feat(jira-wizard): add API-token-with-scopes auth-type selector (MNG-1744)#1491
Merged
Merged
Conversation
nhopeatall
approved these changes
Jul 10, 2026
nhopeatall
left a comment
Collaborator
There was a problem hiding this comment.
Summary
APPROVE — clean, tightly-scoped frontend-only change that implements all seven MNG-1744 acceptance criteria and is correctly wired end-to-end. Verified the two "already merged" backend dependencies actually accept what this PR sends, ran the affected tests (126 pass), and confirmed CI is 7/7 green.
Verification performed
- State/reducer —
jiraAuthTypedefaults to'basic';SET_JIRA_AUTH_TYPEsets the value and clearsverificationResult/verifyError. AggregatecreateInitialState()picks it up viacreateInitialJiraState(), andisJiraWizardAction(type.includes('JIRA')) routes the new action to the JIRA slice reducer. - Metadata path — adding
{ role: 'auth_type', stateField: 'jiraAuthType' }torawCredentialsdoes not regressareCredentialsReadyFromMetadata(field always non-empty) and makesbuildProviderAuthArgFromMetadataauto-includeauth_typein the verify/mutation bags. - Backend contracts confirmed present (not just assumed):
pm.discovery.discovercredentials schema isz.record(z.string(), z.string())— the extraauth_typekey is accepted, andjiraManifest.createDiscoveryProviderreadscreds.auth_typeviacoerceJiraAuthType.integrationsDiscovery.jiraProjectDetailsextendsjiraCredsInput, which declaresauthType: z.enum(['basic','scoped']).optional()and threads it intowithJiraCredentials.jiraManifest.createCustomFieldreadscredentials.auth_type, so the mutation bag that now carriesauth_typestill routes correctly.jiraConfigSchema.authTypeexists, sobuildIntegrationConfigpersistingauthTyperound-trips.
- Persistence boundary —
jiraAuthTypeis correctly kept out ofjiraCredentialPersistence(non-secret; persisted through configauthType, mirroringbase_url). - Pattern consistency — the
React.ComponentProps<typeof Button> & DataPropscast and Button-based segmented control match existing shared step components (label-mapping.tsx,trello/webhook-step.tsx);buildEditStatecorrectly returns no raw credential values.
Minor (optional, non-blocking)
SET_JIRA_AUTH_TYPEclears the verification result but leavesjiraProjects/jiraProjectDetailspopulated. If an operator verifies under one host, then switches token type and re-verifies, the auto-fetchuseEffectonly refetches whenjiraProjects.length === 0, so a stale project list from the prior host can persist. This is identical to the existingSET_JIRA_BASE_URL/SET_JIRA_EMAILbehavior (both also change the host and don't reset the project list), so it's consistent rather than a new regression — noting only becauseauth_typeis explicitly a host-routing switch. Not a merge blocker.
🕵️ claude-code · claude-opus-4-8 · run details
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the API-token vs API-token-with-scopes selector to the JIRA setup wizard (MNG-1744). Operators can now pick the JIRA auth mode in the wizard; the choice is persisted to integration config, hydrated in edit mode, and threaded into the discovery/verification credential bags as
auth_type.This is a frontend-only story. The backend already persists (
jiraConfigSchema.authType— MNG-1736) and consumes (auth_type/authTypein discovery + verification — MNG-1743) the value; both dependencies are merged.Issue: https://linear.app/issue/MNG-1744
What changed
web/src/components/projects/pm-providers/jira/state.tsJiraWizardAuthType = 'basic' | 'scoped'union (single source of truth to prevent drift with the aggregate state type).jiraAuthTypefield added toJiraWizardStateSlice(default'basic').SET_JIRA_AUTH_TYPEaction + reducer case that sets the value and clearsverificationResult/verifyError(auth mode changes the host verification runs against, so a prior "Verified as …" result is stale).web/src/components/projects/pm-wizard-state.tsjiraAuthTypeinto the aggregateWizardState. The action is auto-composed via the existingJiraWizardActionunion; initial state flows throughcreateInitialJiraState(); reducer routing already delegates JIRA actions.web/src/components/projects/pm-providers/jira/wizard.tsJiraCredentialsAdapternow renders abasic/scopedsegmented control (shadcnButtonprimitives, SSR-safe — no raw radio/select) above the credential inputs, with per-option helper text (scoped ⇒api.atlassian.comgateway + granular scopes; basic ⇒ classic site-URL REST API). Wired toSET_JIRA_AUTH_TYPE.buildIntegrationConfigpersistsauthType.buildEditStatehydratesjiraAuthTypefrominitialConfig.authType ?? 'basic'(legacy configs without the field default to basic).web/src/components/projects/pm-providers/jira/auth.ts{ role: 'auth_type', stateField: 'jiraAuthType' }tojiraAuthMetadata.rawCredentials. BecausejiraAuthTypealways has a value,areCredentialsReadyFromMetadatastill enables the Verify button andbuildProviderAuthArgFromMetadataauto-includesauth_typein the verify credential bag.web/src/components/projects/pm-providers/jira/hooks.tsauth_type: state.jiraAuthTypeinto thejiraProjectsMutationcredentials bag andauthType: state.jiraAuthTypeinto thejiraProjectDetailsdiscovery call, so project/detail discovery routes through the correct host.UX wording
Presented as a host-routing / security-scope choice, not a different auth protocol (per MNG-1735 research). Both modes still authenticate via
email:api_token; the helper text avoids implying Bearer/OAuth setup.Tests
pm-wizard-state.test.ts—jiraAuthTypedefault (basic),SET_JIRA_AUTH_TYPEaction (sets value + clears verification, via both the slice reducer and the aggregate reducer), edit-mode hydration (scoped from config; basic fallback for legacy config).pm-wizard-hooks.test.ts—auth_typepresent in the verify / discovery credential bags for both basic (default) and scoped;rawCredentialsrole list includesauth_type→jiraAuthType;buildIntegrationConfigpersistsauthType.jira-credentials-auth-type.test.ts(new) — renders the selector + helper text (basic ⇒ "site URL"; scoped ⇒ "api.atlassian.com"), credential inputs still present, selected state reflectsjiraAuthType, and the control dispatchesSET_JIRA_AUTH_TYPE.All
tests/unit/web(724 tests), PM conformance, and JIRA provider tests pass.biome checkand webtsc --noEmitare clean.Out of scope
Backend routing / discovery threading (MNG-1743) and config/credential persistence shape (MNG-1736) — both already merged.
🤖 Generated with Claude Code
🕵️ claude-code · claude-opus-4-8 · run details