P2: Management UI

[GregorShear]

Dashboard UI for creating, browsing, and managing service accounts and their API keys. Uses Phase 1 GraphQL APIs with no backend changes.

Design doc: plans/service-accounts.md.

Scope

Service Accounts list (under tenant admin area):

• Table: display name, prefix, created by, created date, API key count
• Scoped to the admin's current tenant prefix
• "Create Service Account" action

Service Account detail:

• Display name (editable), prefix (read-only, set at creation)
• API keys list: label, created date, expires date, status (active / expired)
• "Create API Key" action with copy-once secret display + configurable lifetime
• "Revoke API Key" action per key
• "Disable Service Account" action with confirmation

API key creation UX:

1. Admin clicks "Create API Key"
2. Enters label (e.g., "GitHub Actions") and lifetime (dropdown: 90 days, 180 days, 1 year, custom)
3. System returns the flow_sa_-prefixed secret — ready to use as a Bearer token
4. Secret is displayed once in a copy-able field with a warning that it won't be shown again
5. Admin copies and configures their CI/CD system

Verification

• Create service account, create API key, copy secret → use in API call → works
• Secret display disappears on navigation — not retrievable
• Expired API keys show visual indicator
• Disable service account → shown as disabled in list