graphql-hive
diff --git a/‎.changeset/neat-ladybugs-pay.md
Lines changed: 16 additions & 0 deletions b/‎.changeset/neat-ladybugs-pay.md
Lines changed: 16 additions & 0 deletions
diff --git a/‎integration-tests/tests/api/organization-access-tokens.spec.ts
Lines changed: 1 addition & 1 deletion b/‎integration-tests/tests/api/organization-access-tokens.spec.ts
Lines changed: 1 addition & 1 deletion
diff --git a/‎integration-tests/tests/api/organization/members.spec.ts
Lines changed: 1 addition & 0 deletions b/‎integration-tests/tests/api/organization/members.spec.ts
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/services/api/src/modules/organization/lib/organization-access-token-permissions.ts
Lines changed: 3 additions & 3 deletions b/‎packages/services/api/src/modules/organization/lib/organization-access-token-permissions.ts
Lines changed: 3 additions & 3 deletions
diff --git a/‎packages/services/api/src/modules/organization/lib/organization-member-permissions.ts
Lines changed: 7 additions & 1 deletion b/‎packages/services/api/src/modules/organization/lib/organization-member-permissions.ts
Lines changed: 7 additions & 1 deletion
diff --git a/‎packages/services/api/src/modules/organization/module.graphql.ts
Lines changed: 9 additions & 0 deletions b/‎packages/services/api/src/modules/organization/module.graphql.ts
Lines changed: 9 additions & 0 deletions
diff --git a/‎packages/services/api/src/modules/organization/providers/organization-access-tokens.ts
Lines changed: 25 additions & 1 deletion b/‎packages/services/api/src/modules/organization/providers/organization-access-tokens.ts
Lines changed: 25 additions & 1 deletion
diff --git a/‎packages/services/api/src/modules/organization/resolvers/Organization.ts
Lines changed: 24 additions & 0 deletions b/‎packages/services/api/src/modules/organization/resolvers/Organization.ts
Lines changed: 24 additions & 0 deletions
diff --git a/‎packages/services/storage/src/index.ts
Lines changed: 0 additions & 1 deletion b/‎packages/services/storage/src/index.ts
Lines changed: 0 additions & 1 deletion
diff --git a/‎packages/web/app/package.json
Lines changed: 1 addition & 0 deletions b/‎packages/web/app/package.json
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,16 @@
+---
+'hive': minor
+---
+
+Add organization access tokens; a new way to issue access tokens for performing actions with the CLI
+and doing usage reporting.
+
+**Breaking Change:** The `usage` service now requires environment variables for Postgres
+(`POSTGRES_SSL`, `POSTGRES_HOST`, `POSTGRES_PORT`, `POSTGRES_DB`, `POSTGRES_USER`,
+`POSTGRES_PASSWORD`) and Redis (`REDIS_HOST`, `REDIS_PORT`, `REDIS_PASSWORD`, `REDIS_TLS_ENABLED`).
+
+For more information please refer to the organization access token documentation.
+
+- [Product Update: Organization-Level Access Tokens for Enhanced Security & Flexibility](https://the-guild.dev/graphql/hive/product-updates/2025-03-10-new-access-tokens)
+- [Migration Guide: Moving from Registry Access Tokens to Access Tokens](https://the-guild.dev/graphql/hive/docs/migration-guides/organization-access-tokens)
+- [Access Token Documentation](https://the-guild.dev/graphql/hive/docs/management/access-tokens)
@@ -129,7 +129,7 @@ test.concurrent('create: failure invalid title', async ({ expect }) => {
     {
       details: {
         description: null,
-        title: Can only contain letters, numbers, " ", '_', and '-'.,
+        title: Can only contain letters, numbers, " ", "_", and "-".,
       },
       message: Invalid input provided.,
     }
 
@@ -11,6 +11,7 @@ test.concurrent('owner of an organization should have all scopes', async ({ expe
     [
       organization:describe,
       support:manageTickets,
+      accessToken:modify,
       organization:modifySlug,
       auditLog:export,
       organization:delete,
 
@@ -18,14 +18,14 @@ export const permissionGroups: Array<PermissionGroup> = [
     permissions: [
       {
         id: 'project:describe',
-        title: 'View project',
+        title: 'Describe project',
         description: 'Fetch information about the specified projects.',
       },
     ],
   },
   {
-    id: 'targets',
-    title: 'Targets',
+    id: 'usage-reporting',
+    title: 'Usage Reporting',
     permissions: [
       {
         id: 'usage:report',
 
@@ -17,6 +17,13 @@ export const permissionGroups: Array<PermissionGroup> = [
         title: 'Access support tickets',
         description: 'Member can access, create and reply to support tickets.',
       },
+      {
+        id: 'accessToken:modify',
+        title: 'Manage organization access tokens',
+        description: 'Member can create and delete organization access tokens.',
+        warning:
+          'Granting a role the ability to manage members enables it to elevate its own permissions.',
+      },
       {
         id: 'organization:modifySlug',
         title: 'Update organization slug',
@@ -266,7 +273,6 @@ assertAllRulesAreAssigned([
   'appDeployment:publish',
   'appDeployment:retire',
   'usage:report',
-  'accessToken:modify',
 ]);
 
 /**
 
@@ -88,6 +88,7 @@ export default gql`
     description: String
     permissions: [String!]!
     resources: ResourceAssignment!
+    firstCharacters: String!
     createdAt: DateTime!
   }
 
@@ -320,9 +321,17 @@ export default gql`
     """
     availableOrganizationPermissionGroups: [PermissionGroup!]!
     """
+    Whether the viewer can manage access tokens.
+    """
+    viewerCanManageAccessTokens: Boolean!
+    """
     Paginated organization access tokens.
     """
     accessTokens(first: Int, after: String): OrganizationAccessTokenConnection!
+    """
+    Get organization access token by id.
+    """
+    accessToken(id: ID!): OrganizationAccessToken
   }
 
   type OrganizationAccessTokenEdge {
 
@@ -31,7 +31,7 @@ import {
 const TitleInputModel = z
   .string()
   .trim()
-  .regex(/^[ a-zA-Z0-9_-]+$/, `Can only contain letters, numbers, " ", '_', and '-'.`)
+  .regex(/^[ a-zA-Z0-9_-]+$/, 'Can only contain letters, numbers, " ", "_", and "-".')
   .min(2, 'Minimum length is 2 characters.')
   .max(100, 'Maximum length is 100 characters.');
 
@@ -305,6 +305,30 @@ export class OrganizationAccessTokens {
       },
     };
   }
+
+  async get(args: { organizationId: string; id: string }) {
+    await this.session.assertPerformAction({
+      organizationId: args.organizationId,
+      params: { organizationId: args.organizationId },
+      action: 'accessToken:modify',
+    });
+
+    const row = await this.pool.maybeOne<unknown>(sql` /* OrganizationAccessTokens.getPaginated */
+      SELECT
+        ${organizationAccessTokenFields}
+      FROM
+        "organization_access_tokens"
+      WHERE
+        "id" = ${args.id}
+        AND "organization_id" = ${args.organizationId}
+    `);
+
+    if (row === null) {
+      return null;
+    }
+
+    return OrganizationAccessTokenModel.parse(row);
+  }
 }
 
 /**
 
@@ -9,6 +9,7 @@ import type { OrganizationResolvers } from './../../../__generated__/types';
 
 export const Organization: Pick<
   OrganizationResolvers,
+  | 'accessToken'
   | 'accessTokens'
   | 'availableMemberPermissionGroups'
   | 'availableOrganizationPermissionGroups'
@@ -26,6 +27,7 @@ export const Organization: Pick<
   | 'viewerCanAssignUserRoles'
   | 'viewerCanDelete'
   | 'viewerCanExportAuditLogs'
+  | 'viewerCanManageAccessTokens'
   | 'viewerCanManageInvitations'
   | 'viewerCanManageRoles'
   | 'viewerCanModifySlug'
@@ -142,6 +144,13 @@ export const Organization: Pick<
           organizationId: organization.id,
         },
       }),
+      session.canPerformAction({
+        action: 'accessToken:modify',
+        organizationId: organization.id,
+        params: {
+          organizationId: organization.id,
+        },
+      }),
     ]).then(result => result.some(Boolean));
   },
   viewerCanSeeMembers: async (organization, _arg, { session }) => {
@@ -203,4 +212,19 @@ export const Organization: Pick<
       after: args.after ?? null,
     });
   },
+  viewerCanManageAccessTokens: async (organization, _arg, { session }) => {
+    return session.canPerformAction({
+      organizationId: organization.id,
+      action: 'accessToken:modify',
+      params: {
+        organizationId: organization.id,
+      },
+    });
+  },
+  accessToken: async (organization, args, { injector }) => {
+    return injector.get(OrganizationAccessTokens).get({
+      organizationId: organization.id,
+      id: args.id,
+    });
+  },
 };
@@ -5207,7 +5207,6 @@ export function findTargetBySlug(deps: { pool: DatabasePool }) {
       return null;
     }
 
-    // Consider adding error handling similar to what was suggested for findTargetById.
     return TargetWithOrgIdModel.parse(data);
   };
 }
 
@@ -52,6 +52,7 @@
     "@sentry/node": "7.120.2",
     "@sentry/react": "7.120.2",
     "@sentry/types": "7.120.2",
+    "@stepperize/react": "5.1.0",
     "@storybook/addon-essentials": "8.4.7",
     "@storybook/addon-interactions": "8.4.7",
     "@storybook/addon-links": "8.4.7",
Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ test.concurrent('create: failure invalid title', async ({ expect }) => {`
`129`	`129`	`{`
`130`	`130`	`details: {`
`131`	`131`	`description: null,`
`132`		`- title: Can only contain letters, numbers, " ", '_', and '-'.,`
	`132`	`+ title: Can only contain letters, numbers, " ", "_", and "-".,`
`133`	`133`	`},`
`134`	`134`	`message: Invalid input provided.,`
`135`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ test.concurrent('owner of an organization should have all scopes', async ({ expe`
`11`	`11`	`[`
`12`	`12`	`organization:describe,`
`13`	`13`	`support:manageTickets,`
	`14`	`+ accessToken:modify,`
`14`	`15`	`organization:modifySlug,`
`15`	`16`	`auditLog:export,`
`16`	`17`	`organization:delete,`
Original file line number	Diff line number	Diff line change
`@@ -18,14 +18,14 @@ export const permissionGroups: Array<PermissionGroup> = [`
`18`	`18`	`permissions: [`
`19`	`19`	`{`
`20`	`20`	`id: 'project:describe',`
`21`		`- title: 'View project',`
	`21`	`+ title: 'Describe project',`
`22`	`22`	`description: 'Fetch information about the specified projects.',`
`23`	`23`	`},`
`24`	`24`	`],`
`25`	`25`	`},`
`26`	`26`	`{`
`27`		`- id: 'targets',`
`28`		`- title: 'Targets',`
	`27`	`+ id: 'usage-reporting',`
	`28`	`+ title: 'Usage Reporting',`
`29`	`29`	`permissions: [`
`30`	`30`	`{`
`31`	`31`	`id: 'usage:report',`
Original file line number	Diff line number	Diff line change
`@@ -5207,7 +5207,6 @@ export function findTargetBySlug(deps: { pool: DatabasePool }) {`
`5207`	`5207`	`return null;`
`5208`	`5208`	`}`
`5209`	`5209`
`5210`		`- // Consider adding error handling similar to what was suggested for findTargetById.`
`5211`	`5210`	`return TargetWithOrgIdModel.parse(data);`
`5212`	`5211`	`};`
`5213`	`5212`	`}`