpModalOpen(false)}
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index c203df0dc1..7557a824b5 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -2,7 +2,7 @@ import { getAllPlaybookNames } from "@flanksource-ui/api/services/playbooks";
 import { fetchMcpRunPermissions } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
-import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
+import ResourceAccessCard from "@flanksource-ui/components/Permissions/ResourceAccessCard";
 import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import { useQuery } from "@tanstack/react-query";
@@ -64,10 +64,10 @@ export default function McpPlaybooksPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
             {playbooks.map((playbook) => {
               return (
-                <PermissionAccessCard
+                <ResourceAccessCard
                   key={playbook.id}
                   entity={{
                     id: playbook.id,
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index ed15150a74..b577c5c7d2 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -2,7 +2,7 @@ import { fetchMcpRunPermissions } from "@flanksource-ui/api/services/permissions
 import { getAllViews } from "@flanksource-ui/api/services/views";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
-import PermissionAccessCard from "@flanksource-ui/components/Permissions/PermissionAccessCard";
+import ResourceAccessCard from "@flanksource-ui/components/Permissions/ResourceAccessCard";
 import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import { useQuery } from "@tanstack/react-query";
@@ -67,10 +67,10 @@ export default function McpViewsPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
             {views.map((view) => {
               return (
-                <PermissionAccessCard
+                <ResourceAccessCard
                   key={view.id}
                   entity={{
                     id: view.id,

From 5e7c4c648778011a3e242427798cd7f50847ecf1 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 10:44:15 +0545
Subject: [PATCH 27/48] Add playbook permission access check modal with shared
 resource selector

---
 src/api/services/rbac.ts                      |  14 +-
 .../PermissionAccessCheckModal.tsx            | 354 ++++++++++++++++++
 .../Permissions/PermissionsView.tsx           |  41 +-
 .../Settings/PlaybookPermissionsModal.tsx     |  19 +
 4 files changed, 418 insertions(+), 10 deletions(-)
 create mode 100644 src/components/Permissions/PermissionAccessCheckModal.tsx

diff --git a/src/api/services/rbac.ts b/src/api/services/rbac.ts
index c63f061c0a..1d84f18ea6 100644
--- a/src/api/services/rbac.ts
+++ b/src/api/services/rbac.ts
@@ -57,12 +57,22 @@ export async function getPermissions(id: string): Promise<Permission[]> {
 
 export type SubjectAccessReviewResource = {
   playbook?: string;
+  view?: string;
+  config?: string;
+  check?: string;
   [key: string]: string | undefined;
 };
 
+export type SubjectAccessReviewAction =
+  | "read"
+  | "mcp:run"
+  | "playbook:run"
+  | "playbook:cancel"
+  | "playbook:approve";
+
 export type SubjectAccessReviewRequest = {
   resource: SubjectAccessReviewResource;
-  action: "mcp:run";
+  action: SubjectAccessReviewAction;
   subjects: string[];
 };
 
@@ -89,7 +99,7 @@ export type SubjectAccessReviewResult = {
 
 export type SubjectAccessReviewResponse = {
   resource: SubjectAccessReviewResource;
-  action: "mcp:run";
+  action: SubjectAccessReviewAction;
   results: SubjectAccessReviewResult[];
 };
 
diff --git a/src/components/Permissions/PermissionAccessCheckModal.tsx b/src/components/Permissions/PermissionAccessCheckModal.tsx
new file mode 100644
index 0000000000..9610b75903
--- /dev/null
+++ b/src/components/Permissions/PermissionAccessCheckModal.tsx
@@ -0,0 +1,354 @@
+import {
+  fetchPermissionSubjects,
+  PermissionSubject
+} from "@flanksource-ui/api/services/permissions";
+import {
+  reviewSubjectAccess,
+  SubjectAccessReviewAction
+} from "@flanksource-ui/api/services/rbac";
+import { getErrorMessage } from "@flanksource-ui/api/types/error";
+import FormikResourceSelectorDropdown from "@flanksource-ui/components/Forms/Formik/FormikResourceSelectorDropdown";
+import { Button } from "@flanksource-ui/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle
+} from "@flanksource-ui/components/ui/dialog";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue
+} from "@flanksource-ui/components/ui/select";
+import { Avatar } from "@flanksource-ui/ui/Avatar";
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+import { useMutation, useQuery } from "@tanstack/react-query";
+import { Form, Formik } from "formik";
+import { useEffect, useMemo, useState } from "react";
+import { HiUser, HiUserGroup } from "react-icons/hi";
+
+export type PermissionAccessCheckConfig = {
+  resource: {
+    type: "playbook" | "view";
+    id: string;
+    name?: string;
+  };
+  actions: SubjectAccessReviewAction[];
+  title?: string;
+  description?: string;
+};
+
+type PermissionAccessCheckModalProps = {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  config: PermissionAccessCheckConfig;
+};
+
+type ResourceScopeLabel = "Configs" | "Checks";
+
+type PermissionAccessCheckFormValues = {
+  subjectId: string;
+  action: SubjectAccessReviewAction | "";
+  targetResourceId: string;
+};
+
+function SubjectIcon({ subject }: { subject: PermissionSubject }) {
+  if (subject.type === "person") {
+    return <Avatar size="xs" user={{ name: subject.name }} />;
+  }
+
+  return (
+    <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
+      {subject.type === "team" ||
+      subject.type === "permission_subject_group" ||
+      subject.type === "role" ? (
+        <HiUserGroup className="h-3 w-3" />
+      ) : (
+        <HiUser className="h-3 w-3" />
+      )}
+    </span>
+  );
+}
+
+export default function PermissionAccessCheckModal({
+  open,
+  onOpenChange,
+  config
+}: PermissionAccessCheckModalProps) {
+  const [resourceScope, setResourceScope] =
+    useState<ResourceScopeLabel>("Configs");
+  const [result, setResult] = useState<{
+    allowed: boolean;
+    error?: string;
+  }>();
+  const [requestError, setRequestError] = useState<string>();
+
+  const { data: subjects = [], isLoading: isLoadingSubjects } = useQuery({
+    queryKey: ["permission-subjects", "access-check-modal"],
+    queryFn: fetchPermissionSubjects,
+    enabled: open
+  });
+
+  const { mutateAsync: checkAccess, isLoading: isCheckingAccess } = useMutation(
+    {
+      mutationKey: [
+        "subject-access-review",
+        config.resource.type,
+        config.resource.id
+      ],
+      mutationFn: reviewSubjectAccess
+    }
+  );
+
+  useEffect(() => {
+    if (!open) {
+      setResourceScope("Configs");
+      setResult(undefined);
+      setRequestError(undefined);
+    }
+  }, [open]);
+
+  const initialValues: PermissionAccessCheckFormValues = useMemo(
+    () => ({
+      subjectId: "",
+      action: config.actions[0] ?? "",
+      targetResourceId: ""
+    }),
+    [config.actions]
+  );
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>{config.title ?? "Permission Access Check"}</DialogTitle>
+          <DialogDescription>
+            {config.description ??
+              "Select a subject and action to check access for this resource."}
+          </DialogDescription>
+        </DialogHeader>
+
+        <Formik<PermissionAccessCheckFormValues>
+          initialValues={initialValues}
+          enableReinitialize
+          onSubmit={async (values, helpers) => {
+            if (!values.subjectId) {
+              helpers.setFieldError("subjectId", "Subject is required");
+              return;
+            }
+
+            if (!values.action) {
+              helpers.setFieldError("action", "Action is required");
+              return;
+            }
+
+            setRequestError(undefined);
+            setResult(undefined);
+
+            try {
+              const response = await checkAccess({
+                resource:
+                  config.resource.type === "playbook"
+                    ? {
+                        playbook: config.resource.id,
+                        ...(resourceScope === "Configs" &&
+                        values.targetResourceId
+                          ? { config: values.targetResourceId }
+                          : {}),
+                        ...(resourceScope === "Checks" &&
+                        values.targetResourceId
+                          ? { check: values.targetResourceId }
+                          : {})
+                      }
+                    : { view: config.resource.id },
+                action: values.action,
+                subjects: [values.subjectId]
+              });
+
+              const firstResult = response?.results?.[0];
+              setResult(
+                firstResult
+                  ? { allowed: firstResult.allowed, error: firstResult.error }
+                  : undefined
+              );
+            } catch (error) {
+              setRequestError(getErrorMessage(error));
+              setResult(undefined);
+            } finally {
+              helpers.setSubmitting(false);
+            }
+          }}
+        >
+          {({ values, setFieldValue, errors, isSubmitting }) => {
+            const selectedSubject = subjects.find(
+              (subject) => subject.id === values.subjectId
+            );
+
+            const isCheckDisabled =
+              !values.subjectId ||
+              !values.action ||
+              isCheckingAccess ||
+              isSubmitting;
+
+            return (
+              <Form className="space-y-4">
+                <div className="space-y-1">
+                  <p className="text-sm font-medium">Resource</p>
+                  <p className="rounded-md border bg-muted px-3 py-2 text-sm">
+                    {config.resource.name ?? config.resource.id}
+                  </p>
+                </div>
+
+                <div className="space-y-2">
+                  <p className="text-sm font-medium">Subject</p>
+                  <Select
+                    value={values.subjectId || undefined}
+                    onValueChange={(value) => {
+                      setFieldValue("subjectId", value);
+                      setResult(undefined);
+                      setRequestError(undefined);
+                    }}
+                  >
+                    <SelectTrigger>
+                      {selectedSubject ? (
+                        <div className="flex min-w-0 items-center gap-2">
+                          <SubjectIcon subject={selectedSubject} />
+                          <span className="truncate">
+                            {selectedSubject.name}
+                          </span>
+                        </div>
+                      ) : (
+                        <SelectValue
+                          placeholder={
+                            isLoadingSubjects
+                              ? "Loading subjects..."
+                              : "Select a subject"
+                          }
+                        />
+                      )}
+                    </SelectTrigger>
+                    <SelectContent>
+                      {subjects.map((subject) => (
+                        <SelectItem key={subject.id} value={subject.id}>
+                          <div className="flex items-center gap-2">
+                            <SubjectIcon subject={subject} />
+                            <span>{subject.name}</span>
+                          </div>
+                        </SelectItem>
+                      ))}
+                    </SelectContent>
+                  </Select>
+                  {errors.subjectId ? (
+                    <p className="text-sm text-red-500">{errors.subjectId}</p>
+                  ) : null}
+                </div>
+
+                {config.resource.type === "playbook" ? (
+                  <div className="space-y-2">
+                    <p className="text-sm font-medium">Target Resource</p>
+                    <Switch<ResourceScopeLabel>
+                      options={["Configs", "Checks"]}
+                      value={resourceScope}
+                      onChange={(value) => {
+                        setResourceScope(value);
+                        setFieldValue("targetResourceId", "");
+                        setResult(undefined);
+                        setRequestError(undefined);
+                      }}
+                      className="w-full"
+                    />
+                    {resourceScope === "Configs" ? (
+                      <FormikResourceSelectorDropdown
+                        name="targetResourceId"
+                        label="Config"
+                        hintLink
+                        configResourceSelector={[{}]}
+                        className="flex flex-col space-y-2"
+                      />
+                    ) : (
+                      <FormikResourceSelectorDropdown
+                        name="targetResourceId"
+                        label="Check"
+                        hintLink
+                        checkResourceSelector={[{}]}
+                        className="flex flex-col space-y-2"
+                      />
+                    )}
+                    <p className="text-xs text-gray-500">
+                      Optional: narrow the access review to a specific config or
+                      check.
+                    </p>
+                  </div>
+                ) : null}
+
+                <div className="space-y-2">
+                  <p className="text-sm font-medium">Action</p>
+                  <Select
+                    value={values.action || undefined}
+                    onValueChange={(value) => {
+                      setFieldValue("action", value);
+                      setResult(undefined);
+                      setRequestError(undefined);
+                    }}
+                  >
+                    <SelectTrigger>
+                      <SelectValue placeholder="Select an action" />
+                    </SelectTrigger>
+                    <SelectContent>
+                      {config.actions.map((option) => (
+                        <SelectItem key={option} value={option}>
+                          {option}
+                        </SelectItem>
+                      ))}
+                    </SelectContent>
+                  </Select>
+                  {errors.action ? (
+                    <p className="text-sm text-red-500">{errors.action}</p>
+                  ) : null}
+                </div>
+
+                {requestError ? (
+                  <div className="rounded-md border border-red-200 bg-red-50 p-2 text-sm text-red-700">
+                    {requestError}
+                  </div>
+                ) : null}
+
+                {result ? (
+                  <div
+                    className={
+                      result.allowed
+                        ? "rounded-md border border-emerald-200 bg-emerald-50 p-2 text-sm text-emerald-700"
+                        : "rounded-md border border-amber-200 bg-amber-50 p-2 text-sm text-amber-700"
+                    }
+                  >
+                    {selectedSubject?.name ?? "Subject"} is
+                    {result.allowed ? " allowed " : " not allowed "}
+                    to perform <strong>{values.action}</strong>
+                    {result.error ? ` (${result.error})` : ""}
+                  </div>
+                ) : null}
+
+                <DialogFooter>
+                  <Button
+                    type="button"
+                    variant="outline"
+                    onClick={() => onOpenChange(false)}
+                  >
+                    Cancel
+                  </Button>
+                  <Button type="submit" disabled={isCheckDisabled}>
+                    {isCheckingAccess ? "Checking..." : "Check Access"}
+                  </Button>
+                </DialogFooter>
+              </Form>
+            );
+          }}
+        </Formik>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/src/components/Permissions/PermissionsView.tsx b/src/components/Permissions/PermissionsView.tsx
index d552e84a7f..616ea43c59 100644
--- a/src/components/Permissions/PermissionsView.tsx
+++ b/src/components/Permissions/PermissionsView.tsx
@@ -15,6 +15,9 @@ import { useEffect, useState } from "react";
 import { Button } from "..";
 import { FormikSelectDropdownOption } from "../Forms/Formik/FormikSelectDropdown";
 import PermissionForm from "./ManagePermissions/Forms/PermissionForm";
+import PermissionAccessCheckModal, {
+  PermissionAccessCheckConfig
+} from "./PermissionAccessCheckModal";
 import PermissionsTable from "./PermissionsTable";
 
 // Source: github.com/flanksource/duty/rbac/policy/policy.go
@@ -82,6 +85,7 @@ type PermissionsViewProps = {
   newPermissionData?: Partial<PermissionTable>;
   showAddPermission?: boolean;
   onRefetch?: (refetch: () => void) => void;
+  accessCheckConfig?: PermissionAccessCheckConfig;
 };
 
 export default function PermissionsView({
@@ -91,13 +95,15 @@ export default function PermissionsView({
   hideSubjectColumn = false,
   newPermissionData,
   showAddPermission = false,
-  onRefetch
+  onRefetch,
+  accessCheckConfig
 }: PermissionsViewProps) {
   const [selectedPermission, setSelectedPermission] =
     useState<PermissionsSummary>();
   const { pageSize, pageIndex } = useReactTablePaginationState();
   const [sortState] = useReactTableSortState();
   const [isPermissionModalOpen, setIsPermissionModalOpen] = useState(false);
+  const [isAccessCheckModalOpen, setIsAccessCheckModalOpen] = useState(false);
 
   const mappedSortBy =
     sortState[0]?.id === "created"
@@ -153,13 +159,25 @@ export default function PermissionsView({
     <div className="flex h-full min-h-0 flex-1 flex-col">
       {showAddPermission && (
         <div className="flex shrink-0 flex-row items-center justify-between py-2">
-          <Button
-            onClick={() => {
-              setIsPermissionModalOpen(true);
-            }}
-          >
-            Add Permission
-          </Button>
+          <div className="flex items-center gap-2">
+            <Button
+              onClick={() => {
+                setIsPermissionModalOpen(true);
+              }}
+            >
+              Add Permission
+            </Button>
+            {accessCheckConfig ? (
+              <Button
+                className="btn-secondary"
+                onClick={() => {
+                  setIsAccessCheckModalOpen(true);
+                }}
+              >
+                Check Access
+              </Button>
+            ) : null}
+          </div>
         </div>
       )}
       <div className="flex min-h-0 flex-1 flex-col">
@@ -193,6 +211,13 @@ export default function PermissionsView({
           }}
         />
       )}
+      {accessCheckConfig ? (
+        <PermissionAccessCheckModal
+          open={isAccessCheckModalOpen}
+          onOpenChange={setIsAccessCheckModalOpen}
+          config={accessCheckConfig}
+        />
+      ) : null}
     </div>
   );
 }
diff --git a/src/components/Playbooks/Settings/PlaybookPermissionsModal.tsx b/src/components/Playbooks/Settings/PlaybookPermissionsModal.tsx
index 14af3d5d24..fee2589995 100644
--- a/src/components/Playbooks/Settings/PlaybookPermissionsModal.tsx
+++ b/src/components/Playbooks/Settings/PlaybookPermissionsModal.tsx
@@ -1,3 +1,4 @@
+import { SubjectAccessReviewAction } from "@flanksource-ui/api/services/rbac";
 import { PlaybookSpec } from "@flanksource-ui/api/types/playbooks";
 import PermissionsView from "@flanksource-ui/components/Permissions/PermissionsView";
 import { Modal } from "@flanksource-ui/ui/Modal";
@@ -12,6 +13,13 @@ type PlaybookPermissionsModalProps = {
   onClose: () => void;
 };
 
+const playbookAccessReviewActions: SubjectAccessReviewAction[] = [
+  "read",
+  "playbook:run",
+  "playbook:cancel",
+  "playbook:approve"
+];
+
 export default function PlaybookPermissionsModal({
   playbook,
   isOpen,
@@ -99,6 +107,17 @@ export default function PlaybookPermissionsModal({
                 hideResourceColumn
                 permissionRequest={inboundPermissionRequest}
                 showAddPermission
+                accessCheckConfig={{
+                  resource: {
+                    type: "playbook",
+                    id: playbook.id,
+                    name: `${playbook.namespace}/${playbook.name}`
+                  },
+                  actions: playbookAccessReviewActions,
+                  title: "Playbook Access Check",
+                  description:
+                    "Select a subject and action to check access for this playbook."
+                }}
                 newPermissionData={{
                   playbook_id: playbook.id
                 }}

From b651f606f07e7237f98448f9b5f1fce0d5e4586a Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 11:20:03 +0545
Subject: [PATCH 28/48] fix(permissions): allow mouse selection in access-check
 modal

---
 .../Forms/Formik/FormikResourceSelectorDropdown.tsx  | 12 +++++++++---
 .../Permissions/PermissionAccessCheckModal.tsx       |  2 ++
 src/pages/Settings/mcp/McpOverviewPage.tsx           |  3 ++-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/components/Forms/Formik/FormikResourceSelectorDropdown.tsx b/src/components/Forms/Formik/FormikResourceSelectorDropdown.tsx
index 901ef2ab72..557532ad4f 100644
--- a/src/components/Forms/Formik/FormikResourceSelectorDropdown.tsx
+++ b/src/components/Forms/Formik/FormikResourceSelectorDropdown.tsx
@@ -28,6 +28,7 @@ type FormikConfigsDropdownProps = {
   className?: string;
   valueField?: "id" | "name";
   disabled?: boolean;
+  renderMenuInPortal?: boolean;
 };
 
 export default function FormikResourceSelectorDropdown({
@@ -43,7 +44,8 @@ export default function FormikResourceSelectorDropdown({
   playbookResourceSelector,
   className = "flex flex-col space-y-2 py-2",
   valueField = "id",
-  disabled = false
+  disabled = false,
+  renderMenuInPortal = true
 }: FormikConfigsDropdownProps) {
   const [inputText, setInputText] = useState<string>("");
   const [searchText, setSearchText] = useState<string>("");
@@ -332,11 +334,15 @@ export default function FormikResourceSelectorDropdown({
         }}
         onInputChange={handleInputChange}
         inputValue={inputText ?? value}
-        menuPortalTarget={document.body}
+        menuPortalTarget={
+          renderMenuInPortal && typeof window !== "undefined"
+            ? document.body
+            : undefined
+        }
         styles={{
           menuPortal: (base) => ({ ...base, zIndex: 9999 })
         }}
-        menuPosition={"fixed"}
+        menuPosition={renderMenuInPortal ? "fixed" : "absolute"}
         menuShouldBlockScroll={true}
         onBlur={(event) => {
           field.onBlur(event);
diff --git a/src/components/Permissions/PermissionAccessCheckModal.tsx b/src/components/Permissions/PermissionAccessCheckModal.tsx
index 9610b75903..5fbb326992 100644
--- a/src/components/Permissions/PermissionAccessCheckModal.tsx
+++ b/src/components/Permissions/PermissionAccessCheckModal.tsx
@@ -268,6 +268,7 @@ export default function PermissionAccessCheckModal({
                         hintLink
                         configResourceSelector={[{}]}
                         className="flex flex-col space-y-2"
+                        renderMenuInPortal={false}
                       />
                     ) : (
                       <FormikResourceSelectorDropdown
@@ -276,6 +277,7 @@ export default function PermissionAccessCheckModal({
                         hintLink
                         checkResourceSelector={[{}]}
                         className="flex flex-col space-y-2"
+                        renderMenuInPortal={false}
                       />
                     )}
                     <p className="text-xs text-gray-500">
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index c65e4ba0b5..575000637a 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -180,7 +180,7 @@ export default function McpOverviewPage() {
           ...duplicatePermissionIds.map((id) => deletePermission(id))
         ]);
       },
-      onSuccess: () => {
+      onSettled: () => {
         refetchPermissions();
       },
       onError: (error) => {
@@ -208,6 +208,7 @@ export default function McpOverviewPage() {
         <button
           key="setup-mcp"
           type="button"
+          aria-label="Setup MCP"
           title="Setup MCP"
           onClick={() => setIsSetupMcpModalOpen(true)}
         >

From 88789b4223c2b1e324ffd8d8da3e153cfb5fcb51 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 13:27:01 +0545
Subject: [PATCH 29/48] refactor(permissions): centralize subject avatar
 rendering

---
 .../PermissionAccessCheckModal.tsx            | 30 +------
 .../Permissions/SubjectAccessCard.tsx         | 21 ++---
 src/components/Permissions/SubjectAvatar.tsx  | 87 +++++++++++++++++++
 .../Permissions/SubjectSelectorPanel.tsx      | 23 +----
 4 files changed, 101 insertions(+), 60 deletions(-)
 create mode 100644 src/components/Permissions/SubjectAvatar.tsx

diff --git a/src/components/Permissions/PermissionAccessCheckModal.tsx b/src/components/Permissions/PermissionAccessCheckModal.tsx
index 5fbb326992..e4d9931674 100644
--- a/src/components/Permissions/PermissionAccessCheckModal.tsx
+++ b/src/components/Permissions/PermissionAccessCheckModal.tsx
@@ -1,7 +1,4 @@
-import {
-  fetchPermissionSubjects,
-  PermissionSubject
-} from "@flanksource-ui/api/services/permissions";
+import { fetchPermissionSubjects } from "@flanksource-ui/api/services/permissions";
 import {
   reviewSubjectAccess,
   SubjectAccessReviewAction
@@ -24,12 +21,11 @@ import {
   SelectTrigger,
   SelectValue
 } from "@flanksource-ui/components/ui/select";
-import { Avatar } from "@flanksource-ui/ui/Avatar";
+import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 import { useMutation, useQuery } from "@tanstack/react-query";
 import { Form, Formik } from "formik";
 import { useEffect, useMemo, useState } from "react";
-import { HiUser, HiUserGroup } from "react-icons/hi";
 
 export type PermissionAccessCheckConfig = {
   resource: {
@@ -56,24 +52,6 @@ type PermissionAccessCheckFormValues = {
   targetResourceId: string;
 };
 
-function SubjectIcon({ subject }: { subject: PermissionSubject }) {
-  if (subject.type === "person") {
-    return <Avatar size="xs" user={{ name: subject.name }} />;
-  }
-
-  return (
-    <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
-      {subject.type === "team" ||
-      subject.type === "permission_subject_group" ||
-      subject.type === "role" ? (
-        <HiUserGroup className="h-3 w-3" />
-      ) : (
-        <HiUser className="h-3 w-3" />
-      )}
-    </span>
-  );
-}
-
 export default function PermissionAccessCheckModal({
   open,
   onOpenChange,
@@ -216,7 +194,7 @@ export default function PermissionAccessCheckModal({
                     <SelectTrigger>
                       {selectedSubject ? (
                         <div className="flex min-w-0 items-center gap-2">
-                          <SubjectIcon subject={selectedSubject} />
+                          <SubjectAvatar subject={selectedSubject} size="xs" />
                           <span className="truncate">
                             {selectedSubject.name}
                           </span>
@@ -235,7 +213,7 @@ export default function PermissionAccessCheckModal({
                       {subjects.map((subject) => (
                         <SelectItem key={subject.id} value={subject.id}>
                           <div className="flex items-center gap-2">
-                            <SubjectIcon subject={subject} />
+                            <SubjectAvatar subject={subject} size="xs" />
                             <span>{subject.name}</span>
                           </div>
                         </SelectItem>
diff --git a/src/components/Permissions/SubjectAccessCard.tsx b/src/components/Permissions/SubjectAccessCard.tsx
index 06dfac7f4f..17e143251c 100644
--- a/src/components/Permissions/SubjectAccessCard.tsx
+++ b/src/components/Permissions/SubjectAccessCard.tsx
@@ -1,5 +1,7 @@
+import SubjectAvatar, {
+  PermissionSubjectType
+} from "@flanksource-ui/components/Permissions/SubjectAvatar";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
-import { HiUser, HiUserGroup } from "react-icons/hi";
 
 type AccessLevel = "deny" | "default" | "allow";
 type SwitchOption = "Deny" | "Default" | "Allow";
@@ -18,15 +20,13 @@ const OPTION_TO_ACCESS: Record<SwitchOption, AccessLevel> = {
 
 const SWITCH_OPTIONS: SwitchOption[] = ["Deny", "Default", "Allow"];
 
-const GROUP_TYPES = new Set(["team", "permission_subject_group", "role"]);
-
 type SubjectAccessCardProps = {
   user: {
     id: string;
     name?: string;
     email?: string;
     avatar?: string;
-    type?: "team" | "permission_subject_group" | "person" | "role";
+    type?: PermissionSubjectType;
   };
   action: string;
   object: string;
@@ -43,18 +43,13 @@ export default function SubjectAccessCard({
   onChangeAccess,
   isMutating = false
 }: SubjectAccessCardProps) {
-  const isGroup = user.type ? GROUP_TYPES.has(user.type) : false;
-
   return (
     <div className="w-full max-w-3xl">
       <div className="flex items-center gap-3">
-        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
-          {isGroup ? (
-            <HiUserGroup className="h-4 w-4" />
-          ) : (
-            <HiUser className="h-4 w-4" />
-          )}
-        </div>
+        <SubjectAvatar
+          subject={{ name: user.name ?? user.id, type: user.type ?? "person" }}
+          size="md"
+        />
 
         <div className="flex min-w-0 flex-1 items-center justify-between gap-2">
           <div className="min-w-0">
diff --git a/src/components/Permissions/SubjectAvatar.tsx b/src/components/Permissions/SubjectAvatar.tsx
new file mode 100644
index 0000000000..713f5cfc92
--- /dev/null
+++ b/src/components/Permissions/SubjectAvatar.tsx
@@ -0,0 +1,87 @@
+import { PermissionSubject } from "@flanksource-ui/api/services/permissions";
+import { Avatar } from "@flanksource-ui/ui/Avatar";
+import clsx from "clsx";
+import { IconType } from "react-icons";
+import { HiBadgeCheck, HiUserGroup, HiUsers } from "react-icons/hi";
+
+export type PermissionSubjectType = PermissionSubject["type"];
+
+type SubjectAvatarSize = "xs" | "md";
+
+type SubjectAvatarProps = {
+  subject: Pick<PermissionSubject, "name" | "type">;
+  size?: SubjectAvatarSize;
+  className?: string;
+};
+
+const SUBJECT_TYPE_ICON_CONFIG: Record<
+  Exclude<PermissionSubjectType, "person">,
+  {
+    Icon: IconType;
+    colors: string;
+  }
+> = {
+  team: {
+    Icon: HiUserGroup,
+    colors: "bg-blue-100 text-blue-700"
+  },
+  permission_subject_group: {
+    Icon: HiUsers,
+    colors: "bg-violet-100 text-violet-700"
+  },
+  role: {
+    Icon: HiBadgeCheck,
+    colors: "bg-indigo-50 text-indigo-700"
+  }
+};
+
+const SIZE_CLASSNAMES: Record<
+  SubjectAvatarSize,
+  { wrapper: string; icon: string }
+> = {
+  xs: {
+    wrapper: "h-5 w-5 rounded-full",
+    icon: "h-3 w-3"
+  },
+  md: {
+    wrapper: "h-8 w-8 rounded-md",
+    icon: "h-4 w-4"
+  }
+};
+
+export default function SubjectAvatar({
+  subject,
+  size = "xs",
+  className
+}: SubjectAvatarProps) {
+  if (subject.type === "person") {
+    return (
+      <Avatar
+        size={size === "md" ? "md" : "xs"}
+        user={{ name: subject.name }}
+        containerProps={{
+          className: clsx(
+            size === "md" ? "[&>span]:!text-[10px]" : "[&>span]:!text-[10px]",
+            className
+          )
+        }}
+      />
+    );
+  }
+
+  const { Icon, colors } = SUBJECT_TYPE_ICON_CONFIG[subject.type];
+  const sizeClassName = SIZE_CLASSNAMES[size];
+
+  return (
+    <span
+      className={clsx(
+        "flex shrink-0 items-center justify-center",
+        colors,
+        sizeClassName.wrapper,
+        className
+      )}
+    >
+      <Icon className={sizeClassName.icon} />
+    </span>
+  );
+}
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 17ba74a167..93d67a40ec 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -7,10 +7,9 @@ import { Button } from "@flanksource-ui/components/ui/button";
 import { Switch } from "@flanksource-ui/components/ui/switch";
 import { Input } from "@flanksource-ui/components/ui/input";
 import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
-import { Avatar } from "@flanksource-ui/ui/Avatar";
+import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
 import { useQuery } from "@tanstack/react-query";
 import { useEffect, useMemo, useState } from "react";
-import { HiUser, HiUserGroup } from "react-icons/hi";
 
 const PAGE_SIZE = 20;
 
@@ -36,24 +35,6 @@ type SubjectSelectorPanelProps = {
   onClose?: () => void;
 };
 
-function SubjectIcon({ subject }: { subject: PermissionSubject }) {
-  if (subject.type === "person") {
-    return <Avatar size="xs" user={{ name: subject.name }} />;
-  }
-
-  return (
-    <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-100 text-indigo-600">
-      {subject.type === "team" ||
-      subject.type === "permission_subject_group" ||
-      subject.type === "role" ? (
-        <HiUserGroup className="h-3 w-3" />
-      ) : (
-        <HiUser className="h-3 w-3" />
-      )}
-    </span>
-  );
-}
-
 export default function SubjectSelectorPanel({
   description,
   onAllow,
@@ -312,7 +293,7 @@ export default function SubjectSelectorPanel({
                     className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
                   >
                     <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-                      <SubjectIcon subject={subject} />
+                      <SubjectAvatar subject={subject} size="xs" />
                       <div className="min-w-0 truncate text-sm font-medium text-gray-900">
                         {subject.name}
                       </div>

From cf23edcc2f4e85acf2e3e61f54d10031b5cbd825 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 13:39:10 +0545
Subject: [PATCH 30/48] fix: highlight selected rows

---
 src/components/Permissions/ResourceAccessCard.tsx | 8 +++++---
 src/pages/Settings/mcp/McpPlaybooksPage.tsx       | 3 ++-
 src/pages/Settings/mcp/McpViewsPage.tsx           | 3 ++-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/components/Permissions/ResourceAccessCard.tsx b/src/components/Permissions/ResourceAccessCard.tsx
index 33cafb22e9..7801c5f321 100644
--- a/src/components/Permissions/ResourceAccessCard.tsx
+++ b/src/components/Permissions/ResourceAccessCard.tsx
@@ -16,6 +16,7 @@ type PermissionAccessCardProps = {
   onGlobalOverrideChange: (value: GlobalOverride) => void;
   onViewSubjects?: () => void;
   isMutating?: boolean;
+  isSelected?: boolean;
 };
 
 const SWITCH_OPTIONS = ["Deny all", "Custom", "Allow all"];
@@ -48,7 +49,8 @@ export default function ResourceAccessCard({
   globalOverride = "none",
   onGlobalOverrideChange,
   onViewSubjects,
-  isMutating = false
+  isMutating = false,
+  isSelected = false
 }: PermissionAccessCardProps) {
   const canOpenSubjects = globalOverride === "none" && Boolean(onViewSubjects);
 
@@ -62,11 +64,11 @@ export default function ResourceAccessCard({
 
   return (
     <div
-      className={`w-full max-w-3xl ${canOpenSubjects ? "cursor-pointer" : ""}`}
+      className={`w-full max-w-3xl ${canOpenSubjects ? "cursor-pointer" : ""} ${isSelected ? "rounded-md bg-blue-50 ring-1 ring-inset ring-blue-200" : ""}`}
       onClick={handleCardClick}
     >
       <div className="flex items-start gap-3">
-        <div className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-xs font-semibold text-gray-700">
+        <div className="ml-2 flex h-8 w-8 shrink-0 items-center justify-center rounded-md text-xs font-semibold text-gray-700">
           <Icon name={entity.icon ?? "playbook"} className="h-4 w-4" />
         </div>
 
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 7557a824b5..a1347ed7f8 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -64,7 +64,7 @@ export default function McpPlaybooksPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*]:pb-2 [&>*]:pt-2">
             {playbooks.map((playbook) => {
               return (
                 <ResourceAccessCard
@@ -79,6 +79,7 @@ export default function McpPlaybooksPage() {
                     globalOverrideByResource.get(playbook.id) ?? "none"
                   }
                   isMutating={mutatingResourceId === playbook.id}
+                  isSelected={selectedPlaybook?.id === playbook.id}
                   onGlobalOverrideChange={(override) =>
                     setGlobalOverride(playbook, override)
                   }
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index b577c5c7d2..e005cc363d 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -67,7 +67,7 @@ export default function McpViewsPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*+*]:pt-2 [&>*]:pb-2">
+          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*]:pb-2 [&>*]:pt-2">
             {views.map((view) => {
               return (
                 <ResourceAccessCard
@@ -82,6 +82,7 @@ export default function McpViewsPage() {
                     globalOverrideByResource.get(view.id) ?? "none"
                   }
                   isMutating={mutatingResourceId === view.id}
+                  isSelected={selectedView?.id === view.id}
                   onGlobalOverrideChange={(override) =>
                     setGlobalOverride(view, override)
                   }

From b0684f4f8f3f2eac0fac08b6fe3f8bf4b8425133 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 13:44:59 +0545
Subject: [PATCH 31/48] feat: grouping playbooks by category

---
 .../Permissions/ResourceAccessCard.tsx        |  4 +-
 .../Permissions/SubjectSelectorPanel.tsx      |  2 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   | 96 ++++++++++++++-----
 3 files changed, 75 insertions(+), 27 deletions(-)

diff --git a/src/components/Permissions/ResourceAccessCard.tsx b/src/components/Permissions/ResourceAccessCard.tsx
index 7801c5f321..cf192d8020 100644
--- a/src/components/Permissions/ResourceAccessCard.tsx
+++ b/src/components/Permissions/ResourceAccessCard.tsx
@@ -64,7 +64,7 @@ export default function ResourceAccessCard({
 
   return (
     <div
-      className={`w-full max-w-3xl ${canOpenSubjects ? "cursor-pointer" : ""} ${isSelected ? "rounded-md bg-blue-50 ring-1 ring-inset ring-blue-200" : ""}`}
+      className={`w-full max-w-3xl ${canOpenSubjects ? "cursor-pointer" : ""} ${isSelected ? "rounded-md bg-gray-50 ring-1 ring-inset ring-gray-300" : ""}`}
       onClick={handleCardClick}
     >
       <div className="flex items-start gap-3">
@@ -107,7 +107,7 @@ export default function ResourceAccessCard({
                 onChange={(value) =>
                   onGlobalOverrideChange(toGlobalOverride(value))
                 }
-                className="h-auto"
+                className="mr-2 h-auto"
                 itemsClassName=""
                 getActiveItemClassName={(option) => {
                   if (option === "Allow all") {
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 93d67a40ec..8f1416d1a4 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -251,7 +251,7 @@ export default function SubjectSelectorPanel({
         onChange={(event) => setSearch(event.target.value)}
       />
 
-      <div className="mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md border p-2">
+      <div className="mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md">
         {(shouldFetchSubjectsByIds && isSubjectsByIdsLoading) || isLoading ? (
           <div className="p-2 text-sm text-gray-500">Loading...</div>
         ) : displayedSubjects.length > 0 || unresolvedSelectedIds.length > 0 ? (
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index a1347ed7f8..5f80a85d04 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -6,6 +6,7 @@ import ResourceAccessCard from "@flanksource-ui/components/Permissions/ResourceA
 import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import { useQuery } from "@tanstack/react-query";
+import { useMemo } from "react";
 
 const getPlaybookRefs = (permission: PermissionsSummary) =>
   permission.object_selector?.playbooks ?? [];
@@ -22,7 +23,6 @@ export default function McpPlaybooksPage() {
   });
 
   const {
-    permissionsByResource,
     globalOverrideByResource,
     selectedResource: selectedPlaybook,
     setSelectedResourceId,
@@ -45,6 +45,37 @@ export default function McpPlaybooksPage() {
     objectSelectorKey: "playbooks"
   });
 
+  const groupedPlaybooks = useMemo(() => {
+    const grouped = new Map<string, typeof playbooks>();
+
+    for (const playbook of playbooks) {
+      const category = playbook.category?.trim() || "Other";
+      const categoryPlaybooks = grouped.get(category) ?? [];
+      categoryPlaybooks.push(playbook);
+      grouped.set(category, categoryPlaybooks);
+    }
+
+    return Array.from(grouped.entries())
+      .sort(([a], [b]) => {
+        if (a === "Other") {
+          return 1;
+        }
+        if (b === "Other") {
+          return -1;
+        }
+
+        return a.localeCompare(b, undefined, { sensitivity: "base" });
+      })
+      .map(([category, categoryPlaybooks]) => ({
+        category,
+        playbooks: categoryPlaybooks.sort((a, b) =>
+          (a.title || a.name).localeCompare(b.title || b.name, undefined, {
+            sensitivity: "base"
+          })
+        )
+      }));
+  }, [playbooks]);
+
   return (
     <McpTabsLinks
       activeTab="Playbooks"
@@ -64,29 +95,46 @@ export default function McpPlaybooksPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*]:pb-2 [&>*]:pt-2">
-            {playbooks.map((playbook) => {
-              return (
-                <ResourceAccessCard
-                  key={playbook.id}
-                  entity={{
-                    id: playbook.id,
-                    name: playbook.title || playbook.name,
-                    namespace: playbook.namespace,
-                    icon: playbook.icon
-                  }}
-                  globalOverride={
-                    globalOverrideByResource.get(playbook.id) ?? "none"
-                  }
-                  isMutating={mutatingResourceId === playbook.id}
-                  isSelected={selectedPlaybook?.id === playbook.id}
-                  onGlobalOverrideChange={(override) =>
-                    setGlobalOverride(playbook, override)
-                  }
-                  onViewSubjects={() => setSelectedResourceId(playbook.id)}
-                />
-              );
-            })}
+          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl">
+            <div className="space-y-4">
+              {groupedPlaybooks.map((group) => {
+                return (
+                  <div key={group.category} className="space-y-2">
+                    <h4 className="text-sm font-semibold text-gray-700">
+                      {group.category}
+                    </h4>
+
+                    <div className="[&>*+*]:border-t [&>*+*]:border-gray-200 [&>*]:pb-2 [&>*]:pt-2">
+                      {group.playbooks.map((playbook) => {
+                        return (
+                          <ResourceAccessCard
+                            key={playbook.id}
+                            entity={{
+                              id: playbook.id,
+                              name: playbook.title || playbook.name,
+                              namespace: playbook.namespace,
+                              icon: playbook.icon
+                            }}
+                            globalOverride={
+                              globalOverrideByResource.get(playbook.id) ??
+                              "none"
+                            }
+                            isMutating={mutatingResourceId === playbook.id}
+                            isSelected={selectedPlaybook?.id === playbook.id}
+                            onGlobalOverrideChange={(override) =>
+                              setGlobalOverride(playbook, override)
+                            }
+                            onViewSubjects={() =>
+                              setSelectedResourceId(playbook.id)
+                            }
+                          />
+                        );
+                      })}
+                    </div>
+                  </div>
+                );
+              })}
+            </div>
           </div>
 
           <div className="min-h-0 w-full shrink-0 lg:w-[420px]">

From 53b6046be3f2cc4719222c49cfcc7b049bdc5ee0 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 14:22:58 +0545
Subject: [PATCH 32/48] fix(mcp-permissions): improve subject selector switch
 feedback

---
 .../Permissions/SubjectSelectorPanel.tsx      | 53 ++++++++++++++-----
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   | 49 +++++++++++++----
 2 files changed, 79 insertions(+), 23 deletions(-)

diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 8f1416d1a4..d747de8b00 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -28,6 +28,7 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
 };
 
 type SubjectSelectorPanelProps = {
+  title?: string;
   description?: string;
   onAllow?: (selection: PermissionSubject[]) => Promise<void> | void;
   preselectedSubjectIds?: string[];
@@ -36,6 +37,7 @@ type SubjectSelectorPanelProps = {
 };
 
 export default function SubjectSelectorPanel({
+  title,
   description,
   onAllow,
   preselectedSubjectIds = [],
@@ -80,14 +82,17 @@ export default function SubjectSelectorPanel({
 
   const shouldFetchSubjectsByIds = normalizedPreselectedSubjectIds.length > 0;
 
-  const { data: subjectsByIds = [], isLoading: isSubjectsByIdsLoading } =
-    useQuery({
-      queryKey: ["permission-subjects-by-ids", normalizedPreselectedSubjectIds],
-      queryFn: () =>
-        fetchPermissionSubjectsByIds(normalizedPreselectedSubjectIds),
-      enabled: shouldFetchSubjectsByIds,
-      staleTime: 60_000
-    });
+  const {
+    data: subjectsByIds = [],
+    isLoading: isSubjectsByIdsLoading,
+    isFetching: isSubjectsByIdsFetching
+  } = useQuery({
+    queryKey: ["permission-subjects-by-ids", normalizedPreselectedSubjectIds],
+    queryFn: () =>
+      fetchPermissionSubjectsByIds(normalizedPreselectedSubjectIds),
+    enabled: shouldFetchSubjectsByIds,
+    staleTime: 60_000
+  });
 
   const debouncedSearch = useDebouncedValue(search, 300) ?? "";
 
@@ -95,7 +100,7 @@ export default function SubjectSelectorPanel({
     setPageIndex(0);
   }, [debouncedSearch]);
 
-  const { data, isLoading } = useQuery({
+  const { data, isLoading, isFetching } = useQuery({
     queryKey: [
       "mcp",
       "subject-selector",
@@ -205,6 +210,17 @@ export default function SubjectSelectorPanel({
     Object.keys(selectedIds).some((id) => !initialSelectedIds[id]);
   const allSelectedHydrated = selectedHydratedSubjects.length === selectedCount;
 
+  const isPanelFetching =
+    isLoading ||
+    isFetching ||
+    (shouldFetchSubjectsByIds &&
+      (isSubjectsByIdsLoading || isSubjectsByIdsFetching));
+
+  const showFullLoadingState =
+    isPanelFetching &&
+    displayedSubjects.length === 0 &&
+    unresolvedSelectedIds.length === 0;
+
   const removeSelectedId = (id: string) => {
     setSelectedIds((prev) => {
       if (!prev[id]) {
@@ -239,6 +255,9 @@ export default function SubjectSelectorPanel({
     <div className="flex h-full min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
       <div className="mb-3 flex items-start justify-between gap-2">
         <div>
+          {title ? (
+            <div className="text-sm font-semibold text-gray-900">{title}</div>
+          ) : null}
           {description ? (
             <div className="mt-0.5 text-xs text-gray-500">{description}</div>
           ) : null}
@@ -251,9 +270,12 @@ export default function SubjectSelectorPanel({
         onChange={(event) => setSearch(event.target.value)}
       />
 
-      <div className="mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md">
-        {(shouldFetchSubjectsByIds && isSubjectsByIdsLoading) || isLoading ? (
-          <div className="p-2 text-sm text-gray-500">Loading...</div>
+      <div className="relative mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md">
+        {showFullLoadingState ? (
+          <div className="flex items-center gap-2 p-2 text-sm text-gray-500">
+            <div className="h-4 w-4 animate-spin rounded-full border-2 border-gray-300 border-t-gray-600" />
+            Loading subjects...
+          </div>
         ) : displayedSubjects.length > 0 || unresolvedSelectedIds.length > 0 ? (
           <>
             {unresolvedSelectedIds.length > 0 ? (
@@ -312,6 +334,13 @@ export default function SubjectSelectorPanel({
         ) : (
           <div className="p-2 text-sm text-gray-500">No subjects found</div>
         )}
+
+        {isPanelFetching && !showFullLoadingState ? (
+          <div className="pointer-events-none absolute right-2 top-2 z-10 flex items-center gap-2 rounded-md border border-gray-200 bg-white/90 px-2 py-1 text-xs text-gray-500 shadow-sm backdrop-blur-sm">
+            <div className="h-3 w-3 animate-spin rounded-full border-2 border-gray-300 border-t-gray-600" />
+            Updating...
+          </div>
+        ) : null}
       </div>
 
       <div className="mt-3 flex items-center justify-between text-xs text-gray-500">
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 5f80a85d04..a33c7d1033 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -6,7 +6,7 @@ import ResourceAccessCard from "@flanksource-ui/components/Permissions/ResourceA
 import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import { useQuery } from "@tanstack/react-query";
-import { useMemo } from "react";
+import { useEffect, useMemo, useState } from "react";
 
 const getPlaybookRefs = (permission: PermissionsSummary) =>
   permission.object_selector?.playbooks ?? [];
@@ -45,6 +45,24 @@ export default function McpPlaybooksPage() {
     objectSelectorKey: "playbooks"
   });
 
+  const [isSubjectPanelSwitching, setIsSubjectPanelSwitching] = useState(false);
+
+  useEffect(() => {
+    if (!selectedPlaybook) {
+      setIsSubjectPanelSwitching(false);
+      return;
+    }
+
+    setIsSubjectPanelSwitching(true);
+    const timer = setTimeout(() => {
+      setIsSubjectPanelSwitching(false);
+    }, 220);
+
+    return () => {
+      clearTimeout(timer);
+    };
+  }, [selectedPlaybook?.id]);
+
   const groupedPlaybooks = useMemo(() => {
     const grouped = new Map<string, typeof playbooks>();
 
@@ -139,16 +157,25 @@ export default function McpPlaybooksPage() {
 
           <div className="min-h-0 w-full shrink-0 lg:w-[420px]">
             {selectedPlaybook ? (
-              <SubjectSelectorPanel
-                key={selectedPlaybook.id}
-                description="Select users, teams, groups, or roles to allow this playbook for MCP usage."
-                preselectedSubjectIds={preselectedSubjectIds}
-                isSubmitting={isAllowingSelective}
-                onClose={() => setSelectedResourceId(null)}
-                onAllow={(subjects) =>
-                  allowSelectiveAccess(selectedPlaybook, subjects)
-                }
-              />
+              <div className="relative h-full">
+                <SubjectSelectorPanel
+                  key={selectedPlaybook.id}
+                  title={`Subject access for ${
+                    selectedPlaybook.title || selectedPlaybook.name
+                  }`}
+                  description="Select users, teams, groups, or roles to allow this playbook for MCP usage."
+                  preselectedSubjectIds={preselectedSubjectIds}
+                  isSubmitting={isAllowingSelective}
+                  onClose={() => setSelectedResourceId(null)}
+                  onAllow={(subjects) =>
+                    allowSelectiveAccess(selectedPlaybook, subjects)
+                  }
+                />
+
+                {isSubjectPanelSwitching ? (
+                  <div className="pointer-events-none absolute inset-0 z-10 rounded-md bg-white/20 backdrop-blur-[1.5px]" />
+                ) : null}
+              </div>
             ) : (
               <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">
                 Select a playbook row to manage custom subject access.

From 665d5683c7495f26342bda20e0f5f8b0c32383ce Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 18:01:41 +0545
Subject: [PATCH 33/48] feat(mcp): add check access tab with conditional
 resources

---
 src/App.tsx                                   |  10 +
 src/api/services/rbac.ts                      |   2 +
 src/components/MCP/McpTabsLinks.tsx           |   8 +-
 .../PermissionAccessCheckModal.tsx            | 764 ++++++++++++------
 src/pages/Settings/mcp/McpCheckAccessPage.tsx |  42 +
 5 files changed, 575 insertions(+), 251 deletions(-)
 create mode 100644 src/pages/Settings/mcp/McpCheckAccessPage.tsx

diff --git a/src/App.tsx b/src/App.tsx
index 5ff64226c4..9a3c0896c2 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -50,6 +50,7 @@ import { PermissionsPage } from "./pages/Settings/PermissionsPage";
 import McpOverviewPage from "./pages/Settings/mcp/McpOverviewPage";
 import McpPlaybooksPage from "./pages/Settings/mcp/McpPlaybooksPage";
 import McpViewsPage from "./pages/Settings/mcp/McpViewsPage";
+import McpCheckAccessPage from "./pages/Settings/mcp/McpCheckAccessPage";
 import ScopesPage from "./pages/Settings/ScopesPage";
 import { features } from "./services/permissions/features";
 import { getViewsForSidebar, ViewSummary } from "./api/services/views";
@@ -882,6 +883,15 @@ export function IncidentManagerRoutes({ sidebar }: { sidebar: ReactNode }) {
               true
             )}
           />
+          <Route
+            path="check-access"
+            element={withAuthorizationAccessCheck(
+              <McpCheckAccessPage />,
+              tables.database,
+              "write",
+              true
+            )}
+          />
         </Route>
 
         {settingsNav.submenu
diff --git a/src/api/services/rbac.ts b/src/api/services/rbac.ts
index 1d84f18ea6..c5da50707f 100644
--- a/src/api/services/rbac.ts
+++ b/src/api/services/rbac.ts
@@ -60,12 +60,14 @@ export type SubjectAccessReviewResource = {
   view?: string;
   config?: string;
   check?: string;
+  global?: string;
   [key: string]: string | undefined;
 };
 
 export type SubjectAccessReviewAction =
   | "read"
   | "mcp:run"
+  | "mcp:use"
   | "playbook:run"
   | "playbook:cancel"
   | "playbook:approve";
diff --git a/src/components/MCP/McpTabsLinks.tsx b/src/components/MCP/McpTabsLinks.tsx
index d20b753f07..a0f885f2c8 100644
--- a/src/components/MCP/McpTabsLinks.tsx
+++ b/src/components/MCP/McpTabsLinks.tsx
@@ -14,7 +14,7 @@ import ConfigSidebar from "../Configs/Sidebar/ConfigSidebar";
 import { ErrorBoundary } from "../ErrorBoundary";
 
 type McpTabsLinksProps = {
-  activeTab: "Overview" | "Playbooks" | "Views";
+  activeTab: "Overview" | "Playbooks" | "Views" | "Check Access";
   children: React.ReactNode;
   className?: string;
   onRefresh?: () => void;
@@ -58,6 +58,12 @@ export default function McpTabsLinks({
         path: "/settings/mcp/views",
         key: "Views",
         search
+      },
+      {
+        label: "Check Access",
+        path: "/settings/mcp/check-access",
+        key: "Check Access",
+        search
       }
     ];
   }, [searchParams]);
diff --git a/src/components/Permissions/PermissionAccessCheckModal.tsx b/src/components/Permissions/PermissionAccessCheckModal.tsx
index e4d9931674..14fe9eda4e 100644
--- a/src/components/Permissions/PermissionAccessCheckModal.tsx
+++ b/src/components/Permissions/PermissionAccessCheckModal.tsx
@@ -1,23 +1,27 @@
 import { fetchPermissionSubjects } from "@flanksource-ui/api/services/permissions";
+import { getAllPlaybookNames } from "@flanksource-ui/api/services/playbooks";
 import {
   reviewSubjectAccess,
-  SubjectAccessReviewAction
+  SubjectAccessReviewAction,
+  SubjectAccessReviewResource
 } from "@flanksource-ui/api/services/rbac";
 import { getErrorMessage } from "@flanksource-ui/api/types/error";
-import FormikResourceSelectorDropdown from "@flanksource-ui/components/Forms/Formik/FormikResourceSelectorDropdown";
+import { getAllViews } from "@flanksource-ui/api/services/views";
+import { Badge } from "@flanksource-ui/components/ui/badge";
 import { Button } from "@flanksource-ui/components/ui/button";
 import {
   Dialog,
   DialogContent,
   DialogDescription,
-  DialogFooter,
   DialogHeader,
   DialogTitle
 } from "@flanksource-ui/components/ui/dialog";
 import {
   Select,
   SelectContent,
+  SelectGroup,
   SelectItem,
+  SelectLabel,
   SelectTrigger,
   SelectValue
 } from "@flanksource-ui/components/ui/select";
@@ -27,15 +31,25 @@ import { useMutation, useQuery } from "@tanstack/react-query";
 import { Form, Formik } from "formik";
 import { useEffect, useMemo, useState } from "react";
 
+export type PermissionAccessCheckResourceType = "playbook" | "view";
+
+export type PermissionAccessCheckResource = {
+  type: PermissionAccessCheckResourceType;
+  id: string;
+  name?: string;
+};
+
 export type PermissionAccessCheckConfig = {
-  resource: {
-    type: "playbook" | "view";
-    id: string;
-    name?: string;
-  };
   actions: SubjectAccessReviewAction[];
   title?: string;
   description?: string;
+  resource?: PermissionAccessCheckResource;
+  lockedResource?: PermissionAccessCheckResource;
+  allowedResourceTypes?: PermissionAccessCheckResourceType[];
+  hideResourceForActions?: SubjectAccessReviewAction[];
+  resourceOverrideByAction?: Partial<
+    Record<SubjectAccessReviewAction, SubjectAccessReviewResource>
+  >;
 };
 
 type PermissionAccessCheckModalProps = {
@@ -44,61 +58,524 @@ type PermissionAccessCheckModalProps = {
   config: PermissionAccessCheckConfig;
 };
 
-type ResourceScopeLabel = "Configs" | "Checks";
-
 type PermissionAccessCheckFormValues = {
+  resourceType: PermissionAccessCheckResourceType;
+  resourceId: string;
   subjectId: string;
   action: SubjectAccessReviewAction | "";
-  targetResourceId: string;
 };
 
-export default function PermissionAccessCheckModal({
-  open,
-  onOpenChange,
-  config
-}: PermissionAccessCheckModalProps) {
-  const [resourceScope, setResourceScope] =
-    useState<ResourceScopeLabel>("Configs");
+type PermissionAccessCheckFormProps = {
+  config: PermissionAccessCheckConfig;
+  isActive?: boolean;
+  onCancel?: () => void;
+};
+
+type PermissionAccessResourceSelectorProps = {
+  resourceType: PermissionAccessCheckResourceType;
+  resourceId: string;
+  setFieldValue: (field: string, value: unknown) => void;
+  clearResult: () => void;
+  lockedResource?: PermissionAccessCheckResource;
+  allowedResourceTypes: PermissionAccessCheckResourceType[];
+  isActive: boolean;
+};
+
+function PermissionAccessResourceSelector({
+  resourceType,
+  resourceId,
+  setFieldValue,
+  clearResult,
+  lockedResource,
+  allowedResourceTypes,
+  isActive
+}: PermissionAccessResourceSelectorProps) {
+  const shouldLoadPlaybooks = allowedResourceTypes.includes("playbook");
+  const shouldLoadViews = allowedResourceTypes.includes("view");
+
+  const { data: playbooks = [] } = useQuery({
+    queryKey: ["permission-access-check", "playbooks"],
+    queryFn: getAllPlaybookNames,
+    enabled: isActive && shouldLoadPlaybooks
+  });
+
+  const { data: viewsResponse } = useQuery({
+    queryKey: ["permission-access-check", "views"],
+    queryFn: async () => getAllViews([{ id: "name", desc: false }], 0, 1000),
+    enabled: isActive && shouldLoadViews
+  });
+
+  const sortedPlaybooks = useMemo(
+    () =>
+      [...playbooks].sort((a, b) =>
+        a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+      ),
+    [playbooks]
+  );
+
+  const groupedPlaybooks = useMemo(() => {
+    const grouped = new Map<string, typeof sortedPlaybooks>();
+
+    for (const playbook of sortedPlaybooks) {
+      const category = playbook.category?.trim() || "Other";
+      const list = grouped.get(category) ?? [];
+      list.push(playbook);
+      grouped.set(category, list);
+    }
+
+    return Array.from(grouped.entries()).sort(([a], [b]) => {
+      if (a === "Other") {
+        return 1;
+      }
+      if (b === "Other") {
+        return -1;
+      }
+      return a.localeCompare(b, undefined, { sensitivity: "base" });
+    });
+  }, [sortedPlaybooks]);
+
+  const sortedViews = useMemo(() => {
+    const views = viewsResponse?.data ?? [];
+
+    return [...views].sort((a, b) =>
+      a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+    );
+  }, [viewsResponse?.data]);
+
+  useEffect(() => {
+    if (lockedResource) {
+      return;
+    }
+
+    if (resourceType === "playbook") {
+      if (!resourceId && sortedPlaybooks.length > 0) {
+        setFieldValue("resourceId", sortedPlaybooks[0].id);
+        clearResult();
+      }
+      return;
+    }
+
+    if (!resourceId && sortedViews.length > 0) {
+      setFieldValue("resourceId", sortedViews[0].id);
+      clearResult();
+    }
+  }, [
+    clearResult,
+    lockedResource,
+    resourceId,
+    resourceType,
+    setFieldValue,
+    sortedPlaybooks,
+    sortedViews
+  ]);
+
+  const selectedPlaybook = useMemo(
+    () => sortedPlaybooks.find((item) => item.id === resourceId),
+    [resourceId, sortedPlaybooks]
+  );
+
+  const selectedView = useMemo(
+    () => sortedViews.find((item) => item.id === resourceId),
+    [resourceId, sortedViews]
+  );
+
+  const selectedName =
+    resourceType === "playbook"
+      ? (selectedPlaybook?.name ?? lockedResource?.name)
+      : (selectedView?.name ?? lockedResource?.name);
+  const selectedNamespace =
+    resourceType === "playbook"
+      ? selectedPlaybook?.namespace
+      : selectedView?.namespace;
+
+  return (
+    <div className="space-y-4">
+      {allowedResourceTypes.length > 1 ? (
+        <div className="space-y-2">
+          <p className="text-sm font-medium">Resource Type</p>
+          <Switch<PermissionAccessCheckResourceType>
+            options={allowedResourceTypes}
+            value={resourceType}
+            onChange={(value) => {
+              if (lockedResource) {
+                return;
+              }
+
+              setFieldValue("resourceType", value);
+              setFieldValue("resourceId", "");
+              clearResult();
+            }}
+            className="w-full"
+          />
+        </div>
+      ) : null}
+
+      <div className="space-y-2">
+        <p className="text-sm font-medium">Resource</p>
+        <Select
+          value={resourceId || undefined}
+          onValueChange={(value) => {
+            if (lockedResource) {
+              return;
+            }
+
+            setFieldValue("resourceId", value);
+            clearResult();
+          }}
+          disabled={!!lockedResource}
+        >
+          <SelectTrigger>
+            {selectedName ? (
+              <div className="flex w-full items-center gap-2">
+                <span className="truncate">{selectedName}</span>
+                {selectedNamespace ? (
+                  <Badge
+                    variant="secondary"
+                    className="ml-auto px-1.5 py-0 text-[10px] font-medium"
+                  >
+                    {selectedNamespace}
+                  </Badge>
+                ) : null}
+              </div>
+            ) : (
+              <SelectValue placeholder="Select a resource" />
+            )}
+          </SelectTrigger>
+          <SelectContent>
+            {resourceType === "playbook"
+              ? groupedPlaybooks.map(([category, categoryPlaybooks]) => (
+                  <SelectGroup key={category}>
+                    <SelectLabel>{category}</SelectLabel>
+                    {categoryPlaybooks.map((playbook) => (
+                      <SelectItem
+                        key={playbook.id}
+                        value={playbook.id}
+                        className="pr-2 [&>span.absolute]:hidden [&>span]:block [&>span]:w-full"
+                      >
+                        <div className="flex w-full items-center gap-2">
+                          <span className="truncate">{playbook.name}</span>
+                          {playbook.namespace ? (
+                            <Badge
+                              variant="secondary"
+                              className="ml-auto px-1.5 py-0 text-[10px] font-medium"
+                            >
+                              {playbook.namespace}
+                            </Badge>
+                          ) : null}
+                        </div>
+                      </SelectItem>
+                    ))}
+                  </SelectGroup>
+                ))
+              : sortedViews.map((view) => (
+                  <SelectItem
+                    key={view.id}
+                    value={view.id}
+                    className="pr-2 [&>span.absolute]:hidden [&>span]:block [&>span]:w-full"
+                  >
+                    <div className="flex w-full items-center gap-2">
+                      <span className="truncate">{view.name}</span>
+                      {view.namespace ? (
+                        <Badge
+                          variant="secondary"
+                          className="ml-auto px-1.5 py-0 text-[10px] font-medium"
+                        >
+                          {view.namespace}
+                        </Badge>
+                      ) : null}
+                    </div>
+                  </SelectItem>
+                ))}
+          </SelectContent>
+        </Select>
+      </div>
+    </div>
+  );
+}
+
+export function PermissionAccessCheckForm({
+  config,
+  isActive = true,
+  onCancel
+}: PermissionAccessCheckFormProps) {
+  const [requestError, setRequestError] = useState<string>();
   const [result, setResult] = useState<{
     allowed: boolean;
     error?: string;
   }>();
-  const [requestError, setRequestError] = useState<string>();
+
+  const lockedResource = config.lockedResource ?? config.resource;
+  const allowedResourceTypes = useMemo(() => {
+    if (lockedResource) {
+      return [lockedResource.type] as PermissionAccessCheckResourceType[];
+    }
+
+    if (config.allowedResourceTypes && config.allowedResourceTypes.length > 0) {
+      return config.allowedResourceTypes;
+    }
+
+    return ["playbook", "view"] as PermissionAccessCheckResourceType[];
+  }, [config.allowedResourceTypes, lockedResource]);
+
+  const initialResourceType =
+    lockedResource?.type ?? allowedResourceTypes[0] ?? "playbook";
 
   const { data: subjects = [], isLoading: isLoadingSubjects } = useQuery({
-    queryKey: ["permission-subjects", "access-check-modal"],
+    queryKey: ["permission-subjects", "access-check-form"],
     queryFn: fetchPermissionSubjects,
-    enabled: open
+    enabled: isActive
   });
 
   const { mutateAsync: checkAccess, isLoading: isCheckingAccess } = useMutation(
     {
-      mutationKey: [
-        "subject-access-review",
-        config.resource.type,
-        config.resource.id
-      ],
       mutationFn: reviewSubjectAccess
     }
   );
 
   useEffect(() => {
-    if (!open) {
-      setResourceScope("Configs");
+    if (!isActive) {
       setResult(undefined);
       setRequestError(undefined);
     }
-  }, [open]);
+  }, [isActive]);
 
   const initialValues: PermissionAccessCheckFormValues = useMemo(
     () => ({
+      resourceType: initialResourceType,
+      resourceId: lockedResource?.id ?? "",
       subjectId: "",
-      action: config.actions[0] ?? "",
-      targetResourceId: ""
+      action: config.actions[0] ?? ""
     }),
-    [config.actions]
+    [config.actions, initialResourceType, lockedResource?.id]
   );
 
+  return (
+    <Formik<PermissionAccessCheckFormValues>
+      initialValues={initialValues}
+      enableReinitialize
+      onSubmit={async (values, helpers) => {
+        if (!values.subjectId) {
+          helpers.setFieldError("subjectId", "Subject is required");
+          return;
+        }
+
+        if (!values.action) {
+          helpers.setFieldError("action", "Action is required");
+          return;
+        }
+
+        const resourceOverride = values.action
+          ? config.resourceOverrideByAction?.[values.action]
+          : undefined;
+        const shouldHideResourceSelector = values.action
+          ? !!config.hideResourceForActions?.includes(values.action)
+          : false;
+
+        if (
+          !resourceOverride &&
+          !shouldHideResourceSelector &&
+          !values.resourceId
+        ) {
+          helpers.setFieldError("resourceId", "Resource is required");
+          return;
+        }
+
+        setRequestError(undefined);
+        setResult(undefined);
+
+        try {
+          const response = await checkAccess({
+            resource:
+              resourceOverride ??
+              (values.resourceType === "playbook"
+                ? { playbook: values.resourceId }
+                : { view: values.resourceId }),
+            action: values.action,
+            subjects: [values.subjectId]
+          });
+
+          const firstResult = response?.results?.[0];
+          setResult(
+            firstResult
+              ? { allowed: firstResult.allowed, error: firstResult.error }
+              : undefined
+          );
+        } catch (error) {
+          setRequestError(getErrorMessage(error));
+          setResult(undefined);
+        } finally {
+          helpers.setSubmitting(false);
+        }
+      }}
+    >
+      {({ values, setFieldValue, errors, isSubmitting }) => {
+        const selectedSubject = subjects.find(
+          (subject) => subject.id === values.subjectId
+        );
+
+        const shouldHideResourceSelector = values.action
+          ? !!config.hideResourceForActions?.includes(values.action)
+          : false;
+
+        const resourceOverride = values.action
+          ? config.resourceOverrideByAction?.[values.action]
+          : undefined;
+
+        const overrideResourceLabel = resourceOverride?.global
+          ? resourceOverride.global.toUpperCase()
+          : (resourceOverride?.playbook ?? resourceOverride?.view);
+
+        const isCheckDisabled =
+          !values.subjectId ||
+          !values.action ||
+          (!resourceOverride &&
+            !shouldHideResourceSelector &&
+            !values.resourceId) ||
+          isCheckingAccess ||
+          isSubmitting;
+
+        const clearResult = () => {
+          setResult(undefined);
+          setRequestError(undefined);
+        };
+
+        return (
+          <Form className="space-y-4">
+            <div className="space-y-2">
+              <p className="text-sm font-medium">Subject</p>
+              <Select
+                value={values.subjectId || undefined}
+                onValueChange={(value) => {
+                  setFieldValue("subjectId", value);
+                  clearResult();
+                }}
+              >
+                <SelectTrigger>
+                  {selectedSubject ? (
+                    <div className="flex min-w-0 items-center gap-2">
+                      <SubjectAvatar subject={selectedSubject} size="xs" />
+                      <span className="truncate">{selectedSubject.name}</span>
+                    </div>
+                  ) : (
+                    <SelectValue
+                      placeholder={
+                        isLoadingSubjects
+                          ? "Loading subjects..."
+                          : "Select a subject"
+                      }
+                    />
+                  )}
+                </SelectTrigger>
+                <SelectContent>
+                  {subjects.map((subject) => (
+                    <SelectItem key={subject.id} value={subject.id}>
+                      <div className="flex items-center gap-2">
+                        <SubjectAvatar subject={subject} size="xs" />
+                        <span>{subject.name}</span>
+                      </div>
+                    </SelectItem>
+                  ))}
+                </SelectContent>
+              </Select>
+              {errors.subjectId ? (
+                <p className="text-sm text-red-500">{errors.subjectId}</p>
+              ) : null}
+            </div>
+
+            <div className="space-y-2">
+              <p className="text-sm font-medium">Action</p>
+              <Select
+                value={values.action || undefined}
+                onValueChange={(value) => {
+                  setFieldValue("action", value);
+                  clearResult();
+                }}
+              >
+                <SelectTrigger>
+                  <SelectValue placeholder="Select an action" />
+                </SelectTrigger>
+                <SelectContent>
+                  {config.actions.map((option) => (
+                    <SelectItem key={option} value={option}>
+                      {option}
+                    </SelectItem>
+                  ))}
+                </SelectContent>
+              </Select>
+              {errors.action ? (
+                <p className="text-sm text-red-500">{errors.action}</p>
+              ) : null}
+            </div>
+
+            {!shouldHideResourceSelector ? (
+              <>
+                <PermissionAccessResourceSelector
+                  resourceType={values.resourceType}
+                  resourceId={values.resourceId}
+                  setFieldValue={setFieldValue}
+                  clearResult={clearResult}
+                  lockedResource={lockedResource}
+                  allowedResourceTypes={allowedResourceTypes}
+                  isActive={isActive}
+                />
+                {errors.resourceId ? (
+                  <p className="-mt-2 text-sm text-red-500">
+                    {errors.resourceId}
+                  </p>
+                ) : null}
+              </>
+            ) : (
+              <div className="space-y-1">
+                <p className="text-sm font-medium">Resource</p>
+                <p className="rounded-md border bg-muted px-3 py-2 text-sm">
+                  {overrideResourceLabel ?? "N/A"}
+                </p>
+              </div>
+            )}
+
+            {requestError ? (
+              <div className="rounded-md border border-red-200 bg-red-50 p-2 text-sm text-red-700">
+                {requestError}
+              </div>
+            ) : null}
+
+            {result ? (
+              <div
+                className={
+                  result.allowed
+                    ? "rounded-md border border-emerald-200 bg-emerald-50 p-2 text-sm text-emerald-700"
+                    : "rounded-md border border-amber-200 bg-amber-50 p-2 text-sm text-amber-700"
+                }
+              >
+                {selectedSubject?.name ?? "Subject"} is
+                {result.allowed ? " allowed " : " not allowed "}
+                to perform <strong>{values.action}</strong>
+                {result.error ? ` (${result.error})` : ""}
+              </div>
+            ) : null}
+
+            <div className="flex justify-end gap-2">
+              {onCancel ? (
+                <Button type="button" variant="outline" onClick={onCancel}>
+                  Cancel
+                </Button>
+              ) : null}
+              <Button type="submit" disabled={isCheckDisabled}>
+                {isCheckingAccess ? "Checking..." : "Check Access"}
+              </Button>
+            </div>
+          </Form>
+        );
+      }}
+    </Formik>
+  );
+}
+
+export default function PermissionAccessCheckModal({
+  open,
+  onOpenChange,
+  config
+}: PermissionAccessCheckModalProps) {
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
       <DialogContent>
@@ -110,224 +587,11 @@ export default function PermissionAccessCheckModal({
           </DialogDescription>
         </DialogHeader>
 
-        <Formik<PermissionAccessCheckFormValues>
-          initialValues={initialValues}
-          enableReinitialize
-          onSubmit={async (values, helpers) => {
-            if (!values.subjectId) {
-              helpers.setFieldError("subjectId", "Subject is required");
-              return;
-            }
-
-            if (!values.action) {
-              helpers.setFieldError("action", "Action is required");
-              return;
-            }
-
-            setRequestError(undefined);
-            setResult(undefined);
-
-            try {
-              const response = await checkAccess({
-                resource:
-                  config.resource.type === "playbook"
-                    ? {
-                        playbook: config.resource.id,
-                        ...(resourceScope === "Configs" &&
-                        values.targetResourceId
-                          ? { config: values.targetResourceId }
-                          : {}),
-                        ...(resourceScope === "Checks" &&
-                        values.targetResourceId
-                          ? { check: values.targetResourceId }
-                          : {})
-                      }
-                    : { view: config.resource.id },
-                action: values.action,
-                subjects: [values.subjectId]
-              });
-
-              const firstResult = response?.results?.[0];
-              setResult(
-                firstResult
-                  ? { allowed: firstResult.allowed, error: firstResult.error }
-                  : undefined
-              );
-            } catch (error) {
-              setRequestError(getErrorMessage(error));
-              setResult(undefined);
-            } finally {
-              helpers.setSubmitting(false);
-            }
-          }}
-        >
-          {({ values, setFieldValue, errors, isSubmitting }) => {
-            const selectedSubject = subjects.find(
-              (subject) => subject.id === values.subjectId
-            );
-
-            const isCheckDisabled =
-              !values.subjectId ||
-              !values.action ||
-              isCheckingAccess ||
-              isSubmitting;
-
-            return (
-              <Form className="space-y-4">
-                <div className="space-y-1">
-                  <p className="text-sm font-medium">Resource</p>
-                  <p className="rounded-md border bg-muted px-3 py-2 text-sm">
-                    {config.resource.name ?? config.resource.id}
-                  </p>
-                </div>
-
-                <div className="space-y-2">
-                  <p className="text-sm font-medium">Subject</p>
-                  <Select
-                    value={values.subjectId || undefined}
-                    onValueChange={(value) => {
-                      setFieldValue("subjectId", value);
-                      setResult(undefined);
-                      setRequestError(undefined);
-                    }}
-                  >
-                    <SelectTrigger>
-                      {selectedSubject ? (
-                        <div className="flex min-w-0 items-center gap-2">
-                          <SubjectAvatar subject={selectedSubject} size="xs" />
-                          <span className="truncate">
-                            {selectedSubject.name}
-                          </span>
-                        </div>
-                      ) : (
-                        <SelectValue
-                          placeholder={
-                            isLoadingSubjects
-                              ? "Loading subjects..."
-                              : "Select a subject"
-                          }
-                        />
-                      )}
-                    </SelectTrigger>
-                    <SelectContent>
-                      {subjects.map((subject) => (
-                        <SelectItem key={subject.id} value={subject.id}>
-                          <div className="flex items-center gap-2">
-                            <SubjectAvatar subject={subject} size="xs" />
-                            <span>{subject.name}</span>
-                          </div>
-                        </SelectItem>
-                      ))}
-                    </SelectContent>
-                  </Select>
-                  {errors.subjectId ? (
-                    <p className="text-sm text-red-500">{errors.subjectId}</p>
-                  ) : null}
-                </div>
-
-                {config.resource.type === "playbook" ? (
-                  <div className="space-y-2">
-                    <p className="text-sm font-medium">Target Resource</p>
-                    <Switch<ResourceScopeLabel>
-                      options={["Configs", "Checks"]}
-                      value={resourceScope}
-                      onChange={(value) => {
-                        setResourceScope(value);
-                        setFieldValue("targetResourceId", "");
-                        setResult(undefined);
-                        setRequestError(undefined);
-                      }}
-                      className="w-full"
-                    />
-                    {resourceScope === "Configs" ? (
-                      <FormikResourceSelectorDropdown
-                        name="targetResourceId"
-                        label="Config"
-                        hintLink
-                        configResourceSelector={[{}]}
-                        className="flex flex-col space-y-2"
-                        renderMenuInPortal={false}
-                      />
-                    ) : (
-                      <FormikResourceSelectorDropdown
-                        name="targetResourceId"
-                        label="Check"
-                        hintLink
-                        checkResourceSelector={[{}]}
-                        className="flex flex-col space-y-2"
-                        renderMenuInPortal={false}
-                      />
-                    )}
-                    <p className="text-xs text-gray-500">
-                      Optional: narrow the access review to a specific config or
-                      check.
-                    </p>
-                  </div>
-                ) : null}
-
-                <div className="space-y-2">
-                  <p className="text-sm font-medium">Action</p>
-                  <Select
-                    value={values.action || undefined}
-                    onValueChange={(value) => {
-                      setFieldValue("action", value);
-                      setResult(undefined);
-                      setRequestError(undefined);
-                    }}
-                  >
-                    <SelectTrigger>
-                      <SelectValue placeholder="Select an action" />
-                    </SelectTrigger>
-                    <SelectContent>
-                      {config.actions.map((option) => (
-                        <SelectItem key={option} value={option}>
-                          {option}
-                        </SelectItem>
-                      ))}
-                    </SelectContent>
-                  </Select>
-                  {errors.action ? (
-                    <p className="text-sm text-red-500">{errors.action}</p>
-                  ) : null}
-                </div>
-
-                {requestError ? (
-                  <div className="rounded-md border border-red-200 bg-red-50 p-2 text-sm text-red-700">
-                    {requestError}
-                  </div>
-                ) : null}
-
-                {result ? (
-                  <div
-                    className={
-                      result.allowed
-                        ? "rounded-md border border-emerald-200 bg-emerald-50 p-2 text-sm text-emerald-700"
-                        : "rounded-md border border-amber-200 bg-amber-50 p-2 text-sm text-amber-700"
-                    }
-                  >
-                    {selectedSubject?.name ?? "Subject"} is
-                    {result.allowed ? " allowed " : " not allowed "}
-                    to perform <strong>{values.action}</strong>
-                    {result.error ? ` (${result.error})` : ""}
-                  </div>
-                ) : null}
-
-                <DialogFooter>
-                  <Button
-                    type="button"
-                    variant="outline"
-                    onClick={() => onOpenChange(false)}
-                  >
-                    Cancel
-                  </Button>
-                  <Button type="submit" disabled={isCheckDisabled}>
-                    {isCheckingAccess ? "Checking..." : "Check Access"}
-                  </Button>
-                </DialogFooter>
-              </Form>
-            );
-          }}
-        </Formik>
+        <PermissionAccessCheckForm
+          config={config}
+          isActive={open}
+          onCancel={() => onOpenChange(false)}
+        />
       </DialogContent>
     </Dialog>
   );
diff --git a/src/pages/Settings/mcp/McpCheckAccessPage.tsx b/src/pages/Settings/mcp/McpCheckAccessPage.tsx
new file mode 100644
index 0000000000..8dc5047259
--- /dev/null
+++ b/src/pages/Settings/mcp/McpCheckAccessPage.tsx
@@ -0,0 +1,42 @@
+import { SubjectAccessReviewAction } from "@flanksource-ui/api/services/rbac";
+import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import {
+  PermissionAccessCheckConfig,
+  PermissionAccessCheckForm
+} from "@flanksource-ui/components/Permissions/PermissionAccessCheckModal";
+
+const mcpAccessCheckActions: SubjectAccessReviewAction[] = [
+  "mcp:run",
+  "mcp:use"
+];
+
+const mcpAccessCheckConfig: PermissionAccessCheckConfig = {
+  actions: mcpAccessCheckActions,
+  title: "MCP Access Check",
+  description:
+    "Select a subject and action to check MCP access. Resource is required for mcp:run and fixed to MCP for mcp:use.",
+  allowedResourceTypes: ["playbook", "view"],
+  hideResourceForActions: ["mcp:use"],
+  resourceOverrideByAction: {
+    "mcp:use": {
+      global: "mcp"
+    }
+  }
+};
+
+export default function McpCheckAccessPage() {
+  return (
+    <McpTabsLinks activeTab="Check Access" loadingText="Loading resources...">
+      <div className="w-full max-w-3xl space-y-4 p-6">
+        <div>
+          <h3 className="text-lg font-semibold text-gray-900">Check Access</h3>
+          <p className="text-sm text-gray-600">
+            Validate whether a subject can invoke MCP resources.
+          </p>
+        </div>
+
+        <PermissionAccessCheckForm config={mcpAccessCheckConfig} />
+      </div>
+    </McpTabsLinks>
+  );
+}

From 2d310264138c4e38d6d26a05cbbf601a2e878a14 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 18:49:11 +0545
Subject: [PATCH 34/48] feat(permissions): support access-token subjects in
 selector UI

---
 src/api/services/permissions.ts               |  19 +-
 src/api/types/permissions.ts                  |   3 +-
 src/components/MCP/UserList.tsx               |   1 +
 src/components/Permissions/SubjectAvatar.tsx  |   6 +-
 .../Permissions/SubjectSelectorPanel.tsx      | 167 ++++++++++++++----
 .../permissions/mcpPermissionCardMappings.ts  |   4 +
 src/pages/Settings/mcp/McpOverviewPage.tsx    |  11 +-
 7 files changed, 170 insertions(+), 41 deletions(-)

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 7777f4ffb7..2db3149332 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -24,7 +24,8 @@ export type FetchPermissionsInput = {
     | "person"
     | "notification"
     | "component"
-    | "role";
+    | "role"
+    | "access_token_person";
 };
 
 function composeQueryParamForFetchPermissions({
@@ -178,7 +179,13 @@ export async function fetchMcpUserPermissions() {
 export type PermissionSubject = {
   id: string;
   name: string;
-  type: "team" | "permission_subject_group" | "person" | "role";
+  type:
+    | "team"
+    | "permission_subject_group"
+    | "person"
+    | "role"
+    | "access_token_person";
+  owner?: string | null;
 };
 
 export async function fetchPermissionSubjectsPaginated({
@@ -192,7 +199,7 @@ export async function fetchPermissionSubjectsPaginated({
 }) {
   const query = search.trim();
 
-  let url = "/permission_subjects?select=id,name,type&order=name.asc";
+  let url = "/permission_subjects?select=id,name,type,owner&order=name.asc";
   url += `&limit=${pageSize}&offset=${pageIndex * pageSize}`;
 
   if (query) {
@@ -213,14 +220,14 @@ export async function fetchPermissionSubjectsByIds(ids: string[]) {
     return [];
   }
   const response = await IncidentCommander.get<PermissionSubject[] | null>(
-    `/permission_subjects?select=id,name,type&id=in.(${ids.join(",")})&limit=${ids.length}`
+    `/permission_subjects?select=id,name,type,owner&id=in.(${ids.join(",")})&limit=${ids.length}`
   );
   return response.data ?? [];
 }
 
 export async function fetchPermissionSubjects() {
   const response = await IncidentCommander.get<PermissionSubject[] | null>(
-    "/permission_subjects?select=id,name,type&order=name.asc&limit=5000"
+    "/permission_subjects?select=id,name,type,owner&order=name.asc&limit=5000"
   );
 
   return response.data ?? [];
@@ -228,7 +235,7 @@ export async function fetchPermissionSubjects() {
 
 export async function fetchAllPermissionSubjects() {
   const response = await IncidentCommander.get<PermissionSubject[] | null>(
-    "/permission_subjects?select=id,name,type&order=type.asc,name.asc&limit=5000"
+    "/permission_subjects?select=id,name,type,owner&order=type.asc,name.asc&limit=5000"
   );
 
   return response.data ?? [];
diff --git a/src/api/types/permissions.ts b/src/api/types/permissions.ts
index b5ac311f90..2ab4695b77 100644
--- a/src/api/types/permissions.ts
+++ b/src/api/types/permissions.ts
@@ -52,7 +52,8 @@ export type PermissionTable = {
     | "person"
     | "notification"
     | "component"
-    | "role";
+    | "role"
+    | "access_token_person";
   created_by: string;
   updated_by: string;
   created_at: string;
diff --git a/src/components/MCP/UserList.tsx b/src/components/MCP/UserList.tsx
index 410df1ca00..239d471aa1 100644
--- a/src/components/MCP/UserList.tsx
+++ b/src/components/MCP/UserList.tsx
@@ -10,6 +10,7 @@ const MCP_ACTION = "mcp:use";
 
 const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
   person: "person",
+  access_token_person: "access token",
   team: "team",
   role: "role",
   permission_subject_group: "group"
diff --git a/src/components/Permissions/SubjectAvatar.tsx b/src/components/Permissions/SubjectAvatar.tsx
index 713f5cfc92..4748aeaa8f 100644
--- a/src/components/Permissions/SubjectAvatar.tsx
+++ b/src/components/Permissions/SubjectAvatar.tsx
@@ -2,7 +2,7 @@ import { PermissionSubject } from "@flanksource-ui/api/services/permissions";
 import { Avatar } from "@flanksource-ui/ui/Avatar";
 import clsx from "clsx";
 import { IconType } from "react-icons";
-import { HiBadgeCheck, HiUserGroup, HiUsers } from "react-icons/hi";
+import { HiBadgeCheck, HiKey, HiUserGroup, HiUsers } from "react-icons/hi";
 
 export type PermissionSubjectType = PermissionSubject["type"];
 
@@ -32,6 +32,10 @@ const SUBJECT_TYPE_ICON_CONFIG: Record<
   role: {
     Icon: HiBadgeCheck,
     colors: "bg-indigo-50 text-indigo-700"
+  },
+  access_token_person: {
+    Icon: HiKey,
+    colors: "bg-indigo-50 text-indigo-700"
   }
 };
 
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index d747de8b00..af0b8a442d 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -15,6 +15,7 @@ const PAGE_SIZE = 20;
 
 const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
   person: "person",
+  access_token_person: "access token",
   team: "team",
   role: "role",
   permission_subject_group: "group"
@@ -24,7 +25,8 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
   role: 0,
   permission_subject_group: 1,
   team: 2,
-  person: 3
+  person: 3,
+  access_token_person: 4
 };
 
 type SubjectSelectorPanelProps = {
@@ -121,6 +123,38 @@ export default function SubjectSelectorPanel({
     [data?.data]
   );
 
+  const missingOwnerIds = useMemo(() => {
+    const personIds = new Set(
+      [...subjectsByIds, ...pagedSubjects]
+        .filter((subject) => subject.type === "person")
+        .map((subject) => subject.id)
+    );
+
+    return [
+      ...new Set(
+        [...subjectsByIds, ...pagedSubjects]
+          .filter(
+            (subject) =>
+              subject.type === "access_token_person" &&
+              !!subject.owner &&
+              !personIds.has(subject.owner)
+          )
+          .map((subject) => subject.owner!)
+      )
+    ];
+  }, [pagedSubjects, subjectsByIds]);
+
+  const {
+    data: missingOwnerSubjects = [],
+    isLoading: isMissingOwnerSubjectsLoading,
+    isFetching: isMissingOwnerSubjectsFetching
+  } = useQuery({
+    queryKey: ["permission-subjects-owner-ids", missingOwnerIds],
+    queryFn: () => fetchPermissionSubjectsByIds(missingOwnerIds),
+    enabled: missingOwnerIds.length > 0,
+    staleTime: 60_000
+  });
+
   useEffect(() => {
     setSelectedSubjects((prev) => {
       const next: Record<string, PermissionSubject> = {};
@@ -173,8 +207,14 @@ export default function SubjectSelectorPanel({
       }
     }
 
+    for (const subject of missingOwnerSubjects) {
+      if (!merged.has(subject.id)) {
+        merged.set(subject.id, subject);
+      }
+    }
+
     return Array.from(merged.values());
-  }, [pagedSubjects, selectedHydratedSubjects]);
+  }, [missingOwnerSubjects, pagedSubjects, selectedHydratedSubjects]);
 
   const groupedDisplayedSubjects = useMemo(() => {
     const seen = new Set<string>();
@@ -201,6 +241,47 @@ export default function SubjectSelectorPanel({
       }));
   }, [displayedSubjects]);
 
+  const { accessTokensByOwnerId, unownedAccessTokens } = useMemo(() => {
+    const peopleIds = new Set(
+      displayedSubjects
+        .filter((subject) => subject.type === "person")
+        .map((subject) => subject.id)
+    );
+
+    const byOwner = new Map<string, PermissionSubject[]>();
+    const unowned: PermissionSubject[] = [];
+
+    for (const subject of displayedSubjects) {
+      if (subject.type !== "access_token_person") {
+        continue;
+      }
+
+      if (!subject.owner || !peopleIds.has(subject.owner)) {
+        unowned.push(subject);
+        continue;
+      }
+
+      const list = byOwner.get(subject.owner) ?? [];
+      list.push(subject);
+      byOwner.set(subject.owner, list);
+    }
+
+    for (const [, tokens] of byOwner.entries()) {
+      tokens.sort((a, b) =>
+        a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+      );
+    }
+
+    unowned.sort((a, b) =>
+      a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+    );
+
+    return {
+      accessTokensByOwnerId: byOwner,
+      unownedAccessTokens: unowned
+    };
+  }, [displayedSubjects]);
+
   const totalEntries = data?.totalEntries ?? 0;
   const pageCount = Math.ceil(totalEntries / PAGE_SIZE);
 
@@ -213,6 +294,8 @@ export default function SubjectSelectorPanel({
   const isPanelFetching =
     isLoading ||
     isFetching ||
+    isMissingOwnerSubjectsLoading ||
+    isMissingOwnerSubjectsFetching ||
     (shouldFetchSubjectsByIds &&
       (isSubjectsByIdsLoading || isSubjectsByIdsFetching));
 
@@ -251,6 +334,24 @@ export default function SubjectSelectorPanel({
     removeSelectedId(subject.id);
   };
 
+  const renderSubjectRow = (subject: PermissionSubject, className = "") => (
+    <div
+      key={subject.id}
+      className={`flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50 ${className}`}
+    >
+      <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
+        <SubjectAvatar subject={subject} size="xs" />
+        <div className="min-w-0 truncate text-sm font-medium text-gray-900">
+          {subject.name}
+        </div>
+      </div>
+      <Switch
+        checked={!!selectedIds[subject.id]}
+        onCheckedChange={(checked) => toggleSubject(subject, checked)}
+      />
+    </div>
+  );
+
   return (
     <div className="flex h-full min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
       <div className="mb-3 flex items-start justify-between gap-2">
@@ -304,43 +405,45 @@ export default function SubjectSelectorPanel({
               </div>
             ) : null}
 
-            {groupedDisplayedSubjects.map((group) => (
-              <div key={group.type} className="space-y-1">
+            {groupedDisplayedSubjects
+              .filter((group) => group.type !== "access_token_person")
+              .map((group) => (
+                <div key={group.type} className="space-y-1">
+                  <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
+                    {TYPE_LABELS[group.type] ?? group.type}
+                  </div>
+                  {group.type === "person"
+                    ? group.subjects.map((person) => {
+                        const ownedTokens =
+                          accessTokensByOwnerId.get(person.id) ?? [];
+
+                        return (
+                          <div key={person.id} className="space-y-1">
+                            {renderSubjectRow(person)}
+                            {ownedTokens.map((token) =>
+                              renderSubjectRow(token, "ml-8")
+                            )}
+                          </div>
+                        );
+                      })
+                    : group.subjects.map((subject) =>
+                        renderSubjectRow(subject)
+                      )}
+                </div>
+              ))}
+
+            {unownedAccessTokens.length > 0 ? (
+              <div className="space-y-1">
                 <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
-                  {TYPE_LABELS[group.type] ?? group.type}
+                  {TYPE_LABELS.access_token_person}
                 </div>
-                {group.subjects.map((subject) => (
-                  <div
-                    key={subject.id}
-                    className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
-                  >
-                    <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-                      <SubjectAvatar subject={subject} size="xs" />
-                      <div className="min-w-0 truncate text-sm font-medium text-gray-900">
-                        {subject.name}
-                      </div>
-                    </div>
-                    <Switch
-                      checked={!!selectedIds[subject.id]}
-                      onCheckedChange={(checked) =>
-                        toggleSubject(subject, checked)
-                      }
-                    />
-                  </div>
-                ))}
+                {unownedAccessTokens.map((token) => renderSubjectRow(token))}
               </div>
-            ))}
+            ) : null}
           </>
         ) : (
           <div className="p-2 text-sm text-gray-500">No subjects found</div>
         )}
-
-        {isPanelFetching && !showFullLoadingState ? (
-          <div className="pointer-events-none absolute right-2 top-2 z-10 flex items-center gap-2 rounded-md border border-gray-200 bg-white/90 px-2 py-1 text-xs text-gray-500 shadow-sm backdrop-blur-sm">
-            <div className="h-3 w-3 animate-spin rounded-full border-2 border-gray-300 border-t-gray-600" />
-            Updating...
-          </div>
-        ) : null}
       </div>
 
       <div className="mt-3 flex items-center justify-between text-xs text-gray-500">
diff --git a/src/lib/permissions/mcpPermissionCardMappings.ts b/src/lib/permissions/mcpPermissionCardMappings.ts
index 23391ea790..9421d268fb 100644
--- a/src/lib/permissions/mcpPermissionCardMappings.ts
+++ b/src/lib/permissions/mcpPermissionCardMappings.ts
@@ -19,6 +19,10 @@ export function mapSubjectType(type: PermissionSubject["type"]) {
     return "role" as const;
   }
 
+  if (type === "access_token_person") {
+    return "person" as const;
+  }
+
   return type;
 }
 
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 575000637a..05ee6f47ba 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -24,7 +24,8 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
   role: 0,
   permission_subject_group: 1,
   team: 2,
-  person: 3
+  person: 3,
+  access_token_person: 4
 };
 
 function isMcpUserAccessPermission(permission: PermissionsSummary) {
@@ -42,6 +43,10 @@ function mapPermissionSubjectType(type: PermissionSubject["type"]) {
     return "group" as const;
   }
 
+  if (type === "access_token_person") {
+    return "person" as const;
+  }
+
   return type;
 }
 
@@ -94,6 +99,10 @@ export default function McpOverviewPage() {
     const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
 
     for (const subject of subjects) {
+      if (subject.type === "access_token_person") {
+        continue;
+      }
+
       if (seen.has(subject.id)) {
         continue;
       }

From 39931eada25422e61a83765dc70bd8a1284158dd Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Thu, 9 Apr 2026 18:53:23 +0545
Subject: [PATCH 35/48] fix(mcp): reduce subject avatar size in overview list

---
 src/api/services/permissions.ts               | 14 +++---
 src/api/services/playbooks.ts                 | 30 ------------
 src/api/types/permissions.ts                  |  6 +++
 .../Permissions/SubjectAccessCard.tsx         |  2 +-
 src/pages/Settings/mcp/McpViewsPage.tsx       | 49 ++++++++++++++-----
 5 files changed, 52 insertions(+), 49 deletions(-)

diff --git a/src/api/services/permissions.ts b/src/api/services/permissions.ts
index 2db3149332..43a1839787 100644
--- a/src/api/services/permissions.ts
+++ b/src/api/services/permissions.ts
@@ -225,18 +225,18 @@ export async function fetchPermissionSubjectsByIds(ids: string[]) {
   return response.data ?? [];
 }
 
-export async function fetchPermissionSubjects() {
+async function fetchPermissionSubjectsWithOrder(order: string) {
   const response = await IncidentCommander.get<PermissionSubject[] | null>(
-    "/permission_subjects?select=id,name,type,owner&order=name.asc&limit=5000"
+    `/permission_subjects?select=id,name,type,owner&order=${order}&limit=5000`
   );
 
   return response.data ?? [];
 }
 
-export async function fetchAllPermissionSubjects() {
-  const response = await IncidentCommander.get<PermissionSubject[] | null>(
-    "/permission_subjects?select=id,name,type,owner&order=type.asc,name.asc&limit=5000"
-  );
+export async function fetchPermissionSubjects() {
+  return fetchPermissionSubjectsWithOrder("name.asc");
+}
 
-  return response.data ?? [];
+export async function fetchAllPermissionSubjects() {
+  return fetchPermissionSubjectsWithOrder("type.asc,name.asc");
 }
diff --git a/src/api/services/playbooks.ts b/src/api/services/playbooks.ts
index 94ea0dacdc..468d5e762f 100644
--- a/src/api/services/playbooks.ts
+++ b/src/api/services/playbooks.ts
@@ -32,36 +32,6 @@ export async function getAllPlaybookNames() {
   return res.data ?? [];
 }
 
-export async function getPlaybookNamesPaginated({
-  pageIndex,
-  pageSize,
-  sortBy,
-  sortOrder
-}: {
-  pageIndex: number;
-  pageSize: number;
-  sortBy?: string;
-  sortOrder?: "asc" | "desc";
-}) {
-  let url =
-    "/playbook_names?select=id,name,namespace,title,icon,category,description";
-  url += `&limit=${pageSize}&offset=${pageIndex * pageSize}`;
-
-  if (sortBy) {
-    url += `&order=${encodeURIComponent(`${sortBy}.${sortOrder ?? "asc"}`)}`;
-  } else {
-    url += `&order=${encodeURIComponent("title.asc")}`;
-  }
-
-  return resolvePostGrestRequestWithPagination<PlaybookNames[]>(
-    IncidentCommander.get(url, {
-      headers: {
-        Prefer: "count=exact"
-      }
-    })
-  );
-}
-
 export async function getPlaybookSpec(id: string) {
   const res = await IncidentCommander.get<PlaybookSpec[] | null>(
     `/playbooks?id=eq.${id}&select=*,created_by(${AVATAR_INFO})`
diff --git a/src/api/types/permissions.ts b/src/api/types/permissions.ts
index 2ab4695b77..2a219ded58 100644
--- a/src/api/types/permissions.ts
+++ b/src/api/types/permissions.ts
@@ -14,6 +14,12 @@ export type PermissionGlobalObject =
   | "topology"
   | "mcp";
 
+/**
+ * Selector map for `object_selector` in a permission rule.
+ *
+ * Each key narrows the permission scope for that resource type.
+ * If omitted, the permission applies to all objects of the selected global object.
+ */
 type PermissionObjectSelector = {
   playbooks?: Selectors[];
   connections?: Selectors[];
diff --git a/src/components/Permissions/SubjectAccessCard.tsx b/src/components/Permissions/SubjectAccessCard.tsx
index 17e143251c..6cb83b53a5 100644
--- a/src/components/Permissions/SubjectAccessCard.tsx
+++ b/src/components/Permissions/SubjectAccessCard.tsx
@@ -48,7 +48,7 @@ export default function SubjectAccessCard({
       <div className="flex items-center gap-3">
         <SubjectAvatar
           subject={{ name: user.name ?? user.id, type: user.type ?? "person" }}
-          size="md"
+          size="xs"
         />
 
         <div className="flex min-w-0 flex-1 items-center justify-between gap-2">
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index e005cc363d..b49c957876 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -6,7 +6,7 @@ import ResourceAccessCard from "@flanksource-ui/components/Permissions/ResourceA
 import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import { useQuery } from "@tanstack/react-query";
-import { useMemo } from "react";
+import { useEffect, useMemo, useState } from "react";
 
 const getViewRefs = (permission: PermissionsSummary) =>
   permission.object_selector?.views ?? [];
@@ -48,6 +48,26 @@ export default function McpViewsPage() {
     objectSelectorKey: "views"
   });
 
+  const [isSubjectPanelSwitching, setIsSubjectPanelSwitching] = useState(false);
+
+  useEffect(() => {
+    if (!selectedView) {
+      setIsSubjectPanelSwitching(false);
+      return;
+    }
+
+    // SubjectSelectorPanel remounts when the selected view changes (key={selectedView.id}).
+    // Keep this overlay on briefly so the switch feels intentional instead of a flicker.
+    setIsSubjectPanelSwitching(true);
+    const timer = setTimeout(() => {
+      setIsSubjectPanelSwitching(false);
+    }, 220);
+
+    return () => {
+      clearTimeout(timer);
+    };
+  }, [selectedView?.id]);
+
   return (
     <McpTabsLinks
       activeTab="Views"
@@ -92,18 +112,25 @@ export default function McpViewsPage() {
             })}
           </div>
 
+          {/* Keep a stable right-column width/height for both states so layout doesn't jump. */}
           <div className="min-h-0 w-full shrink-0 lg:w-[420px]">
             {selectedView ? (
-              <SubjectSelectorPanel
-                key={selectedView.id}
-                description="Select users, teams, groups, or roles to allow this view for MCP usage."
-                preselectedSubjectIds={preselectedSubjectIds}
-                isSubmitting={isAllowingSelective}
-                onClose={() => setSelectedResourceId(null)}
-                onAllow={(subjects) =>
-                  allowSelectiveAccess(selectedView, subjects)
-                }
-              />
+              <div className="relative h-full">
+                <SubjectSelectorPanel
+                  key={selectedView.id}
+                  description="Select users, teams, groups, or roles to allow this view for MCP usage."
+                  preselectedSubjectIds={preselectedSubjectIds}
+                  isSubmitting={isAllowingSelective}
+                  onClose={() => setSelectedResourceId(null)}
+                  onAllow={(subjects) =>
+                    allowSelectiveAccess(selectedView, subjects)
+                  }
+                />
+
+                {isSubjectPanelSwitching ? (
+                  <div className="pointer-events-none absolute inset-0 z-10 rounded-md bg-white/20 backdrop-blur-[1.5px]" />
+                ) : null}
+              </div>
             ) : (
               <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">
                 Select a view row to manage custom subject access.

From 65b798738478706693eea526390f08a5984e7123 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Fri, 10 Apr 2026 23:27:28 +0545
Subject: [PATCH 36/48] feat: Subject -> mcp settings

---
 src/App.tsx                                   |  10 +
 src/components/MCP/McpTabsLinks.tsx           |  13 +-
 .../Permissions/ResourceSelectorPanel.tsx     | 442 +++++++++++++++
 .../Permissions/SubjectSelectorPanel.tsx      | 493 ++++------------
 .../Permissions/TriStateAccessSwitch.tsx      |  78 +++
 .../permissions/useMcpResourcePermissions.ts  | 265 +++++++--
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |  18 +-
 .../Settings/mcp/McpSubjectAccessPage.tsx     | 527 ++++++++++++++++++
 src/pages/Settings/mcp/McpViewsPage.tsx       |  18 +-
 9 files changed, 1430 insertions(+), 434 deletions(-)
 create mode 100644 src/components/Permissions/ResourceSelectorPanel.tsx
 create mode 100644 src/components/Permissions/TriStateAccessSwitch.tsx
 create mode 100644 src/pages/Settings/mcp/McpSubjectAccessPage.tsx

diff --git a/src/App.tsx b/src/App.tsx
index 9a3c0896c2..44222f00be 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -50,6 +50,7 @@ import { PermissionsPage } from "./pages/Settings/PermissionsPage";
 import McpOverviewPage from "./pages/Settings/mcp/McpOverviewPage";
 import McpPlaybooksPage from "./pages/Settings/mcp/McpPlaybooksPage";
 import McpViewsPage from "./pages/Settings/mcp/McpViewsPage";
+import McpSubjectAccessPage from "./pages/Settings/mcp/McpSubjectAccessPage";
 import McpCheckAccessPage from "./pages/Settings/mcp/McpCheckAccessPage";
 import ScopesPage from "./pages/Settings/ScopesPage";
 import { features } from "./services/permissions/features";
@@ -883,6 +884,15 @@ export function IncidentManagerRoutes({ sidebar }: { sidebar: ReactNode }) {
               true
             )}
           />
+          <Route
+            path="subject-access"
+            element={withAuthorizationAccessCheck(
+              <McpSubjectAccessPage />,
+              tables.database,
+              "write",
+              true
+            )}
+          />
           <Route
             path="check-access"
             element={withAuthorizationAccessCheck(
diff --git a/src/components/MCP/McpTabsLinks.tsx b/src/components/MCP/McpTabsLinks.tsx
index a0f885f2c8..3ff4aa40df 100644
--- a/src/components/MCP/McpTabsLinks.tsx
+++ b/src/components/MCP/McpTabsLinks.tsx
@@ -14,7 +14,12 @@ import ConfigSidebar from "../Configs/Sidebar/ConfigSidebar";
 import { ErrorBoundary } from "../ErrorBoundary";
 
 type McpTabsLinksProps = {
-  activeTab: "Overview" | "Playbooks" | "Views" | "Check Access";
+  activeTab:
+    | "Overview"
+    | "Playbooks"
+    | "Views"
+    | "Subject access"
+    | "Check Access";
   children: React.ReactNode;
   className?: string;
   onRefresh?: () => void;
@@ -59,6 +64,12 @@ export default function McpTabsLinks({
         key: "Views",
         search
       },
+      {
+        label: "Subject access",
+        path: "/settings/mcp/subject-access",
+        key: "Subject access",
+        search
+      },
       {
         label: "Check Access",
         path: "/settings/mcp/check-access",
diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
new file mode 100644
index 0000000000..e13576f42b
--- /dev/null
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -0,0 +1,442 @@
+import { PermissionSubject } from "@flanksource-ui/api/services/permissions";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
+import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
+import { Button } from "@flanksource-ui/components/ui/button";
+import { Input } from "@flanksource-ui/components/ui/input";
+import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+import { Icon } from "@flanksource-ui/ui/Icons/Icon";
+import { useMemo, useState } from "react";
+
+export type ResourceAccess = "deny" | "default" | "allow";
+
+export type McpSubjectResource = {
+  id: string;
+  kind: "playbook" | "view";
+  name: string;
+  namespace?: string;
+  icon?: string;
+  subtitle?: string;
+};
+
+type ResourceSelectorPanelProps = {
+  selectedSubject: PermissionSubject;
+  resources: McpSubjectResource[];
+  permissions: PermissionsSummary[];
+  isSubmitting?: boolean;
+  mutatingResourceIds?: Record<string, true>;
+  onSetResourceAccess: (
+    resource: McpSubjectResource,
+    access: ResourceAccess
+  ) => Promise<void> | void;
+  onSetManyResourceAccess: (
+    resources: McpSubjectResource[],
+    access: ResourceAccess
+  ) => Promise<void> | void;
+};
+
+const TABS = [
+  { key: "all", label: "All" },
+  { key: "allowed", label: "Allowed" },
+  { key: "playbook", label: "Playbooks" },
+  { key: "view", label: "Views" }
+] as const;
+
+const BULK_OPTIONS = ["Deny", "Default", "Allow"] as const;
+type BulkOption = (typeof BULK_OPTIONS)[number];
+
+type ActiveTab = (typeof TABS)[number]["key"];
+
+function getRefsForPermission(
+  permission: PermissionsSummary,
+  kind: "playbook" | "view"
+) {
+  return kind === "playbook"
+    ? (permission.object_selector?.playbooks ?? [])
+    : (permission.object_selector?.views ?? []);
+}
+
+function permissionMatchesResource(
+  permission: PermissionsSummary,
+  resource: McpSubjectResource
+) {
+  const refs = getRefsForPermission(permission, resource.kind);
+
+  return refs.some((ref) => {
+    if (!ref?.name || ref.name === "*") {
+      return false;
+    }
+
+    if (ref.namespace) {
+      return ref.namespace === resource.namespace && ref.name === resource.name;
+    }
+
+    return ref.name === resource.name;
+  });
+}
+
+function getAccessState(
+  permissions: PermissionsSummary[],
+  subject: PermissionSubject,
+  resource: McpSubjectResource
+): {
+  access: ResourceAccess;
+} {
+  const subjectType = mapSubjectType(subject.type);
+
+  const direct = permissions.filter(
+    (permission) =>
+      permission.action === "mcp:run" &&
+      permission.source === "mcp_settings" &&
+      permission.subject === subject.id &&
+      permission.subject_type === subjectType &&
+      permissionMatchesResource(permission, resource)
+  );
+
+  if (direct.length > 0) {
+    return {
+      access: direct.some((permission) => permission.deny === true)
+        ? "deny"
+        : "allow"
+    };
+  }
+
+  return { access: "default" };
+}
+
+export default function ResourceSelectorPanel({
+  selectedSubject,
+  resources,
+  permissions,
+  isSubmitting = false,
+  mutatingResourceIds = {},
+  onSetResourceAccess,
+  onSetManyResourceAccess
+}: ResourceSelectorPanelProps) {
+  const [activeTab, setActiveTab] = useState<ActiveTab>("all");
+  const [resourceSearch, setResourceSearch] = useState("");
+
+  const normalizedSearch = resourceSearch.trim().toLowerCase();
+
+  const filteredResources = useMemo(() => {
+    return resources.filter((resource) => {
+      if (activeTab === "playbook" || activeTab === "view") {
+        if (resource.kind !== activeTab) {
+          return false;
+        }
+      }
+
+      if (activeTab === "allowed") {
+        const access = getAccessState(
+          permissions,
+          selectedSubject,
+          resource
+        ).access;
+        if (access !== "allow") {
+          return false;
+        }
+      }
+
+      if (!normalizedSearch) {
+        return true;
+      }
+
+      const haystack =
+        `${resource.name} ${resource.subtitle || ""} ${resource.namespace || ""}`.toLowerCase();
+      return haystack.includes(normalizedSearch);
+    });
+  }, [activeTab, normalizedSearch, permissions, resources, selectedSubject]);
+
+  const resourcesByType = useMemo(() => {
+    const playbooks: McpSubjectResource[] = [];
+    const views: McpSubjectResource[] = [];
+
+    for (const resource of filteredResources) {
+      if (resource.kind === "playbook") {
+        playbooks.push(resource);
+      } else {
+        views.push(resource);
+      }
+    }
+
+    return { playbooks, views };
+  }, [filteredResources]);
+
+  const counts = useMemo(() => {
+    const playbooks = resources.filter(
+      (resource) => resource.kind === "playbook"
+    ).length;
+    const views = resources.filter(
+      (resource) => resource.kind === "view"
+    ).length;
+    const allowed = resources.filter(
+      (resource) =>
+        getAccessState(permissions, selectedSubject, resource).access ===
+        "allow"
+    ).length;
+
+    return {
+      all: playbooks + views,
+      allowed,
+      playbook: playbooks,
+      view: views
+    };
+  }, [permissions, resources, selectedSubject]);
+
+  const bulkAccess = useMemo<ResourceAccess>(() => {
+    const subjectType = mapSubjectType(selectedSubject.type);
+
+    const getWildcardAccessByKind = (
+      kind: "playbook" | "view"
+    ): ResourceAccess => {
+      const wildcardPermissions = permissions.filter((permission) => {
+        if (
+          permission.action !== "mcp:run" ||
+          permission.source !== "mcp_settings" ||
+          permission.subject !== selectedSubject.id ||
+          permission.subject_type !== subjectType
+        ) {
+          return false;
+        }
+
+        return getRefsForPermission(permission, kind).some(
+          (ref) => ref?.name === "*" && !ref?.namespace
+        );
+      });
+
+      if (wildcardPermissions.length === 0) {
+        return "default";
+      }
+
+      return wildcardPermissions.some((permission) => permission.deny === true)
+        ? "deny"
+        : "allow";
+    };
+
+    if (activeTab === "playbook") {
+      return getWildcardAccessByKind("playbook");
+    }
+
+    if (activeTab === "view") {
+      return getWildcardAccessByKind("view");
+    }
+
+    const playbookAccess = getWildcardAccessByKind("playbook");
+    const viewAccess = getWildcardAccessByKind("view");
+
+    if (playbookAccess === viewAccess) {
+      return playbookAccess;
+    }
+
+    return "default";
+  }, [activeTab, permissions, selectedSubject]);
+
+  const bulkOptionValue: BulkOption =
+    bulkAccess === "allow"
+      ? "Allow"
+      : bulkAccess === "deny"
+        ? "Deny"
+        : "Default";
+
+  return (
+    <div className="flex min-h-0 flex-1 flex-col gap-3">
+      <div className="flex items-center justify-between gap-3">
+        <div className="flex min-w-0 items-center gap-2">
+          <SubjectAvatar subject={selectedSubject} size="md" />
+          <div className="min-w-0">
+            <div className="truncate text-sm font-semibold text-gray-900">
+              {selectedSubject.name}
+            </div>
+          </div>
+        </div>
+
+        <div className="flex shrink-0 items-center gap-2">
+          <div
+            className={
+              isSubmitting || filteredResources.length === 0
+                ? "pointer-events-none opacity-60"
+                : undefined
+            }
+            aria-disabled={
+              isSubmitting || filteredResources.length === 0 || undefined
+            }
+          >
+            <Switch
+              size="sm"
+              options={[...BULK_OPTIONS]}
+              value={bulkOptionValue}
+              onChange={(value) => {
+                const access: ResourceAccess =
+                  value === "Allow"
+                    ? "allow"
+                    : value === "Deny"
+                      ? "deny"
+                      : "default";
+                onSetManyResourceAccess(filteredResources, access);
+              }}
+              getActiveItemClassName={(option) =>
+                option === "Allow"
+                  ? "!bg-green-600 !text-white !ring-green-600"
+                  : option === "Deny"
+                    ? "!bg-red-600 !text-white !ring-red-600"
+                    : undefined
+              }
+            />
+          </div>
+        </div>
+      </div>
+
+      <div className="flex items-center gap-2">
+        {TABS.map((tab) => {
+          const isActive = activeTab === tab.key;
+          const count = counts[tab.key];
+
+          return (
+            <Button
+              key={tab.key}
+              type="button"
+              variant={isActive ? "default" : "outline"}
+              size="sm"
+              className={
+                isActive
+                  ? "border-gray-900 bg-gray-900 text-white hover:bg-gray-800"
+                  : "text-gray-700"
+              }
+              onClick={() => setActiveTab(tab.key)}
+            >
+              {tab.label}{" "}
+              <span className="ml-1 text-xs opacity-80">{count}</span>
+            </Button>
+          );
+        })}
+      </div>
+
+      <Input
+        placeholder="Search playbooks and views..."
+        value={resourceSearch}
+        onChange={(event) => setResourceSearch(event.target.value)}
+      />
+
+      <div className="min-h-0 flex-1 space-y-4 overflow-y-auto">
+        {(activeTab === "all" ||
+          activeTab === "allowed" ||
+          activeTab === "playbook") && (
+          <div className="space-y-2">
+            <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+              Playbooks
+            </div>
+            <div className="overflow-hidden rounded-md border border-gray-200">
+              {resourcesByType.playbooks.length === 0 ? (
+                <div className="p-3 text-sm text-gray-500">
+                  No playbooks found
+                </div>
+              ) : (
+                resourcesByType.playbooks.map((resource) => {
+                  const state = getAccessState(
+                    permissions,
+                    selectedSubject,
+                    resource
+                  );
+
+                  return (
+                    <div
+                      key={resource.id}
+                      className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+                    >
+                      <div className="flex min-w-0 items-center gap-2">
+                        <Icon
+                          name={resource.icon || "playbook"}
+                          className="h-4 w-4 text-gray-500"
+                        />
+                        <div className="min-w-0">
+                          <div className="truncate text-sm font-medium text-gray-900">
+                            {resource.name}
+                          </div>
+                          {resource.subtitle ? (
+                            <div className="truncate text-xs text-gray-500">
+                              {resource.subtitle}
+                            </div>
+                          ) : null}
+                        </div>
+                      </div>
+
+                      <TriStateAccessSwitch
+                        value={state.access}
+                        disabled={
+                          Boolean(mutatingResourceIds[resource.id]) ||
+                          isSubmitting
+                        }
+                        onChange={(access) =>
+                          onSetResourceAccess(resource, access)
+                        }
+                      />
+                    </div>
+                  );
+                })
+              )}
+            </div>
+          </div>
+        )}
+
+        {(activeTab === "all" ||
+          activeTab === "allowed" ||
+          activeTab === "view") && (
+          <div className="space-y-2">
+            <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+              Views
+            </div>
+            <div className="overflow-hidden rounded-md border border-gray-200">
+              {resourcesByType.views.length === 0 ? (
+                <div className="p-3 text-sm text-gray-500">No views found</div>
+              ) : (
+                resourcesByType.views.map((resource) => {
+                  const state = getAccessState(
+                    permissions,
+                    selectedSubject,
+                    resource
+                  );
+
+                  return (
+                    <div
+                      key={resource.id}
+                      className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+                    >
+                      <div className="flex min-w-0 items-center gap-2">
+                        <Icon
+                          name={resource.icon || "workflow"}
+                          className="h-4 w-4 text-gray-500"
+                        />
+                        <div className="min-w-0">
+                          <div className="truncate text-sm font-medium text-gray-900">
+                            {resource.name}
+                          </div>
+                          {resource.subtitle ? (
+                            <div className="truncate text-xs text-gray-500">
+                              {resource.subtitle}
+                            </div>
+                          ) : null}
+                        </div>
+                      </div>
+
+                      <TriStateAccessSwitch
+                        value={state.access}
+                        disabled={
+                          Boolean(mutatingResourceIds[resource.id]) ||
+                          isSubmitting
+                        }
+                        onChange={(access) =>
+                          onSetResourceAccess(resource, access)
+                        }
+                      />
+                    </div>
+                  );
+                })
+              )}
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index af0b8a442d..21fd8bdce5 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -1,18 +1,15 @@
 import {
-  fetchPermissionSubjectsByIds,
-  fetchPermissionSubjectsPaginated,
+  fetchAllPermissionSubjects,
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
+import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
+import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
 import { Button } from "@flanksource-ui/components/ui/button";
-import { Switch } from "@flanksource-ui/components/ui/switch";
 import { Input } from "@flanksource-ui/components/ui/input";
 import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
-import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
 import { useQuery } from "@tanstack/react-query";
 import { useEffect, useMemo, useState } from "react";
 
-const PAGE_SIZE = 20;
-
 const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
   person: "person",
   access_token_person: "access token",
@@ -29,203 +26,104 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
   access_token_person: 4
 };
 
+type SubjectAccess = "deny" | "default" | "allow";
+
 type SubjectSelectorPanelProps = {
   title?: string;
   description?: string;
-  onAllow?: (selection: PermissionSubject[]) => Promise<void> | void;
-  preselectedSubjectIds?: string[];
+  preselectedSubjectAccess?: Record<string, "allow" | "deny">;
   isSubmitting?: boolean;
+  mutatingSubjectId?: string | null;
   onClose?: () => void;
+  onSetSubjectAccess: (
+    subject: PermissionSubject,
+    access: SubjectAccess
+  ) => Promise<void> | void;
 };
 
 export default function SubjectSelectorPanel({
   title,
   description,
-  onAllow,
-  preselectedSubjectIds = [],
+  preselectedSubjectAccess = {},
   isSubmitting = false,
-  onClose
+  mutatingSubjectId,
+  onClose,
+  onSetSubjectAccess
 }: SubjectSelectorPanelProps) {
   const [search, setSearch] = useState("");
-  const [pageIndex, setPageIndex] = useState(0);
-  const [selectedIds, setSelectedIds] = useState<Record<string, true>>({});
-  const [selectedSubjects, setSelectedSubjects] = useState<
-    Record<string, PermissionSubject>
+  const [selectedAccessById, setSelectedAccessById] = useState<
+    Record<string, SubjectAccess>
   >({});
-  const [initialSelectedIds, setInitialSelectedIds] = useState<
-    Record<string, true>
-  >({});
-
-  const normalizedPreselectedSubjectIds = useMemo(
-    () => [...new Set(preselectedSubjectIds)].sort(),
-    [preselectedSubjectIds]
-  );
-  const preselectedSubjectIdsSignature = useMemo(
-    () => normalizedPreselectedSubjectIds.join("|"),
-    [normalizedPreselectedSubjectIds]
-  );
-
-  useEffect(() => {
-    const ids = preselectedSubjectIdsSignature
-      ? preselectedSubjectIdsSignature.split("|")
-      : [];
-
-    const idMap: Record<string, true> = {};
-    for (const id of ids) {
-      idMap[id] = true;
-    }
-
-    setSearch("");
-    setPageIndex(0);
-    setSelectedIds(idMap);
-    setSelectedSubjects({});
-    setInitialSelectedIds(idMap);
-  }, [preselectedSubjectIdsSignature]);
-
-  const shouldFetchSubjectsByIds = normalizedPreselectedSubjectIds.length > 0;
-
-  const {
-    data: subjectsByIds = [],
-    isLoading: isSubjectsByIdsLoading,
-    isFetching: isSubjectsByIdsFetching
-  } = useQuery({
-    queryKey: ["permission-subjects-by-ids", normalizedPreselectedSubjectIds],
-    queryFn: () =>
-      fetchPermissionSubjectsByIds(normalizedPreselectedSubjectIds),
-    enabled: shouldFetchSubjectsByIds,
-    staleTime: 60_000
-  });
-
-  const debouncedSearch = useDebouncedValue(search, 300) ?? "";
-
-  useEffect(() => {
-    setPageIndex(0);
-  }, [debouncedSearch]);
-
-  const { data, isLoading, isFetching } = useQuery({
-    queryKey: [
-      "mcp",
-      "subject-selector",
-      debouncedSearch,
-      pageIndex,
-      PAGE_SIZE
-    ],
-    queryFn: async () =>
-      fetchPermissionSubjectsPaginated({
-        search: debouncedSearch,
-        pageIndex,
-        pageSize: PAGE_SIZE
-      })
-  });
-
-  const pagedSubjects = useMemo(
-    () => (data?.data ?? []) as PermissionSubject[],
-    [data?.data]
-  );
-
-  const missingOwnerIds = useMemo(() => {
-    const personIds = new Set(
-      [...subjectsByIds, ...pagedSubjects]
-        .filter((subject) => subject.type === "person")
-        .map((subject) => subject.id)
-    );
 
-    return [
-      ...new Set(
-        [...subjectsByIds, ...pagedSubjects]
-          .filter(
-            (subject) =>
-              subject.type === "access_token_person" &&
-              !!subject.owner &&
-              !personIds.has(subject.owner)
-          )
-          .map((subject) => subject.owner!)
-      )
-    ];
-  }, [pagedSubjects, subjectsByIds]);
+  const debouncedSearch =
+    useDebouncedValue(search, 250)?.trim().toLowerCase() ?? "";
 
   const {
-    data: missingOwnerSubjects = [],
-    isLoading: isMissingOwnerSubjectsLoading,
-    isFetching: isMissingOwnerSubjectsFetching
+    data: subjects = [],
+    isLoading,
+    isFetching
   } = useQuery({
-    queryKey: ["permission-subjects-owner-ids", missingOwnerIds],
-    queryFn: () => fetchPermissionSubjectsByIds(missingOwnerIds),
-    enabled: missingOwnerIds.length > 0,
+    queryKey: ["mcp", "subject-selector", "all-subjects"],
+    queryFn: fetchAllPermissionSubjects,
     staleTime: 60_000
   });
 
-  useEffect(() => {
-    setSelectedSubjects((prev) => {
-      const next: Record<string, PermissionSubject> = {};
-
-      for (const id of Object.keys(selectedIds)) {
-        if (prev[id]) {
-          next[id] = prev[id];
-        }
-      }
-
-      for (const subject of subjectsByIds) {
-        if (selectedIds[subject.id]) {
-          next[subject.id] = subject;
-        }
-      }
-
-      for (const subject of pagedSubjects) {
-        if (selectedIds[subject.id]) {
-          next[subject.id] = subject;
-        }
-      }
-
-      return next;
-    });
-  }, [pagedSubjects, selectedIds, subjectsByIds]);
-
-  const selectedHydratedSubjects = useMemo(
+  const normalizedPreselectedAccess = useMemo(
     () =>
-      Object.keys(selectedIds)
-        .map((id) => selectedSubjects[id])
-        .filter((subject): subject is PermissionSubject => !!subject),
-    [selectedIds, selectedSubjects]
+      Object.fromEntries(
+        Object.entries(preselectedSubjectAccess)
+          .filter(([, access]) => access === "allow" || access === "deny")
+          .sort(([a], [b]) => a.localeCompare(b))
+      ) as Record<string, "allow" | "deny">,
+    [preselectedSubjectAccess]
   );
 
-  const unresolvedSelectedIds = useMemo(
-    () => Object.keys(selectedIds).filter((id) => !selectedSubjects[id]),
-    [selectedIds, selectedSubjects]
+  const preselectedAccessSignature = useMemo(
+    () => JSON.stringify(normalizedPreselectedAccess),
+    [normalizedPreselectedAccess]
   );
 
-  const displayedSubjects = useMemo(() => {
-    const merged = new Map<string, PermissionSubject>();
-
-    for (const subject of selectedHydratedSubjects) {
-      merged.set(subject.id, subject);
+  useEffect(() => {
+    const parsed = preselectedAccessSignature
+      ? (JSON.parse(preselectedAccessSignature) as Record<
+          string,
+          "allow" | "deny"
+        >)
+      : {};
+
+    const next: Record<string, SubjectAccess> = {};
+    for (const [id, access] of Object.entries(parsed)) {
+      next[id] = access;
     }
 
-    for (const subject of pagedSubjects) {
-      if (!merged.has(subject.id)) {
-        merged.set(subject.id, subject);
-      }
-    }
+    setSelectedAccessById(next);
+  }, [preselectedAccessSignature]);
 
-    for (const subject of missingOwnerSubjects) {
-      if (!merged.has(subject.id)) {
-        merged.set(subject.id, subject);
-      }
-    }
+  const filteredSubjects = useMemo(() => {
+    const query = debouncedSearch;
 
-    return Array.from(merged.values());
-  }, [missingOwnerSubjects, pagedSubjects, selectedHydratedSubjects]);
+    return subjects
+      .filter((subject) => {
+        if (!query) {
+          return true;
+        }
+        return subject.name.toLowerCase().includes(query);
+      })
+      .sort((a, b) => {
+        const typeOrder =
+          SUBJECT_TYPE_ORDER[a.type] - SUBJECT_TYPE_ORDER[b.type];
+        if (typeOrder !== 0) {
+          return typeOrder;
+        }
+
+        return a.name.localeCompare(b.name, undefined, { sensitivity: "base" });
+      });
+  }, [debouncedSearch, subjects]);
 
   const groupedDisplayedSubjects = useMemo(() => {
-    const seen = new Set<string>();
     const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
 
-    for (const subject of displayedSubjects) {
-      if (seen.has(subject.id)) {
-        continue;
-      }
-      seen.add(subject.id);
-
+    for (const subject of filteredSubjects) {
       const list = grouped.get(subject.type) ?? [];
       list.push(subject);
       grouped.set(subject.type, list);
@@ -235,123 +133,33 @@ export default function SubjectSelectorPanel({
       .sort((a, b) => SUBJECT_TYPE_ORDER[a[0]] - SUBJECT_TYPE_ORDER[b[0]])
       .map(([type, groupedSubjects]) => ({
         type,
-        subjects: groupedSubjects.sort((a, b) =>
-          a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
-        )
+        subjects: groupedSubjects
       }));
-  }, [displayedSubjects]);
-
-  const { accessTokensByOwnerId, unownedAccessTokens } = useMemo(() => {
-    const peopleIds = new Set(
-      displayedSubjects
-        .filter((subject) => subject.type === "person")
-        .map((subject) => subject.id)
-    );
+  }, [filteredSubjects]);
 
-    const byOwner = new Map<string, PermissionSubject[]>();
-    const unowned: PermissionSubject[] = [];
+  const selectedCount = Object.keys(selectedAccessById).filter(
+    (id) => selectedAccessById[id] !== "default"
+  ).length;
 
-    for (const subject of displayedSubjects) {
-      if (subject.type !== "access_token_person") {
-        continue;
-      }
-
-      if (!subject.owner || !peopleIds.has(subject.owner)) {
-        unowned.push(subject);
-        continue;
-      }
-
-      const list = byOwner.get(subject.owner) ?? [];
-      list.push(subject);
-      byOwner.set(subject.owner, list);
-    }
-
-    for (const [, tokens] of byOwner.entries()) {
-      tokens.sort((a, b) =>
-        a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
-      );
-    }
-
-    unowned.sort((a, b) =>
-      a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
-    );
-
-    return {
-      accessTokensByOwnerId: byOwner,
-      unownedAccessTokens: unowned
-    };
-  }, [displayedSubjects]);
-
-  const totalEntries = data?.totalEntries ?? 0;
-  const pageCount = Math.ceil(totalEntries / PAGE_SIZE);
-
-  const selectedCount = Object.keys(selectedIds).length;
-  const hasChanged =
-    selectedCount !== Object.keys(initialSelectedIds).length ||
-    Object.keys(selectedIds).some((id) => !initialSelectedIds[id]);
-  const allSelectedHydrated = selectedHydratedSubjects.length === selectedCount;
-
-  const isPanelFetching =
-    isLoading ||
-    isFetching ||
-    isMissingOwnerSubjectsLoading ||
-    isMissingOwnerSubjectsFetching ||
-    (shouldFetchSubjectsByIds &&
-      (isSubjectsByIdsLoading || isSubjectsByIdsFetching));
-
-  const showFullLoadingState =
-    isPanelFetching &&
-    displayedSubjects.length === 0 &&
-    unresolvedSelectedIds.length === 0;
-
-  const removeSelectedId = (id: string) => {
-    setSelectedIds((prev) => {
-      if (!prev[id]) {
-        return prev;
-      }
+  const setSubjectAccess = (
+    subject: PermissionSubject,
+    access: SubjectAccess
+  ) => {
+    setSelectedAccessById((prev) => {
       const next = { ...prev };
-      delete next[id];
-      return next;
-    });
 
-    setSelectedSubjects((prev) => {
-      if (!prev[id]) {
-        return prev;
+      if (access === "default") {
+        delete next[subject.id];
+      } else {
+        next[subject.id] = access;
       }
-      const next = { ...prev };
-      delete next[id];
+
       return next;
     });
-  };
 
-  const toggleSubject = (subject: PermissionSubject, checked: boolean) => {
-    if (checked) {
-      setSelectedIds((prev) => ({ ...prev, [subject.id]: true }));
-      setSelectedSubjects((prev) => ({ ...prev, [subject.id]: subject }));
-      return;
-    }
-
-    removeSelectedId(subject.id);
+    void onSetSubjectAccess(subject, access);
   };
 
-  const renderSubjectRow = (subject: PermissionSubject, className = "") => (
-    <div
-      key={subject.id}
-      className={`flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50 ${className}`}
-    >
-      <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-        <SubjectAvatar subject={subject} size="xs" />
-        <div className="min-w-0 truncate text-sm font-medium text-gray-900">
-          {subject.name}
-        </div>
-      </div>
-      <Switch
-        checked={!!selectedIds[subject.id]}
-        onCheckedChange={(checked) => toggleSubject(subject, checked)}
-      />
-    </div>
-  );
-
   return (
     <div className="flex h-full min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
       <div className="mb-3 flex items-start justify-between gap-2">
@@ -363,6 +171,11 @@ export default function SubjectSelectorPanel({
             <div className="mt-0.5 text-xs text-gray-500">{description}</div>
           ) : null}
         </div>
+        {onClose ? (
+          <Button type="button" variant="outline" size="sm" onClick={onClose}>
+            Close
+          </Button>
+        ) : null}
       </div>
 
       <Input
@@ -371,124 +184,48 @@ export default function SubjectSelectorPanel({
         onChange={(event) => setSearch(event.target.value)}
       />
 
+      <div className="mt-2 text-xs text-gray-500">
+        Selected: {selectedCount} subject{selectedCount === 1 ? "" : "s"}
+      </div>
+
       <div className="relative mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md">
-        {showFullLoadingState ? (
+        {isLoading || isFetching ? (
           <div className="flex items-center gap-2 p-2 text-sm text-gray-500">
             <div className="h-4 w-4 animate-spin rounded-full border-2 border-gray-300 border-t-gray-600" />
             Loading subjects...
           </div>
-        ) : displayedSubjects.length > 0 || unresolvedSelectedIds.length > 0 ? (
-          <>
-            {unresolvedSelectedIds.length > 0 ? (
-              <div className="space-y-1">
-                <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-amber-600 first:pt-0">
-                  Missing
-                </div>
-                {unresolvedSelectedIds.map((id) => (
-                  <div
-                    key={id}
-                    className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
-                  >
-                    <div className="min-w-0 truncate text-sm font-medium text-gray-900">
-                      Missing subject ({id})
-                    </div>
-                    <Button
-                      type="button"
-                      variant="outline"
-                      size="sm"
-                      onClick={() => removeSelectedId(id)}
-                    >
-                      Remove
-                    </Button>
-                  </div>
-                ))}
+        ) : filteredSubjects.length > 0 ? (
+          groupedDisplayedSubjects.map((group) => (
+            <div key={group.type} className="space-y-1">
+              <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
+                {TYPE_LABELS[group.type] ?? group.type}
               </div>
-            ) : null}
 
-            {groupedDisplayedSubjects
-              .filter((group) => group.type !== "access_token_person")
-              .map((group) => (
-                <div key={group.type} className="space-y-1">
-                  <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
-                    {TYPE_LABELS[group.type] ?? group.type}
+              {group.subjects.map((subject) => (
+                <div
+                  key={subject.id}
+                  className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+                >
+                  <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
+                    <SubjectAvatar subject={subject} size="xs" />
+                    <div className="min-w-0 truncate text-sm font-medium text-gray-900">
+                      {subject.name}
+                    </div>
                   </div>
-                  {group.type === "person"
-                    ? group.subjects.map((person) => {
-                        const ownedTokens =
-                          accessTokensByOwnerId.get(person.id) ?? [];
 
-                        return (
-                          <div key={person.id} className="space-y-1">
-                            {renderSubjectRow(person)}
-                            {ownedTokens.map((token) =>
-                              renderSubjectRow(token, "ml-8")
-                            )}
-                          </div>
-                        );
-                      })
-                    : group.subjects.map((subject) =>
-                        renderSubjectRow(subject)
-                      )}
+                  <TriStateAccessSwitch
+                    value={selectedAccessById[subject.id] ?? "default"}
+                    disabled={isSubmitting || mutatingSubjectId === subject.id}
+                    onChange={(next) => setSubjectAccess(subject, next)}
+                  />
                 </div>
               ))}
-
-            {unownedAccessTokens.length > 0 ? (
-              <div className="space-y-1">
-                <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
-                  {TYPE_LABELS.access_token_person}
-                </div>
-                {unownedAccessTokens.map((token) => renderSubjectRow(token))}
-              </div>
-            ) : null}
-          </>
+            </div>
+          ))
         ) : (
           <div className="p-2 text-sm text-gray-500">No subjects found</div>
         )}
       </div>
-
-      <div className="mt-3 flex items-center justify-between text-xs text-gray-500">
-        <div>
-          Selected: {selectedCount} subject{selectedCount === 1 ? "" : "s"}
-        </div>
-        <div className="flex items-center gap-2">
-          <Button
-            type="button"
-            variant="outline"
-            size="sm"
-            disabled={pageIndex === 0}
-            onClick={() => setPageIndex((p) => Math.max(0, p - 1))}
-          >
-            Previous
-          </Button>
-          <span>
-            Page {pageCount === 0 ? 0 : pageIndex + 1} of {pageCount || 0}
-          </span>
-          <Button
-            type="button"
-            variant="outline"
-            size="sm"
-            disabled={pageCount === 0 || pageIndex + 1 >= pageCount}
-            onClick={() => setPageIndex((p) => (p + 1 < pageCount ? p + 1 : p))}
-          >
-            Next
-          </Button>
-        </div>
-      </div>
-
-      <div className="mt-3 flex justify-end gap-2">
-        {onClose ? (
-          <Button type="button" variant="outline" onClick={onClose}>
-            Cancel
-          </Button>
-        ) : null}
-        <Button
-          type="button"
-          disabled={!hasChanged || isSubmitting || !allSelectedHydrated}
-          onClick={() => onAllow?.(selectedHydratedSubjects)}
-        >
-          Apply
-        </Button>
-      </div>
     </div>
   );
 }
diff --git a/src/components/Permissions/TriStateAccessSwitch.tsx b/src/components/Permissions/TriStateAccessSwitch.tsx
new file mode 100644
index 0000000000..6f52bdd12e
--- /dev/null
+++ b/src/components/Permissions/TriStateAccessSwitch.tsx
@@ -0,0 +1,78 @@
+type ResourceAccess = "deny" | "default" | "allow";
+
+type TriStateAccessSwitchProps = {
+  value: ResourceAccess;
+  onChange: (value: ResourceAccess) => void;
+  disabled?: boolean;
+};
+
+const ACCESS_LABEL: Record<ResourceAccess, string> = {
+  deny: "Deny",
+  default: "Default",
+  allow: "Allow"
+};
+
+const ACCESS_LABEL_CLASSNAME: Record<ResourceAccess, string> = {
+  deny: "text-red-600",
+  default: "text-gray-500",
+  allow: "text-green-600"
+};
+
+const TRACK_CLASSNAME: Record<ResourceAccess, string> = {
+  deny: "bg-red-500",
+  default: "bg-gray-400",
+  allow: "bg-green-600"
+};
+
+const POSITION_BY_ACCESS: Record<ResourceAccess, number> = {
+  deny: 0,
+  default: 1,
+  allow: 2
+};
+
+const ACCESS_ORDER: ResourceAccess[] = ["deny", "default", "allow"];
+
+export default function TriStateAccessSwitch({
+  value,
+  onChange,
+  disabled = false
+}: TriStateAccessSwitchProps) {
+  const position = POSITION_BY_ACCESS[value] * 14;
+
+  return (
+    <div className="flex items-center gap-2">
+      <div
+        className={`relative inline-flex h-5 w-12 overflow-hidden rounded-full p-0.5 transition-colors ${TRACK_CLASSNAME[value]} ${disabled ? "opacity-60" : ""}`}
+      >
+        <span
+          className="pointer-events-none absolute top-0.5 h-4 w-4 rounded-full bg-white shadow transition-transform"
+          style={{ transform: `translateX(${position}px)` }}
+        />
+
+        {ACCESS_ORDER.map((option) => (
+          <button
+            key={option}
+            type="button"
+            className="relative z-10 h-full flex-1"
+            onClick={(event) => {
+              event.preventDefault();
+              event.stopPropagation();
+              if (!disabled) {
+                onChange(option);
+              }
+            }}
+            disabled={disabled}
+            aria-pressed={value === option}
+            aria-label={`Set access to ${ACCESS_LABEL[option]}`}
+          />
+        ))}
+      </div>
+
+      <span
+        className={`min-w-[42px] text-xs font-medium ${ACCESS_LABEL_CLASSNAME[value]}`}
+      >
+        {ACCESS_LABEL[value]}
+      </span>
+    </div>
+  );
+}
diff --git a/src/lib/permissions/useMcpResourcePermissions.ts b/src/lib/permissions/useMcpResourcePermissions.ts
index a68d53bc68..f4212dd093 100644
--- a/src/lib/permissions/useMcpResourcePermissions.ts
+++ b/src/lib/permissions/useMcpResourcePermissions.ts
@@ -36,6 +36,11 @@ export type McpResourcePermissionsConfig<TResource extends NamespacedResource> =
     objectSelectorKey: string;
   };
 
+export type SubjectAccessSelection = {
+  subject: PermissionSubject;
+  access: "allow" | "deny";
+};
+
 export function useMcpResourcePermissions<
   TResource extends NamespacedResource
 >({
@@ -55,6 +60,9 @@ export function useMcpResourcePermissions<
   const [mutatingResourceId, setMutatingResourceId] = useState<string | null>(
     null
   );
+  const [mutatingSubjectId, setMutatingSubjectId] = useState<string | null>(
+    null
+  );
 
   // ── Queries ──────────────────────────────────────────────────────────
 
@@ -88,21 +96,35 @@ export function useMcpResourcePermissions<
     [resources, selectedResourceId]
   );
 
-  const preselectedSubjectIds = useMemo(() => {
-    if (!selectedResource) return [];
-    return permissions
-      .filter(
-        (p) =>
-          p.deny !== true &&
-          p.subject &&
-          p.source === MCP_SETTINGS_PERMISSION_SOURCE &&
-          (p.subject_type === "person" ||
-            p.subject_type === "team" ||
-            p.subject_type === "group" ||
-            p.subject_type === "role") &&
-          permissionMatchesResource(p, selectedResource, getRefs)
-      )
-      .map((p) => p.subject!);
+  const preselectedSubjectAccess = useMemo(() => {
+    const accessBySubjectId: Record<string, "allow" | "deny"> = {};
+
+    if (!selectedResource) {
+      return accessBySubjectId;
+    }
+
+    for (const permission of permissions) {
+      if (
+        !permission.subject ||
+        permission.source !== MCP_SETTINGS_PERMISSION_SOURCE ||
+        (permission.subject_type !== "person" &&
+          permission.subject_type !== "team" &&
+          permission.subject_type !== "group" &&
+          permission.subject_type !== "role") ||
+        !permissionMatchesResource(permission, selectedResource, getRefs)
+      ) {
+        continue;
+      }
+
+      const subjectId = permission.subject;
+      const nextAccess = permission.deny === true ? "deny" : "allow";
+      const currentAccess = accessBySubjectId[subjectId];
+
+      accessBySubjectId[subjectId] =
+        currentAccess === "deny" || nextAccess === "deny" ? "deny" : "allow";
+    }
+
+    return accessBySubjectId;
   }, [permissions, selectedResource, getRefs]);
 
   // ── Mutations ───────────────────────────────────────────────────────
@@ -185,19 +207,34 @@ export function useMcpResourcePermissions<
       subjects
     }: {
       resource: TResource;
-      subjects: PermissionSubject[];
+      subjects: PermissionSubject[] | SubjectAccessSelection[];
     }) => {
       // Re-fetch to avoid acting on stale data from the render closure
       const latestPermissions = await fetchPermissions();
 
-      const desiredKeys = new Set(
-        subjects.map((s) => `${mapSubjectType(s.type)}:${s.id}`)
+      const normalizedSelections: SubjectAccessSelection[] = (
+        subjects as Array<PermissionSubject | SubjectAccessSelection>
+      ).map((entry) => {
+        if ("subject" in entry) {
+          return entry;
+        }
+
+        return {
+          subject: entry,
+          access: "allow"
+        };
+      });
+
+      const desiredAccessByKey = new Map<string, "allow" | "deny">(
+        normalizedSelections.map((selection) => [
+          `${mapSubjectType(selection.subject.type)}:${selection.subject.id}`,
+          selection.access
+        ])
       );
 
       const existingPermissions = latestPermissions.filter(
         (p) =>
           p.action === "mcp:run" &&
-          p.deny !== true &&
           p.subject &&
           p.id &&
           (p.subject_type === "person" ||
@@ -208,26 +245,32 @@ export function useMcpResourcePermissions<
           permissionMatchesResource(p, resource, getRefs)
       );
 
-      const existingKeys = new Set(
-        existingPermissions.map((p) => `${p.subject_type}:${p.subject}`)
-      );
+      const existingByKey = new Map<string, typeof existingPermissions>();
+
+      for (const permission of existingPermissions) {
+        const key = `${permission.subject_type}:${permission.subject}`;
+        const list = existingByKey.get(key) ?? [];
+        list.push(permission);
+        existingByKey.set(key, list);
+      }
 
       const resourceSelector = [
         { name: resource.name, namespace: resource.namespace }
       ];
 
-      const payloadsToAdd = subjects
-        .map((subject) => {
-          const subjectType = mapSubjectType(subject.type);
-          if (existingKeys.has(`${subjectType}:${subject.id}`)) {
+      const payloadsToAdd = normalizedSelections
+        .map((selection) => {
+          const subjectType = mapSubjectType(selection.subject.type);
+          const key = `${subjectType}:${selection.subject.id}`;
+          if (existingByKey.has(key)) {
             return null;
           }
           return {
             object_selector: { [objectSelectorKey]: resourceSelector },
             action: "mcp:run",
-            subject: subject.id,
+            subject: selection.subject.id,
             subject_type: subjectType,
-            deny: false,
+            deny: selection.access === "deny",
             source: MCP_SETTINGS_PERMISSION_SOURCE,
             created_by: user?.id
           };
@@ -239,10 +282,44 @@ export function useMcpResourcePermissions<
           )
         );
 
-      const deleteIds = existingPermissions
-        .filter((p) => !desiredKeys.has(`${p.subject_type}:${p.subject}`))
-        .map((p) => p.id!)
-        .sort((a, b) => a.localeCompare(b));
+      const updatePayloads = Array.from(existingByKey.entries())
+        .map(([key, permissionsForSubject]) => {
+          const desiredAccess = desiredAccessByKey.get(key);
+
+          if (!desiredAccess) {
+            return null;
+          }
+
+          const [primary, ...duplicates] = permissionsForSubject;
+          if (!primary?.id) {
+            return null;
+          }
+
+          const shouldDeny = desiredAccess === "deny";
+          const requiresUpdate =
+            primary.deny === true ? !shouldDeny : shouldDeny;
+
+          return {
+            id: primary.id,
+            deny: shouldDeny,
+            requiresUpdate,
+            duplicateIds: duplicates
+              .map((permission) => permission.id)
+              .filter((id): id is string => !!id)
+          };
+        })
+        .filter((entry): entry is NonNullable<typeof entry> => !!entry)
+        .sort((a, b) => a.id.localeCompare(b.id));
+
+      const deleteIds = [
+        ...existingPermissions
+          .filter((permission) => {
+            const key = `${permission.subject_type}:${permission.subject}`;
+            return !desiredAccessByKey.has(key);
+          })
+          .map((permission) => permission.id!),
+        ...updatePayloads.flatMap((entry) => entry.duplicateIds)
+      ].sort((a, b) => a.localeCompare(b));
 
       const addedPermissionIds: string[] = [];
 
@@ -254,6 +331,17 @@ export function useMcpResourcePermissions<
           }
         }
 
+        for (const payload of updatePayloads) {
+          if (!payload.requiresUpdate) {
+            continue;
+          }
+
+          await updatePermission({
+            id: payload.id,
+            deny: payload.deny
+          } as any);
+        }
+
         for (const id of deleteIds) {
           await deletePermission(id);
         }
@@ -266,13 +354,19 @@ export function useMcpResourcePermissions<
         throw error;
       }
 
-      return { added: payloadsToAdd.length, removed: deleteIds.length };
+      return {
+        added: payloadsToAdd.length,
+        updated: updatePayloads.filter((entry) => entry.requiresUpdate).length,
+        removed: deleteIds.length
+      };
     },
-    onSuccess: ({ added, removed }) => {
-      if (added === 0 && removed === 0) {
+    onSuccess: ({ added, updated, removed }) => {
+      if (added === 0 && updated === 0 && removed === 0) {
         toastSuccess("No permission changes");
       } else {
-        toastSuccess(`Updated permissions: +${added} / -${removed}`);
+        toastSuccess(
+          `Updated permissions: +${added} / ~${updated} / -${removed}`
+        );
       }
       setSelectedResourceId(null);
     },
@@ -303,11 +397,100 @@ export function useMcpResourcePermissions<
 
   const allowSelectiveAccess = async (
     resource: TResource,
-    subjects: PermissionSubject[]
+    subjects: PermissionSubject[] | SubjectAccessSelection[]
   ) => {
     await allowSelectiveAccessMutation({ resource, subjects });
   };
 
+  const {
+    mutateAsync: setSelectiveSubjectAccessMutation,
+    isLoading: isSettingSelectiveSubjectAccess
+  } = useMutation({
+    mutationFn: async ({
+      resource,
+      subject,
+      access
+    }: {
+      resource: TResource;
+      subject: PermissionSubject;
+      access: "allow" | "deny" | "default";
+    }) => {
+      const latestPermissions = await fetchPermissions();
+      const subjectType = mapSubjectType(subject.type);
+
+      const existingPermissions = latestPermissions.filter(
+        (p) =>
+          p.action === "mcp:run" &&
+          p.subject === subject.id &&
+          p.subject_type === subjectType &&
+          p.id &&
+          p.source === MCP_SETTINGS_PERMISSION_SOURCE &&
+          permissionMatchesResource(p, resource, getRefs)
+      );
+
+      if (access === "default") {
+        await Promise.all(
+          existingPermissions.map((permission) =>
+            deletePermission(permission.id!)
+          )
+        );
+        return;
+      }
+
+      const shouldDeny = access === "deny";
+      const [primary, ...duplicates] = existingPermissions;
+
+      if (!primary) {
+        await addPermission({
+          object_selector: {
+            [objectSelectorKey]: [
+              { name: resource.name, namespace: resource.namespace }
+            ]
+          },
+          action: "mcp:run",
+          subject: subject.id,
+          subject_type: subjectType,
+          deny: shouldDeny,
+          source: MCP_SETTINGS_PERMISSION_SOURCE,
+          created_by: user?.id
+        } as any);
+      } else if (primary.deny !== shouldDeny) {
+        await updatePermission({
+          id: primary.id,
+          deny: shouldDeny
+        } as any);
+      }
+
+      if (duplicates.length > 0) {
+        await Promise.all(
+          duplicates
+            .map((permission) => permission.id)
+            .filter((id): id is string => !!id)
+            .map((id) => deletePermission(id))
+        );
+      }
+    },
+    onError: (error) => {
+      toastError(error as any);
+    },
+    onSettled: () => {
+      refetchPermissions();
+    }
+  });
+
+  const setSelectiveSubjectAccess = async (
+    resource: TResource,
+    subject: PermissionSubject,
+    access: "allow" | "deny" | "default"
+  ) => {
+    setMutatingSubjectId(subject.id);
+    try {
+      await setSelectiveSubjectAccessMutation({ resource, subject, access });
+    } finally {
+      setMutatingSubjectId((cur) => (cur === subject.id ? null : cur));
+    }
+  };
+
   // ── Loading state ───────────────────────────────────────────────────
 
   const loading =
@@ -316,7 +499,8 @@ export function useMcpResourcePermissions<
     isResourcesRefetching ||
     isPermissionsRefetching ||
     isUpdatingGlobalOverride ||
-    isAllowingSelective;
+    isAllowingSelective ||
+    isSettingSelectiveSubjectAccess;
 
   const isInitialLoading =
     (isResourcesLoading || isPermissionsLoading) && resources.length === 0;
@@ -330,9 +514,12 @@ export function useMcpResourcePermissions<
     setGlobalOverride,
     allowSelectiveAccess,
     isAllowingSelective,
+    setSelectiveSubjectAccess,
+    mutatingSubjectId,
+    isSettingSelectiveSubjectAccess,
     loading,
     isInitialLoading,
-    preselectedSubjectIds,
+    preselectedSubjectAccess,
     refetch: () => {
       refetchResources();
       refetchPermissions();
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index a33c7d1033..c3085ca4be 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -28,11 +28,12 @@ export default function McpPlaybooksPage() {
     setSelectedResourceId,
     mutatingResourceId,
     setGlobalOverride,
-    allowSelectiveAccess,
-    isAllowingSelective,
+    setSelectiveSubjectAccess,
+    isSettingSelectiveSubjectAccess,
+    mutatingSubjectId,
     loading,
     isInitialLoading,
-    preselectedSubjectIds,
+    preselectedSubjectAccess,
     refetch: refetchAll
   } = useMcpResourcePermissions({
     resources: playbooks,
@@ -163,12 +164,13 @@ export default function McpPlaybooksPage() {
                   title={`Subject access for ${
                     selectedPlaybook.title || selectedPlaybook.name
                   }`}
-                  description="Select users, teams, groups, or roles to allow this playbook for MCP usage."
-                  preselectedSubjectIds={preselectedSubjectIds}
-                  isSubmitting={isAllowingSelective}
+                  description="Select users, teams, groups, or roles to manage playbook access for MCP usage."
+                  preselectedSubjectAccess={preselectedSubjectAccess}
+                  isSubmitting={isSettingSelectiveSubjectAccess}
+                  mutatingSubjectId={mutatingSubjectId}
                   onClose={() => setSelectedResourceId(null)}
-                  onAllow={(subjects) =>
-                    allowSelectiveAccess(selectedPlaybook, subjects)
+                  onSetSubjectAccess={(subject, access) =>
+                    setSelectiveSubjectAccess(selectedPlaybook, subject, access)
                   }
                 />
 
diff --git a/src/pages/Settings/mcp/McpSubjectAccessPage.tsx b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
new file mode 100644
index 0000000000..aab3f947ac
--- /dev/null
+++ b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
@@ -0,0 +1,527 @@
+import { getAllPlaybookNames } from "@flanksource-ui/api/services/playbooks";
+import {
+  addPermission,
+  deletePermission,
+  fetchAllPermissionSubjects,
+  fetchMcpRunPermissions,
+  MCP_SETTINGS_PERMISSION_SOURCE,
+  PermissionSubject,
+  updatePermission
+} from "@flanksource-ui/api/services/permissions";
+import { getAllViews } from "@flanksource-ui/api/services/views";
+import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import ResourceSelectorPanel, {
+  McpSubjectResource,
+  ResourceAccess
+} from "@flanksource-ui/components/Permissions/ResourceSelectorPanel";
+import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
+import {
+  toastError,
+  toastSuccess
+} from "@flanksource-ui/components/Toast/toast";
+import { Input } from "@flanksource-ui/components/ui/input";
+import { useUser } from "@flanksource-ui/context";
+import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
+import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
+import { useQuery } from "@tanstack/react-query";
+import { useEffect, useMemo, useState } from "react";
+
+const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
+  role: 0,
+  permission_subject_group: 1,
+  team: 2,
+  person: 3,
+  access_token_person: 4
+};
+
+const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
+  person: "person",
+  access_token_person: "access token",
+  team: "team",
+  role: "role",
+  permission_subject_group: "group"
+};
+
+function getPermissionRefs(
+  permission: PermissionsSummary,
+  kind: "playbook" | "view"
+) {
+  return kind === "playbook"
+    ? (permission.object_selector?.playbooks ?? [])
+    : (permission.object_selector?.views ?? []);
+}
+
+function permissionMatchesResource(
+  permission: PermissionsSummary,
+  resource: McpSubjectResource
+) {
+  const refs = getPermissionRefs(permission, resource.kind);
+
+  return refs.some((ref) => {
+    if (!ref?.name || ref.name === "*") {
+      return false;
+    }
+
+    if (ref.namespace) {
+      return ref.namespace === resource.namespace && ref.name === resource.name;
+    }
+
+    return ref.name === resource.name;
+  });
+}
+
+export default function McpSubjectAccessPage() {
+  const { user } = useUser();
+  const [subjectSearch, setSubjectSearch] = useState("");
+  const [selectedSubjectId, setSelectedSubjectId] = useState<string | null>(
+    null
+  );
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [mutatingResourceIds, setMutatingResourceIds] = useState<
+    Record<string, true>
+  >({});
+  const [isResourcePanelSwitching, setIsResourcePanelSwitching] =
+    useState(false);
+
+  const debouncedSearch = useDebouncedValue(subjectSearch, 200) ?? "";
+
+  const {
+    data: subjects = [],
+    isLoading: isSubjectsLoading,
+    isRefetching: isSubjectsRefetching,
+    refetch: refetchSubjects
+  } = useQuery({
+    queryKey: ["mcp", "subject-access", "subjects"],
+    queryFn: fetchAllPermissionSubjects
+  });
+
+  const {
+    data: playbooks = [],
+    isLoading: isPlaybooksLoading,
+    isRefetching: isPlaybooksRefetching,
+    refetch: refetchPlaybooks
+  } = useQuery({
+    queryKey: ["mcp", "subject-access", "playbooks"],
+    queryFn: getAllPlaybookNames
+  });
+
+  const {
+    data: viewsResponse,
+    isLoading: isViewsLoading,
+    isRefetching: isViewsRefetching,
+    refetch: refetchViews
+  } = useQuery({
+    queryKey: ["mcp", "subject-access", "views"],
+    queryFn: async () => getAllViews([{ id: "name", desc: false }], 0, 1000)
+  });
+
+  const {
+    data: permissions = [],
+    isLoading: isPermissionsLoading,
+    isRefetching: isPermissionsRefetching,
+    refetch: refetchPermissions
+  } = useQuery({
+    queryKey: ["mcp", "subject-access", "permissions"],
+    queryFn: fetchMcpRunPermissions
+  });
+
+  const views = useMemo(() => viewsResponse?.data ?? [], [viewsResponse?.data]);
+
+  const sortedSubjects = useMemo(() => {
+    const loweredSearch = debouncedSearch.trim().toLowerCase();
+
+    return subjects
+      .filter((subject) => subject.type !== "access_token_person")
+      .filter((subject) => {
+        if (!loweredSearch) {
+          return true;
+        }
+
+        return subject.name.toLowerCase().includes(loweredSearch);
+      })
+      .sort((a, b) => {
+        const typeOrder =
+          SUBJECT_TYPE_ORDER[a.type] - SUBJECT_TYPE_ORDER[b.type];
+        if (typeOrder !== 0) {
+          return typeOrder;
+        }
+
+        return a.name.localeCompare(b.name, undefined, { sensitivity: "base" });
+      });
+  }, [debouncedSearch, subjects]);
+
+  const groupedSubjects = useMemo(() => {
+    const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
+
+    for (const subject of sortedSubjects) {
+      const list = grouped.get(subject.type) ?? [];
+      list.push(subject);
+      grouped.set(subject.type, list);
+    }
+
+    return Array.from(grouped.entries()).map(([type, list]) => ({
+      type,
+      list
+    }));
+  }, [sortedSubjects]);
+
+  useEffect(() => {
+    if (
+      selectedSubjectId &&
+      sortedSubjects.some((subject) => subject.id === selectedSubjectId)
+    ) {
+      return;
+    }
+
+    setSelectedSubjectId(sortedSubjects[0]?.id ?? null);
+  }, [selectedSubjectId, sortedSubjects]);
+
+  const selectedSubject = useMemo(
+    () =>
+      sortedSubjects.find((subject) => subject.id === selectedSubjectId) ??
+      null,
+    [selectedSubjectId, sortedSubjects]
+  );
+
+  useEffect(() => {
+    if (!selectedSubject) {
+      setIsResourcePanelSwitching(false);
+      return;
+    }
+
+    setIsResourcePanelSwitching(true);
+    const timer = setTimeout(() => {
+      setIsResourcePanelSwitching(false);
+    }, 220);
+
+    return () => {
+      clearTimeout(timer);
+    };
+  }, [selectedSubject?.id]);
+
+  const resources = useMemo<McpSubjectResource[]>(() => {
+    const playbookResources = playbooks
+      .map((playbook) => ({
+        id: playbook.id,
+        kind: "playbook" as const,
+        name: playbook.title || playbook.name,
+        namespace: playbook.namespace,
+        icon: playbook.icon || "playbook",
+        subtitle: playbook.namespace
+          ? `${playbook.namespace} · playbook`
+          : "playbook"
+      }))
+      .sort((a, b) =>
+        a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+      );
+
+    const viewResources = views
+      .map((view) => ({
+        id: view.id,
+        kind: "view" as const,
+        name: view.spec?.title || view.name,
+        namespace: view.namespace,
+        icon: view.spec?.icon || "workflow",
+        subtitle: view.namespace ? `${view.namespace} · view` : "view"
+      }))
+      .sort((a, b) =>
+        a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+      );
+
+    return [...playbookResources, ...viewResources];
+  }, [playbooks, views]);
+
+  const loading =
+    isSubjectsLoading ||
+    isPlaybooksLoading ||
+    isViewsLoading ||
+    isPermissionsLoading ||
+    isSubjectsRefetching ||
+    isPlaybooksRefetching ||
+    isViewsRefetching ||
+    isPermissionsRefetching ||
+    isSubmitting;
+
+  const isInitialLoading =
+    (isSubjectsLoading ||
+      isPlaybooksLoading ||
+      isViewsLoading ||
+      isPermissionsLoading) &&
+    resources.length === 0;
+
+  const setResourceAccess = async (
+    subject: PermissionSubject,
+    targetResource: McpSubjectResource,
+    access: ResourceAccess,
+    latestPermissions?: PermissionsSummary[]
+  ) => {
+    const currentPermissions =
+      latestPermissions ?? (await fetchMcpRunPermissions());
+    const subjectType = mapSubjectType(subject.type);
+
+    const matchingPermissions = currentPermissions.filter(
+      (permission) =>
+        permission.action === "mcp:run" &&
+        permission.source === MCP_SETTINGS_PERMISSION_SOURCE &&
+        permission.subject === subject.id &&
+        permission.subject_type === subjectType &&
+        permission.id &&
+        permissionMatchesResource(permission, targetResource)
+    );
+
+    if (access === "default") {
+      await Promise.all(
+        matchingPermissions.map((permission) =>
+          deletePermission(permission.id!)
+        )
+      );
+      return;
+    }
+
+    const deny = access === "deny";
+    const [primaryPermission, ...duplicates] = matchingPermissions;
+
+    if (!primaryPermission) {
+      await addPermission({
+        action: "mcp:run",
+        object_selector: {
+          [targetResource.kind === "playbook" ? "playbooks" : "views"]: [
+            { name: targetResource.name, namespace: targetResource.namespace }
+          ]
+        },
+        subject: subject.id,
+        subject_type: subjectType,
+        deny,
+        source: MCP_SETTINGS_PERMISSION_SOURCE,
+        created_by: user?.id
+      } as any);
+      return;
+    }
+
+    await Promise.all([
+      ...(primaryPermission.deny === deny
+        ? []
+        : [
+            updatePermission({
+              id: primaryPermission.id,
+              deny
+            } as any)
+          ]),
+      ...duplicates.map((permission) => deletePermission(permission.id!))
+    ]);
+  };
+
+  const applyAccess = async (
+    targetResources: McpSubjectResource[],
+    access: ResourceAccess
+  ) => {
+    if (!selectedSubject || targetResources.length === 0) {
+      return;
+    }
+
+    const subjectType = mapSubjectType(selectedSubject.type);
+    const targetKinds = [
+      ...new Set(targetResources.map((resource) => resource.kind))
+    ];
+
+    setIsSubmitting(true);
+    setMutatingResourceIds(
+      Object.fromEntries(targetResources.map((resource) => [resource.id, true]))
+    );
+
+    try {
+      const latestPermissions = await fetchMcpRunPermissions();
+
+      if (targetResources.length > 1) {
+        for (const kind of targetKinds) {
+          const selectorKey = kind === "playbook" ? "playbooks" : "views";
+
+          const existingForKind = latestPermissions.filter((permission) => {
+            if (
+              permission.action !== "mcp:run" ||
+              permission.source !== MCP_SETTINGS_PERMISSION_SOURCE ||
+              permission.subject !== selectedSubject.id ||
+              permission.subject_type !== subjectType ||
+              !permission.id
+            ) {
+              return false;
+            }
+
+            return getPermissionRefs(permission, kind).length > 0;
+          });
+
+          if (access === "default") {
+            await Promise.all(
+              existingForKind.map((permission) =>
+                deletePermission(permission.id!)
+              )
+            );
+            continue;
+          }
+
+          const deny = access === "deny";
+          const wildcardPermissions = existingForKind.filter((permission) =>
+            getPermissionRefs(permission, kind).some(
+              (ref) => ref?.name === "*" && !ref?.namespace
+            )
+          );
+
+          const [primaryWildcard, ...duplicateWildcards] = wildcardPermissions;
+
+          if (!primaryWildcard) {
+            await addPermission({
+              action: "mcp:run",
+              object_selector: {
+                [selectorKey]: [{ name: "*" }]
+              },
+              subject: selectedSubject.id,
+              subject_type: subjectType,
+              deny,
+              source: MCP_SETTINGS_PERMISSION_SOURCE,
+              created_by: user?.id
+            } as any);
+          } else if (primaryWildcard.deny !== deny) {
+            await updatePermission({
+              id: primaryWildcard.id,
+              deny
+            } as any);
+          }
+
+          const wildcardIdsToKeep = new Set(
+            primaryWildcard?.id ? [primaryWildcard.id] : []
+          );
+
+          const permissionIdsToDelete = [
+            ...duplicateWildcards.map((permission) => permission.id!),
+            ...existingForKind
+              .filter((permission) => !wildcardIdsToKeep.has(permission.id!))
+              .filter(
+                (permission) =>
+                  !wildcardPermissions.some(
+                    (wildcard) => wildcard.id === permission.id
+                  )
+              )
+              .map((permission) => permission.id!)
+          ];
+
+          if (permissionIdsToDelete.length > 0) {
+            await Promise.all(
+              permissionIdsToDelete.map((id) => deletePermission(id))
+            );
+          }
+        }
+
+        toastSuccess("Updated subject access");
+      } else {
+        await setResourceAccess(
+          selectedSubject,
+          targetResources[0],
+          access,
+          latestPermissions
+        );
+        toastSuccess("Updated subject access");
+      }
+    } catch (error) {
+      toastError(error as any);
+    } finally {
+      setMutatingResourceIds({});
+      setIsSubmitting(false);
+      refetchPermissions();
+    }
+  };
+
+  return (
+    <McpTabsLinks
+      activeTab="Subject access"
+      loading={loading}
+      isInitialLoading={isInitialLoading}
+      loadingText="Loading MCP subject access..."
+      onRefresh={() => {
+        refetchSubjects();
+        refetchPlaybooks();
+        refetchViews();
+        refetchPermissions();
+      }}
+    >
+      <div className="flex h-full min-h-0 w-full flex-1 flex-col gap-4 p-6 pb-6">
+        <div>
+          <h3 className="text-lg font-semibold text-gray-900">
+            Subject access
+          </h3>
+          <p className="text-sm text-gray-600">
+            See all playbooks and views a specific user, role, or group can
+            access through this gateway.
+          </p>
+        </div>
+
+        <div className="flex min-h-0 flex-1 gap-4">
+          <div className="flex w-[280px] shrink-0 flex-col">
+            <Input
+              placeholder="Search subjects..."
+              value={subjectSearch}
+              onChange={(event) => setSubjectSearch(event.target.value)}
+            />
+
+            <div className="mt-3 min-h-0 flex-1 space-y-3 overflow-y-auto">
+              {groupedSubjects.map((group) => (
+                <div key={group.type} className="space-y-1">
+                  <div className="px-2 text-xs font-semibold uppercase tracking-wide text-gray-500">
+                    {TYPE_LABELS[group.type] ?? group.type}
+                  </div>
+
+                  {group.list.map((subject) => {
+                    const isActive = subject.id === selectedSubjectId;
+
+                    return (
+                      <button
+                        key={subject.id}
+                        type="button"
+                        onClick={() => setSelectedSubjectId(subject.id)}
+                        className={`flex w-full items-center gap-2 rounded px-2 py-1.5 text-left text-sm transition-colors ${
+                          isActive
+                            ? "bg-blue-50 text-blue-800"
+                            : "text-gray-800 hover:bg-gray-50"
+                        }`}
+                      >
+                        <SubjectAvatar subject={subject} size="xs" />
+                        <span className="truncate">{subject.name}</span>
+                      </button>
+                    );
+                  })}
+                </div>
+              ))}
+            </div>
+          </div>
+
+          <div className="min-h-0 min-w-0 flex-1 lg:max-w-3xl">
+            {selectedSubject ? (
+              <div className="relative h-full">
+                <ResourceSelectorPanel
+                  key={selectedSubject.id}
+                  selectedSubject={selectedSubject}
+                  resources={resources}
+                  permissions={permissions}
+                  isSubmitting={isSubmitting}
+                  mutatingResourceIds={mutatingResourceIds}
+                  onSetResourceAccess={(resource, access) =>
+                    applyAccess([resource], access)
+                  }
+                  onSetManyResourceAccess={applyAccess}
+                />
+
+                {isResourcePanelSwitching ? (
+                  <div className="pointer-events-none absolute inset-0 z-10 rounded-md bg-white/20 backdrop-blur-[1.5px]" />
+                ) : null}
+              </div>
+            ) : (
+              <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">
+                Select a subject to inspect MCP resource access.
+              </div>
+            )}
+          </div>
+        </div>
+      </div>
+    </McpTabsLinks>
+  );
+}
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index b49c957876..a44faa7baf 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -31,11 +31,12 @@ export default function McpViewsPage() {
     setSelectedResourceId,
     mutatingResourceId,
     setGlobalOverride,
-    allowSelectiveAccess,
-    isAllowingSelective,
+    setSelectiveSubjectAccess,
+    isSettingSelectiveSubjectAccess,
+    mutatingSubjectId,
     loading,
     isInitialLoading,
-    preselectedSubjectIds,
+    preselectedSubjectAccess,
     refetch: refetchAll
   } = useMcpResourcePermissions({
     resources: views,
@@ -118,12 +119,13 @@ export default function McpViewsPage() {
               <div className="relative h-full">
                 <SubjectSelectorPanel
                   key={selectedView.id}
-                  description="Select users, teams, groups, or roles to allow this view for MCP usage."
-                  preselectedSubjectIds={preselectedSubjectIds}
-                  isSubmitting={isAllowingSelective}
+                  description="Select users, teams, groups, or roles to manage view access for MCP usage."
+                  preselectedSubjectAccess={preselectedSubjectAccess}
+                  isSubmitting={isSettingSelectiveSubjectAccess}
+                  mutatingSubjectId={mutatingSubjectId}
                   onClose={() => setSelectedResourceId(null)}
-                  onAllow={(subjects) =>
-                    allowSelectiveAccess(selectedView, subjects)
+                  onSetSubjectAccess={(subject, access) =>
+                    setSelectiveSubjectAccess(selectedView, subject, access)
                   }
                 />
 

From 77a5fa9dd5aa4fc0978d0be3ab536b6f520c98ad Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Fri, 10 Apr 2026 23:44:20 +0545
Subject: [PATCH 37/48] parity between playbooks and users page

---
 src/components/MCP/McpTabsLinks.tsx           |  12 +-
 .../Permissions/ResourceAccessCard.tsx        |  92 +++--
 .../Permissions/ResourceSelectorPanel.tsx     | 329 +++++++++-------
 .../Permissions/SubjectSelectorPanel.tsx      | 357 ++++++++++++++----
 src/pages/Settings/mcp/McpCheckAccessPage.tsx |  10 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   | 163 +++++---
 .../Settings/mcp/McpSubjectAccessPage.tsx     |   2 +-
 src/pages/Settings/mcp/McpViewsPage.tsx       | 175 +++++++--
 8 files changed, 809 insertions(+), 331 deletions(-)

diff --git a/src/components/MCP/McpTabsLinks.tsx b/src/components/MCP/McpTabsLinks.tsx
index 3ff4aa40df..a91b833754 100644
--- a/src/components/MCP/McpTabsLinks.tsx
+++ b/src/components/MCP/McpTabsLinks.tsx
@@ -52,6 +52,12 @@ export default function McpTabsLinks({
         key: "Overview",
         search
       },
+      {
+        label: "Subjects",
+        path: "/settings/mcp/subject-access",
+        key: "Subject access",
+        search
+      },
       {
         label: "Playbooks",
         path: "/settings/mcp/playbooks",
@@ -64,12 +70,6 @@ export default function McpTabsLinks({
         key: "Views",
         search
       },
-      {
-        label: "Subject access",
-        path: "/settings/mcp/subject-access",
-        key: "Subject access",
-        search
-      },
       {
         label: "Check Access",
         path: "/settings/mcp/check-access",
diff --git a/src/components/Permissions/ResourceAccessCard.tsx b/src/components/Permissions/ResourceAccessCard.tsx
index cf192d8020..c0c8495ee9 100644
--- a/src/components/Permissions/ResourceAccessCard.tsx
+++ b/src/components/Permissions/ResourceAccessCard.tsx
@@ -13,10 +13,11 @@ type Entity = {
 type PermissionAccessCardProps = {
   entity: Entity;
   globalOverride?: GlobalOverride;
-  onGlobalOverrideChange: (value: GlobalOverride) => void;
+  onGlobalOverrideChange?: (value: GlobalOverride) => void;
   onViewSubjects?: () => void;
   isMutating?: boolean;
   isSelected?: boolean;
+  showGlobalSwitch?: boolean;
 };
 
 const SWITCH_OPTIONS = ["Deny all", "Custom", "Allow all"];
@@ -50,9 +51,14 @@ export default function ResourceAccessCard({
   onGlobalOverrideChange,
   onViewSubjects,
   isMutating = false,
-  isSelected = false
+  isSelected = false,
+  showGlobalSwitch = true
 }: PermissionAccessCardProps) {
-  const canOpenSubjects = globalOverride === "none" && Boolean(onViewSubjects);
+  const { icon, name, namespace } = entity;
+  const canOpenSubjects =
+    (showGlobalSwitch ? globalOverride === "none" : true) &&
+    Boolean(onViewSubjects);
+  const isGlobalSwitchDisabled = isMutating || !onGlobalOverrideChange;
 
   const handleCardClick = () => {
     if (!canOpenSubjects) {
@@ -62,6 +68,14 @@ export default function ResourceAccessCard({
     onViewSubjects?.();
   };
 
+  const handleGlobalOverrideSwitchChange = (value: string) => {
+    if (!onGlobalOverrideChange) {
+      return;
+    }
+
+    onGlobalOverrideChange(toGlobalOverride(value));
+  };
+
   return (
     <div
       className={`w-full max-w-3xl ${canOpenSubjects ? "cursor-pointer" : ""} ${isSelected ? "rounded-md bg-gray-50 ring-1 ring-inset ring-gray-300" : ""}`}
@@ -69,60 +83,62 @@ export default function ResourceAccessCard({
     >
       <div className="flex items-start gap-3">
         <div className="ml-2 flex h-8 w-8 shrink-0 items-center justify-center rounded-md text-xs font-semibold text-gray-700">
-          <Icon name={entity.icon ?? "playbook"} className="h-4 w-4" />
+          <Icon name={icon ?? "playbook"} className="h-4 w-4" />
         </div>
 
         <div className="flex min-w-0 flex-1 items-start justify-between gap-2">
           <div className="min-w-0">
             <div
               className="truncate text-sm font-semibold text-gray-900"
-              title={entity.name}
+              title={name}
             >
-              {entity.name}
+              {name}
             </div>
-            {entity.namespace && (
+            {namespace && (
               <div
                 className="mt-0.5 truncate text-xs text-gray-500"
-                title={entity.namespace}
+                title={namespace}
               >
-                {entity.namespace}
+                {namespace}
               </div>
             )}
           </div>
 
-          <div
-            className="shrink-0"
-            onClick={(event) => event.stopPropagation()}
-          >
+          {showGlobalSwitch ? (
             <div
-              className={
-                isMutating ? "pointer-events-none opacity-60" : undefined
-              }
-              aria-disabled={isMutating || undefined}
+              className="shrink-0"
+              onClick={(event) => event.stopPropagation()}
             >
-              <Switch
-                size="sm"
-                options={SWITCH_OPTIONS}
-                value={toSwitchOption(globalOverride)}
-                onChange={(value) =>
-                  onGlobalOverrideChange(toGlobalOverride(value))
+              <div
+                className={
+                  isGlobalSwitchDisabled
+                    ? "pointer-events-none opacity-60"
+                    : undefined
                 }
-                className="mr-2 h-auto"
-                itemsClassName=""
-                getActiveItemClassName={(option) => {
-                  if (option === "Allow all") {
-                    return "bg-blue-50 text-blue-700 ring-blue-200";
-                  }
-
-                  if (option === "Deny all") {
-                    return "bg-red-50 text-red-700 ring-red-200";
-                  }
-
-                  return undefined;
-                }}
-              />
+                aria-disabled={isGlobalSwitchDisabled || undefined}
+              >
+                <Switch
+                  size="sm"
+                  options={SWITCH_OPTIONS}
+                  value={toSwitchOption(globalOverride)}
+                  onChange={handleGlobalOverrideSwitchChange}
+                  className="mr-2 h-auto"
+                  itemsClassName=""
+                  getActiveItemClassName={(option) => {
+                    if (option === "Allow all") {
+                      return "bg-blue-50 text-blue-700 ring-blue-200";
+                    }
+
+                    if (option === "Deny all") {
+                      return "bg-red-50 text-red-700 ring-red-200";
+                    }
+
+                    return undefined;
+                  }}
+                />
+              </div>
             </div>
-          </div>
+          ) : null}
         </div>
       </div>
     </div>
diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index e13576f42b..11111016f8 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -239,6 +239,15 @@ export default function ResourceSelectorPanel({
         ? "Deny"
         : "Default";
 
+  const isListLocked = bulkAccess === "allow" || bulkAccess === "deny";
+
+  const resetTargetResources =
+    activeTab === "playbook"
+      ? resources.filter((resource) => resource.kind === "playbook")
+      : activeTab === "view"
+        ? resources.filter((resource) => resource.kind === "view")
+        : resources;
+
   return (
     <div className="flex min-h-0 flex-1 flex-col gap-3">
       <div className="flex items-center justify-between gap-3">
@@ -287,155 +296,195 @@ export default function ResourceSelectorPanel({
         </div>
       </div>
 
-      <div className="flex items-center gap-2">
-        {TABS.map((tab) => {
-          const isActive = activeTab === tab.key;
-          const count = counts[tab.key];
-
-          return (
-            <Button
-              key={tab.key}
-              type="button"
-              variant={isActive ? "default" : "outline"}
-              size="sm"
-              className={
-                isActive
-                  ? "border-gray-900 bg-gray-900 text-white hover:bg-gray-800"
-                  : "text-gray-700"
-              }
-              onClick={() => setActiveTab(tab.key)}
-            >
-              {tab.label}{" "}
-              <span className="ml-1 text-xs opacity-80">{count}</span>
-            </Button>
-          );
-        })}
-      </div>
+      <div className="relative min-h-0 flex-1">
+        <div
+          className={`flex h-full min-h-0 flex-col gap-3 ${
+            isListLocked
+              ? "pointer-events-none select-none opacity-60 blur-[1px]"
+              : ""
+          }`}
+          aria-hidden={isListLocked || undefined}
+        >
+          <div className="flex items-center gap-2">
+            {TABS.map((tab) => {
+              const isActive = activeTab === tab.key;
+              const count = counts[tab.key];
+
+              return (
+                <Button
+                  key={tab.key}
+                  type="button"
+                  variant={isActive ? "default" : "outline"}
+                  size="sm"
+                  className={
+                    isActive
+                      ? "border-gray-900 bg-gray-900 text-white hover:bg-gray-800"
+                      : "text-gray-700"
+                  }
+                  onClick={() => setActiveTab(tab.key)}
+                >
+                  {tab.label}{" "}
+                  <span className="ml-1 text-xs opacity-80">{count}</span>
+                </Button>
+              );
+            })}
+          </div>
 
-      <Input
-        placeholder="Search playbooks and views..."
-        value={resourceSearch}
-        onChange={(event) => setResourceSearch(event.target.value)}
-      />
-
-      <div className="min-h-0 flex-1 space-y-4 overflow-y-auto">
-        {(activeTab === "all" ||
-          activeTab === "allowed" ||
-          activeTab === "playbook") && (
-          <div className="space-y-2">
-            <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-              Playbooks
-            </div>
-            <div className="overflow-hidden rounded-md border border-gray-200">
-              {resourcesByType.playbooks.length === 0 ? (
-                <div className="p-3 text-sm text-gray-500">
-                  No playbooks found
+          <Input
+            placeholder="Search ..."
+            value={resourceSearch}
+            onChange={(event) => setResourceSearch(event.target.value)}
+          />
+
+          <div className="mb-3 min-h-0 flex-1 space-y-4 overflow-y-auto">
+            {(activeTab === "all" ||
+              activeTab === "allowed" ||
+              activeTab === "playbook") && (
+              <div className="space-y-2">
+                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+                  Playbooks
                 </div>
-              ) : (
-                resourcesByType.playbooks.map((resource) => {
-                  const state = getAccessState(
-                    permissions,
-                    selectedSubject,
-                    resource
-                  );
-
-                  return (
-                    <div
-                      key={resource.id}
-                      className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
-                    >
-                      <div className="flex min-w-0 items-center gap-2">
-                        <Icon
-                          name={resource.icon || "playbook"}
-                          className="h-4 w-4 text-gray-500"
-                        />
-                        <div className="min-w-0">
-                          <div className="truncate text-sm font-medium text-gray-900">
-                            {resource.name}
-                          </div>
-                          {resource.subtitle ? (
-                            <div className="truncate text-xs text-gray-500">
-                              {resource.subtitle}
+                <div className="overflow-hidden rounded-md border border-gray-200">
+                  {resourcesByType.playbooks.length === 0 ? (
+                    <div className="p-3 text-sm text-gray-500">
+                      No playbooks found
+                    </div>
+                  ) : (
+                    resourcesByType.playbooks.map((resource) => {
+                      const state = getAccessState(
+                        permissions,
+                        selectedSubject,
+                        resource
+                      );
+
+                      return (
+                        <div
+                          key={resource.id}
+                          className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+                        >
+                          <div className="flex min-w-0 items-center gap-2">
+                            <Icon
+                              name={resource.icon || "playbook"}
+                              className="h-4 w-4 text-gray-500"
+                            />
+                            <div className="min-w-0">
+                              <div className="truncate text-sm font-medium text-gray-900">
+                                {resource.name}
+                              </div>
+                              {resource.subtitle ? (
+                                <div className="truncate text-xs text-gray-500">
+                                  {resource.subtitle}
+                                </div>
+                              ) : null}
                             </div>
-                          ) : null}
+                          </div>
+
+                          <TriStateAccessSwitch
+                            value={state.access}
+                            disabled={
+                              isListLocked ||
+                              Boolean(mutatingResourceIds[resource.id]) ||
+                              isSubmitting
+                            }
+                            onChange={(access) =>
+                              onSetResourceAccess(resource, access)
+                            }
+                          />
                         </div>
-                      </div>
-
-                      <TriStateAccessSwitch
-                        value={state.access}
-                        disabled={
-                          Boolean(mutatingResourceIds[resource.id]) ||
-                          isSubmitting
-                        }
-                        onChange={(access) =>
-                          onSetResourceAccess(resource, access)
-                        }
-                      />
+                      );
+                    })
+                  )}
+                </div>
+              </div>
+            )}
+
+            {(activeTab === "all" ||
+              activeTab === "allowed" ||
+              activeTab === "view") && (
+              <div className="space-y-2">
+                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+                  Views
+                </div>
+                <div className="overflow-hidden rounded-md border border-gray-200">
+                  {resourcesByType.views.length === 0 ? (
+                    <div className="p-3 text-sm text-gray-500">
+                      No views found
                     </div>
-                  );
-                })
-              )}
-            </div>
-          </div>
-        )}
-
-        {(activeTab === "all" ||
-          activeTab === "allowed" ||
-          activeTab === "view") && (
-          <div className="space-y-2">
-            <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-              Views
-            </div>
-            <div className="overflow-hidden rounded-md border border-gray-200">
-              {resourcesByType.views.length === 0 ? (
-                <div className="p-3 text-sm text-gray-500">No views found</div>
-              ) : (
-                resourcesByType.views.map((resource) => {
-                  const state = getAccessState(
-                    permissions,
-                    selectedSubject,
-                    resource
-                  );
-
-                  return (
-                    <div
-                      key={resource.id}
-                      className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
-                    >
-                      <div className="flex min-w-0 items-center gap-2">
-                        <Icon
-                          name={resource.icon || "workflow"}
-                          className="h-4 w-4 text-gray-500"
-                        />
-                        <div className="min-w-0">
-                          <div className="truncate text-sm font-medium text-gray-900">
-                            {resource.name}
-                          </div>
-                          {resource.subtitle ? (
-                            <div className="truncate text-xs text-gray-500">
-                              {resource.subtitle}
+                  ) : (
+                    resourcesByType.views.map((resource) => {
+                      const state = getAccessState(
+                        permissions,
+                        selectedSubject,
+                        resource
+                      );
+
+                      return (
+                        <div
+                          key={resource.id}
+                          className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+                        >
+                          <div className="flex min-w-0 items-center gap-2">
+                            <Icon
+                              name={resource.icon || "workflow"}
+                              className="h-4 w-4 text-gray-500"
+                            />
+                            <div className="min-w-0">
+                              <div className="truncate text-sm font-medium text-gray-900">
+                                {resource.name}
+                              </div>
+                              {resource.subtitle ? (
+                                <div className="truncate text-xs text-gray-500">
+                                  {resource.subtitle}
+                                </div>
+                              ) : null}
                             </div>
-                          ) : null}
+                          </div>
+
+                          <TriStateAccessSwitch
+                            value={state.access}
+                            disabled={
+                              isListLocked ||
+                              Boolean(mutatingResourceIds[resource.id]) ||
+                              isSubmitting
+                            }
+                            onChange={(access) =>
+                              onSetResourceAccess(resource, access)
+                            }
+                          />
                         </div>
-                      </div>
-
-                      <TriStateAccessSwitch
-                        value={state.access}
-                        disabled={
-                          Boolean(mutatingResourceIds[resource.id]) ||
-                          isSubmitting
-                        }
-                        onChange={(access) =>
-                          onSetResourceAccess(resource, access)
-                        }
-                      />
-                    </div>
-                  );
-                })
-              )}
+                      );
+                    })
+                  )}
+                </div>
+              </div>
+            )}
+          </div>
+        </div>
+
+        {isListLocked ? (
+          <div className="pointer-events-auto absolute inset-0 z-10 flex items-center justify-center rounded-md">
+            <div className="max-w-sm rounded-md border border-gray-200 bg-white/95 p-4 text-center shadow-sm">
+              <p className="text-sm font-medium text-gray-900">
+                Individual resource rules are locked while
+                {bulkAccess === "allow" ? " Allow all" : " Deny all"} is active.
+              </p>
+              <p className="mt-1 text-xs text-gray-500">
+                Set bulk access to Default to edit individual resources.
+              </p>
+              <Button
+                type="button"
+                size="sm"
+                variant="outline"
+                className="mt-3"
+                onClick={() =>
+                  onSetManyResourceAccess(resetTargetResources, "default")
+                }
+              >
+                Set to Default
+              </Button>
             </div>
           </div>
-        )}
+        ) : null}
       </div>
     </div>
   );
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 21fd8bdce5..0c03326580 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -7,6 +7,8 @@ import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStat
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Input } from "@flanksource-ui/components/ui/input";
 import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
+import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { useQuery } from "@tanstack/react-query";
 import { useEffect, useMemo, useState } from "react";
 
@@ -26,19 +28,38 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
   access_token_person: 4
 };
 
-type SubjectAccess = "deny" | "default" | "allow";
+export type SubjectAccess = "deny" | "default" | "allow";
+
+type ActiveTab = "all" | "allowed";
+
+const TABS: Array<{ key: ActiveTab; label: string }> = [
+  { key: "all", label: "All" },
+  { key: "allowed", label: "Allowed" }
+];
+
+const BULK_OPTIONS = ["Deny", "Default", "Allow"] as const;
+type BulkOption = (typeof BULK_OPTIONS)[number];
 
 type SubjectSelectorPanelProps = {
   title?: string;
   description?: string;
+  headerEntity?: {
+    name: string;
+    icon?: string;
+  };
   preselectedSubjectAccess?: Record<string, "allow" | "deny">;
   isSubmitting?: boolean;
+  isBulkSubmitting?: boolean;
   mutatingSubjectId?: string | null;
-  onClose?: () => void;
+  bulkAccess?: SubjectAccess;
+  onSetBulkAccess?: (access: SubjectAccess) => Promise<void> | void;
   onSetSubjectAccess: (
     subject: PermissionSubject,
     access: SubjectAccess
   ) => Promise<void> | void;
+  onSetManySubjectAccess?: (
+    selections: Array<{ subject: PermissionSubject; access: "allow" | "deny" }>
+  ) => Promise<void> | void;
 };
 
 export default function SubjectSelectorPanel({
@@ -46,10 +67,15 @@ export default function SubjectSelectorPanel({
   description,
   preselectedSubjectAccess = {},
   isSubmitting = false,
+  isBulkSubmitting = false,
   mutatingSubjectId,
-  onClose,
-  onSetSubjectAccess
+  headerEntity,
+  bulkAccess,
+  onSetBulkAccess,
+  onSetSubjectAccess,
+  onSetManySubjectAccess
 }: SubjectSelectorPanelProps) {
+  const [activeTab, setActiveTab] = useState<ActiveTab>("all");
   const [search, setSearch] = useState("");
   const [selectedAccessById, setSelectedAccessById] = useState<
     Record<string, SubjectAccess>
@@ -99,7 +125,7 @@ export default function SubjectSelectorPanel({
     setSelectedAccessById(next);
   }, [preselectedAccessSignature]);
 
-  const filteredSubjects = useMemo(() => {
+  const sortedSubjects = useMemo(() => {
     const query = debouncedSearch;
 
     return subjects
@@ -120,10 +146,20 @@ export default function SubjectSelectorPanel({
       });
   }, [debouncedSearch, subjects]);
 
+  const displayedSubjects = useMemo(() => {
+    if (activeTab === "allowed") {
+      return sortedSubjects.filter(
+        (subject) => selectedAccessById[subject.id] === "allow"
+      );
+    }
+
+    return sortedSubjects;
+  }, [activeTab, selectedAccessById, sortedSubjects]);
+
   const groupedDisplayedSubjects = useMemo(() => {
     const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
 
-    for (const subject of filteredSubjects) {
+    for (const subject of displayedSubjects) {
       const list = grouped.get(subject.type) ?? [];
       list.push(subject);
       grouped.set(subject.type, list);
@@ -131,15 +167,111 @@ export default function SubjectSelectorPanel({
 
     return Array.from(grouped.entries())
       .sort((a, b) => SUBJECT_TYPE_ORDER[a[0]] - SUBJECT_TYPE_ORDER[b[0]])
-      .map(([type, groupedSubjects]) => ({
+      .map(([type, groupSubjects]) => ({
         type,
-        subjects: groupedSubjects
+        subjects: groupSubjects
       }));
-  }, [filteredSubjects]);
+  }, [displayedSubjects]);
+
+  const counts = useMemo(() => {
+    const all = subjects.length;
+    const allowed = subjects.filter(
+      (subject) => selectedAccessById[subject.id] === "allow"
+    ).length;
+
+    return { all, allowed };
+  }, [selectedAccessById, subjects]);
+
+  const bulkAccessFromSelection = useMemo<SubjectAccess>(() => {
+    if (displayedSubjects.length === 0) {
+      return "default";
+    }
+
+    const accessValues = displayedSubjects.map(
+      (subject) => selectedAccessById[subject.id] ?? "default"
+    );
+
+    if (accessValues.every((value) => value === "allow")) {
+      return "allow";
+    }
+
+    if (accessValues.every((value) => value === "deny")) {
+      return "deny";
+    }
+
+    if (accessValues.every((value) => value === "default")) {
+      return "default";
+    }
+
+    return "default";
+  }, [displayedSubjects, selectedAccessById]);
+
+  const resolvedBulkAccess = bulkAccess ?? bulkAccessFromSelection;
+
+  const bulkOptionValue: BulkOption =
+    resolvedBulkAccess === "allow"
+      ? "Allow"
+      : resolvedBulkAccess === "deny"
+        ? "Deny"
+        : "Default";
+
+  const setBulkSubjectAccess = async (access: SubjectAccess) => {
+    if (onSetBulkAccess) {
+      await onSetBulkAccess(access);
+      return;
+    }
+
+    if (displayedSubjects.length === 0) {
+      return;
+    }
+
+    const nextSelections = { ...selectedAccessById };
+
+    for (const subject of displayedSubjects) {
+      if (access === "default") {
+        delete nextSelections[subject.id];
+      } else {
+        nextSelections[subject.id] = access;
+      }
+    }
+
+    setSelectedAccessById(nextSelections);
+
+    if (onSetManySubjectAccess) {
+      const subjectsById = new Map(
+        subjects.map((subject) => [subject.id, subject] as const)
+      );
 
-  const selectedCount = Object.keys(selectedAccessById).filter(
-    (id) => selectedAccessById[id] !== "default"
-  ).length;
+      const selections = Object.entries(nextSelections)
+        .filter(([, value]) => value === "allow" || value === "deny")
+        .map(([subjectId, value]) => {
+          const subject = subjectsById.get(subjectId);
+          if (!subject) {
+            return null;
+          }
+
+          return {
+            subject,
+            access: value as "allow" | "deny"
+          };
+        })
+        .filter(
+          (
+            entry
+          ): entry is {
+            subject: PermissionSubject;
+            access: "allow" | "deny";
+          } => !!entry
+        );
+
+      await onSetManySubjectAccess(selections);
+      return;
+    }
+
+    await Promise.all(
+      displayedSubjects.map((subject) => onSetSubjectAccess(subject, access))
+    );
+  };
 
   const setSubjectAccess = (
     subject: PermissionSubject,
@@ -160,71 +292,166 @@ export default function SubjectSelectorPanel({
     void onSetSubjectAccess(subject, access);
   };
 
+  const isListLocked =
+    Boolean(onSetBulkAccess) &&
+    (resolvedBulkAccess === "allow" || resolvedBulkAccess === "deny");
+
   return (
-    <div className="flex h-full min-h-0 flex-col overflow-hidden rounded-md border border-gray-200 bg-white p-3">
-      <div className="mb-3 flex items-start justify-between gap-2">
-        <div>
-          {title ? (
-            <div className="text-sm font-semibold text-gray-900">{title}</div>
-          ) : null}
-          {description ? (
-            <div className="mt-0.5 text-xs text-gray-500">{description}</div>
+    <div className="flex min-h-0 flex-1 flex-col gap-3">
+      <div className="flex items-center justify-between gap-3">
+        <div className="flex min-w-0 items-center gap-2">
+          {headerEntity ? (
+            <span className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-gray-700">
+              <Icon
+                name={headerEntity.icon || "playbook"}
+                className="h-4 w-4"
+              />
+            </span>
           ) : null}
+          <div className="min-w-0">
+            <div className="truncate text-sm font-semibold text-gray-900">
+              {headerEntity?.name || title}
+            </div>
+            {!headerEntity && description ? (
+              <div className="mt-0.5 text-xs text-gray-500">{description}</div>
+            ) : null}
+          </div>
         </div>
-        {onClose ? (
-          <Button type="button" variant="outline" size="sm" onClick={onClose}>
-            Close
-          </Button>
-        ) : null}
-      </div>
 
-      <Input
-        placeholder="Search users, teams, groups, or roles"
-        value={search}
-        onChange={(event) => setSearch(event.target.value)}
-      />
-
-      <div className="mt-2 text-xs text-gray-500">
-        Selected: {selectedCount} subject{selectedCount === 1 ? "" : "s"}
+        <div
+          className={
+            isSubmitting || isBulkSubmitting || displayedSubjects.length === 0
+              ? "pointer-events-none opacity-60"
+              : undefined
+          }
+          aria-disabled={
+            isSubmitting ||
+            isBulkSubmitting ||
+            displayedSubjects.length === 0 ||
+            undefined
+          }
+        >
+          <Switch
+            size="sm"
+            options={[...BULK_OPTIONS]}
+            value={bulkOptionValue}
+            onChange={(value) => {
+              const access: SubjectAccess =
+                value === "Allow"
+                  ? "allow"
+                  : value === "Deny"
+                    ? "deny"
+                    : "default";
+              void setBulkSubjectAccess(access);
+            }}
+            getActiveItemClassName={(option) =>
+              option === "Allow"
+                ? "!bg-green-600 !text-white !ring-green-600"
+                : option === "Deny"
+                  ? "!bg-red-600 !text-white !ring-red-600"
+                  : undefined
+            }
+          />
+        </div>
       </div>
 
-      <div className="relative mt-3 min-h-0 flex-1 space-y-4 overflow-y-auto rounded-md">
-        {isLoading || isFetching ? (
-          <div className="flex items-center gap-2 p-2 text-sm text-gray-500">
-            <div className="h-4 w-4 animate-spin rounded-full border-2 border-gray-300 border-t-gray-600" />
-            Loading subjects...
-          </div>
-        ) : filteredSubjects.length > 0 ? (
-          groupedDisplayedSubjects.map((group) => (
-            <div key={group.type} className="space-y-1">
-              <div className="px-2 pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
-                {TYPE_LABELS[group.type] ?? group.type}
-              </div>
+      <div className="relative min-h-0 flex-1">
+        <div
+          className={`flex h-full min-h-0 flex-col gap-3 ${
+            isListLocked
+              ? "pointer-events-none select-none opacity-60 blur-[1px]"
+              : ""
+          }`}
+          aria-hidden={isListLocked || undefined}
+        >
+          <div className="flex items-center gap-2">
+            {TABS.map((tab) => {
+              const isActive = activeTab === tab.key;
+              const count = counts[tab.key];
 
-              {group.subjects.map((subject) => (
-                <div
-                  key={subject.id}
-                  className="flex items-center justify-between rounded px-2 py-1.5 hover:bg-gray-50"
+              return (
+                <Button
+                  key={tab.key}
+                  type="button"
+                  variant={isActive ? "default" : "outline"}
+                  size="sm"
+                  className={
+                    isActive
+                      ? "border-gray-900 bg-gray-900 text-white hover:bg-gray-800"
+                      : "text-gray-700"
+                  }
+                  onClick={() => setActiveTab(tab.key)}
                 >
-                  <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
-                    <SubjectAvatar subject={subject} size="xs" />
-                    <div className="min-w-0 truncate text-sm font-medium text-gray-900">
-                      {subject.name}
-                    </div>
+                  {tab.label}{" "}
+                  <span className="ml-1 text-xs opacity-80">{count}</span>
+                </Button>
+              );
+            })}
+          </div>
+
+          <Input
+            placeholder="Search ..."
+            value={search}
+            onChange={(event) => setSearch(event.target.value)}
+          />
+
+          <div className="mb-3 min-h-0 flex-1 space-y-4 overflow-y-auto">
+            {isLoading || isFetching ? (
+              <div className="flex items-center gap-2 p-2 text-sm text-gray-500">
+                <div className="h-4 w-4 animate-spin rounded-full border-2 border-gray-300 border-t-gray-600" />
+                Loading subjects...
+              </div>
+            ) : displayedSubjects.length > 0 ? (
+              groupedDisplayedSubjects.map((group) => (
+                <div key={group.type} className="space-y-2">
+                  <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+                    {TYPE_LABELS[group.type] ?? group.type}
                   </div>
 
-                  <TriStateAccessSwitch
-                    value={selectedAccessById[subject.id] ?? "default"}
-                    disabled={isSubmitting || mutatingSubjectId === subject.id}
-                    onChange={(next) => setSubjectAccess(subject, next)}
-                  />
+                  <div className="overflow-hidden rounded-md border border-gray-200">
+                    {group.subjects.map((subject) => (
+                      <div
+                        key={subject.id}
+                        className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+                      >
+                        <div className="flex min-w-0 flex-1 items-center gap-2 pr-2">
+                          <SubjectAvatar subject={subject} size="xs" />
+                          <div className="min-w-0 truncate text-sm font-medium text-gray-900">
+                            {subject.name}
+                          </div>
+                        </div>
+
+                        <TriStateAccessSwitch
+                          value={selectedAccessById[subject.id] ?? "default"}
+                          disabled={
+                            isListLocked ||
+                            isSubmitting ||
+                            mutatingSubjectId === subject.id
+                          }
+                          onChange={(next) => setSubjectAccess(subject, next)}
+                        />
+                      </div>
+                    ))}
+                  </div>
                 </div>
-              ))}
+              ))
+            ) : (
+              <div className="p-2 text-sm text-gray-500">No subjects found</div>
+            )}
+          </div>
+        </div>
+
+        {isListLocked ? (
+          <div className="pointer-events-auto absolute inset-0 z-10 flex items-center justify-center rounded-md">
+            <div className="max-w-sm rounded-md border border-gray-200 bg-white/95 p-4 text-center shadow-sm">
+              <p className="text-sm font-medium text-gray-900">
+                Individual subject rules are locked while
+                {resolvedBulkAccess === "allow" ? " Allow all" : " Deny all"} is
+                active.
+              </p>
             </div>
-          ))
-        ) : (
-          <div className="p-2 text-sm text-gray-500">No subjects found</div>
-        )}
+          </div>
+        ) : null}
       </div>
     </div>
   );
diff --git a/src/pages/Settings/mcp/McpCheckAccessPage.tsx b/src/pages/Settings/mcp/McpCheckAccessPage.tsx
index 8dc5047259..57ba435ca9 100644
--- a/src/pages/Settings/mcp/McpCheckAccessPage.tsx
+++ b/src/pages/Settings/mcp/McpCheckAccessPage.tsx
@@ -31,7 +31,15 @@ export default function McpCheckAccessPage() {
         <div>
           <h3 className="text-lg font-semibold text-gray-900">Check Access</h3>
           <p className="text-sm text-gray-600">
-            Validate whether a subject can invoke MCP resources.
+            Permissions granted from the MCP settings page are only one part of
+            the overall access model. Additional permissions, created elsewhere
+            in the UI or from Kubernetes resources, may override or supersede
+            them.
+          </p>
+          <br />
+          <p className="text-sm text-gray-600">
+            This check evaluates the final effective access across all
+            permissions.
           </p>
         </div>
 
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index c3085ca4be..0b872749fe 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -1,10 +1,14 @@
 import { getAllPlaybookNames } from "@flanksource-ui/api/services/playbooks";
 import { fetchMcpRunPermissions } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
-import ResourceAccessCard from "@flanksource-ui/components/Permissions/ResourceAccessCard";
-import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import SubjectSelectorPanel, {
+  SubjectAccess
+} from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
+import { Input } from "@flanksource-ui/components/ui/input";
+import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
+import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
+import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { useQuery } from "@tanstack/react-query";
 import { useEffect, useMemo, useState } from "react";
 
@@ -31,6 +35,8 @@ export default function McpPlaybooksPage() {
     setSelectiveSubjectAccess,
     isSettingSelectiveSubjectAccess,
     mutatingSubjectId,
+    allowSelectiveAccess,
+    isAllowingSelective,
     loading,
     isInitialLoading,
     preselectedSubjectAccess,
@@ -47,6 +53,9 @@ export default function McpPlaybooksPage() {
   });
 
   const [isSubjectPanelSwitching, setIsSubjectPanelSwitching] = useState(false);
+  const [playbookSearch, setPlaybookSearch] = useState("");
+
+  const debouncedSearch = useDebouncedValue(playbookSearch, 200) ?? "";
 
   useEffect(() => {
     if (!selectedPlaybook) {
@@ -66,8 +75,17 @@ export default function McpPlaybooksPage() {
 
   const groupedPlaybooks = useMemo(() => {
     const grouped = new Map<string, typeof playbooks>();
+    const loweredSearch = debouncedSearch.trim().toLowerCase();
 
     for (const playbook of playbooks) {
+      const displayName = playbook.title || playbook.name;
+      const haystack =
+        `${displayName} ${playbook.namespace || ""} ${playbook.category || ""}`.toLowerCase();
+
+      if (loweredSearch && !haystack.includes(loweredSearch)) {
+        continue;
+      }
+
       const category = playbook.category?.trim() || "Other";
       const categoryPlaybooks = grouped.get(category) ?? [];
       categoryPlaybooks.push(playbook);
@@ -93,7 +111,23 @@ export default function McpPlaybooksPage() {
           })
         )
       }));
-  }, [playbooks]);
+  }, [debouncedSearch, playbooks]);
+
+  const visiblePlaybooks = useMemo(
+    () => groupedPlaybooks.flatMap((group) => group.playbooks),
+    [groupedPlaybooks]
+  );
+
+  useEffect(() => {
+    if (
+      selectedPlaybook?.id &&
+      visiblePlaybooks.some((playbook) => playbook.id === selectedPlaybook.id)
+    ) {
+      return;
+    }
+
+    setSelectedResourceId(visiblePlaybooks[0]?.id ?? null);
+  }, [selectedPlaybook?.id, setSelectedResourceId, visiblePlaybooks]);
 
   return (
     <McpTabsLinks
@@ -113,65 +147,98 @@ export default function McpPlaybooksPage() {
           </p>
         </div>
 
-        <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl">
-            <div className="space-y-4">
-              {groupedPlaybooks.map((group) => {
-                return (
-                  <div key={group.category} className="space-y-2">
-                    <h4 className="text-sm font-semibold text-gray-700">
+        <div className="flex min-h-0 flex-1 gap-4">
+          <div className="flex w-[320px] shrink-0 flex-col">
+            <Input
+              placeholder="Search playbooks..."
+              value={playbookSearch}
+              onChange={(event) => setPlaybookSearch(event.target.value)}
+            />
+
+            <div className="mt-3 min-h-0 flex-1 space-y-3 overflow-y-auto">
+              {groupedPlaybooks.length === 0 ? (
+                <div className="px-2 py-1.5 text-sm text-gray-500">
+                  No playbooks found
+                </div>
+              ) : (
+                groupedPlaybooks.map((group) => (
+                  <div key={group.category} className="space-y-1">
+                    <div className="px-2 text-xs font-semibold uppercase tracking-wide text-gray-500">
                       {group.category}
-                    </h4>
-
-                    <div className="[&>*+*]:border-t [&>*+*]:border-gray-200 [&>*]:pb-2 [&>*]:pt-2">
-                      {group.playbooks.map((playbook) => {
-                        return (
-                          <ResourceAccessCard
-                            key={playbook.id}
-                            entity={{
-                              id: playbook.id,
-                              name: playbook.title || playbook.name,
-                              namespace: playbook.namespace,
-                              icon: playbook.icon
-                            }}
-                            globalOverride={
-                              globalOverrideByResource.get(playbook.id) ??
-                              "none"
-                            }
-                            isMutating={mutatingResourceId === playbook.id}
-                            isSelected={selectedPlaybook?.id === playbook.id}
-                            onGlobalOverrideChange={(override) =>
-                              setGlobalOverride(playbook, override)
-                            }
-                            onViewSubjects={() =>
-                              setSelectedResourceId(playbook.id)
-                            }
-                          />
-                        );
-                      })}
                     </div>
+
+                    {group.playbooks.map((playbook) => {
+                      const isActive = selectedPlaybook?.id === playbook.id;
+
+                      return (
+                        <button
+                          key={playbook.id}
+                          type="button"
+                          onClick={() => setSelectedResourceId(playbook.id)}
+                          className={`flex w-full items-center gap-2 rounded px-2 py-1.5 text-left text-sm transition-colors ${
+                            isActive
+                              ? "bg-blue-50 text-blue-800"
+                              : "text-gray-800 hover:bg-gray-50"
+                          }`}
+                        >
+                          <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-50 text-indigo-700">
+                            <Icon
+                              name={playbook.icon || "playbook"}
+                              className="h-3 w-3"
+                            />
+                          </span>
+                          <span className="truncate">
+                            {playbook.title || playbook.name}
+                          </span>
+                        </button>
+                      );
+                    })}
                   </div>
-                );
-              })}
+                ))
+              )}
             </div>
           </div>
 
-          <div className="min-h-0 w-full shrink-0 lg:w-[420px]">
+          <div className="min-h-0 min-w-0 flex-1 lg:max-w-3xl">
             {selectedPlaybook ? (
               <div className="relative h-full">
                 <SubjectSelectorPanel
                   key={selectedPlaybook.id}
-                  title={`Subject access for ${
-                    selectedPlaybook.title || selectedPlaybook.name
-                  }`}
-                  description="Select users, teams, groups, or roles to manage playbook access for MCP usage."
+                  headerEntity={{
+                    name: selectedPlaybook.title || selectedPlaybook.name,
+                    icon: selectedPlaybook.icon || "playbook"
+                  }}
                   preselectedSubjectAccess={preselectedSubjectAccess}
-                  isSubmitting={isSettingSelectiveSubjectAccess}
+                  bulkAccess={
+                    (globalOverrideByResource.get(selectedPlaybook.id) ===
+                    "allow"
+                      ? "allow"
+                      : globalOverrideByResource.get(selectedPlaybook.id) ===
+                          "deny"
+                        ? "deny"
+                        : "default") as SubjectAccess
+                  }
+                  isSubmitting={
+                    isSettingSelectiveSubjectAccess || isAllowingSelective
+                  }
+                  isBulkSubmitting={mutatingResourceId === selectedPlaybook.id}
                   mutatingSubjectId={mutatingSubjectId}
-                  onClose={() => setSelectedResourceId(null)}
+                  onSetBulkAccess={(access) =>
+                    setGlobalOverride(
+                      selectedPlaybook,
+                      access === "allow"
+                        ? "allow"
+                        : access === "deny"
+                          ? "deny"
+                          : "none"
+                    )
+                  }
                   onSetSubjectAccess={(subject, access) =>
                     setSelectiveSubjectAccess(selectedPlaybook, subject, access)
                   }
+                  onSetManySubjectAccess={(selections) =>
+                    allowSelectiveAccess(selectedPlaybook, selections)
+                  }
                 />
 
                 {isSubjectPanelSwitching ? (
diff --git a/src/pages/Settings/mcp/McpSubjectAccessPage.tsx b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
index aab3f947ac..0440e05bdc 100644
--- a/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
+++ b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
@@ -456,7 +456,7 @@ export default function McpSubjectAccessPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 gap-4">
-          <div className="flex w-[280px] shrink-0 flex-col">
+          <div className="flex w-[320px] shrink-0 flex-col">
             <Input
               placeholder="Search subjects..."
               value={subjectSearch}
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index a44faa7baf..a18f341028 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -1,10 +1,14 @@
 import { fetchMcpRunPermissions } from "@flanksource-ui/api/services/permissions";
 import { getAllViews } from "@flanksource-ui/api/services/views";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
-import ResourceAccessCard from "@flanksource-ui/components/Permissions/ResourceAccessCard";
-import SubjectSelectorPanel from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import SubjectSelectorPanel, {
+  SubjectAccess
+} from "@flanksource-ui/components/Permissions/SubjectSelectorPanel";
+import { Input } from "@flanksource-ui/components/ui/input";
+import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
+import { useMcpResourcePermissions } from "@flanksource-ui/lib/permissions/useMcpResourcePermissions";
+import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { useQuery } from "@tanstack/react-query";
 import { useEffect, useMemo, useState } from "react";
 
@@ -25,7 +29,6 @@ export default function McpViewsPage() {
   const views = useMemo(() => viewsResponse?.data ?? [], [viewsResponse?.data]);
 
   const {
-    permissionsByResource,
     globalOverrideByResource,
     selectedResource: selectedView,
     setSelectedResourceId,
@@ -34,6 +37,8 @@ export default function McpViewsPage() {
     setSelectiveSubjectAccess,
     isSettingSelectiveSubjectAccess,
     mutatingSubjectId,
+    allowSelectiveAccess,
+    isAllowingSelective,
     loading,
     isInitialLoading,
     preselectedSubjectAccess,
@@ -50,6 +55,9 @@ export default function McpViewsPage() {
   });
 
   const [isSubjectPanelSwitching, setIsSubjectPanelSwitching] = useState(false);
+  const [viewSearch, setViewSearch] = useState("");
+
+  const debouncedSearch = useDebouncedValue(viewSearch, 200) ?? "";
 
   useEffect(() => {
     if (!selectedView) {
@@ -69,6 +77,58 @@ export default function McpViewsPage() {
     };
   }, [selectedView?.id]);
 
+  const groupedViews = useMemo(() => {
+    const grouped = new Map<string, typeof views>();
+    const loweredSearch = debouncedSearch.trim().toLowerCase();
+
+    for (const view of views) {
+      const displayName = view.spec?.title || view.name;
+      const group = view.namespace?.trim() || "Global";
+      const haystack = `${displayName} ${view.namespace || ""}`.toLowerCase();
+
+      if (loweredSearch && !haystack.includes(loweredSearch)) {
+        continue;
+      }
+
+      const list = grouped.get(group) ?? [];
+      list.push(view);
+      grouped.set(group, list);
+    }
+
+    return Array.from(grouped.entries())
+      .sort(([a], [b]) =>
+        a.localeCompare(b, undefined, { sensitivity: "base" })
+      )
+      .map(([group, groupedItems]) => ({
+        group,
+        views: groupedItems.sort((a, b) =>
+          (a.spec?.title || a.name).localeCompare(
+            b.spec?.title || b.name,
+            undefined,
+            {
+              sensitivity: "base"
+            }
+          )
+        )
+      }));
+  }, [debouncedSearch, views]);
+
+  const visibleViews = useMemo(
+    () => groupedViews.flatMap((group) => group.views),
+    [groupedViews]
+  );
+
+  useEffect(() => {
+    if (
+      selectedView?.id &&
+      visibleViews.some((view) => view.id === selectedView.id)
+    ) {
+      return;
+    }
+
+    setSelectedResourceId(visibleViews[0]?.id ?? null);
+  }, [selectedView?.id, setSelectedResourceId, visibleViews]);
+
   return (
     <McpTabsLinks
       activeTab="Views"
@@ -87,46 +147,97 @@ export default function McpViewsPage() {
           </p>
         </div>
 
-        <div className="flex min-h-0 flex-1 flex-col gap-4 lg:flex-row">
-          <div className="min-h-0 min-w-0 flex-1 overflow-y-auto pr-3 lg:max-w-3xl [&>*+*]:border-t [&>*+*]:border-gray-200 [&>*]:pb-2 [&>*]:pt-2">
-            {views.map((view) => {
-              return (
-                <ResourceAccessCard
-                  key={view.id}
-                  entity={{
-                    id: view.id,
-                    name: view.spec?.title || view.name,
-                    namespace: view.namespace,
-                    icon: view.spec?.icon || "workflow"
-                  }}
-                  globalOverride={
-                    globalOverrideByResource.get(view.id) ?? "none"
-                  }
-                  isMutating={mutatingResourceId === view.id}
-                  isSelected={selectedView?.id === view.id}
-                  onGlobalOverrideChange={(override) =>
-                    setGlobalOverride(view, override)
-                  }
-                  onViewSubjects={() => setSelectedResourceId(view.id)}
-                />
-              );
-            })}
+        <div className="flex min-h-0 flex-1 gap-4">
+          <div className="flex w-[320px] shrink-0 flex-col">
+            <Input
+              placeholder="Search views..."
+              value={viewSearch}
+              onChange={(event) => setViewSearch(event.target.value)}
+            />
+
+            <div className="mt-3 min-h-0 flex-1 space-y-3 overflow-y-auto">
+              {groupedViews.length === 0 ? (
+                <div className="px-2 py-1.5 text-sm text-gray-500">
+                  No views found
+                </div>
+              ) : (
+                groupedViews.map((group) => (
+                  <div key={group.group} className="space-y-1">
+                    <div className="px-2 text-xs font-semibold uppercase tracking-wide text-gray-500">
+                      {group.group}
+                    </div>
+
+                    {group.views.map((view) => {
+                      const isActive = selectedView?.id === view.id;
+
+                      return (
+                        <button
+                          key={view.id}
+                          type="button"
+                          onClick={() => setSelectedResourceId(view.id)}
+                          className={`flex w-full items-center gap-2 rounded px-2 py-1.5 text-left text-sm transition-colors ${
+                            isActive
+                              ? "bg-blue-50 text-blue-800"
+                              : "text-gray-800 hover:bg-gray-50"
+                          }`}
+                        >
+                          <span className="flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-indigo-50 text-indigo-700">
+                            <Icon
+                              name={view.spec?.icon || "workflow"}
+                              className="h-3 w-3"
+                            />
+                          </span>
+                          <span className="truncate">
+                            {view.spec?.title || view.name}
+                          </span>
+                        </button>
+                      );
+                    })}
+                  </div>
+                ))
+              )}
+            </div>
           </div>
 
           {/* Keep a stable right-column width/height for both states so layout doesn't jump. */}
-          <div className="min-h-0 w-full shrink-0 lg:w-[420px]">
+          <div className="min-h-0 min-w-0 flex-1 lg:max-w-3xl">
             {selectedView ? (
               <div className="relative h-full">
                 <SubjectSelectorPanel
                   key={selectedView.id}
-                  description="Select users, teams, groups, or roles to manage view access for MCP usage."
+                  headerEntity={{
+                    name: selectedView.spec?.title || selectedView.name,
+                    icon: selectedView.spec?.icon || "workflow"
+                  }}
                   preselectedSubjectAccess={preselectedSubjectAccess}
-                  isSubmitting={isSettingSelectiveSubjectAccess}
+                  bulkAccess={
+                    (globalOverrideByResource.get(selectedView.id) === "allow"
+                      ? "allow"
+                      : globalOverrideByResource.get(selectedView.id) === "deny"
+                        ? "deny"
+                        : "default") as SubjectAccess
+                  }
+                  isSubmitting={
+                    isSettingSelectiveSubjectAccess || isAllowingSelective
+                  }
+                  isBulkSubmitting={mutatingResourceId === selectedView.id}
                   mutatingSubjectId={mutatingSubjectId}
-                  onClose={() => setSelectedResourceId(null)}
+                  onSetBulkAccess={(access) =>
+                    setGlobalOverride(
+                      selectedView,
+                      access === "allow"
+                        ? "allow"
+                        : access === "deny"
+                          ? "deny"
+                          : "none"
+                    )
+                  }
                   onSetSubjectAccess={(subject, access) =>
                     setSelectiveSubjectAccess(selectedView, subject, access)
                   }
+                  onSetManySubjectAccess={(selections) =>
+                    allowSelectiveAccess(selectedView, selections)
+                  }
                 />
 
                 {isSubjectPanelSwitching ? (

From 6ee4764fef9159dfd2b29959f59654130e2b4a95 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 10:50:31 +0545
Subject: [PATCH 38/48] feat(permissions): add effective access checks across
 MCP tabs

---
 src/api/services/rbac.ts                      | 126 +++++++++++
 .../Permissions/ResourceSelectorPanel.tsx     | 121 ++++++++---
 .../Permissions/SubjectSelectorPanel.tsx      | 205 ++++++++++++++----
 .../Permissions/TriStateAccessSwitch.tsx      |   6 +-
 src/pages/Settings/mcp/McpPlaybooksPage.tsx   |   5 +
 .../Settings/mcp/McpSubjectAccessPage.tsx     |  88 +++++++-
 src/pages/Settings/mcp/McpViewsPage.tsx       |   5 +
 7 files changed, 480 insertions(+), 76 deletions(-)

diff --git a/src/api/services/rbac.ts b/src/api/services/rbac.ts
index c5da50707f..17948e022b 100644
--- a/src/api/services/rbac.ts
+++ b/src/api/services/rbac.ts
@@ -115,3 +115,129 @@ export async function reviewSubjectAccess(
 
   return response.data;
 }
+
+export type EffectiveSubjectResourceAccessResource = {
+  id: string;
+  type: "playbook" | "view";
+};
+
+export type EffectiveSubjectResourceAccessRequest = {
+  subject: string;
+  action: SubjectAccessReviewAction;
+  resources: EffectiveSubjectResourceAccessResource[];
+};
+
+export type EffectiveSubjectResourceAccessResult = {
+  resourceId: string;
+  resourceType: "playbook" | "view";
+  allowed: boolean;
+};
+
+export type EffectiveSubjectResourceAccessResponse = {
+  subject: string;
+  action: SubjectAccessReviewAction;
+  results: EffectiveSubjectResourceAccessResult[];
+};
+
+type SubjectAccessSearchRequest = {
+  subject: string;
+  action: SubjectAccessReviewAction;
+  resource_types?: Array<"playbook" | "view">;
+  search?: string;
+  namespace?: string;
+};
+
+type SubjectAccessSearchResponse = {
+  subject: string;
+  action: SubjectAccessReviewAction;
+  resource_types: Array<"playbook" | "view">;
+  total: number;
+  limit: number;
+  offset: number;
+  results: Array<{
+    resource_type: "playbook" | "view";
+    id: string;
+    name: string;
+    namespace?: string;
+  }>;
+};
+
+export async function fetchEffectiveSubjectResourceAccess(
+  payload: EffectiveSubjectResourceAccessRequest
+): Promise<EffectiveSubjectResourceAccessResponse> {
+  const resourceTypes = Array.from(
+    new Set(payload.resources.map((resource) => resource.type))
+  );
+
+  const allowedResourceKeys = new Set<string>();
+
+  const response = await Rback.post<SubjectAccessSearchResponse>(
+    "/subject-access-search",
+    {
+      subject: payload.subject,
+      action: payload.action,
+      resource_types: resourceTypes
+    } satisfies SubjectAccessSearchRequest
+  );
+
+  const data = response.data;
+
+  for (const result of data.results ?? []) {
+    allowedResourceKeys.add(`${result.resource_type}:${result.id}`);
+  }
+
+  return {
+    subject: payload.subject,
+    action: payload.action,
+    results: payload.resources.map((resource) => ({
+      resourceId: resource.id,
+      resourceType: resource.type,
+      allowed: allowedResourceKeys.has(`${resource.type}:${resource.id}`)
+    }))
+  };
+}
+
+export type EffectiveResourceSubjectAccessRequest = {
+  resource: EffectiveSubjectResourceAccessResource;
+  action: SubjectAccessReviewAction;
+  subjects: string[];
+};
+
+export type EffectiveResourceSubjectAccessResult = {
+  subjectId: string;
+  allowed: boolean;
+};
+
+export type EffectiveResourceSubjectAccessResponse = {
+  resource: EffectiveSubjectResourceAccessResource;
+  action: SubjectAccessReviewAction;
+  results: EffectiveResourceSubjectAccessResult[];
+};
+
+export async function fetchEffectiveResourceSubjectAccess(
+  payload: EffectiveResourceSubjectAccessRequest
+): Promise<EffectiveResourceSubjectAccessResponse> {
+  const resource: SubjectAccessReviewResource =
+    payload.resource.type === "playbook"
+      ? { playbook: payload.resource.id }
+      : { view: payload.resource.id };
+
+  const response = await reviewSubjectAccess({
+    resource,
+    action: payload.action,
+    subjects: ["*"]
+  });
+
+  const allowedBySubject = new Map(
+    (response.results ?? []).map((result) => [result.subject, result.allowed])
+  );
+
+  return {
+    resource: payload.resource,
+    action: payload.action,
+    results: payload.subjects.map((subjectId) => ({
+      subjectId,
+      allowed: allowedBySubject.get(subjectId) === true
+    }))
+  };
+}
diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index 11111016f8..d908f0df0b 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -4,9 +4,15 @@ import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar"
 import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Input } from "@flanksource-ui/components/ui/input";
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger
+} from "@flanksource-ui/components/ui/tooltip";
 import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
+import { Check, X } from "lucide-react";
 import { useMemo, useState } from "react";
 
 export type ResourceAccess = "deny" | "default" | "allow";
@@ -14,18 +20,24 @@ export type ResourceAccess = "deny" | "default" | "allow";
 export type McpSubjectResource = {
   id: string;
   kind: "playbook" | "view";
+  /** Canonical selector name used by object_selector (e.g. playbook.name / view.name). */
   name: string;
+  /** Optional UI label (e.g. title). Falls back to canonical `name`. */
+  displayName?: string;
   namespace?: string;
   icon?: string;
   subtitle?: string;
 };
-
 type ResourceSelectorPanelProps = {
   selectedSubject: PermissionSubject;
   resources: McpSubjectResource[];
   permissions: PermissionsSummary[];
+  effectiveAccessByResourceKey?: Record<string, boolean>;
+  hasEffectiveAccessResults?: boolean;
+  isCheckingEffectiveAccess?: boolean;
   isSubmitting?: boolean;
   mutatingResourceIds?: Record<string, true>;
+  onCheckEffectiveAccess?: () => void;
   onSetResourceAccess: (
     resource: McpSubjectResource,
     access: ResourceAccess
@@ -35,7 +47,6 @@ type ResourceSelectorPanelProps = {
     access: ResourceAccess
   ) => Promise<void> | void;
 };
-
 const TABS = [
   { key: "all", label: "All" },
   { key: "allowed", label: "Allowed" },
@@ -109,8 +120,12 @@ export default function ResourceSelectorPanel({
   selectedSubject,
   resources,
   permissions,
+  effectiveAccessByResourceKey = {},
+  hasEffectiveAccessResults = false,
+  isCheckingEffectiveAccess = false,
   isSubmitting = false,
   mutatingResourceIds = {},
+  onCheckEffectiveAccess,
   onSetResourceAccess,
   onSetManyResourceAccess
 }: ResourceSelectorPanelProps) {
@@ -143,7 +158,7 @@ export default function ResourceSelectorPanel({
       }
 
       const haystack =
-        `${resource.name} ${resource.subtitle || ""} ${resource.namespace || ""}`.toLowerCase();
+        `${resource.displayName || resource.name} ${resource.name} ${resource.subtitle || ""} ${resource.namespace || ""}`.toLowerCase();
       return haystack.includes(normalizedSearch);
     });
   }, [activeTab, normalizedSearch, permissions, resources, selectedSubject]);
@@ -248,6 +263,38 @@ export default function ResourceSelectorPanel({
         ? resources.filter((resource) => resource.kind === "view")
         : resources;
 
+  const getEffectiveBadge = (resource: McpSubjectResource) => {
+    if (!hasEffectiveAccessResults) {
+      return null;
+    }
+
+    const isAllowed =
+      effectiveAccessByResourceKey[`${resource.kind}:${resource.id}`] === true;
+
+    return (
+      <Tooltip>
+        <TooltipTrigger asChild>
+          <span
+            className={
+              isAllowed
+                ? "inline-flex h-5 w-5 items-center justify-center rounded-full bg-emerald-50 text-emerald-600"
+                : "inline-flex h-5 w-5 items-center justify-center rounded-full bg-red-50 text-red-600"
+            }
+          >
+            {isAllowed ? (
+              <Check className="h-3.5 w-3.5" />
+            ) : (
+              <X className="h-3.5 w-3.5" />
+            )}
+          </span>
+        </TooltipTrigger>
+        <TooltipContent side="top">
+          Effective access: {isAllowed ? "Allowed" : "Denied"}
+        </TooltipContent>
+      </Tooltip>
+    );
+  };
+
   return (
     <div className="flex min-h-0 flex-1 flex-col gap-3">
       <div className="flex items-center justify-between gap-3">
@@ -261,6 +308,20 @@ export default function ResourceSelectorPanel({
         </div>
 
         <div className="flex shrink-0 items-center gap-2">
+          {onCheckEffectiveAccess ? (
+            <Button
+              type="button"
+              size="sm"
+              className="bg-blue-600 text-white hover:bg-blue-700"
+              onClick={onCheckEffectiveAccess}
+              disabled={isCheckingEffectiveAccess || resources.length === 0}
+            >
+              {isCheckingEffectiveAccess
+                ? "Checking effective access..."
+                : "Check effective access"}
+            </Button>
+          ) : null}
+
           <div
             className={
               isSubmitting || filteredResources.length === 0
@@ -369,7 +430,7 @@ export default function ResourceSelectorPanel({
                             />
                             <div className="min-w-0">
                               <div className="truncate text-sm font-medium text-gray-900">
-                                {resource.name}
+                                {resource.displayName || resource.name}
                               </div>
                               {resource.subtitle ? (
                                 <div className="truncate text-xs text-gray-500">
@@ -379,17 +440,20 @@ export default function ResourceSelectorPanel({
                             </div>
                           </div>
 
-                          <TriStateAccessSwitch
-                            value={state.access}
-                            disabled={
-                              isListLocked ||
-                              Boolean(mutatingResourceIds[resource.id]) ||
-                              isSubmitting
-                            }
-                            onChange={(access) =>
-                              onSetResourceAccess(resource, access)
-                            }
-                          />
+                          <div className="flex items-center gap-2">
+                            {getEffectiveBadge(resource)}
+                            <TriStateAccessSwitch
+                              value={state.access}
+                              disabled={
+                                isListLocked ||
+                                Boolean(mutatingResourceIds[resource.id]) ||
+                                isSubmitting
+                              }
+                              onChange={(access) =>
+                                onSetResourceAccess(resource, access)
+                              }
+                            />
+                          </div>
                         </div>
                       );
                     })
@@ -430,7 +494,7 @@ export default function ResourceSelectorPanel({
                             />
                             <div className="min-w-0">
                               <div className="truncate text-sm font-medium text-gray-900">
-                                {resource.name}
+                                {resource.displayName || resource.name}
                               </div>
                               {resource.subtitle ? (
                                 <div className="truncate text-xs text-gray-500">
@@ -440,17 +504,20 @@ export default function ResourceSelectorPanel({
                             </div>
                           </div>
 
-                          <TriStateAccessSwitch
-                            value={state.access}
-                            disabled={
-                              isListLocked ||
-                              Boolean(mutatingResourceIds[resource.id]) ||
-                              isSubmitting
-                            }
-                            onChange={(access) =>
-                              onSetResourceAccess(resource, access)
-                            }
-                          />
+                          <div className="flex items-center gap-2">
+                            {getEffectiveBadge(resource)}
+                            <TriStateAccessSwitch
+                              value={state.access}
+                              disabled={
+                                isListLocked ||
+                                Boolean(mutatingResourceIds[resource.id]) ||
+                                isSubmitting
+                              }
+                              onChange={(access) =>
+                                onSetResourceAccess(resource, access)
+                              }
+                            />
+                          </div>
                         </div>
                       );
                     })
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 0c03326580..2b89e3d502 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -2,14 +2,24 @@ import {
   fetchAllPermissionSubjects,
   PermissionSubject
 } from "@flanksource-ui/api/services/permissions";
+import {
+  fetchEffectiveResourceSubjectAccess,
+  SubjectAccessReviewAction
+} from "@flanksource-ui/api/services/rbac";
 import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
 import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Input } from "@flanksource-ui/components/ui/input";
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger
+} from "@flanksource-ui/components/ui/tooltip";
 import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { useQuery } from "@tanstack/react-query";
+import { Check, X } from "lucide-react";
 import { useEffect, useMemo, useState } from "react";
 
 const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
@@ -47,6 +57,11 @@ type SubjectSelectorPanelProps = {
     name: string;
     icon?: string;
   };
+  effectiveAccessResource?: {
+    id: string;
+    type: "playbook" | "view";
+    action?: SubjectAccessReviewAction;
+  };
   preselectedSubjectAccess?: Record<string, "allow" | "deny">;
   isSubmitting?: boolean;
   isBulkSubmitting?: boolean;
@@ -65,6 +80,7 @@ type SubjectSelectorPanelProps = {
 export default function SubjectSelectorPanel({
   title,
   description,
+  effectiveAccessResource,
   preselectedSubjectAccess = {},
   isSubmitting = false,
   isBulkSubmitting = false,
@@ -80,6 +96,10 @@ export default function SubjectSelectorPanel({
   const [selectedAccessById, setSelectedAccessById] = useState<
     Record<string, SubjectAccess>
   >({});
+  const [
+    hasTriggeredEffectiveAccessCheck,
+    setHasTriggeredEffectiveAccessCheck
+  ] = useState(false);
 
   const debouncedSearch =
     useDebouncedValue(search, 250)?.trim().toLowerCase() ?? "";
@@ -94,6 +114,40 @@ export default function SubjectSelectorPanel({
     staleTime: 60_000
   });
 
+  const {
+    data: effectiveSubjectAccessResponse,
+    isFetching: isCheckingEffectiveAccess,
+    refetch: refetchEffectiveSubjectAccess
+  } = useQuery({
+    queryKey: [
+      "mcp",
+      "subject-selector",
+      "effective-access",
+      effectiveAccessResource?.type ?? "none",
+      effectiveAccessResource?.id ?? "none",
+      subjects.length
+    ],
+    enabled: false,
+    queryFn: async () => {
+      if (!effectiveAccessResource) {
+        return {
+          resource: { id: "", type: "playbook" as const },
+          action: "mcp:run" as const,
+          results: [] as Array<{ subjectId: string; allowed: boolean }>
+        };
+      }
+
+      return fetchEffectiveResourceSubjectAccess({
+        resource: {
+          id: effectiveAccessResource.id,
+          type: effectiveAccessResource.type
+        },
+        action: effectiveAccessResource.action ?? "mcp:run",
+        subjects: subjects.map((subject) => subject.id)
+      });
+    }
+  });
+
   const normalizedPreselectedAccess = useMemo(
     () =>
       Object.fromEntries(
@@ -125,6 +179,20 @@ export default function SubjectSelectorPanel({
     setSelectedAccessById(next);
   }, [preselectedAccessSignature]);
 
+  useEffect(() => {
+    setHasTriggeredEffectiveAccessCheck(false);
+  }, [effectiveAccessResource?.type, effectiveAccessResource?.id]);
+
+  const effectiveAccessBySubjectId = useMemo(() => {
+    const map: Record<string, boolean> = {};
+
+    for (const result of effectiveSubjectAccessResponse?.results ?? []) {
+      map[result.subjectId] = result.allowed;
+    }
+
+    return map;
+  }, [effectiveSubjectAccessResponse?.results]);
+
   const sortedSubjects = useMemo(() => {
     const query = debouncedSearch;
 
@@ -296,6 +364,37 @@ export default function SubjectSelectorPanel({
     Boolean(onSetBulkAccess) &&
     (resolvedBulkAccess === "allow" || resolvedBulkAccess === "deny");
 
+  const renderEffectiveAccessIcon = (subject: PermissionSubject) => {
+    if (!hasTriggeredEffectiveAccessCheck) {
+      return null;
+    }
+
+    const allowed = effectiveAccessBySubjectId[subject.id] === true;
+
+    return (
+      <Tooltip>
+        <TooltipTrigger asChild>
+          <span
+            className={
+              allowed
+                ? "inline-flex h-5 w-5 items-center justify-center rounded-full bg-emerald-50 text-emerald-600"
+                : "inline-flex h-5 w-5 items-center justify-center rounded-full bg-red-50 text-red-600"
+            }
+          >
+            {allowed ? (
+              <Check className="h-3.5 w-3.5" />
+            ) : (
+              <X className="h-3.5 w-3.5" />
+            )}
+          </span>
+        </TooltipTrigger>
+        <TooltipContent side="top">
+          Effective access: {allowed ? "Allowed" : "Denied"}
+        </TooltipContent>
+      </Tooltip>
+    );
+  };
+
   return (
     <div className="flex min-h-0 flex-1 flex-col gap-3">
       <div className="flex items-center justify-between gap-3">
@@ -318,40 +417,59 @@ export default function SubjectSelectorPanel({
           </div>
         </div>
 
-        <div
-          className={
-            isSubmitting || isBulkSubmitting || displayedSubjects.length === 0
-              ? "pointer-events-none opacity-60"
-              : undefined
-          }
-          aria-disabled={
-            isSubmitting ||
-            isBulkSubmitting ||
-            displayedSubjects.length === 0 ||
-            undefined
-          }
-        >
-          <Switch
-            size="sm"
-            options={[...BULK_OPTIONS]}
-            value={bulkOptionValue}
-            onChange={(value) => {
-              const access: SubjectAccess =
-                value === "Allow"
-                  ? "allow"
-                  : value === "Deny"
-                    ? "deny"
-                    : "default";
-              void setBulkSubjectAccess(access);
-            }}
-            getActiveItemClassName={(option) =>
-              option === "Allow"
-                ? "!bg-green-600 !text-white !ring-green-600"
-                : option === "Deny"
-                  ? "!bg-red-600 !text-white !ring-red-600"
-                  : undefined
+        <div className="flex items-center gap-2">
+          {effectiveAccessResource ? (
+            <Button
+              type="button"
+              size="sm"
+              className="bg-blue-600 text-white hover:bg-blue-700"
+              disabled={isCheckingEffectiveAccess || subjects.length === 0}
+              onClick={() => {
+                setHasTriggeredEffectiveAccessCheck(true);
+                refetchEffectiveSubjectAccess();
+              }}
+            >
+              {isCheckingEffectiveAccess
+                ? "Checking effective access..."
+                : "Check effective access"}
+            </Button>
+          ) : null}
+
+          <div
+            className={
+              isSubmitting || isBulkSubmitting || displayedSubjects.length === 0
+                ? "pointer-events-none opacity-60"
+                : undefined
             }
-          />
+            aria-disabled={
+              isSubmitting ||
+              isBulkSubmitting ||
+              displayedSubjects.length === 0 ||
+              undefined
+            }
+          >
+            <Switch
+              size="sm"
+              options={[...BULK_OPTIONS]}
+              value={bulkOptionValue}
+              onChange={(value) => {
+                const access: SubjectAccess =
+                  value === "Allow"
+                    ? "allow"
+                    : value === "Deny"
+                      ? "deny"
+                      : "default";
+                void setBulkSubjectAccess(access);
+              }}
+              getActiveItemClassName={(option) =>
+                option === "Allow"
+                  ? "!bg-green-600 !text-white !ring-green-600"
+                  : option === "Deny"
+                    ? "!bg-red-600 !text-white !ring-red-600"
+                    : undefined
+              }
+            />
+          </div>
         </div>
       </div>
 
@@ -421,15 +539,18 @@ export default function SubjectSelectorPanel({
                           </div>
                         </div>
 
-                        <TriStateAccessSwitch
-                          value={selectedAccessById[subject.id] ?? "default"}
-                          disabled={
-                            isListLocked ||
-                            isSubmitting ||
-                            mutatingSubjectId === subject.id
-                          }
-                          onChange={(next) => setSubjectAccess(subject, next)}
-                        />
+                        <div className="flex items-center gap-2">
+                          {renderEffectiveAccessIcon(subject)}
+                          <TriStateAccessSwitch
+                            value={selectedAccessById[subject.id] ?? "default"}
+                            disabled={
+                              isListLocked ||
+                              isSubmitting ||
+                              mutatingSubjectId === subject.id
+                            }
+                            onChange={(next) => setSubjectAccess(subject, next)}
+                          />
+                        </div>
                       </div>
                     ))}
                   </div>
diff --git a/src/components/Permissions/TriStateAccessSwitch.tsx b/src/components/Permissions/TriStateAccessSwitch.tsx
index 6f52bdd12e..52a00012ce 100644
--- a/src/components/Permissions/TriStateAccessSwitch.tsx
+++ b/src/components/Permissions/TriStateAccessSwitch.tsx
@@ -42,10 +42,10 @@ export default function TriStateAccessSwitch({
   return (
     <div className="flex items-center gap-2">
       <div
-        className={`relative inline-flex h-5 w-12 overflow-hidden rounded-full p-0.5 transition-colors ${TRACK_CLASSNAME[value]} ${disabled ? "opacity-60" : ""}`}
+        className={`relative inline-flex h-4 w-11 overflow-hidden rounded-full p-0.5 transition-colors ${TRACK_CLASSNAME[value]} ${disabled ? "opacity-60" : ""}`}
       >
         <span
-          className="pointer-events-none absolute top-0.5 h-4 w-4 rounded-full bg-white shadow transition-transform"
+          className="pointer-events-none absolute top-0.5 h-3 w-3 rounded-full bg-white shadow transition-transform"
           style={{ transform: `translateX(${position}px)` }}
         />
 
@@ -69,7 +69,7 @@ export default function TriStateAccessSwitch({
       </div>
 
       <span
-        className={`min-w-[42px] text-xs font-medium ${ACCESS_LABEL_CLASSNAME[value]}`}
+        className={`min-w-[40px] text-xs font-medium ${ACCESS_LABEL_CLASSNAME[value]}`}
       >
         {ACCESS_LABEL[value]}
       </span>
diff --git a/src/pages/Settings/mcp/McpPlaybooksPage.tsx b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
index 0b872749fe..84b9fe03bc 100644
--- a/src/pages/Settings/mcp/McpPlaybooksPage.tsx
+++ b/src/pages/Settings/mcp/McpPlaybooksPage.tsx
@@ -208,6 +208,11 @@ export default function McpPlaybooksPage() {
                     name: selectedPlaybook.title || selectedPlaybook.name,
                     icon: selectedPlaybook.icon || "playbook"
                   }}
+                  effectiveAccessResource={{
+                    id: selectedPlaybook.id,
+                    type: "playbook",
+                    action: "mcp:run"
+                  }}
                   preselectedSubjectAccess={preselectedSubjectAccess}
                   bulkAccess={
                     (globalOverrideByResource.get(selectedPlaybook.id) ===
diff --git a/src/pages/Settings/mcp/McpSubjectAccessPage.tsx b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
index 0440e05bdc..e3bf4eb7ed 100644
--- a/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
+++ b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
@@ -8,6 +8,10 @@ import {
   PermissionSubject,
   updatePermission
 } from "@flanksource-ui/api/services/permissions";
+import {
+  fetchEffectiveSubjectResourceAccess,
+  EffectiveSubjectResourceAccessResult
+} from "@flanksource-ui/api/services/rbac";
 import { getAllViews } from "@flanksource-ui/api/services/views";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
@@ -83,6 +87,10 @@ export default function McpSubjectAccessPage() {
   >({});
   const [isResourcePanelSwitching, setIsResourcePanelSwitching] =
     useState(false);
+  const [
+    hasTriggeredEffectiveAccessCheck,
+    setHasTriggeredEffectiveAccessCheck
+  ] = useState(false);
 
   const debouncedSearch = useDebouncedValue(subjectSearch, 200) ?? "";
 
@@ -205,7 +213,8 @@ export default function McpSubjectAccessPage() {
       .map((playbook) => ({
         id: playbook.id,
         kind: "playbook" as const,
-        name: playbook.title || playbook.name,
+        name: playbook.name,
+        displayName: playbook.title || playbook.name,
         namespace: playbook.namespace,
         icon: playbook.icon || "playbook",
         subtitle: playbook.namespace
@@ -213,25 +222,89 @@ export default function McpSubjectAccessPage() {
           : "playbook"
       }))
       .sort((a, b) =>
-        a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+        (a.displayName || a.name).localeCompare(
+          b.displayName || b.name,
+          undefined,
+          {
+            sensitivity: "base"
+          }
+        )
       );
 
     const viewResources = views
       .map((view) => ({
         id: view.id,
         kind: "view" as const,
-        name: view.spec?.title || view.name,
+        name: view.name,
+        displayName: view.spec?.title || view.name,
         namespace: view.namespace,
         icon: view.spec?.icon || "workflow",
         subtitle: view.namespace ? `${view.namespace} · view` : "view"
       }))
       .sort((a, b) =>
-        a.name.localeCompare(b.name, undefined, { sensitivity: "base" })
+        (a.displayName || a.name).localeCompare(
+          b.displayName || b.name,
+          undefined,
+          {
+            sensitivity: "base"
+          }
+        )
       );
 
     return [...playbookResources, ...viewResources];
   }, [playbooks, views]);
 
+  const {
+    data: effectiveAccessResponse,
+    isFetching: isCheckingEffectiveAccess,
+    refetch: refetchEffectiveAccess
+  } = useQuery({
+    queryKey: [
+      "mcp",
+      "subject-access",
+      "effective-access",
+      selectedSubject?.id ?? "none",
+      resources.length
+    ],
+    enabled: false,
+    queryFn: async () => {
+      if (!selectedSubject) {
+        return {
+          subject: "",
+          action: "mcp:run" as const,
+          results: [] as EffectiveSubjectResourceAccessResult[]
+        };
+      }
+
+      return fetchEffectiveSubjectResourceAccess({
+        subject: selectedSubject.id,
+        action: "mcp:run",
+        resources: resources.map((resource) => ({
+          id: resource.id,
+          type: resource.kind
+        }))
+      });
+    }
+  });
+
+  const effectiveAccessByResourceKey = useMemo(() => {
+    const map: Record<string, boolean> = {};
+
+    for (const result of effectiveAccessResponse?.results ?? []) {
+      map[`${result.resourceType}:${result.resourceId}`] = result.allowed;
+    }
+
+    return map;
+  }, [effectiveAccessResponse?.results]);
+
+  const hasEffectiveAccessResults =
+    hasTriggeredEffectiveAccessCheck &&
+    (effectiveAccessResponse?.results?.length ?? 0) > 0;
+
+  useEffect(() => {
+    setHasTriggeredEffectiveAccessCheck(false);
+  }, [selectedSubject?.id]);
+
   const loading =
     isSubjectsLoading ||
     isPlaybooksLoading ||
@@ -502,8 +575,15 @@ export default function McpSubjectAccessPage() {
                   selectedSubject={selectedSubject}
                   resources={resources}
                   permissions={permissions}
+                  effectiveAccessByResourceKey={effectiveAccessByResourceKey}
+                  hasEffectiveAccessResults={hasEffectiveAccessResults}
+                  isCheckingEffectiveAccess={isCheckingEffectiveAccess}
                   isSubmitting={isSubmitting}
                   mutatingResourceIds={mutatingResourceIds}
+                  onCheckEffectiveAccess={() => {
+                    setHasTriggeredEffectiveAccessCheck(true);
+                    refetchEffectiveAccess();
+                  }}
                   onSetResourceAccess={(resource, access) =>
                     applyAccess([resource], access)
                   }
diff --git a/src/pages/Settings/mcp/McpViewsPage.tsx b/src/pages/Settings/mcp/McpViewsPage.tsx
index a18f341028..2bf0bef36f 100644
--- a/src/pages/Settings/mcp/McpViewsPage.tsx
+++ b/src/pages/Settings/mcp/McpViewsPage.tsx
@@ -209,6 +209,11 @@ export default function McpViewsPage() {
                     name: selectedView.spec?.title || selectedView.name,
                     icon: selectedView.spec?.icon || "workflow"
                   }}
+                  effectiveAccessResource={{
+                    id: selectedView.id,
+                    type: "view",
+                    action: "mcp:run"
+                  }}
                   preselectedSubjectAccess={preselectedSubjectAccess}
                   bulkAccess={
                     (globalOverrideByResource.get(selectedView.id) === "allow"

From 76c82b6055f62eeaec11663433d5f5adbcc30602 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 11:55:54 +0545
Subject: [PATCH 39/48] fix(mcp): reuse tokens table on overview without layout
 gap

---
 src/components/MCP/UserList.tsx            |  2 +-
 src/components/Tokens/List/TokensTable.tsx | 34 +++++++++++++---------
 src/pages/Settings/mcp/McpOverviewPage.tsx | 30 +++++++++++++++++++
 3 files changed, 52 insertions(+), 14 deletions(-)

diff --git a/src/components/MCP/UserList.tsx b/src/components/MCP/UserList.tsx
index 239d471aa1..50ff0dfa0f 100644
--- a/src/components/MCP/UserList.tsx
+++ b/src/components/MCP/UserList.tsx
@@ -38,7 +38,7 @@ export default function UserList({
   onChangeAccess
 }: Props) {
   return (
-    <div className="flex h-full w-full flex-1 flex-col gap-4 p-6 pb-6">
+    <div className="flex w-full flex-col gap-4 p-6 pb-6">
       {groupedSubjects.map((group) => (
         <div key={group.type} className="space-y-1">
           <div className="pt-2 text-xs font-semibold uppercase tracking-wide text-gray-500 first:pt-0">
diff --git a/src/components/Tokens/List/TokensTable.tsx b/src/components/Tokens/List/TokensTable.tsx
index decaf56584..2d97e60966 100644
--- a/src/components/Tokens/List/TokensTable.tsx
+++ b/src/components/Tokens/List/TokensTable.tsx
@@ -11,23 +11,29 @@ type TokensTableProps = {
   isLoading?: boolean;
   isRefetching?: boolean;
   refresh?: () => void;
+  showHideAgentsToggle?: boolean;
+  defaultHideAgents?: boolean;
+  tokenIdSearchParamKey?: string;
 };
 
 export default function TokensTable({
   tokens,
   isLoading,
   isRefetching,
-  refresh
+  refresh,
+  showHideAgentsToggle = true,
+  defaultHideAgents = true,
+  tokenIdSearchParamKey = "id"
 }: TokensTableProps) {
   const [searchParams, setSearchParams] = useSearchParams();
   const columns = useMemo(() => tokensTableColumns, []);
 
-  const tokenId = searchParams.get("id") ?? undefined;
+  const tokenId = searchParams.get(tokenIdSearchParamKey) ?? undefined;
   const selectedToken = useMemo(() => {
     return tokens.find((token) => token.id === tokenId);
   }, [tokens, tokenId]);
 
-  const [hideAgents, setHideAgents] = useState(true);
+  const [hideAgents, setHideAgents] = useState(defaultHideAgents);
   const filteredTokens = useMemo(() => {
     if (hideAgents) {
       return tokens.filter((token) => !token.name.startsWith("agent-"));
@@ -38,14 +44,16 @@ export default function TokensTable({
 
   return (
     <div className="flex h-full w-full flex-col gap-4">
-      <Toggle
-        value={hideAgents}
-        label="Hide Agents"
-        className="inline-flex items-center"
-        onChange={(val) => {
-          setHideAgents(val);
-        }}
-      />
+      {showHideAgentsToggle && (
+        <Toggle
+          value={hideAgents}
+          label="Hide Agents"
+          className="inline-flex items-center"
+          onChange={(val) => {
+            setHideAgents(val);
+          }}
+        />
+      )}
 
       <MRTDataTable
         data={filteredTokens}
@@ -54,7 +62,7 @@ export default function TokensTable({
         isRefetching={isRefetching}
         enableServerSideSorting={false}
         onRowClick={(token) => {
-          searchParams.set("id", token.id);
+          searchParams.set(tokenIdSearchParamKey, token.id);
           setSearchParams(searchParams);
         }}
       />
@@ -67,7 +75,7 @@ export default function TokensTable({
             if (refresh) {
               refresh();
             }
-            searchParams.delete("id");
+            searchParams.delete(tokenIdSearchParamKey);
             setSearchParams(searchParams);
           }}
         />
diff --git a/src/pages/Settings/mcp/McpOverviewPage.tsx b/src/pages/Settings/mcp/McpOverviewPage.tsx
index 05ee6f47ba..87fce8321b 100644
--- a/src/pages/Settings/mcp/McpOverviewPage.tsx
+++ b/src/pages/Settings/mcp/McpOverviewPage.tsx
@@ -7,9 +7,11 @@ import {
   PermissionSubject,
   updatePermission
 } from "@flanksource-ui/api/services/permissions";
+import { useTokensListQuery } from "@flanksource-ui/api/query-hooks/useTokensQuery";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
 import UserList from "@flanksource-ui/components/MCP/UserList";
+import TokensTable from "@flanksource-ui/components/Tokens/List/TokensTable";
 import { toastError } from "@flanksource-ui/components/Toast/toast";
 import SetupMcpModal from "@flanksource-ui/components/Users/SetupMcpModal";
 import { useUser } from "@flanksource-ui/context";
@@ -197,6 +199,17 @@ export default function McpOverviewPage() {
       }
     });
 
+  const {
+    data: tokens = [],
+    isLoading: isTokensLoading,
+    refetch: refetchTokens,
+    isRefetching: isTokensRefetching
+  } = useTokensListQuery({
+    keepPreviousData: true,
+    staleTime: 0,
+    cacheTime: 0
+  });
+
   const loading =
     isUsersLoading ||
     isPermissionsLoading ||
@@ -227,6 +240,7 @@ export default function McpOverviewPage() {
       onRefresh={() => {
         refetchUsers();
         refetchPermissions();
+        refetchTokens();
       }}
     >
       <UserList
@@ -247,6 +261,22 @@ export default function McpOverviewPage() {
           );
         }}
       />
+
+      <div className="px-6">
+        <div className="mb-2 text-xs font-semibold uppercase tracking-wide text-gray-500">
+          MCP access tokens
+        </div>
+        <TokensTable
+          tokens={tokens}
+          isLoading={isTokensLoading}
+          isRefetching={isTokensRefetching}
+          refresh={refetchTokens}
+          showHideAgentsToggle={false}
+          defaultHideAgents={true}
+          tokenIdSearchParamKey="mcpTokenId"
+        />
+      </div>
+
       <SetupMcpModal
         isOpen={isSetupMcpModalOpen}
         onClose={() => setIsSetupMcpModalOpen(false)}

From 963cc7e485b806ccce959bed405ff282082dc4b6 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 13:17:03 +0545
Subject: [PATCH 40/48] fix(permissions): align selector panel bulk-lock UX

---
 .../Permissions/ResourceSelectorPanel.tsx     | 343 ++++++------------
 .../Permissions/SubjectSelectorPanel.tsx      | 111 ++----
 2 files changed, 133 insertions(+), 321 deletions(-)

diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index d908f0df0b..78d1210598 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -10,7 +10,7 @@ import {
   TooltipTrigger
 } from "@flanksource-ui/components/ui/tooltip";
 import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
-import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
+import { Switch as SegmentedSwitch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { Check, X } from "lucide-react";
 import { useMemo, useState } from "react";
@@ -47,18 +47,9 @@ type ResourceSelectorPanelProps = {
     access: ResourceAccess
   ) => Promise<void> | void;
 };
-const TABS = [
-  { key: "all", label: "All" },
-  { key: "allowed", label: "Allowed" },
-  { key: "playbook", label: "Playbooks" },
-  { key: "view", label: "Views" }
-] as const;
-
-const BULK_OPTIONS = ["Deny", "Default", "Allow"] as const;
+const BULK_OPTIONS = ["Deny All", "Custom", "Allow all"] as const;
 type BulkOption = (typeof BULK_OPTIONS)[number];
 
-type ActiveTab = (typeof TABS)[number]["key"];
-
 function getRefsForPermission(
   permission: PermissionsSummary,
   kind: "playbook" | "view"
@@ -129,30 +120,12 @@ export default function ResourceSelectorPanel({
   onSetResourceAccess,
   onSetManyResourceAccess
 }: ResourceSelectorPanelProps) {
-  const [activeTab, setActiveTab] = useState<ActiveTab>("all");
   const [resourceSearch, setResourceSearch] = useState("");
 
   const normalizedSearch = resourceSearch.trim().toLowerCase();
 
   const filteredResources = useMemo(() => {
     return resources.filter((resource) => {
-      if (activeTab === "playbook" || activeTab === "view") {
-        if (resource.kind !== activeTab) {
-          return false;
-        }
-      }
-
-      if (activeTab === "allowed") {
-        const access = getAccessState(
-          permissions,
-          selectedSubject,
-          resource
-        ).access;
-        if (access !== "allow") {
-          return false;
-        }
-      }
-
       if (!normalizedSearch) {
         return true;
       }
@@ -161,7 +134,7 @@ export default function ResourceSelectorPanel({
         `${resource.displayName || resource.name} ${resource.name} ${resource.subtitle || ""} ${resource.namespace || ""}`.toLowerCase();
       return haystack.includes(normalizedSearch);
     });
-  }, [activeTab, normalizedSearch, permissions, resources, selectedSubject]);
+  }, [normalizedSearch, resources]);
 
   const resourcesByType = useMemo(() => {
     const playbooks: McpSubjectResource[] = [];
@@ -178,27 +151,6 @@ export default function ResourceSelectorPanel({
     return { playbooks, views };
   }, [filteredResources]);
 
-  const counts = useMemo(() => {
-    const playbooks = resources.filter(
-      (resource) => resource.kind === "playbook"
-    ).length;
-    const views = resources.filter(
-      (resource) => resource.kind === "view"
-    ).length;
-    const allowed = resources.filter(
-      (resource) =>
-        getAccessState(permissions, selectedSubject, resource).access ===
-        "allow"
-    ).length;
-
-    return {
-      all: playbooks + views,
-      allowed,
-      playbook: playbooks,
-      view: views
-    };
-  }, [permissions, resources, selectedSubject]);
-
   const bulkAccess = useMemo<ResourceAccess>(() => {
     const subjectType = mapSubjectType(selectedSubject.type);
 
@@ -229,14 +181,6 @@ export default function ResourceSelectorPanel({
         : "allow";
     };
 
-    if (activeTab === "playbook") {
-      return getWildcardAccessByKind("playbook");
-    }
-
-    if (activeTab === "view") {
-      return getWildcardAccessByKind("view");
-    }
-
     const playbookAccess = getWildcardAccessByKind("playbook");
     const viewAccess = getWildcardAccessByKind("view");
 
@@ -245,24 +189,17 @@ export default function ResourceSelectorPanel({
     }
 
     return "default";
-  }, [activeTab, permissions, selectedSubject]);
+  }, [permissions, selectedSubject]);
 
   const bulkOptionValue: BulkOption =
     bulkAccess === "allow"
-      ? "Allow"
+      ? "Allow all"
       : bulkAccess === "deny"
-        ? "Deny"
-        : "Default";
+        ? "Deny All"
+        : "Custom";
 
   const isListLocked = bulkAccess === "allow" || bulkAccess === "deny";
 
-  const resetTargetResources =
-    activeTab === "playbook"
-      ? resources.filter((resource) => resource.kind === "playbook")
-      : activeTab === "view"
-        ? resources.filter((resource) => resource.kind === "view")
-        : resources;
-
   const getEffectiveBadge = (resource: McpSubjectResource) => {
     if (!hasEffectiveAccessResults) {
       return null;
@@ -332,23 +269,23 @@ export default function ResourceSelectorPanel({
               isSubmitting || filteredResources.length === 0 || undefined
             }
           >
-            <Switch
+            <SegmentedSwitch
               size="sm"
               options={[...BULK_OPTIONS]}
               value={bulkOptionValue}
               onChange={(value) => {
                 const access: ResourceAccess =
-                  value === "Allow"
+                  value === "Allow all"
                     ? "allow"
-                    : value === "Deny"
+                    : value === "Deny All"
                       ? "deny"
                       : "default";
                 onSetManyResourceAccess(filteredResources, access);
               }}
               getActiveItemClassName={(option) =>
-                option === "Allow"
+                option === "Allow all"
                   ? "!bg-green-600 !text-white !ring-green-600"
-                  : option === "Deny"
+                  : option === "Deny All"
                     ? "!bg-red-600 !text-white !ring-red-600"
                     : undefined
               }
@@ -358,94 +295,62 @@ export default function ResourceSelectorPanel({
       </div>
 
       <div className="relative min-h-0 flex-1">
-        <div
-          className={`flex h-full min-h-0 flex-col gap-3 ${
-            isListLocked
-              ? "pointer-events-none select-none opacity-60 blur-[1px]"
-              : ""
-          }`}
-          aria-hidden={isListLocked || undefined}
-        >
-          <div className="flex items-center gap-2">
-            {TABS.map((tab) => {
-              const isActive = activeTab === tab.key;
-              const count = counts[tab.key];
-
-              return (
-                <Button
-                  key={tab.key}
-                  type="button"
-                  variant={isActive ? "default" : "outline"}
-                  size="sm"
-                  className={
-                    isActive
-                      ? "border-gray-900 bg-gray-900 text-white hover:bg-gray-800"
-                      : "text-gray-700"
-                  }
-                  onClick={() => setActiveTab(tab.key)}
-                >
-                  {tab.label}{" "}
-                  <span className="ml-1 text-xs opacity-80">{count}</span>
-                </Button>
-              );
-            })}
+        <div className="flex h-full min-h-0 flex-col gap-3">
+          <div className="flex items-center gap-3">
+            <Input
+              className="flex-1"
+              placeholder="Search ..."
+              value={resourceSearch}
+              onChange={(event) => setResourceSearch(event.target.value)}
+            />
           </div>
 
-          <Input
-            placeholder="Search ..."
-            value={resourceSearch}
-            onChange={(event) => setResourceSearch(event.target.value)}
-          />
-
           <div className="mb-3 min-h-0 flex-1 space-y-4 overflow-y-auto">
-            {(activeTab === "all" ||
-              activeTab === "allowed" ||
-              activeTab === "playbook") && (
-              <div className="space-y-2">
-                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-                  Playbooks
-                </div>
-                <div className="overflow-hidden rounded-md border border-gray-200">
-                  {resourcesByType.playbooks.length === 0 ? (
-                    <div className="p-3 text-sm text-gray-500">
-                      No playbooks found
-                    </div>
-                  ) : (
-                    resourcesByType.playbooks.map((resource) => {
-                      const state = getAccessState(
-                        permissions,
-                        selectedSubject,
-                        resource
-                      );
-
-                      return (
-                        <div
-                          key={resource.id}
-                          className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
-                        >
-                          <div className="flex min-w-0 items-center gap-2">
-                            <Icon
-                              name={resource.icon || "playbook"}
-                              className="h-4 w-4 text-gray-500"
-                            />
-                            <div className="min-w-0">
-                              <div className="truncate text-sm font-medium text-gray-900">
-                                {resource.displayName || resource.name}
-                              </div>
-                              {resource.subtitle ? (
-                                <div className="truncate text-xs text-gray-500">
-                                  {resource.subtitle}
-                                </div>
-                              ) : null}
+            <div className="space-y-2">
+              <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+                Playbooks
+              </div>
+              <div className="overflow-hidden rounded-md border border-gray-200">
+                {resourcesByType.playbooks.length === 0 ? (
+                  <div className="p-3 text-sm text-gray-500">
+                    No playbooks found
+                  </div>
+                ) : (
+                  resourcesByType.playbooks.map((resource) => {
+                    const state = getAccessState(
+                      permissions,
+                      selectedSubject,
+                      resource
+                    );
+
+                    return (
+                      <div
+                        key={resource.id}
+                        className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+                      >
+                        <div className="flex min-w-0 items-center gap-2">
+                          <Icon
+                            name={resource.icon || "playbook"}
+                            className="h-4 w-4 text-gray-500"
+                          />
+                          <div className="min-w-0">
+                            <div className="truncate text-sm font-medium text-gray-900">
+                              {resource.displayName || resource.name}
                             </div>
+                            {resource.subtitle ? (
+                              <div className="truncate text-xs text-gray-500">
+                                {resource.subtitle}
+                              </div>
+                            ) : null}
                           </div>
+                        </div>
 
-                          <div className="flex items-center gap-2">
-                            {getEffectiveBadge(resource)}
+                        <div className="flex items-center gap-2">
+                          {getEffectiveBadge(resource)}
+                          {!isListLocked ? (
                             <TriStateAccessSwitch
                               value={state.access}
                               disabled={
-                                isListLocked ||
                                 Boolean(mutatingResourceIds[resource.id]) ||
                                 isSubmitting
                               }
@@ -453,63 +358,60 @@ export default function ResourceSelectorPanel({
                                 onSetResourceAccess(resource, access)
                               }
                             />
-                          </div>
+                          ) : null}
                         </div>
-                      );
-                    })
-                  )}
-                </div>
+                      </div>
+                    );
+                  })
+                )}
               </div>
-            )}
+            </div>
 
-            {(activeTab === "all" ||
-              activeTab === "allowed" ||
-              activeTab === "view") && (
-              <div className="space-y-2">
-                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-                  Views
-                </div>
-                <div className="overflow-hidden rounded-md border border-gray-200">
-                  {resourcesByType.views.length === 0 ? (
-                    <div className="p-3 text-sm text-gray-500">
-                      No views found
-                    </div>
-                  ) : (
-                    resourcesByType.views.map((resource) => {
-                      const state = getAccessState(
-                        permissions,
-                        selectedSubject,
-                        resource
-                      );
-
-                      return (
-                        <div
-                          key={resource.id}
-                          className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
-                        >
-                          <div className="flex min-w-0 items-center gap-2">
-                            <Icon
-                              name={resource.icon || "workflow"}
-                              className="h-4 w-4 text-gray-500"
-                            />
-                            <div className="min-w-0">
-                              <div className="truncate text-sm font-medium text-gray-900">
-                                {resource.displayName || resource.name}
-                              </div>
-                              {resource.subtitle ? (
-                                <div className="truncate text-xs text-gray-500">
-                                  {resource.subtitle}
-                                </div>
-                              ) : null}
+            <div className="space-y-2">
+              <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+                Views
+              </div>
+              <div className="overflow-hidden rounded-md border border-gray-200">
+                {resourcesByType.views.length === 0 ? (
+                  <div className="p-3 text-sm text-gray-500">
+                    No views found
+                  </div>
+                ) : (
+                  resourcesByType.views.map((resource) => {
+                    const state = getAccessState(
+                      permissions,
+                      selectedSubject,
+                      resource
+                    );
+
+                    return (
+                      <div
+                        key={resource.id}
+                        className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+                      >
+                        <div className="flex min-w-0 items-center gap-2">
+                          <Icon
+                            name={resource.icon || "workflow"}
+                            className="h-4 w-4 text-gray-500"
+                          />
+                          <div className="min-w-0">
+                            <div className="truncate text-sm font-medium text-gray-900">
+                              {resource.displayName || resource.name}
                             </div>
+                            {resource.subtitle ? (
+                              <div className="truncate text-xs text-gray-500">
+                                {resource.subtitle}
+                              </div>
+                            ) : null}
                           </div>
+                        </div>
 
-                          <div className="flex items-center gap-2">
-                            {getEffectiveBadge(resource)}
+                        <div className="flex items-center gap-2">
+                          {getEffectiveBadge(resource)}
+                          {!isListLocked ? (
                             <TriStateAccessSwitch
                               value={state.access}
                               disabled={
-                                isListLocked ||
                                 Boolean(mutatingResourceIds[resource.id]) ||
                                 isSubmitting
                               }
@@ -517,41 +419,16 @@ export default function ResourceSelectorPanel({
                                 onSetResourceAccess(resource, access)
                               }
                             />
-                          </div>
+                          ) : null}
                         </div>
-                      );
-                    })
-                  )}
-                </div>
+                      </div>
+                    );
+                  })
+                )}
               </div>
-            )}
-          </div>
-        </div>
-
-        {isListLocked ? (
-          <div className="pointer-events-auto absolute inset-0 z-10 flex items-center justify-center rounded-md">
-            <div className="max-w-sm rounded-md border border-gray-200 bg-white/95 p-4 text-center shadow-sm">
-              <p className="text-sm font-medium text-gray-900">
-                Individual resource rules are locked while
-                {bulkAccess === "allow" ? " Allow all" : " Deny all"} is active.
-              </p>
-              <p className="mt-1 text-xs text-gray-500">
-                Set bulk access to Default to edit individual resources.
-              </p>
-              <Button
-                type="button"
-                size="sm"
-                variant="outline"
-                className="mt-3"
-                onClick={() =>
-                  onSetManyResourceAccess(resetTargetResources, "default")
-                }
-              >
-                Set to Default
-              </Button>
             </div>
           </div>
-        ) : null}
+        </div>
       </div>
     </div>
   );
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 2b89e3d502..bb8c53c9ad 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -40,14 +40,7 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
 
 export type SubjectAccess = "deny" | "default" | "allow";
 
-type ActiveTab = "all" | "allowed";
-
-const TABS: Array<{ key: ActiveTab; label: string }> = [
-  { key: "all", label: "All" },
-  { key: "allowed", label: "Allowed" }
-];
-
-const BULK_OPTIONS = ["Deny", "Default", "Allow"] as const;
+const BULK_OPTIONS = ["Deny All", "Custom", "Allow all"] as const;
 type BulkOption = (typeof BULK_OPTIONS)[number];
 
 type SubjectSelectorPanelProps = {
@@ -91,7 +84,6 @@ export default function SubjectSelectorPanel({
   onSetSubjectAccess,
   onSetManySubjectAccess
 }: SubjectSelectorPanelProps) {
-  const [activeTab, setActiveTab] = useState<ActiveTab>("all");
   const [search, setSearch] = useState("");
   const [selectedAccessById, setSelectedAccessById] = useState<
     Record<string, SubjectAccess>
@@ -214,15 +206,7 @@ export default function SubjectSelectorPanel({
       });
   }, [debouncedSearch, subjects]);
 
-  const displayedSubjects = useMemo(() => {
-    if (activeTab === "allowed") {
-      return sortedSubjects.filter(
-        (subject) => selectedAccessById[subject.id] === "allow"
-      );
-    }
-
-    return sortedSubjects;
-  }, [activeTab, selectedAccessById, sortedSubjects]);
+  const displayedSubjects = sortedSubjects;
 
   const groupedDisplayedSubjects = useMemo(() => {
     const grouped = new Map<PermissionSubject["type"], PermissionSubject[]>();
@@ -241,15 +225,6 @@ export default function SubjectSelectorPanel({
       }));
   }, [displayedSubjects]);
 
-  const counts = useMemo(() => {
-    const all = subjects.length;
-    const allowed = subjects.filter(
-      (subject) => selectedAccessById[subject.id] === "allow"
-    ).length;
-
-    return { all, allowed };
-  }, [selectedAccessById, subjects]);
-
   const bulkAccessFromSelection = useMemo<SubjectAccess>(() => {
     if (displayedSubjects.length === 0) {
       return "default";
@@ -278,10 +253,10 @@ export default function SubjectSelectorPanel({
 
   const bulkOptionValue: BulkOption =
     resolvedBulkAccess === "allow"
-      ? "Allow"
+      ? "Allow all"
       : resolvedBulkAccess === "deny"
-        ? "Deny"
-        : "Default";
+        ? "Deny All"
+        : "Custom";
 
   const setBulkSubjectAccess = async (access: SubjectAccess) => {
     if (onSetBulkAccess) {
@@ -454,17 +429,17 @@ export default function SubjectSelectorPanel({
               value={bulkOptionValue}
               onChange={(value) => {
                 const access: SubjectAccess =
-                  value === "Allow"
+                  value === "Allow all"
                     ? "allow"
-                    : value === "Deny"
+                    : value === "Deny All"
                       ? "deny"
                       : "default";
                 void setBulkSubjectAccess(access);
               }}
               getActiveItemClassName={(option) =>
-                option === "Allow"
+                option === "Allow all"
                   ? "!bg-green-600 !text-white !ring-green-600"
-                  : option === "Deny"
+                  : option === "Deny All"
                     ? "!bg-red-600 !text-white !ring-red-600"
                     : undefined
               }
@@ -474,39 +449,7 @@ export default function SubjectSelectorPanel({
       </div>
 
       <div className="relative min-h-0 flex-1">
-        <div
-          className={`flex h-full min-h-0 flex-col gap-3 ${
-            isListLocked
-              ? "pointer-events-none select-none opacity-60 blur-[1px]"
-              : ""
-          }`}
-          aria-hidden={isListLocked || undefined}
-        >
-          <div className="flex items-center gap-2">
-            {TABS.map((tab) => {
-              const isActive = activeTab === tab.key;
-              const count = counts[tab.key];
-
-              return (
-                <Button
-                  key={tab.key}
-                  type="button"
-                  variant={isActive ? "default" : "outline"}
-                  size="sm"
-                  className={
-                    isActive
-                      ? "border-gray-900 bg-gray-900 text-white hover:bg-gray-800"
-                      : "text-gray-700"
-                  }
-                  onClick={() => setActiveTab(tab.key)}
-                >
-                  {tab.label}{" "}
-                  <span className="ml-1 text-xs opacity-80">{count}</span>
-                </Button>
-              );
-            })}
-          </div>
-
+        <div className="flex h-full min-h-0 flex-col gap-3">
           <Input
             placeholder="Search ..."
             value={search}
@@ -541,15 +484,19 @@ export default function SubjectSelectorPanel({
 
                         <div className="flex items-center gap-2">
                           {renderEffectiveAccessIcon(subject)}
-                          <TriStateAccessSwitch
-                            value={selectedAccessById[subject.id] ?? "default"}
-                            disabled={
-                              isListLocked ||
-                              isSubmitting ||
-                              mutatingSubjectId === subject.id
-                            }
-                            onChange={(next) => setSubjectAccess(subject, next)}
-                          />
+                          {!isListLocked ? (
+                            <TriStateAccessSwitch
+                              value={
+                                selectedAccessById[subject.id] ?? "default"
+                              }
+                              disabled={
+                                isSubmitting || mutatingSubjectId === subject.id
+                              }
+                              onChange={(next) =>
+                                setSubjectAccess(subject, next)
+                              }
+                            />
+                          ) : null}
                         </div>
                       </div>
                     ))}
@@ -561,18 +508,6 @@ export default function SubjectSelectorPanel({
             )}
           </div>
         </div>
-
-        {isListLocked ? (
-          <div className="pointer-events-auto absolute inset-0 z-10 flex items-center justify-center rounded-md">
-            <div className="max-w-sm rounded-md border border-gray-200 bg-white/95 p-4 text-center shadow-sm">
-              <p className="text-sm font-medium text-gray-900">
-                Individual subject rules are locked while
-                {resolvedBulkAccess === "allow" ? " Allow all" : " Deny all"} is
-                active.
-              </p>
-            </div>
-          </div>
-        ) : null}
       </div>
     </div>
   );

From d3566b22c935dc029aabbd4f8e2a1f3a612a5275 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 13:28:30 +0545
Subject: [PATCH 41/48] fix(permissions): match effective access and mode
 control widths

---
 .../Permissions/ResourceSelectorPanel.tsx     | 28 +++++++----
 .../Permissions/SubjectSelectorPanel.tsx      | 50 +++++++++++--------
 2 files changed, 46 insertions(+), 32 deletions(-)

diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index 78d1210598..11548cc91b 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -233,23 +233,23 @@ export default function ResourceSelectorPanel({
   };
 
   return (
-    <div className="flex min-h-0 flex-1 flex-col gap-3">
-      <div className="flex items-center justify-between gap-3">
-        <div className="flex min-w-0 items-center gap-2">
-          <SubjectAvatar subject={selectedSubject} size="md" />
-          <div className="min-w-0">
-            <div className="truncate text-sm font-semibold text-gray-900">
-              {selectedSubject.name}
+    <div className="flex min-h-0 flex-1 flex-col">
+      <div className="space-y-3 pb-3">
+        <div className="flex items-center justify-between gap-3">
+          <div className="flex min-w-0 items-center gap-2">
+            <SubjectAvatar subject={selectedSubject} size="md" />
+            <div className="min-w-0">
+              <div className="truncate text-sm font-semibold text-gray-900">
+                {selectedSubject.name}
+              </div>
             </div>
           </div>
-        </div>
 
-        <div className="flex shrink-0 items-center gap-2">
           {onCheckEffectiveAccess ? (
             <Button
               type="button"
               size="sm"
-              className="bg-blue-600 text-white hover:bg-blue-700"
+              className="w-48 justify-center bg-blue-600 text-white hover:bg-blue-700"
               onClick={onCheckEffectiveAccess}
               disabled={isCheckingEffectiveAccess || resources.length === 0}
             >
@@ -258,6 +258,10 @@ export default function ResourceSelectorPanel({
                 : "Check effective access"}
             </Button>
           ) : null}
+        </div>
+
+        <div className="flex items-center justify-between gap-3">
+          <div className="text-sm text-gray-600">Global Permission</div>
 
           <div
             className={
@@ -271,6 +275,8 @@ export default function ResourceSelectorPanel({
           >
             <SegmentedSwitch
               size="sm"
+              className="w-48"
+              itemsClassName="flex-1 justify-center"
               options={[...BULK_OPTIONS]}
               value={bulkOptionValue}
               onChange={(value) => {
@@ -294,7 +300,7 @@ export default function ResourceSelectorPanel({
         </div>
       </div>
 
-      <div className="relative min-h-0 flex-1">
+      <div className="relative min-h-0 flex-1 pt-3">
         <div className="flex h-full min-h-0 flex-col gap-3">
           <div className="flex items-center gap-3">
             <Input
diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index bb8c53c9ad..27c4079f80 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -371,33 +371,35 @@ export default function SubjectSelectorPanel({
   };
 
   return (
-    <div className="flex min-h-0 flex-1 flex-col gap-3">
-      <div className="flex items-center justify-between gap-3">
-        <div className="flex min-w-0 items-center gap-2">
-          {headerEntity ? (
-            <span className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-gray-700">
-              <Icon
-                name={headerEntity.icon || "playbook"}
-                className="h-4 w-4"
-              />
-            </span>
-          ) : null}
-          <div className="min-w-0">
-            <div className="truncate text-sm font-semibold text-gray-900">
-              {headerEntity?.name || title}
-            </div>
-            {!headerEntity && description ? (
-              <div className="mt-0.5 text-xs text-gray-500">{description}</div>
+    <div className="flex min-h-0 flex-1 flex-col">
+      <div className="space-y-3 pb-3">
+        <div className="flex items-center justify-between gap-3">
+          <div className="flex min-w-0 items-center gap-2">
+            {headerEntity ? (
+              <span className="flex h-8 w-8 shrink-0 items-center justify-center rounded-md bg-gray-100 text-gray-700">
+                <Icon
+                  name={headerEntity.icon || "playbook"}
+                  className="h-4 w-4"
+                />
+              </span>
             ) : null}
+            <div className="min-w-0">
+              <div className="truncate text-sm font-semibold text-gray-900">
+                {headerEntity?.name || title}
+              </div>
+              {!headerEntity && description ? (
+                <div className="mt-0.5 text-xs text-gray-500">
+                  {description}
+                </div>
+              ) : null}
+            </div>
           </div>
-        </div>
 
-        <div className="flex items-center gap-2">
           {effectiveAccessResource ? (
             <Button
               type="button"
               size="sm"
-              className="bg-blue-600 text-white hover:bg-blue-700"
+              className="w-48 justify-center bg-blue-600 text-white hover:bg-blue-700"
               disabled={isCheckingEffectiveAccess || subjects.length === 0}
               onClick={() => {
                 setHasTriggeredEffectiveAccessCheck(true);
@@ -409,6 +411,10 @@ export default function SubjectSelectorPanel({
                 : "Check effective access"}
             </Button>
           ) : null}
+        </div>
+
+        <div className="flex items-center justify-between gap-3">
+          <div className="text-sm text-gray-600">Global permission</div>
 
           <div
             className={
@@ -425,6 +431,8 @@ export default function SubjectSelectorPanel({
           >
             <Switch
               size="sm"
+              className="w-48"
+              itemsClassName="flex-1 justify-center"
               options={[...BULK_OPTIONS]}
               value={bulkOptionValue}
               onChange={(value) => {
@@ -448,7 +456,7 @@ export default function SubjectSelectorPanel({
         </div>
       </div>
 
-      <div className="relative min-h-0 flex-1">
+      <div className="relative min-h-0 flex-1 pt-3">
         <div className="flex h-full min-h-0 flex-col gap-3">
           <Input
             placeholder="Search ..."

From 9fa7671eb1c193cf9b11b2eaf6734b280c5de2d4 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 16:03:28 +0545
Subject: [PATCH 42/48] sorting

---
 .../Permissions/ResourceSelectorPanel.tsx     | 156 +++++++++++++++---
 1 file changed, 137 insertions(+), 19 deletions(-)

diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index 11548cc91b..c7ee202829 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -4,6 +4,13 @@ import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar"
 import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Input } from "@flanksource-ui/components/ui/input";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue
+} from "@flanksource-ui/components/ui/select";
 import {
   Tooltip,
   TooltipContent,
@@ -50,6 +57,21 @@ type ResourceSelectorPanelProps = {
 const BULK_OPTIONS = ["Deny All", "Custom", "Allow all"] as const;
 type BulkOption = (typeof BULK_OPTIONS)[number];
 
+const RESOURCE_SORT_OPTIONS = [
+  "deny-first",
+  "allow-first",
+  "custom-first",
+  "alphabetical"
+] as const;
+type ResourceSortOption = (typeof RESOURCE_SORT_OPTIONS)[number];
+
+const RESOURCE_SORT_OPTION_LABELS: Record<ResourceSortOption, string> = {
+  "deny-first": "Deny first",
+  "allow-first": "Allow first",
+  "custom-first": "Custom first",
+  alphabetical: "Alphabetically"
+};
+
 function getRefsForPermission(
   permission: PermissionsSummary,
   kind: "playbook" | "view"
@@ -107,6 +129,25 @@ function getAccessState(
   return { access: "default" };
 }
 
+function getSortRank(access: ResourceAccess, sortOption: ResourceSortOption) {
+  switch (sortOption) {
+    case "deny-first":
+      return access === "deny" ? 0 : access === "allow" ? 1 : 2;
+    case "allow-first":
+      return access === "allow" ? 0 : access === "deny" ? 1 : 2;
+    case "custom-first":
+      // "Custom" means explicitly configured (allow/deny), so keep defaults last.
+      return access === "default" ? 1 : 0;
+    case "alphabetical":
+    default:
+      return 0;
+  }
+}
+
+function getResourceKey(resource: McpSubjectResource) {
+  return `${resource.kind}:${resource.id}`;
+}
+
 export default function ResourceSelectorPanel({
   selectedSubject,
   resources,
@@ -121,6 +162,9 @@ export default function ResourceSelectorPanel({
   onSetManyResourceAccess
 }: ResourceSelectorPanelProps) {
   const [resourceSearch, setResourceSearch] = useState("");
+  const [playbookSort, setPlaybookSort] =
+    useState<ResourceSortOption>("alphabetical");
+  const [viewSort, setViewSort] = useState<ResourceSortOption>("alphabetical");
 
   const normalizedSearch = resourceSearch.trim().toLowerCase();
 
@@ -136,6 +180,20 @@ export default function ResourceSelectorPanel({
     });
   }, [normalizedSearch, resources]);
 
+  const accessByResourceKey = useMemo(() => {
+    const byKey: Record<string, ResourceAccess> = {};
+
+    for (const resource of filteredResources) {
+      byKey[getResourceKey(resource)] = getAccessState(
+        permissions,
+        selectedSubject,
+        resource
+      ).access;
+    }
+
+    return byKey;
+  }, [filteredResources, permissions, selectedSubject]);
+
   const resourcesByType = useMemo(() => {
     const playbooks: McpSubjectResource[] = [];
     const views: McpSubjectResource[] = [];
@@ -148,8 +206,34 @@ export default function ResourceSelectorPanel({
       }
     }
 
-    return { playbooks, views };
-  }, [filteredResources]);
+    const sortResources = (
+      list: McpSubjectResource[],
+      sortOption: ResourceSortOption
+    ) => {
+      return [...list].sort((a, b) => {
+        const aAccess = accessByResourceKey[getResourceKey(a)] ?? "default";
+        const bAccess = accessByResourceKey[getResourceKey(b)] ?? "default";
+
+        const rankDiff =
+          getSortRank(aAccess, sortOption) - getSortRank(bAccess, sortOption);
+
+        if (rankDiff !== 0) {
+          return rankDiff;
+        }
+
+        return (a.displayName || a.name).localeCompare(
+          b.displayName || b.name,
+          undefined,
+          { sensitivity: "base" }
+        );
+      });
+    };
+
+    return {
+      playbooks: sortResources(playbooks, playbookSort),
+      views: sortResources(views, viewSort)
+    };
+  }, [accessByResourceKey, filteredResources, playbookSort, viewSort]);
 
   const bulkAccess = useMemo<ResourceAccess>(() => {
     const subjectType = mapSubjectType(selectedSubject.type);
@@ -206,7 +290,7 @@ export default function ResourceSelectorPanel({
     }
 
     const isAllowed =
-      effectiveAccessByResourceKey[`${resource.kind}:${resource.id}`] === true;
+      effectiveAccessByResourceKey[getResourceKey(resource)] === true;
 
     return (
       <Tooltip>
@@ -313,8 +397,27 @@ export default function ResourceSelectorPanel({
 
           <div className="mb-3 min-h-0 flex-1 space-y-4 overflow-y-auto">
             <div className="space-y-2">
-              <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-                Playbooks
+              <div className="flex items-center justify-between gap-2">
+                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+                  Playbooks
+                </div>
+                <Select
+                  value={playbookSort}
+                  onValueChange={(value) =>
+                    setPlaybookSort(value as ResourceSortOption)
+                  }
+                >
+                  <SelectTrigger className="h-8 w-[150px] text-xs">
+                    <SelectValue placeholder="Sort" />
+                  </SelectTrigger>
+                  <SelectContent>
+                    {RESOURCE_SORT_OPTIONS.map((option) => (
+                      <SelectItem key={option} value={option}>
+                        {RESOURCE_SORT_OPTION_LABELS[option]}
+                      </SelectItem>
+                    ))}
+                  </SelectContent>
+                </Select>
               </div>
               <div className="overflow-hidden rounded-md border border-gray-200">
                 {resourcesByType.playbooks.length === 0 ? (
@@ -323,11 +426,9 @@ export default function ResourceSelectorPanel({
                   </div>
                 ) : (
                   resourcesByType.playbooks.map((resource) => {
-                    const state = getAccessState(
-                      permissions,
-                      selectedSubject,
-                      resource
-                    );
+                    const access =
+                      accessByResourceKey[getResourceKey(resource)] ??
+                      "default";
 
                     return (
                       <div
@@ -355,7 +456,7 @@ export default function ResourceSelectorPanel({
                           {getEffectiveBadge(resource)}
                           {!isListLocked ? (
                             <TriStateAccessSwitch
-                              value={state.access}
+                              value={access}
                               disabled={
                                 Boolean(mutatingResourceIds[resource.id]) ||
                                 isSubmitting
@@ -374,8 +475,27 @@ export default function ResourceSelectorPanel({
             </div>
 
             <div className="space-y-2">
-              <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-                Views
+              <div className="flex items-center justify-between gap-2">
+                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+                  Views
+                </div>
+                <Select
+                  value={viewSort}
+                  onValueChange={(value) =>
+                    setViewSort(value as ResourceSortOption)
+                  }
+                >
+                  <SelectTrigger className="h-8 w-[150px] text-xs">
+                    <SelectValue placeholder="Sort" />
+                  </SelectTrigger>
+                  <SelectContent>
+                    {RESOURCE_SORT_OPTIONS.map((option) => (
+                      <SelectItem key={option} value={option}>
+                        {RESOURCE_SORT_OPTION_LABELS[option]}
+                      </SelectItem>
+                    ))}
+                  </SelectContent>
+                </Select>
               </div>
               <div className="overflow-hidden rounded-md border border-gray-200">
                 {resourcesByType.views.length === 0 ? (
@@ -384,11 +504,9 @@ export default function ResourceSelectorPanel({
                   </div>
                 ) : (
                   resourcesByType.views.map((resource) => {
-                    const state = getAccessState(
-                      permissions,
-                      selectedSubject,
-                      resource
-                    );
+                    const access =
+                      accessByResourceKey[getResourceKey(resource)] ??
+                      "default";
 
                     return (
                       <div
@@ -416,7 +534,7 @@ export default function ResourceSelectorPanel({
                           {getEffectiveBadge(resource)}
                           {!isListLocked ? (
                             <TriStateAccessSwitch
-                              value={state.access}
+                              value={access}
                               disabled={
                                 Boolean(mutatingResourceIds[resource.id]) ||
                                 isSubmitting

From bba56ba34241747279ffe6343294a494e81c7545 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 16:15:37 +0545
Subject: [PATCH 43/48] sorting animation

---
 .../Permissions/ResourceSelectorPanel.tsx     | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index c7ee202829..f728f72650 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -20,6 +20,7 @@ import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCar
 import { Switch as SegmentedSwitch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { Check, X } from "lucide-react";
+import { motion } from "motion/react";
 import { useMemo, useState } from "react";
 
 export type ResourceAccess = "deny" | "default" | "allow";
@@ -72,6 +73,13 @@ const RESOURCE_SORT_OPTION_LABELS: Record<ResourceSortOption, string> = {
   alphabetical: "Alphabetically"
 };
 
+const ROW_LAYOUT_TRANSITION = {
+  type: "spring",
+  stiffness: 620,
+  damping: 42,
+  mass: 0.7
+} as const;
+
 function getRefsForPermission(
   permission: PermissionsSummary,
   kind: "playbook" | "view"
@@ -431,7 +439,10 @@ export default function ResourceSelectorPanel({
                       "default";
 
                     return (
-                      <div
+                      <motion.div
+                        layout="position"
+                        initial={false}
+                        transition={ROW_LAYOUT_TRANSITION}
                         key={resource.id}
                         className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
                       >
@@ -467,7 +478,7 @@ export default function ResourceSelectorPanel({
                             />
                           ) : null}
                         </div>
-                      </div>
+                      </motion.div>
                     );
                   })
                 )}
@@ -509,7 +520,10 @@ export default function ResourceSelectorPanel({
                       "default";
 
                     return (
-                      <div
+                      <motion.div
+                        layout="position"
+                        initial={false}
+                        transition={ROW_LAYOUT_TRANSITION}
                         key={resource.id}
                         className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
                       >
@@ -545,7 +559,7 @@ export default function ResourceSelectorPanel({
                             />
                           ) : null}
                         </div>
-                      </div>
+                      </motion.div>
                     );
                   })
                 )}

From dabc0ffbdb8b2cb273f0d28765a630267dd9b561 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 16:26:04 +0545
Subject: [PATCH 44/48] change sort menu

---
 .../Permissions/ResourceSelectorPanel.tsx     | 170 ++++++++++++------
 1 file changed, 114 insertions(+), 56 deletions(-)

diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index f728f72650..2ac5a30482 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -19,7 +19,7 @@ import {
 import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
 import { Switch as SegmentedSwitch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
-import { Check, X } from "lucide-react";
+import { ArrowDown, ArrowUp, Check, X } from "lucide-react";
 import { motion } from "motion/react";
 import { useMemo, useState } from "react";
 
@@ -58,19 +58,14 @@ type ResourceSelectorPanelProps = {
 const BULK_OPTIONS = ["Deny All", "Custom", "Allow all"] as const;
 type BulkOption = (typeof BULK_OPTIONS)[number];
 
-const RESOURCE_SORT_OPTIONS = [
-  "deny-first",
-  "allow-first",
-  "custom-first",
-  "alphabetical"
-] as const;
+const RESOURCE_SORT_OPTIONS = ["deny", "allow", "alphabetical"] as const;
 type ResourceSortOption = (typeof RESOURCE_SORT_OPTIONS)[number];
+type ResourceSortDirection = "asc" | "desc";
 
 const RESOURCE_SORT_OPTION_LABELS: Record<ResourceSortOption, string> = {
-  "deny-first": "Deny first",
-  "allow-first": "Allow first",
-  "custom-first": "Custom first",
-  alphabetical: "Alphabetically"
+  deny: "Deny",
+  allow: "Allow",
+  alphabetical: "Alphabetical"
 };
 
 const ROW_LAYOUT_TRANSITION = {
@@ -139,13 +134,10 @@ function getAccessState(
 
 function getSortRank(access: ResourceAccess, sortOption: ResourceSortOption) {
   switch (sortOption) {
-    case "deny-first":
+    case "deny":
       return access === "deny" ? 0 : access === "allow" ? 1 : 2;
-    case "allow-first":
+    case "allow":
       return access === "allow" ? 0 : access === "deny" ? 1 : 2;
-    case "custom-first":
-      // "Custom" means explicitly configured (allow/deny), so keep defaults last.
-      return access === "default" ? 1 : 0;
     case "alphabetical":
     default:
       return 0;
@@ -172,7 +164,11 @@ export default function ResourceSelectorPanel({
   const [resourceSearch, setResourceSearch] = useState("");
   const [playbookSort, setPlaybookSort] =
     useState<ResourceSortOption>("alphabetical");
+  const [playbookSortDirection, setPlaybookSortDirection] =
+    useState<ResourceSortDirection>("asc");
   const [viewSort, setViewSort] = useState<ResourceSortOption>("alphabetical");
+  const [viewSortDirection, setViewSortDirection] =
+    useState<ResourceSortDirection>("asc");
 
   const normalizedSearch = resourceSearch.trim().toLowerCase();
 
@@ -216,7 +212,8 @@ export default function ResourceSelectorPanel({
 
     const sortResources = (
       list: McpSubjectResource[],
-      sortOption: ResourceSortOption
+      sortOption: ResourceSortOption,
+      sortDirection: ResourceSortDirection
     ) => {
       return [...list].sort((a, b) => {
         const aAccess = accessByResourceKey[getResourceKey(a)] ?? "default";
@@ -226,22 +223,31 @@ export default function ResourceSelectorPanel({
           getSortRank(aAccess, sortOption) - getSortRank(bAccess, sortOption);
 
         if (rankDiff !== 0) {
-          return rankDiff;
+          return sortDirection === "asc" ? rankDiff : -rankDiff;
         }
 
-        return (a.displayName || a.name).localeCompare(
+        const nameDiff = (a.displayName || a.name).localeCompare(
           b.displayName || b.name,
           undefined,
           { sensitivity: "base" }
         );
+
+        return sortDirection === "asc" ? nameDiff : -nameDiff;
       });
     };
 
     return {
-      playbooks: sortResources(playbooks, playbookSort),
-      views: sortResources(views, viewSort)
+      playbooks: sortResources(playbooks, playbookSort, playbookSortDirection),
+      views: sortResources(views, viewSort, viewSortDirection)
     };
-  }, [accessByResourceKey, filteredResources, playbookSort, viewSort]);
+  }, [
+    accessByResourceKey,
+    filteredResources,
+    playbookSort,
+    playbookSortDirection,
+    viewSort,
+    viewSortDirection
+  ]);
 
   const bulkAccess = useMemo<ResourceAccess>(() => {
     const subjectType = mapSubjectType(selectedSubject.type);
@@ -409,23 +415,49 @@ export default function ResourceSelectorPanel({
                 <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
                   Playbooks
                 </div>
-                <Select
-                  value={playbookSort}
-                  onValueChange={(value) =>
-                    setPlaybookSort(value as ResourceSortOption)
-                  }
-                >
-                  <SelectTrigger className="h-8 w-[150px] text-xs">
-                    <SelectValue placeholder="Sort" />
-                  </SelectTrigger>
-                  <SelectContent>
-                    {RESOURCE_SORT_OPTIONS.map((option) => (
-                      <SelectItem key={option} value={option}>
-                        {RESOURCE_SORT_OPTION_LABELS[option]}
-                      </SelectItem>
-                    ))}
-                  </SelectContent>
-                </Select>
+                <div className="flex items-center gap-1">
+                  <Select
+                    value={playbookSort}
+                    onValueChange={(value) =>
+                      setPlaybookSort(value as ResourceSortOption)
+                    }
+                  >
+                    <SelectTrigger className="h-8 w-[140px] text-xs">
+                      <SelectValue placeholder="Sort" />
+                    </SelectTrigger>
+                    <SelectContent>
+                      {RESOURCE_SORT_OPTIONS.map((option) => (
+                        <SelectItem key={option} value={option}>
+                          {RESOURCE_SORT_OPTION_LABELS[option]}
+                        </SelectItem>
+                      ))}
+                    </SelectContent>
+                  </Select>
+
+                  <Button
+                    type="button"
+                    size="icon"
+                    variant="outline"
+                    className="h-8 w-8"
+                    disabled={resourcesByType.playbooks.length === 0}
+                    aria-label={
+                      playbookSortDirection === "asc"
+                        ? "Sort ascending"
+                        : "Sort descending"
+                    }
+                    onClick={() =>
+                      setPlaybookSortDirection((prev) =>
+                        prev === "asc" ? "desc" : "asc"
+                      )
+                    }
+                  >
+                    {playbookSortDirection === "asc" ? (
+                      <ArrowUp className="h-3.5 w-3.5" />
+                    ) : (
+                      <ArrowDown className="h-3.5 w-3.5" />
+                    )}
+                  </Button>
+                </div>
               </div>
               <div className="overflow-hidden rounded-md border border-gray-200">
                 {resourcesByType.playbooks.length === 0 ? (
@@ -490,23 +522,49 @@ export default function ResourceSelectorPanel({
                 <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
                   Views
                 </div>
-                <Select
-                  value={viewSort}
-                  onValueChange={(value) =>
-                    setViewSort(value as ResourceSortOption)
-                  }
-                >
-                  <SelectTrigger className="h-8 w-[150px] text-xs">
-                    <SelectValue placeholder="Sort" />
-                  </SelectTrigger>
-                  <SelectContent>
-                    {RESOURCE_SORT_OPTIONS.map((option) => (
-                      <SelectItem key={option} value={option}>
-                        {RESOURCE_SORT_OPTION_LABELS[option]}
-                      </SelectItem>
-                    ))}
-                  </SelectContent>
-                </Select>
+                <div className="flex items-center gap-1">
+                  <Select
+                    value={viewSort}
+                    onValueChange={(value) =>
+                      setViewSort(value as ResourceSortOption)
+                    }
+                  >
+                    <SelectTrigger className="h-8 w-[140px] text-xs">
+                      <SelectValue placeholder="Sort" />
+                    </SelectTrigger>
+                    <SelectContent>
+                      {RESOURCE_SORT_OPTIONS.map((option) => (
+                        <SelectItem key={option} value={option}>
+                          {RESOURCE_SORT_OPTION_LABELS[option]}
+                        </SelectItem>
+                      ))}
+                    </SelectContent>
+                  </Select>
+
+                  <Button
+                    type="button"
+                    size="icon"
+                    variant="outline"
+                    className="h-8 w-8"
+                    disabled={resourcesByType.views.length === 0}
+                    aria-label={
+                      viewSortDirection === "asc"
+                        ? "Sort ascending"
+                        : "Sort descending"
+                    }
+                    onClick={() =>
+                      setViewSortDirection((prev) =>
+                        prev === "asc" ? "desc" : "asc"
+                      )
+                    }
+                  >
+                    {viewSortDirection === "asc" ? (
+                      <ArrowUp className="h-3.5 w-3.5" />
+                    ) : (
+                      <ArrowDown className="h-3.5 w-3.5" />
+                    )}
+                  </Button>
+                </div>
               </div>
               <div className="overflow-hidden rounded-md border border-gray-200">
                 {resourcesByType.views.length === 0 ? (

From 975c19953c38622b3719d2409b1db07153891c34 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 16:30:56 +0545
Subject: [PATCH 45/48] feat(permissions): add subject sort controls with
 direction toggle

---
 .../Permissions/SubjectSelectorPanel.tsx      | 140 ++++++++++++++++--
 1 file changed, 130 insertions(+), 10 deletions(-)

diff --git a/src/components/Permissions/SubjectSelectorPanel.tsx b/src/components/Permissions/SubjectSelectorPanel.tsx
index 27c4079f80..5feb281a5e 100644
--- a/src/components/Permissions/SubjectSelectorPanel.tsx
+++ b/src/components/Permissions/SubjectSelectorPanel.tsx
@@ -10,6 +10,13 @@ import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar"
 import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Input } from "@flanksource-ui/components/ui/input";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue
+} from "@flanksource-ui/components/ui/select";
 import {
   Tooltip,
   TooltipContent,
@@ -19,7 +26,8 @@ import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
 import { Switch } from "@flanksource-ui/ui/FormControls/Switch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { useQuery } from "@tanstack/react-query";
-import { Check, X } from "lucide-react";
+import { ArrowDown, ArrowUp, Check, X } from "lucide-react";
+import { motion } from "motion/react";
 import { useEffect, useMemo, useState } from "react";
 
 const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
@@ -43,6 +51,29 @@ export type SubjectAccess = "deny" | "default" | "allow";
 const BULK_OPTIONS = ["Deny All", "Custom", "Allow all"] as const;
 type BulkOption = (typeof BULK_OPTIONS)[number];
 
+const SUBJECT_SORT_OPTIONS = [
+  "deny",
+  "allow",
+  "custom",
+  "alphabetical"
+] as const;
+type SubjectSortOption = (typeof SUBJECT_SORT_OPTIONS)[number];
+type SubjectSortDirection = "asc" | "desc";
+
+const SUBJECT_SORT_OPTION_LABELS: Record<SubjectSortOption, string> = {
+  deny: "Deny",
+  allow: "Allow",
+  custom: "Custom",
+  alphabetical: "Alphabetical"
+};
+
+const ROW_LAYOUT_TRANSITION = {
+  type: "spring",
+  stiffness: 620,
+  damping: 42,
+  mass: 0.7
+} as const;
+
 type SubjectSelectorPanelProps = {
   title?: string;
   description?: string;
@@ -70,6 +101,23 @@ type SubjectSelectorPanelProps = {
   ) => Promise<void> | void;
 };
 
+function getSubjectSortRank(
+  access: SubjectAccess,
+  sortOption: SubjectSortOption
+) {
+  switch (sortOption) {
+    case "deny":
+      return access === "deny" ? 0 : access === "allow" ? 1 : 2;
+    case "allow":
+      return access === "allow" ? 0 : access === "deny" ? 1 : 2;
+    case "custom":
+      return access === "default" ? 1 : 0;
+    case "alphabetical":
+    default:
+      return 0;
+  }
+}
+
 export default function SubjectSelectorPanel({
   title,
   description,
@@ -85,6 +133,10 @@ export default function SubjectSelectorPanel({
   onSetManySubjectAccess
 }: SubjectSelectorPanelProps) {
   const [search, setSearch] = useState("");
+  const [subjectSort, setSubjectSort] =
+    useState<SubjectSortOption>("alphabetical");
+  const [subjectSortDirection, setSubjectSortDirection] =
+    useState<SubjectSortDirection>("asc");
   const [selectedAccessById, setSelectedAccessById] = useState<
     Record<string, SubjectAccess>
   >({});
@@ -202,9 +254,29 @@ export default function SubjectSelectorPanel({
           return typeOrder;
         }
 
-        return a.name.localeCompare(b.name, undefined, { sensitivity: "base" });
+        const aAccess = selectedAccessById[a.id] ?? "default";
+        const bAccess = selectedAccessById[b.id] ?? "default";
+        const rankDiff =
+          getSubjectSortRank(aAccess, subjectSort) -
+          getSubjectSortRank(bAccess, subjectSort);
+
+        if (rankDiff !== 0) {
+          return subjectSortDirection === "asc" ? rankDiff : -rankDiff;
+        }
+
+        const nameDiff = a.name.localeCompare(b.name, undefined, {
+          sensitivity: "base"
+        });
+
+        return subjectSortDirection === "asc" ? nameDiff : -nameDiff;
       });
-  }, [debouncedSearch, subjects]);
+  }, [
+    debouncedSearch,
+    selectedAccessById,
+    subjectSort,
+    subjectSortDirection,
+    subjects
+  ]);
 
   const displayedSubjects = sortedSubjects;
 
@@ -458,11 +530,56 @@ export default function SubjectSelectorPanel({
 
       <div className="relative min-h-0 flex-1 pt-3">
         <div className="flex h-full min-h-0 flex-col gap-3">
-          <Input
-            placeholder="Search ..."
-            value={search}
-            onChange={(event) => setSearch(event.target.value)}
-          />
+          <div className="flex items-center gap-2">
+            <Input
+              className="flex-1"
+              placeholder="Search ..."
+              value={search}
+              onChange={(event) => setSearch(event.target.value)}
+            />
+
+            <Select
+              value={subjectSort}
+              onValueChange={(value) =>
+                setSubjectSort(value as SubjectSortOption)
+              }
+            >
+              <SelectTrigger className="h-8 w-[140px] text-xs">
+                <SelectValue placeholder="Sort" />
+              </SelectTrigger>
+              <SelectContent>
+                {SUBJECT_SORT_OPTIONS.map((option) => (
+                  <SelectItem key={option} value={option}>
+                    {SUBJECT_SORT_OPTION_LABELS[option]}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+
+            <Button
+              type="button"
+              size="icon"
+              variant="outline"
+              className="h-8 w-8"
+              disabled={displayedSubjects.length === 0}
+              aria-label={
+                subjectSortDirection === "asc"
+                  ? "Sort ascending"
+                  : "Sort descending"
+              }
+              onClick={() =>
+                setSubjectSortDirection((prev) =>
+                  prev === "asc" ? "desc" : "asc"
+                )
+              }
+            >
+              {subjectSortDirection === "asc" ? (
+                <ArrowUp className="h-3.5 w-3.5" />
+              ) : (
+                <ArrowDown className="h-3.5 w-3.5" />
+              )}
+            </Button>
+          </div>
 
           <div className="mb-3 min-h-0 flex-1 space-y-4 overflow-y-auto">
             {isLoading || isFetching ? (
@@ -479,7 +596,10 @@ export default function SubjectSelectorPanel({
 
                   <div className="overflow-hidden rounded-md border border-gray-200">
                     {group.subjects.map((subject) => (
-                      <div
+                      <motion.div
+                        layout="position"
+                        initial={false}
+                        transition={ROW_LAYOUT_TRANSITION}
                         key={subject.id}
                         className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
                       >
@@ -506,7 +626,7 @@ export default function SubjectSelectorPanel({
                             />
                           ) : null}
                         </div>
-                      </div>
+                      </motion.div>
                     ))}
                   </div>
                 </div>

From d320fee60518b38d70b7269ae819c3e4e2aa3096 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 16:34:01 +0545
Subject: [PATCH 46/48] feat(permissions): split resource selector lists by
 type

Extract ResourceList, ResourceRow, and EffectiveAccessBadge from ResourceSelectorPanel.

Add independent bulk access switches for Playbooks and Views.
---
 .../Permissions/EffectiveAccessBadge.tsx      |  37 ++
 src/components/Permissions/ResourceList.tsx   | 179 ++++++++
 src/components/Permissions/ResourceRow.tsx    |  78 ++++
 .../Permissions/ResourceSelectorPanel.tsx     | 388 +++---------------
 4 files changed, 355 insertions(+), 327 deletions(-)
 create mode 100644 src/components/Permissions/EffectiveAccessBadge.tsx
 create mode 100644 src/components/Permissions/ResourceList.tsx
 create mode 100644 src/components/Permissions/ResourceRow.tsx

diff --git a/src/components/Permissions/EffectiveAccessBadge.tsx b/src/components/Permissions/EffectiveAccessBadge.tsx
new file mode 100644
index 0000000000..763127bcf1
--- /dev/null
+++ b/src/components/Permissions/EffectiveAccessBadge.tsx
@@ -0,0 +1,37 @@
+import {
+  Tooltip,
+  TooltipContent,
+  TooltipTrigger
+} from "@flanksource-ui/components/ui/tooltip";
+import { Check, X } from "lucide-react";
+
+type EffectiveAccessBadgeProps = {
+  isAllowed: boolean;
+};
+
+export default function EffectiveAccessBadge({
+  isAllowed
+}: EffectiveAccessBadgeProps) {
+  return (
+    <Tooltip>
+      <TooltipTrigger asChild>
+        <span
+          className={
+            isAllowed
+              ? "inline-flex h-5 w-5 items-center justify-center rounded-full bg-emerald-50 text-emerald-600"
+              : "inline-flex h-5 w-5 items-center justify-center rounded-full bg-red-50 text-red-600"
+          }
+        >
+          {isAllowed ? (
+            <Check className="h-3.5 w-3.5" />
+          ) : (
+            <X className="h-3.5 w-3.5" />
+          )}
+        </span>
+      </TooltipTrigger>
+      <TooltipContent side="top">
+        Effective access: {isAllowed ? "Allowed" : "Denied"}
+      </TooltipContent>
+    </Tooltip>
+  );
+}
diff --git a/src/components/Permissions/ResourceList.tsx b/src/components/Permissions/ResourceList.tsx
new file mode 100644
index 0000000000..6493b0682d
--- /dev/null
+++ b/src/components/Permissions/ResourceList.tsx
@@ -0,0 +1,179 @@
+import { Button } from "@flanksource-ui/components/ui/button";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue
+} from "@flanksource-ui/components/ui/select";
+import { Switch as SegmentedSwitch } from "@flanksource-ui/ui/FormControls/Switch";
+import { ArrowDown, ArrowUp } from "lucide-react";
+import { ReactNode } from "react";
+import type {
+  McpSubjectResource,
+  ResourceAccess
+} from "./ResourceSelectorPanel";
+import ResourceRow from "./ResourceRow";
+
+const BULK_OPTIONS = ["Deny All", "Custom", "Allow All"] as const;
+type BulkOption = (typeof BULK_OPTIONS)[number];
+
+const RESOURCE_SORT_OPTIONS = ["deny", "allow", "alphabetical"] as const;
+export type ResourceSortOption = (typeof RESOURCE_SORT_OPTIONS)[number];
+export type ResourceSortDirection = "asc" | "desc";
+
+const RESOURCE_SORT_OPTION_LABELS: Record<ResourceSortOption, string> = {
+  deny: "Deny",
+  allow: "Allow",
+  alphabetical: "Alphabetical"
+};
+
+type ResourceListProps = {
+  title: string;
+  emptyMessage: string;
+  defaultIcon: string;
+  resources: McpSubjectResource[];
+  sort: ResourceSortOption;
+  sortDirection: ResourceSortDirection;
+  onSortChange: (sort: ResourceSortOption) => void;
+  onSortDirectionToggle: () => void;
+  bulkAccess: ResourceAccess;
+  onBulkAccessChange: (access: ResourceAccess) => void;
+  accessByResourceKey: Record<string, ResourceAccess>;
+  getResourceKey: (resource: McpSubjectResource) => string;
+  getEffectiveBadge: (resource: McpSubjectResource) => ReactNode;
+  isListLocked: boolean;
+  isSubmitting: boolean;
+  mutatingResourceIds: Record<string, true>;
+  onSetResourceAccess: (
+    resource: McpSubjectResource,
+    access: ResourceAccess
+  ) => Promise<void> | void;
+};
+
+export default function ResourceList({
+  title,
+  emptyMessage,
+  defaultIcon,
+  resources,
+  sort,
+  sortDirection,
+  onSortChange,
+  onSortDirectionToggle,
+  bulkAccess,
+  onBulkAccessChange,
+  accessByResourceKey,
+  getResourceKey,
+  getEffectiveBadge,
+  isListLocked,
+  isSubmitting,
+  mutatingResourceIds,
+  onSetResourceAccess
+}: ResourceListProps) {
+  const bulkOptionValue: BulkOption =
+    bulkAccess === "allow"
+      ? "Allow All"
+      : bulkAccess === "deny"
+        ? "Deny All"
+        : "Custom";
+
+  return (
+    <div className="space-y-2">
+      <div className="flex items-center justify-between gap-2">
+        <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
+          {title}
+        </div>
+        <div className="flex items-center gap-2">
+          <div
+            className={
+              isSubmitting || resources.length === 0
+                ? "pointer-events-none opacity-60"
+                : undefined
+            }
+            aria-disabled={isSubmitting || resources.length === 0 || undefined}
+          >
+            <SegmentedSwitch
+              size="sm"
+              className="w-48"
+              itemsClassName="flex-1 justify-center"
+              options={[...BULK_OPTIONS]}
+              value={bulkOptionValue}
+              onChange={(value) => {
+                const access: ResourceAccess =
+                  value === "Allow All"
+                    ? "allow"
+                    : value === "Deny All"
+                      ? "deny"
+                      : "default";
+                onBulkAccessChange(access);
+              }}
+              getActiveItemClassName={(option) =>
+                option === "Allow All"
+                  ? "!bg-green-600 !text-white !ring-green-600"
+                  : option === "Deny All"
+                    ? "!bg-red-600 !text-white !ring-red-600"
+                    : undefined
+              }
+            />
+          </div>
+
+          <Select
+            value={sort}
+            onValueChange={(value) => onSortChange(value as ResourceSortOption)}
+          >
+            <SelectTrigger className="h-8 w-[140px] text-xs">
+              <SelectValue placeholder="Sort" />
+            </SelectTrigger>
+            <SelectContent>
+              {RESOURCE_SORT_OPTIONS.map((option) => (
+                <SelectItem key={option} value={option}>
+                  {RESOURCE_SORT_OPTION_LABELS[option]}
+                </SelectItem>
+              ))}
+            </SelectContent>
+          </Select>
+
+          <Button
+            type="button"
+            size="icon"
+            variant="outline"
+            className="h-8 w-8"
+            disabled={resources.length === 0}
+            aria-label={
+              sortDirection === "asc" ? "Sort ascending" : "Sort descending"
+            }
+            onClick={onSortDirectionToggle}
+          >
+            {sortDirection === "asc" ? (
+              <ArrowUp className="h-3.5 w-3.5" />
+            ) : (
+              <ArrowDown className="h-3.5 w-3.5" />
+            )}
+          </Button>
+        </div>
+      </div>
+
+      <div className="overflow-hidden rounded-md border border-gray-200">
+        {resources.length === 0 ? (
+          <div className="p-3 text-sm text-gray-500">{emptyMessage}</div>
+        ) : (
+          resources.map((resource) => (
+            <ResourceRow
+              key={resource.id}
+              resource={resource}
+              access={
+                accessByResourceKey[getResourceKey(resource)] ?? "default"
+              }
+              defaultIcon={defaultIcon}
+              effectiveBadge={getEffectiveBadge(resource)}
+              isListLocked={isListLocked}
+              isSubmitting={isSubmitting}
+              isMutating={Boolean(mutatingResourceIds[resource.id])}
+              onSetResourceAccess={onSetResourceAccess}
+            />
+          ))
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/src/components/Permissions/ResourceRow.tsx b/src/components/Permissions/ResourceRow.tsx
new file mode 100644
index 0000000000..99714ea33a
--- /dev/null
+++ b/src/components/Permissions/ResourceRow.tsx
@@ -0,0 +1,78 @@
+import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
+import { Icon } from "@flanksource-ui/ui/Icons/Icon";
+import { motion } from "motion/react";
+import { ReactNode } from "react";
+import type {
+  McpSubjectResource,
+  ResourceAccess
+} from "./ResourceSelectorPanel";
+
+const ROW_LAYOUT_TRANSITION = {
+  type: "spring",
+  stiffness: 620,
+  damping: 42,
+  mass: 0.7
+} as const;
+
+type ResourceRowProps = {
+  resource: McpSubjectResource;
+  access: ResourceAccess;
+  defaultIcon: string;
+  effectiveBadge: ReactNode;
+  isListLocked: boolean;
+  isSubmitting: boolean;
+  isMutating: boolean;
+  onSetResourceAccess: (
+    resource: McpSubjectResource,
+    access: ResourceAccess
+  ) => Promise<void> | void;
+};
+
+export default function ResourceRow({
+  resource,
+  access,
+  defaultIcon,
+  effectiveBadge,
+  isListLocked,
+  isSubmitting,
+  isMutating,
+  onSetResourceAccess
+}: ResourceRowProps) {
+  return (
+    <motion.div
+      layout="position"
+      initial={false}
+      transition={ROW_LAYOUT_TRANSITION}
+      key={resource.id}
+      className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
+    >
+      <div className="flex min-w-0 items-center gap-2">
+        <Icon
+          name={resource.icon || defaultIcon}
+          className="h-4 w-4 text-gray-500"
+        />
+        <div className="min-w-0">
+          <div className="truncate text-sm font-medium text-gray-900">
+            {resource.displayName || resource.name}
+          </div>
+          {resource.subtitle ? (
+            <div className="truncate text-xs text-gray-500">
+              {resource.subtitle}
+            </div>
+          ) : null}
+        </div>
+      </div>
+
+      <div className="flex items-center gap-2">
+        {effectiveBadge}
+        {!isListLocked ? (
+          <TriStateAccessSwitch
+            value={access}
+            disabled={isMutating || isSubmitting}
+            onChange={(nextAccess) => onSetResourceAccess(resource, nextAccess)}
+          />
+        ) : null}
+      </div>
+    </motion.div>
+  );
+}
diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index 2ac5a30482..84a07bcdc3 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -1,26 +1,14 @@
 import { PermissionSubject } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
+import EffectiveAccessBadge from "@flanksource-ui/components/Permissions/EffectiveAccessBadge";
+import ResourceList, {
+  ResourceSortDirection,
+  ResourceSortOption
+} from "@flanksource-ui/components/Permissions/ResourceList";
 import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
-import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Input } from "@flanksource-ui/components/ui/input";
-import {
-  Select,
-  SelectContent,
-  SelectItem,
-  SelectTrigger,
-  SelectValue
-} from "@flanksource-ui/components/ui/select";
-import {
-  Tooltip,
-  TooltipContent,
-  TooltipTrigger
-} from "@flanksource-ui/components/ui/tooltip";
 import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
-import { Switch as SegmentedSwitch } from "@flanksource-ui/ui/FormControls/Switch";
-import { Icon } from "@flanksource-ui/ui/Icons/Icon";
-import { ArrowDown, ArrowUp, Check, X } from "lucide-react";
-import { motion } from "motion/react";
 import { useMemo, useState } from "react";
 
 export type ResourceAccess = "deny" | "default" | "allow";
@@ -55,25 +43,6 @@ type ResourceSelectorPanelProps = {
     access: ResourceAccess
   ) => Promise<void> | void;
 };
-const BULK_OPTIONS = ["Deny All", "Custom", "Allow all"] as const;
-type BulkOption = (typeof BULK_OPTIONS)[number];
-
-const RESOURCE_SORT_OPTIONS = ["deny", "allow", "alphabetical"] as const;
-type ResourceSortOption = (typeof RESOURCE_SORT_OPTIONS)[number];
-type ResourceSortDirection = "asc" | "desc";
-
-const RESOURCE_SORT_OPTION_LABELS: Record<ResourceSortOption, string> = {
-  deny: "Deny",
-  allow: "Allow",
-  alphabetical: "Alphabetical"
-};
-
-const ROW_LAYOUT_TRANSITION = {
-  type: "spring",
-  stiffness: 620,
-  damping: 42,
-  mass: 0.7
-} as const;
 
 function getRefsForPermission(
   permission: PermissionsSummary,
@@ -249,7 +218,7 @@ export default function ResourceSelectorPanel({
     viewSortDirection
   ]);
 
-  const bulkAccess = useMemo<ResourceAccess>(() => {
+  const bulkAccessByKind = useMemo(() => {
     const subjectType = mapSubjectType(selectedSubject.type);
 
     const getWildcardAccessByKind = (
@@ -279,25 +248,12 @@ export default function ResourceSelectorPanel({
         : "allow";
     };
 
-    const playbookAccess = getWildcardAccessByKind("playbook");
-    const viewAccess = getWildcardAccessByKind("view");
-
-    if (playbookAccess === viewAccess) {
-      return playbookAccess;
-    }
-
-    return "default";
+    return {
+      playbook: getWildcardAccessByKind("playbook"),
+      view: getWildcardAccessByKind("view")
+    };
   }, [permissions, selectedSubject]);
 
-  const bulkOptionValue: BulkOption =
-    bulkAccess === "allow"
-      ? "Allow all"
-      : bulkAccess === "deny"
-        ? "Deny All"
-        : "Custom";
-
-  const isListLocked = bulkAccess === "allow" || bulkAccess === "deny";
-
   const getEffectiveBadge = (resource: McpSubjectResource) => {
     if (!hasEffectiveAccessResults) {
       return null;
@@ -306,28 +262,7 @@ export default function ResourceSelectorPanel({
     const isAllowed =
       effectiveAccessByResourceKey[getResourceKey(resource)] === true;
 
-    return (
-      <Tooltip>
-        <TooltipTrigger asChild>
-          <span
-            className={
-              isAllowed
-                ? "inline-flex h-5 w-5 items-center justify-center rounded-full bg-emerald-50 text-emerald-600"
-                : "inline-flex h-5 w-5 items-center justify-center rounded-full bg-red-50 text-red-600"
-            }
-          >
-            {isAllowed ? (
-              <Check className="h-3.5 w-3.5" />
-            ) : (
-              <X className="h-3.5 w-3.5" />
-            )}
-          </span>
-        </TooltipTrigger>
-        <TooltipContent side="top">
-          Effective access: {isAllowed ? "Allowed" : "Denied"}
-        </TooltipContent>
-      </Tooltip>
-    );
+    return <EffectiveAccessBadge isAllowed={isAllowed} />;
   };
 
   return (
@@ -357,45 +292,6 @@ export default function ResourceSelectorPanel({
             </Button>
           ) : null}
         </div>
-
-        <div className="flex items-center justify-between gap-3">
-          <div className="text-sm text-gray-600">Global Permission</div>
-
-          <div
-            className={
-              isSubmitting || filteredResources.length === 0
-                ? "pointer-events-none opacity-60"
-                : undefined
-            }
-            aria-disabled={
-              isSubmitting || filteredResources.length === 0 || undefined
-            }
-          >
-            <SegmentedSwitch
-              size="sm"
-              className="w-48"
-              itemsClassName="flex-1 justify-center"
-              options={[...BULK_OPTIONS]}
-              value={bulkOptionValue}
-              onChange={(value) => {
-                const access: ResourceAccess =
-                  value === "Allow all"
-                    ? "allow"
-                    : value === "Deny All"
-                      ? "deny"
-                      : "default";
-                onSetManyResourceAccess(filteredResources, access);
-              }}
-              getActiveItemClassName={(option) =>
-                option === "Allow all"
-                  ? "!bg-green-600 !text-white !ring-green-600"
-                  : option === "Deny All"
-                    ? "!bg-red-600 !text-white !ring-red-600"
-                    : undefined
-              }
-            />
-          </div>
-        </div>
       </div>
 
       <div className="relative min-h-0 flex-1 pt-3">
@@ -410,219 +306,57 @@ export default function ResourceSelectorPanel({
           </div>
 
           <div className="mb-3 min-h-0 flex-1 space-y-4 overflow-y-auto">
-            <div className="space-y-2">
-              <div className="flex items-center justify-between gap-2">
-                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-                  Playbooks
-                </div>
-                <div className="flex items-center gap-1">
-                  <Select
-                    value={playbookSort}
-                    onValueChange={(value) =>
-                      setPlaybookSort(value as ResourceSortOption)
-                    }
-                  >
-                    <SelectTrigger className="h-8 w-[140px] text-xs">
-                      <SelectValue placeholder="Sort" />
-                    </SelectTrigger>
-                    <SelectContent>
-                      {RESOURCE_SORT_OPTIONS.map((option) => (
-                        <SelectItem key={option} value={option}>
-                          {RESOURCE_SORT_OPTION_LABELS[option]}
-                        </SelectItem>
-                      ))}
-                    </SelectContent>
-                  </Select>
-
-                  <Button
-                    type="button"
-                    size="icon"
-                    variant="outline"
-                    className="h-8 w-8"
-                    disabled={resourcesByType.playbooks.length === 0}
-                    aria-label={
-                      playbookSortDirection === "asc"
-                        ? "Sort ascending"
-                        : "Sort descending"
-                    }
-                    onClick={() =>
-                      setPlaybookSortDirection((prev) =>
-                        prev === "asc" ? "desc" : "asc"
-                      )
-                    }
-                  >
-                    {playbookSortDirection === "asc" ? (
-                      <ArrowUp className="h-3.5 w-3.5" />
-                    ) : (
-                      <ArrowDown className="h-3.5 w-3.5" />
-                    )}
-                  </Button>
-                </div>
-              </div>
-              <div className="overflow-hidden rounded-md border border-gray-200">
-                {resourcesByType.playbooks.length === 0 ? (
-                  <div className="p-3 text-sm text-gray-500">
-                    No playbooks found
-                  </div>
-                ) : (
-                  resourcesByType.playbooks.map((resource) => {
-                    const access =
-                      accessByResourceKey[getResourceKey(resource)] ??
-                      "default";
-
-                    return (
-                      <motion.div
-                        layout="position"
-                        initial={false}
-                        transition={ROW_LAYOUT_TRANSITION}
-                        key={resource.id}
-                        className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
-                      >
-                        <div className="flex min-w-0 items-center gap-2">
-                          <Icon
-                            name={resource.icon || "playbook"}
-                            className="h-4 w-4 text-gray-500"
-                          />
-                          <div className="min-w-0">
-                            <div className="truncate text-sm font-medium text-gray-900">
-                              {resource.displayName || resource.name}
-                            </div>
-                            {resource.subtitle ? (
-                              <div className="truncate text-xs text-gray-500">
-                                {resource.subtitle}
-                              </div>
-                            ) : null}
-                          </div>
-                        </div>
-
-                        <div className="flex items-center gap-2">
-                          {getEffectiveBadge(resource)}
-                          {!isListLocked ? (
-                            <TriStateAccessSwitch
-                              value={access}
-                              disabled={
-                                Boolean(mutatingResourceIds[resource.id]) ||
-                                isSubmitting
-                              }
-                              onChange={(access) =>
-                                onSetResourceAccess(resource, access)
-                              }
-                            />
-                          ) : null}
-                        </div>
-                      </motion.div>
-                    );
-                  })
-                )}
-              </div>
-            </div>
+            <ResourceList
+              title="Playbooks"
+              emptyMessage="No playbooks found"
+              defaultIcon="playbook"
+              resources={resourcesByType.playbooks}
+              sort={playbookSort}
+              sortDirection={playbookSortDirection}
+              onSortChange={setPlaybookSort}
+              onSortDirectionToggle={() =>
+                setPlaybookSortDirection((prev) =>
+                  prev === "asc" ? "desc" : "asc"
+                )
+              }
+              bulkAccess={bulkAccessByKind.playbook}
+              onBulkAccessChange={(access) =>
+                onSetManyResourceAccess(resourcesByType.playbooks, access)
+              }
+              accessByResourceKey={accessByResourceKey}
+              getResourceKey={getResourceKey}
+              getEffectiveBadge={getEffectiveBadge}
+              isListLocked={bulkAccessByKind.playbook !== "default"}
+              isSubmitting={isSubmitting}
+              mutatingResourceIds={mutatingResourceIds}
+              onSetResourceAccess={onSetResourceAccess}
+            />
 
-            <div className="space-y-2">
-              <div className="flex items-center justify-between gap-2">
-                <div className="text-xs font-semibold uppercase tracking-wide text-gray-500">
-                  Views
-                </div>
-                <div className="flex items-center gap-1">
-                  <Select
-                    value={viewSort}
-                    onValueChange={(value) =>
-                      setViewSort(value as ResourceSortOption)
-                    }
-                  >
-                    <SelectTrigger className="h-8 w-[140px] text-xs">
-                      <SelectValue placeholder="Sort" />
-                    </SelectTrigger>
-                    <SelectContent>
-                      {RESOURCE_SORT_OPTIONS.map((option) => (
-                        <SelectItem key={option} value={option}>
-                          {RESOURCE_SORT_OPTION_LABELS[option]}
-                        </SelectItem>
-                      ))}
-                    </SelectContent>
-                  </Select>
-
-                  <Button
-                    type="button"
-                    size="icon"
-                    variant="outline"
-                    className="h-8 w-8"
-                    disabled={resourcesByType.views.length === 0}
-                    aria-label={
-                      viewSortDirection === "asc"
-                        ? "Sort ascending"
-                        : "Sort descending"
-                    }
-                    onClick={() =>
-                      setViewSortDirection((prev) =>
-                        prev === "asc" ? "desc" : "asc"
-                      )
-                    }
-                  >
-                    {viewSortDirection === "asc" ? (
-                      <ArrowUp className="h-3.5 w-3.5" />
-                    ) : (
-                      <ArrowDown className="h-3.5 w-3.5" />
-                    )}
-                  </Button>
-                </div>
-              </div>
-              <div className="overflow-hidden rounded-md border border-gray-200">
-                {resourcesByType.views.length === 0 ? (
-                  <div className="p-3 text-sm text-gray-500">
-                    No views found
-                  </div>
-                ) : (
-                  resourcesByType.views.map((resource) => {
-                    const access =
-                      accessByResourceKey[getResourceKey(resource)] ??
-                      "default";
-
-                    return (
-                      <motion.div
-                        layout="position"
-                        initial={false}
-                        transition={ROW_LAYOUT_TRANSITION}
-                        key={resource.id}
-                        className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
-                      >
-                        <div className="flex min-w-0 items-center gap-2">
-                          <Icon
-                            name={resource.icon || "workflow"}
-                            className="h-4 w-4 text-gray-500"
-                          />
-                          <div className="min-w-0">
-                            <div className="truncate text-sm font-medium text-gray-900">
-                              {resource.displayName || resource.name}
-                            </div>
-                            {resource.subtitle ? (
-                              <div className="truncate text-xs text-gray-500">
-                                {resource.subtitle}
-                              </div>
-                            ) : null}
-                          </div>
-                        </div>
-
-                        <div className="flex items-center gap-2">
-                          {getEffectiveBadge(resource)}
-                          {!isListLocked ? (
-                            <TriStateAccessSwitch
-                              value={access}
-                              disabled={
-                                Boolean(mutatingResourceIds[resource.id]) ||
-                                isSubmitting
-                              }
-                              onChange={(access) =>
-                                onSetResourceAccess(resource, access)
-                              }
-                            />
-                          ) : null}
-                        </div>
-                      </motion.div>
-                    );
-                  })
-                )}
-              </div>
-            </div>
+            <ResourceList
+              title="Views"
+              emptyMessage="No views found"
+              defaultIcon="workflow"
+              resources={resourcesByType.views}
+              sort={viewSort}
+              sortDirection={viewSortDirection}
+              onSortChange={setViewSort}
+              onSortDirectionToggle={() =>
+                setViewSortDirection((prev) =>
+                  prev === "asc" ? "desc" : "asc"
+                )
+              }
+              bulkAccess={bulkAccessByKind.view}
+              onBulkAccessChange={(access) =>
+                onSetManyResourceAccess(resourcesByType.views, access)
+              }
+              accessByResourceKey={accessByResourceKey}
+              getResourceKey={getResourceKey}
+              getEffectiveBadge={getEffectiveBadge}
+              isListLocked={bulkAccessByKind.view !== "default"}
+              isSubmitting={isSubmitting}
+              mutatingResourceIds={mutatingResourceIds}
+              onSetResourceAccess={onSetResourceAccess}
+            />
           </div>
         </div>
       </div>

From 8d8bf5692877dcc1e16b5e0d705952c49fe4638b Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 16:38:36 +0545
Subject: [PATCH 47/48] perf(permissions): localize list sorting to reduce
 flicker

Move sort state and sorting logic into each ResourceList so sorting one list does not rerender the sibling list.

Memoize ResourceList and ResourceRow and stabilize bulk handlers in the parent.
---
 src/components/Permissions/ResourceList.tsx   | 102 ++++++++++-----
 src/components/Permissions/ResourceRow.tsx    |  18 ++-
 .../Permissions/ResourceSelectorPanel.tsx     | 118 ++++--------------
 3 files changed, 104 insertions(+), 134 deletions(-)

diff --git a/src/components/Permissions/ResourceList.tsx b/src/components/Permissions/ResourceList.tsx
index 6493b0682d..f28947b858 100644
--- a/src/components/Permissions/ResourceList.tsx
+++ b/src/components/Permissions/ResourceList.tsx
@@ -8,7 +8,7 @@ import {
 } from "@flanksource-ui/components/ui/select";
 import { Switch as SegmentedSwitch } from "@flanksource-ui/ui/FormControls/Switch";
 import { ArrowDown, ArrowUp } from "lucide-react";
-import { ReactNode } from "react";
+import { memo, useMemo, useState } from "react";
 import type {
   McpSubjectResource,
   ResourceAccess
@@ -19,8 +19,8 @@ const BULK_OPTIONS = ["Deny All", "Custom", "Allow All"] as const;
 type BulkOption = (typeof BULK_OPTIONS)[number];
 
 const RESOURCE_SORT_OPTIONS = ["deny", "allow", "alphabetical"] as const;
-export type ResourceSortOption = (typeof RESOURCE_SORT_OPTIONS)[number];
-export type ResourceSortDirection = "asc" | "desc";
+type ResourceSortOption = (typeof RESOURCE_SORT_OPTIONS)[number];
+type ResourceSortDirection = "asc" | "desc";
 
 const RESOURCE_SORT_OPTION_LABELS: Record<ResourceSortOption, string> = {
   deny: "Deny",
@@ -28,20 +28,29 @@ const RESOURCE_SORT_OPTION_LABELS: Record<ResourceSortOption, string> = {
   alphabetical: "Alphabetical"
 };
 
+function getSortRank(access: ResourceAccess, sortOption: ResourceSortOption) {
+  switch (sortOption) {
+    case "deny":
+      return access === "deny" ? 0 : access === "allow" ? 1 : 2;
+    case "allow":
+      return access === "allow" ? 0 : access === "deny" ? 1 : 2;
+    case "alphabetical":
+    default:
+      return 0;
+  }
+}
+
 type ResourceListProps = {
   title: string;
   emptyMessage: string;
   defaultIcon: string;
   resources: McpSubjectResource[];
-  sort: ResourceSortOption;
-  sortDirection: ResourceSortDirection;
-  onSortChange: (sort: ResourceSortOption) => void;
-  onSortDirectionToggle: () => void;
   bulkAccess: ResourceAccess;
   onBulkAccessChange: (access: ResourceAccess) => void;
   accessByResourceKey: Record<string, ResourceAccess>;
+  effectiveAccessByResourceKey: Record<string, boolean>;
+  hasEffectiveAccessResults: boolean;
   getResourceKey: (resource: McpSubjectResource) => string;
-  getEffectiveBadge: (resource: McpSubjectResource) => ReactNode;
   isListLocked: boolean;
   isSubmitting: boolean;
   mutatingResourceIds: Record<string, true>;
@@ -51,25 +60,47 @@ type ResourceListProps = {
   ) => Promise<void> | void;
 };
 
-export default function ResourceList({
+function ResourceList({
   title,
   emptyMessage,
   defaultIcon,
   resources,
-  sort,
-  sortDirection,
-  onSortChange,
-  onSortDirectionToggle,
   bulkAccess,
   onBulkAccessChange,
   accessByResourceKey,
+  effectiveAccessByResourceKey,
+  hasEffectiveAccessResults,
   getResourceKey,
-  getEffectiveBadge,
   isListLocked,
   isSubmitting,
   mutatingResourceIds,
   onSetResourceAccess
 }: ResourceListProps) {
+  const [sort, setSort] = useState<ResourceSortOption>("alphabetical");
+  const [sortDirection, setSortDirection] =
+    useState<ResourceSortDirection>("asc");
+
+  const sortedResources = useMemo(() => {
+    return [...resources].sort((a, b) => {
+      const aAccess = accessByResourceKey[getResourceKey(a)] ?? "default";
+      const bAccess = accessByResourceKey[getResourceKey(b)] ?? "default";
+
+      const rankDiff = getSortRank(aAccess, sort) - getSortRank(bAccess, sort);
+
+      if (rankDiff !== 0) {
+        return sortDirection === "asc" ? rankDiff : -rankDiff;
+      }
+
+      const nameDiff = (a.displayName || a.name).localeCompare(
+        b.displayName || b.name,
+        undefined,
+        { sensitivity: "base" }
+      );
+
+      return sortDirection === "asc" ? nameDiff : -nameDiff;
+    });
+  }, [accessByResourceKey, getResourceKey, resources, sort, sortDirection]);
+
   const bulkOptionValue: BulkOption =
     bulkAccess === "allow"
       ? "Allow All"
@@ -119,7 +150,7 @@ export default function ResourceList({
 
           <Select
             value={sort}
-            onValueChange={(value) => onSortChange(value as ResourceSortOption)}
+            onValueChange={(value) => setSort(value as ResourceSortOption)}
           >
             <SelectTrigger className="h-8 w-[140px] text-xs">
               <SelectValue placeholder="Sort" />
@@ -142,7 +173,9 @@ export default function ResourceList({
             aria-label={
               sortDirection === "asc" ? "Sort ascending" : "Sort descending"
             }
-            onClick={onSortDirectionToggle}
+            onClick={() =>
+              setSortDirection((prev) => (prev === "asc" ? "desc" : "asc"))
+            }
           >
             {sortDirection === "asc" ? (
               <ArrowUp className="h-3.5 w-3.5" />
@@ -154,26 +187,31 @@ export default function ResourceList({
       </div>
 
       <div className="overflow-hidden rounded-md border border-gray-200">
-        {resources.length === 0 ? (
+        {sortedResources.length === 0 ? (
           <div className="p-3 text-sm text-gray-500">{emptyMessage}</div>
         ) : (
-          resources.map((resource) => (
-            <ResourceRow
-              key={resource.id}
-              resource={resource}
-              access={
-                accessByResourceKey[getResourceKey(resource)] ?? "default"
-              }
-              defaultIcon={defaultIcon}
-              effectiveBadge={getEffectiveBadge(resource)}
-              isListLocked={isListLocked}
-              isSubmitting={isSubmitting}
-              isMutating={Boolean(mutatingResourceIds[resource.id])}
-              onSetResourceAccess={onSetResourceAccess}
-            />
-          ))
+          sortedResources.map((resource) => {
+            const key = getResourceKey(resource);
+
+            return (
+              <ResourceRow
+                key={resource.id}
+                resource={resource}
+                access={accessByResourceKey[key] ?? "default"}
+                defaultIcon={defaultIcon}
+                showEffectiveBadge={hasEffectiveAccessResults}
+                isAllowed={effectiveAccessByResourceKey[key] === true}
+                isListLocked={isListLocked}
+                isSubmitting={isSubmitting}
+                isMutating={Boolean(mutatingResourceIds[resource.id])}
+                onSetResourceAccess={onSetResourceAccess}
+              />
+            );
+          })
         )}
       </div>
     </div>
   );
 }
+
+export default memo(ResourceList);
diff --git a/src/components/Permissions/ResourceRow.tsx b/src/components/Permissions/ResourceRow.tsx
index 99714ea33a..7faa0b0837 100644
--- a/src/components/Permissions/ResourceRow.tsx
+++ b/src/components/Permissions/ResourceRow.tsx
@@ -1,7 +1,8 @@
+import EffectiveAccessBadge from "@flanksource-ui/components/Permissions/EffectiveAccessBadge";
 import TriStateAccessSwitch from "@flanksource-ui/components/Permissions/TriStateAccessSwitch";
 import { Icon } from "@flanksource-ui/ui/Icons/Icon";
 import { motion } from "motion/react";
-import { ReactNode } from "react";
+import { memo } from "react";
 import type {
   McpSubjectResource,
   ResourceAccess
@@ -18,7 +19,8 @@ type ResourceRowProps = {
   resource: McpSubjectResource;
   access: ResourceAccess;
   defaultIcon: string;
-  effectiveBadge: ReactNode;
+  showEffectiveBadge: boolean;
+  isAllowed: boolean;
   isListLocked: boolean;
   isSubmitting: boolean;
   isMutating: boolean;
@@ -28,11 +30,12 @@ type ResourceRowProps = {
   ) => Promise<void> | void;
 };
 
-export default function ResourceRow({
+function ResourceRow({
   resource,
   access,
   defaultIcon,
-  effectiveBadge,
+  showEffectiveBadge,
+  isAllowed,
   isListLocked,
   isSubmitting,
   isMutating,
@@ -43,7 +46,6 @@ export default function ResourceRow({
       layout="position"
       initial={false}
       transition={ROW_LAYOUT_TRANSITION}
-      key={resource.id}
       className="flex items-center justify-between gap-3 border-b border-gray-200 p-3 last:border-b-0"
     >
       <div className="flex min-w-0 items-center gap-2">
@@ -64,7 +66,9 @@ export default function ResourceRow({
       </div>
 
       <div className="flex items-center gap-2">
-        {effectiveBadge}
+        {showEffectiveBadge ? (
+          <EffectiveAccessBadge isAllowed={isAllowed} />
+        ) : null}
         {!isListLocked ? (
           <TriStateAccessSwitch
             value={access}
@@ -76,3 +80,5 @@ export default function ResourceRow({
     </motion.div>
   );
 }
+
+export default memo(ResourceRow);
diff --git a/src/components/Permissions/ResourceSelectorPanel.tsx b/src/components/Permissions/ResourceSelectorPanel.tsx
index 84a07bcdc3..958a4635c5 100644
--- a/src/components/Permissions/ResourceSelectorPanel.tsx
+++ b/src/components/Permissions/ResourceSelectorPanel.tsx
@@ -1,15 +1,11 @@
 import { PermissionSubject } from "@flanksource-ui/api/services/permissions";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
-import EffectiveAccessBadge from "@flanksource-ui/components/Permissions/EffectiveAccessBadge";
-import ResourceList, {
-  ResourceSortDirection,
-  ResourceSortOption
-} from "@flanksource-ui/components/Permissions/ResourceList";
+import ResourceList from "@flanksource-ui/components/Permissions/ResourceList";
 import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
 import { Button } from "@flanksource-ui/components/ui/button";
 import { Input } from "@flanksource-ui/components/ui/input";
 import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
-import { useMemo, useState } from "react";
+import { useCallback, useMemo, useState } from "react";
 
 export type ResourceAccess = "deny" | "default" | "allow";
 
@@ -101,18 +97,6 @@ function getAccessState(
   return { access: "default" };
 }
 
-function getSortRank(access: ResourceAccess, sortOption: ResourceSortOption) {
-  switch (sortOption) {
-    case "deny":
-      return access === "deny" ? 0 : access === "allow" ? 1 : 2;
-    case "allow":
-      return access === "allow" ? 0 : access === "deny" ? 1 : 2;
-    case "alphabetical":
-    default:
-      return 0;
-  }
-}
-
 function getResourceKey(resource: McpSubjectResource) {
   return `${resource.kind}:${resource.id}`;
 }
@@ -131,13 +115,6 @@ export default function ResourceSelectorPanel({
   onSetManyResourceAccess
 }: ResourceSelectorPanelProps) {
   const [resourceSearch, setResourceSearch] = useState("");
-  const [playbookSort, setPlaybookSort] =
-    useState<ResourceSortOption>("alphabetical");
-  const [playbookSortDirection, setPlaybookSortDirection] =
-    useState<ResourceSortDirection>("asc");
-  const [viewSort, setViewSort] = useState<ResourceSortOption>("alphabetical");
-  const [viewSortDirection, setViewSortDirection] =
-    useState<ResourceSortDirection>("asc");
 
   const normalizedSearch = resourceSearch.trim().toLowerCase();
 
@@ -179,44 +156,8 @@ export default function ResourceSelectorPanel({
       }
     }
 
-    const sortResources = (
-      list: McpSubjectResource[],
-      sortOption: ResourceSortOption,
-      sortDirection: ResourceSortDirection
-    ) => {
-      return [...list].sort((a, b) => {
-        const aAccess = accessByResourceKey[getResourceKey(a)] ?? "default";
-        const bAccess = accessByResourceKey[getResourceKey(b)] ?? "default";
-
-        const rankDiff =
-          getSortRank(aAccess, sortOption) - getSortRank(bAccess, sortOption);
-
-        if (rankDiff !== 0) {
-          return sortDirection === "asc" ? rankDiff : -rankDiff;
-        }
-
-        const nameDiff = (a.displayName || a.name).localeCompare(
-          b.displayName || b.name,
-          undefined,
-          { sensitivity: "base" }
-        );
-
-        return sortDirection === "asc" ? nameDiff : -nameDiff;
-      });
-    };
-
-    return {
-      playbooks: sortResources(playbooks, playbookSort, playbookSortDirection),
-      views: sortResources(views, viewSort, viewSortDirection)
-    };
-  }, [
-    accessByResourceKey,
-    filteredResources,
-    playbookSort,
-    playbookSortDirection,
-    viewSort,
-    viewSortDirection
-  ]);
+    return { playbooks, views };
+  }, [filteredResources]);
 
   const bulkAccessByKind = useMemo(() => {
     const subjectType = mapSubjectType(selectedSubject.type);
@@ -254,16 +195,19 @@ export default function ResourceSelectorPanel({
     };
   }, [permissions, selectedSubject]);
 
-  const getEffectiveBadge = (resource: McpSubjectResource) => {
-    if (!hasEffectiveAccessResults) {
-      return null;
-    }
-
-    const isAllowed =
-      effectiveAccessByResourceKey[getResourceKey(resource)] === true;
+  const onSetPlaybookBulkAccess = useCallback(
+    (access: ResourceAccess) => {
+      onSetManyResourceAccess(resourcesByType.playbooks, access);
+    },
+    [onSetManyResourceAccess, resourcesByType.playbooks]
+  );
 
-    return <EffectiveAccessBadge isAllowed={isAllowed} />;
-  };
+  const onSetViewBulkAccess = useCallback(
+    (access: ResourceAccess) => {
+      onSetManyResourceAccess(resourcesByType.views, access);
+    },
+    [onSetManyResourceAccess, resourcesByType.views]
+  );
 
   return (
     <div className="flex min-h-0 flex-1 flex-col">
@@ -311,21 +255,12 @@ export default function ResourceSelectorPanel({
               emptyMessage="No playbooks found"
               defaultIcon="playbook"
               resources={resourcesByType.playbooks}
-              sort={playbookSort}
-              sortDirection={playbookSortDirection}
-              onSortChange={setPlaybookSort}
-              onSortDirectionToggle={() =>
-                setPlaybookSortDirection((prev) =>
-                  prev === "asc" ? "desc" : "asc"
-                )
-              }
               bulkAccess={bulkAccessByKind.playbook}
-              onBulkAccessChange={(access) =>
-                onSetManyResourceAccess(resourcesByType.playbooks, access)
-              }
+              onBulkAccessChange={onSetPlaybookBulkAccess}
               accessByResourceKey={accessByResourceKey}
+              effectiveAccessByResourceKey={effectiveAccessByResourceKey}
+              hasEffectiveAccessResults={hasEffectiveAccessResults}
               getResourceKey={getResourceKey}
-              getEffectiveBadge={getEffectiveBadge}
               isListLocked={bulkAccessByKind.playbook !== "default"}
               isSubmitting={isSubmitting}
               mutatingResourceIds={mutatingResourceIds}
@@ -337,21 +272,12 @@ export default function ResourceSelectorPanel({
               emptyMessage="No views found"
               defaultIcon="workflow"
               resources={resourcesByType.views}
-              sort={viewSort}
-              sortDirection={viewSortDirection}
-              onSortChange={setViewSort}
-              onSortDirectionToggle={() =>
-                setViewSortDirection((prev) =>
-                  prev === "asc" ? "desc" : "asc"
-                )
-              }
               bulkAccess={bulkAccessByKind.view}
-              onBulkAccessChange={(access) =>
-                onSetManyResourceAccess(resourcesByType.views, access)
-              }
+              onBulkAccessChange={onSetViewBulkAccess}
               accessByResourceKey={accessByResourceKey}
+              effectiveAccessByResourceKey={effectiveAccessByResourceKey}
+              hasEffectiveAccessResults={hasEffectiveAccessResults}
               getResourceKey={getResourceKey}
-              getEffectiveBadge={getEffectiveBadge}
               isListLocked={bulkAccessByKind.view !== "default"}
               isSubmitting={isSubmitting}
               mutatingResourceIds={mutatingResourceIds}

From edcf9376bedbe0cc13dceda6f1e7f33b61867db2 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 13 Apr 2026 18:26:56 +0545
Subject: [PATCH 48/48] feat(permissions): add subjects tab with shared subject
 panel

---
 src/App.tsx                                   |   9 ++
 .../Permissions/PermissionSubjectPanel.tsx    |  72 ++++++++++
 .../Permissions/PermissionsTabsLinks.tsx      |  91 +++++++++++++
 src/pages/Settings/PermissionsPage.tsx        | 118 +++++++---------
 .../Settings/PermissionsSubjectsPage.tsx      | 126 ++++++++++++++++++
 .../Settings/mcp/McpSubjectAccessPage.tsx     |  55 ++------
 6 files changed, 355 insertions(+), 116 deletions(-)
 create mode 100644 src/components/Permissions/PermissionSubjectPanel.tsx
 create mode 100644 src/components/Permissions/PermissionsTabsLinks.tsx
 create mode 100644 src/pages/Settings/PermissionsSubjectsPage.tsx

diff --git a/src/App.tsx b/src/App.tsx
index 44222f00be..39fc0a7b5f 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -47,6 +47,7 @@ import { UserAccessStateContextProvider } from "./context/UserAccessContext/User
 import { tables } from "./context/UserAccessContext/permissions";
 
 import { PermissionsPage } from "./pages/Settings/PermissionsPage";
+import { PermissionsSubjectsPage } from "./pages/Settings/PermissionsSubjectsPage";
 import McpOverviewPage from "./pages/Settings/mcp/McpOverviewPage";
 import McpPlaybooksPage from "./pages/Settings/mcp/McpPlaybooksPage";
 import McpViewsPage from "./pages/Settings/mcp/McpViewsPage";
@@ -749,6 +750,14 @@ export function IncidentManagerRoutes({ sidebar }: { sidebar: ReactNode }) {
             "read"
           )}
         />
+        <Route
+          path="permissions/subjects"
+          element={withAuthorizationAccessCheck(
+            <PermissionsSubjectsPage />,
+            tables.permissions,
+            "read"
+          )}
+        />
         <Route
           path="scopes"
           element={withAuthorizationAccessCheck(
diff --git a/src/components/Permissions/PermissionSubjectPanel.tsx b/src/components/Permissions/PermissionSubjectPanel.tsx
new file mode 100644
index 0000000000..fdf21580a6
--- /dev/null
+++ b/src/components/Permissions/PermissionSubjectPanel.tsx
@@ -0,0 +1,72 @@
+import { PermissionSubject } from "@flanksource-ui/api/services/permissions";
+import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
+import { Input } from "@flanksource-ui/components/ui/input";
+
+export type PermissionSubjectGroup = {
+  type: PermissionSubject["type"];
+  list: PermissionSubject[];
+};
+
+type PermissionSubjectPanelProps = {
+  subjectSearch: string;
+  onSubjectSearchChange: (value: string) => void;
+  groupedSubjects: PermissionSubjectGroup[];
+  selectedSubjectId: string | null;
+  onSelectSubject: (subjectId: string) => void;
+};
+
+const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
+  person: "person",
+  access_token_person: "access token",
+  team: "team",
+  role: "role",
+  permission_subject_group: "group"
+};
+
+export default function PermissionSubjectPanel({
+  subjectSearch,
+  onSubjectSearchChange,
+  groupedSubjects,
+  selectedSubjectId,
+  onSelectSubject
+}: PermissionSubjectPanelProps) {
+  return (
+    <div className="flex w-[320px] shrink-0 flex-col">
+      <Input
+        placeholder="Search subjects..."
+        value={subjectSearch}
+        onChange={(event) => onSubjectSearchChange(event.target.value)}
+      />
+
+      <div className="mt-3 min-h-0 flex-1 space-y-3 overflow-y-auto">
+        {groupedSubjects.map((group) => (
+          <div key={group.type} className="space-y-1">
+            <div className="px-2 text-xs font-semibold uppercase tracking-wide text-gray-500">
+              {TYPE_LABELS[group.type] ?? group.type}
+            </div>
+
+            {group.list.map((subject) => {
+              const isActive = subject.id === selectedSubjectId;
+
+              return (
+                <button
+                  key={subject.id}
+                  type="button"
+                  onClick={() => onSelectSubject(subject.id)}
+                  className={`flex w-full items-center gap-2 rounded px-2 py-1.5 text-left text-sm transition-colors ${
+                    isActive
+                      ? "bg-blue-50 text-blue-800"
+                      : "text-gray-800 hover:bg-gray-50"
+                  }`}
+                >
+                  <SubjectAvatar subject={subject} size="xs" />
+                  <span className="truncate">{subject.name}</span>
+                </button>
+              );
+            })}
+          </div>
+        ))}
+      </div>
+    </div>
+  );
+}
diff --git a/src/components/Permissions/PermissionsTabsLinks.tsx b/src/components/Permissions/PermissionsTabsLinks.tsx
new file mode 100644
index 0000000000..d74f54c387
--- /dev/null
+++ b/src/components/Permissions/PermissionsTabsLinks.tsx
@@ -0,0 +1,91 @@
+import {
+  BreadcrumbChild,
+  BreadcrumbNav,
+  BreadcrumbRoot
+} from "@flanksource-ui/ui/BreadcrumbNav";
+import { Head } from "@flanksource-ui/ui/Head";
+import { SearchLayout } from "@flanksource-ui/ui/Layout/SearchLayout";
+import TabbedLinks from "@flanksource-ui/ui/Tabs/TabbedLinks";
+import clsx from "clsx";
+import { useMemo } from "react";
+import { useSearchParams } from "react-router-dom";
+import ConfigSidebar from "../Configs/Sidebar/ConfigSidebar";
+import { ErrorBoundary } from "../ErrorBoundary";
+
+type PermissionsTabsLinksProps = {
+  activeTab: "Permissions" | "Subjects";
+  children: React.ReactNode;
+  className?: string;
+  onRefresh?: () => void;
+  loading?: boolean;
+  headerAction?: React.ReactNode;
+};
+
+export default function PermissionsTabsLinks({
+  activeTab,
+  children,
+  className,
+  onRefresh = () => {},
+  loading = false,
+  headerAction
+}: PermissionsTabsLinksProps) {
+  const [searchParams] = useSearchParams();
+
+  const tabLinks = useMemo(() => {
+    const query = searchParams.toString();
+    const search = query ? `?${query}` : "";
+
+    return [
+      {
+        label: "Permissions",
+        path: "/settings/permissions",
+        key: "Permissions",
+        search
+      },
+      {
+        label: "Subjects",
+        path: "/settings/permissions/subjects",
+        key: "Subjects",
+        search
+      }
+    ];
+  }, [searchParams]);
+
+  return (
+    <>
+      <Head prefix={`Permissions - ${activeTab}`} />
+      <SearchLayout
+        title={
+          <BreadcrumbNav
+            list={[
+              <BreadcrumbRoot key="permissions" link="/settings/permissions">
+                Permissions
+              </BreadcrumbRoot>,
+              <BreadcrumbChild key={activeTab}>{activeTab}</BreadcrumbChild>,
+              ...(headerAction ? [headerAction] : [])
+            ]}
+          />
+        }
+        onRefresh={onRefresh}
+        loading={loading}
+        contentClass="p-0 h-full overflow-y-hidden"
+      >
+        <div className="flex h-full flex-row">
+          <div className="flex flex-1 flex-col">
+            <TabbedLinks
+              activeTabName={activeTab}
+              tabLinks={tabLinks}
+              contentClassName={clsx(
+                "bg-white border border-t-0 border-gray-300 flex-1 overflow-y-auto",
+                className
+              )}
+            >
+              <ErrorBoundary>{children}</ErrorBoundary>
+            </TabbedLinks>
+          </div>
+          <ConfigSidebar />
+        </div>
+      </SearchLayout>
+    </>
+  );
+}
diff --git a/src/pages/Settings/PermissionsPage.tsx b/src/pages/Settings/PermissionsPage.tsx
index 0e4fda18dd..5d00eba87f 100644
--- a/src/pages/Settings/PermissionsPage.tsx
+++ b/src/pages/Settings/PermissionsPage.tsx
@@ -1,19 +1,14 @@
 import { AuthorizationAccessCheck } from "@flanksource-ui/components/Permissions/AuthorizationAccessCheck";
 import AddPermissionButton from "@flanksource-ui/components/Permissions/ManagePermissions/Forms/AddPermissionButton";
+import PermissionsTabsLinks from "@flanksource-ui/components/Permissions/PermissionsTabsLinks";
 import PermissionsView, {
   permissionsActionsList
 } from "@flanksource-ui/components/Permissions/PermissionsView";
+import { ReactSelectDropdown } from "@flanksource-ui/components/ReactSelectDropdown";
 import { tables } from "@flanksource-ui/context/UserAccessContext/permissions";
-import {
-  BreadcrumbNav,
-  BreadcrumbRoot
-} from "@flanksource-ui/ui/BreadcrumbNav";
-import { Head } from "@flanksource-ui/ui/Head";
-import { SearchLayout } from "@flanksource-ui/ui/Layout/SearchLayout";
-import { useMemo, useRef, useState } from "react";
 import { parseTristateKeyState } from "@flanksource-ui/ui/Dropdowns/TristateReactSelect";
+import { useMemo, useRef, useState } from "react";
 import { useSearchParams } from "react-router-dom";
-import { ReactSelectDropdown } from "@flanksource-ui/components/ReactSelectDropdown";
 
 export function PermissionsPage() {
   const [isLoading, setIsLoading] = useState(false);
@@ -63,68 +58,53 @@ export function PermissionsPage() {
   );
 
   return (
-    <>
-      <Head prefix="Permissions" />
-      <SearchLayout
-        title={
-          <BreadcrumbNav
-            list={[
-              <BreadcrumbRoot
-                link="/settings/permissions"
-                key="permissions-root-item"
-              >
-                Permissions
-              </BreadcrumbRoot>,
-              <AuthorizationAccessCheck
-                key={"add-button"}
-                resource={tables.permissions}
-                action="write"
-              >
-                <AddPermissionButton />
-              </AuthorizationAccessCheck>
-            ]}
+    <PermissionsTabsLinks
+      activeTab="Permissions"
+      loading={isLoading}
+      onRefresh={() => refetchFunctionRef.current?.()}
+      headerAction={
+        <AuthorizationAccessCheck
+          key={"add-button"}
+          resource={tables.permissions}
+          action="write"
+        >
+          <AddPermissionButton />
+        </AuthorizationAccessCheck>
+      }
+    >
+      <div className="flex h-full flex-col overflow-y-auto px-6 pb-0">
+        <div className="flex flex-row items-center py-4">
+          <ReactSelectDropdown
+            name="permissions-action-filter"
+            items={actionOptions}
+            value={actionFilter}
+            onChange={(value) => {
+              const nextParams = new URLSearchParams(searchParams);
+              if (!value || value === "all") {
+                nextParams.delete("action");
+              } else {
+                nextParams.set("action", value);
+              }
+              setSearchParams(nextParams);
+            }}
+            className="min-w-[180px]"
+            dropDownClassNames="w-[260px] left-0"
+            hideControlBorder
+            prefix={<span className="text-xs text-gray-500">Action:</span>}
+          />
+        </div>
+        <div className="flex h-full flex-col overflow-y-auto pb-6">
+          <PermissionsView
+            permissionRequest={{
+              ...(rawActionFilter !== "all" ? { action: rawActionFilter } : {})
+            }}
+            setIsLoading={setIsLoading}
+            onRefetch={(refetch) => {
+              refetchFunctionRef.current = refetch;
+            }}
           />
-        }
-        onRefresh={() => refetchFunctionRef.current?.()}
-        contentClass="p-0 h-full"
-        loading={isLoading}
-      >
-        <div className="flex h-full flex-col overflow-y-auto px-6 pb-0">
-          <div className="flex flex-row items-center py-4">
-            <ReactSelectDropdown
-              name="permissions-action-filter"
-              items={actionOptions}
-              value={actionFilter}
-              onChange={(value) => {
-                const nextParams = new URLSearchParams(searchParams);
-                if (!value || value === "all") {
-                  nextParams.delete("action");
-                } else {
-                  nextParams.set("action", value);
-                }
-                setSearchParams(nextParams);
-              }}
-              className="min-w-[180px]"
-              dropDownClassNames="w-[260px] left-0"
-              hideControlBorder
-              prefix={<span className="text-xs text-gray-500">Action:</span>}
-            />
-          </div>
-          <div className="flex h-full flex-col overflow-y-auto pb-6">
-            <PermissionsView
-              permissionRequest={{
-                ...(rawActionFilter !== "all"
-                  ? { action: rawActionFilter }
-                  : {})
-              }}
-              setIsLoading={setIsLoading}
-              onRefetch={(refetch) => {
-                refetchFunctionRef.current = refetch;
-              }}
-            />
-          </div>
         </div>
-      </SearchLayout>
-    </>
+      </div>
+    </PermissionsTabsLinks>
   );
 }
diff --git a/src/pages/Settings/PermissionsSubjectsPage.tsx b/src/pages/Settings/PermissionsSubjectsPage.tsx
new file mode 100644
index 0000000000..d68e3765b4
--- /dev/null
+++ b/src/pages/Settings/PermissionsSubjectsPage.tsx
@@ -0,0 +1,126 @@
+import { fetchAllPermissionSubjects } from "@flanksource-ui/api/services/permissions";
+import PermissionSubjectPanel, {
+  PermissionSubjectGroup
+} from "@flanksource-ui/components/Permissions/PermissionSubjectPanel";
+import PermissionsTabsLinks from "@flanksource-ui/components/Permissions/PermissionsTabsLinks";
+import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
+import { useQuery } from "@tanstack/react-query";
+import { useEffect, useMemo, useState } from "react";
+
+const SUBJECT_TYPE_ORDER = {
+  role: 0,
+  permission_subject_group: 1,
+  team: 2,
+  person: 3,
+  access_token_person: 4
+} as const;
+
+export function PermissionsSubjectsPage() {
+  const [subjectSearch, setSubjectSearch] = useState("");
+  const [selectedSubjectId, setSelectedSubjectId] = useState<string | null>(
+    null
+  );
+
+  const debouncedSearch = useDebouncedValue(subjectSearch, 200) ?? "";
+
+  const {
+    data: subjects = [],
+    isLoading,
+    isRefetching,
+    refetch
+  } = useQuery({
+    queryKey: ["permissions", "subjects", "all"],
+    queryFn: fetchAllPermissionSubjects
+  });
+
+  const sortedSubjects = useMemo(() => {
+    const loweredSearch = debouncedSearch.trim().toLowerCase();
+
+    return subjects
+      .filter((subject) => {
+        if (!loweredSearch) {
+          return true;
+        }
+
+        return subject.name.toLowerCase().includes(loweredSearch);
+      })
+      .sort((a, b) => {
+        const typeOrder =
+          SUBJECT_TYPE_ORDER[a.type] - SUBJECT_TYPE_ORDER[b.type];
+        if (typeOrder !== 0) {
+          return typeOrder;
+        }
+
+        return a.name.localeCompare(b.name, undefined, { sensitivity: "base" });
+      });
+  }, [debouncedSearch, subjects]);
+
+  const groupedSubjects = useMemo<PermissionSubjectGroup[]>(() => {
+    const grouped = new Map<PermissionSubjectGroup["type"], typeof subjects>();
+
+    for (const subject of sortedSubjects) {
+      const list = grouped.get(subject.type) ?? [];
+      list.push(subject);
+      grouped.set(subject.type, list);
+    }
+
+    return Array.from(grouped.entries()).map(([type, list]) => ({
+      type,
+      list
+    }));
+  }, [sortedSubjects]);
+
+  useEffect(() => {
+    if (
+      selectedSubjectId &&
+      sortedSubjects.some((subject) => subject.id === selectedSubjectId)
+    ) {
+      return;
+    }
+
+    setSelectedSubjectId(sortedSubjects[0]?.id ?? null);
+  }, [selectedSubjectId, sortedSubjects]);
+
+  const selectedSubject = useMemo(
+    () =>
+      sortedSubjects.find((subject) => subject.id === selectedSubjectId) ??
+      null,
+    [selectedSubjectId, sortedSubjects]
+  );
+
+  return (
+    <PermissionsTabsLinks
+      activeTab="Subjects"
+      loading={isLoading || isRefetching}
+      onRefresh={() => refetch()}
+    >
+      <div className="flex h-full min-h-0 w-full flex-1 flex-col gap-4 p-6 pb-6">
+        <div>
+          <h3 className="text-lg font-semibold text-gray-900">Subjects</h3>
+          <p className="text-sm text-gray-600">
+            Browse permission subjects. Subject details and actions will be
+            added here.
+          </p>
+        </div>
+
+        <div className="flex min-h-0 flex-1 gap-4">
+          <PermissionSubjectPanel
+            subjectSearch={subjectSearch}
+            onSubjectSearchChange={setSubjectSearch}
+            groupedSubjects={groupedSubjects}
+            selectedSubjectId={selectedSubjectId}
+            onSelectSubject={setSelectedSubjectId}
+          />
+
+          <div className="min-h-0 min-w-0 flex-1 lg:max-w-3xl">
+            <div className="flex h-full items-center justify-center rounded-md border border-dashed border-gray-200 p-4 text-sm text-gray-500">
+              {selectedSubject
+                ? `Selected subject: ${selectedSubject.name}`
+                : "Select a subject."}
+            </div>
+          </div>
+        </div>
+      </div>
+    </PermissionsTabsLinks>
+  );
+}
diff --git a/src/pages/Settings/mcp/McpSubjectAccessPage.tsx b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
index e3bf4eb7ed..ddeeda5937 100644
--- a/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
+++ b/src/pages/Settings/mcp/McpSubjectAccessPage.tsx
@@ -15,16 +15,15 @@ import {
 import { getAllViews } from "@flanksource-ui/api/services/views";
 import { PermissionsSummary } from "@flanksource-ui/api/types/permissions";
 import McpTabsLinks from "@flanksource-ui/components/MCP/McpTabsLinks";
+import PermissionSubjectPanel from "@flanksource-ui/components/Permissions/PermissionSubjectPanel";
 import ResourceSelectorPanel, {
   McpSubjectResource,
   ResourceAccess
 } from "@flanksource-ui/components/Permissions/ResourceSelectorPanel";
-import SubjectAvatar from "@flanksource-ui/components/Permissions/SubjectAvatar";
 import {
   toastError,
   toastSuccess
 } from "@flanksource-ui/components/Toast/toast";
-import { Input } from "@flanksource-ui/components/ui/input";
 import { useUser } from "@flanksource-ui/context";
 import { mapSubjectType } from "@flanksource-ui/lib/permissions/mcpPermissionCardMappings";
 import useDebouncedValue from "@flanksource-ui/hooks/useDebounce";
@@ -39,14 +38,6 @@ const SUBJECT_TYPE_ORDER: Record<PermissionSubject["type"], number> = {
   access_token_person: 4
 };
 
-const TYPE_LABELS: Record<PermissionSubject["type"], string> = {
-  person: "person",
-  access_token_person: "access token",
-  team: "team",
-  role: "role",
-  permission_subject_group: "group"
-};
-
 function getPermissionRefs(
   permission: PermissionsSummary,
   kind: "playbook" | "view"
@@ -529,43 +520,13 @@ export default function McpSubjectAccessPage() {
         </div>
 
         <div className="flex min-h-0 flex-1 gap-4">
-          <div className="flex w-[320px] shrink-0 flex-col">
-            <Input
-              placeholder="Search subjects..."
-              value={subjectSearch}
-              onChange={(event) => setSubjectSearch(event.target.value)}
-            />
-
-            <div className="mt-3 min-h-0 flex-1 space-y-3 overflow-y-auto">
-              {groupedSubjects.map((group) => (
-                <div key={group.type} className="space-y-1">
-                  <div className="px-2 text-xs font-semibold uppercase tracking-wide text-gray-500">
-                    {TYPE_LABELS[group.type] ?? group.type}
-                  </div>
-
-                  {group.list.map((subject) => {
-                    const isActive = subject.id === selectedSubjectId;
-
-                    return (
-                      <button
-                        key={subject.id}
-                        type="button"
-                        onClick={() => setSelectedSubjectId(subject.id)}
-                        className={`flex w-full items-center gap-2 rounded px-2 py-1.5 text-left text-sm transition-colors ${
-                          isActive
-                            ? "bg-blue-50 text-blue-800"
-                            : "text-gray-800 hover:bg-gray-50"
-                        }`}
-                      >
-                        <SubjectAvatar subject={subject} size="xs" />
-                        <span className="truncate">{subject.name}</span>
-                      </button>
-                    );
-                  })}
-                </div>
-              ))}
-            </div>
-          </div>
+          <PermissionSubjectPanel
+            subjectSearch={subjectSearch}
+            onSubjectSearchChange={setSubjectSearch}
+            groupedSubjects={groupedSubjects}
+            selectedSubjectId={selectedSubjectId}
+            onSelectSubject={setSelectedSubjectId}
+          />
 
           <div className="min-h-0 min-w-0 flex-1 lg:max-w-3xl">
             {selectedSubject ? (