Cache Admin API scopes returned by preview store creation#7948
Merged
Conversation
Contributor
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
This was referenced Jun 28, 2026
The preview store creation endpoint now returns admin_api_scopes (e.g. read_themes, write_themes) alongside the admin API token. Parse this list and persist it in the local store-auth session cache instead of an empty array, mirroring how store auth stores granted scopes. Backends that predate the field omit it, so we default to an empty list. Assisted-By: devx/f38d0794-3b14-4a2a-a849-b95ae665f83d
7554acb to
7e206fe
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Captures the Admin API scopes returned by the preview store creation API and persists them into the local store-auth session cache, so downstream commands can accurately reflect what a preview store token is permitted to do.
Changes:
- Parse
admin_api_scopesfrom the preview store create response intoadminApiScopes: string[]and treat it as a required response field. - Persist the returned scopes into the stored preview-session (
scopes) instead of hardcoding[]. - Add/adjust unit tests to cover required-field enforcement, filtering non-string entries, and persistence behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| packages/store/src/cli/services/store/create/preview/index.ts | Stores response.adminApiScopes into the preview session cache (scopes) when persisting the created store session. |
| packages/store/src/cli/services/store/create/preview/index.test.ts | Updates preview-create service tests to include and assert persisted scopes (including empty-scope cases). |
| packages/store/src/cli/services/store/create/preview/client.ts | Adds admin_api_scopes parsing/validation (required) and returns it as adminApiScopes. |
| packages/store/src/cli/services/store/create/preview/client.test.ts | Adds tests for omitted scopes (reject) and non-string scope filtering; updates existing tests for the new field. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
isaacroldan
approved these changes
Jun 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

WHY are these changes introduced?
Preview stores aren't a logged-in experience, so the Admin API scopes granted to their token are fixed at creation time — there's no OAuth flow to grant more later. Following shop/world#869091, the preview store creation API now returns an
admin_api_scopesfield alongside theadmin_api_token. The CLI needs to capture and persist those scopes (just likestore authstashes granted scopes) so later commands can surface what the token is actually allowed to do.This is the first PR in a stack:
store info --json.store authearly for preview stores #7950 — Exitstore authearly for preview stores, listing the preapproved scopes.WHAT is this pull request doing?
client.ts: parse the newadmin_api_scopesfield from the preview store create response intoadminApiScopes: string[]onPreviewStoreCreateResponse. The field is treated as required (assuming an updated backend) — a response missing it throws"Preview store creation response is missing required fields.", consistent with the other required fields. Non-string entries are filtered out defensively, and an empty array is accepted.index.ts: persistresponse.adminApiScopesinto the localStoredStoreAppSessioncache (scopes:) instead of the previously hardcoded empty array, mirroring howstore authcaches granted scopes.No changeset — preview stores aren't released yet, and this only changes cached data (no user-visible behavior).
How to test your changes?
admin_api_scopes.Unit tests cover: parsing the scopes, rejecting a response that omits the field, dropping non-string entries, and persisting the scopes into the session cache.
Checklist