feat: scope and preselect PAT org role in create dialog

[rohanchkrabrty]

Summary

• Scope the organization-role select to the requesting user's permission level: members without org update permission now only see non-admin roles. Uses a single BatchCheckPermission self-check; no privilege escalation since the backend already caps a PAT at min(user role, PAT scope).
• Auto-preselect the org role when exactly one option is available, gated on both the roles and permission queries having settled — fixes a first-load race where the temporarily-filtered list could wrongly preselect a role.
• De-duplicate the org-update permission-string logic shared between the role filter and the admin check.
• Refetch PATs immediately on creation instead of on success-dialog close, removing the now-unused onClose handler.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Jun 17, 2026 10:03am

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Organization role dropdown now displays only roles you have permission to assign.
  • Organization role auto-selects when only one option is available.

• Bug Fixes

  • PAT list now updates immediately after creating a new PAT.

Walkthrough

The PAT form dialog gains permission-driven org role filtering: it queries org-update permissions via usePermissions, computes selectableOrgRoles, auto-selects the role when only one option is available, and gates loading state on the permissions fetch. PatsView is simplified to call refetch() directly on PAT creation instead of on success dialog close.

Changes

PAT Form Permission Filtering and Refetch Fix

Layer / File(s)	Summary
Permission imports, constants, and role-grant helper web/sdk/client/views/pat/components/pat-form-dialog.tsx	Adds the Role type import, imports usePermissions and shouldShowComponent, defines ORG_UPDATE_PERMISSION, and introduces a helper that checks whether a role grants the org-update permission.
Permission query, role filtering, auto-selection, and dropdown rendering web/sdk/client/views/pat/components/pat-form-dialog.tsx	Queries org-scoped permissions to derive canUpdateOrg and selectableOrgRoles, simplifies isOrgAdmin to reuse the same grant helper, adds an effect to auto-set orgRoleId when exactly one selectable role exists, extends isDataLoading to include the org-permissions fetch, and renders the Organization Role dropdown from selectableOrgRoles.
PAT creation refetch timing fix web/sdk/client/views/pat/pat-view.tsx	Moves refetch() into handlePATCreated for immediate list refresh on creation, removes handleSuccessDialogClose, and drops the onClose prop from PATCreatedDialog.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• rsbh
• paanSinghCoder
• rohilsurana

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

web/sdk/client/views/pat/components/pat-form-dialog.tsx (1)

494-499: 💤 Low value

Consider UX when editing a PAT with a no-longer-selectable role.

If a user edits a PAT whose org role grants org_update but the user no longer has that permission, the selected value won't appear in the dropdown options. The Select component may show the raw value or placeholder, causing confusion.

Since backend enforcement prevents privilege escalation anyway, this is a minor UX edge case — consider showing a disabled option for the current role or a hint message when this mismatch occurs.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6bd100d2-fb8a-4df6-96ba-dfe37bbf6981

📥 Commits

Reviewing files that changed from the base of the PR and between 36ed818 and f6b2dc3.

📒 Files selected for processing (2)

• web/sdk/client/views/pat/components/pat-form-dialog.tsx
• web/sdk/client/views/pat/pat-view.tsx

💤 Files with no reviewable changes (1)

• web/sdk/client/views/pat/pat-view.tsx

[coveralls]

Coverage Report for CI Build 27681163693

Warning

Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.
Quick fix: rebase this PR. Learn more →

Coverage remained the same at 43.631%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	37036
Covered Lines:	16159
Line Coverage:	43.63%
Coverage Strength:	12.39 hits per line

---

💛 - Coveralls