Description
Split credential fields by field.advanced in the auth-config creation UI. Basic (non-advanced) fields render inline as before; advanced fields are tucked into a collapsible Advanced settings section that is collapsed by default. The section auto-expands when:
- Editing an existing auth config that already has values set on any advanced field, or
- Any advanced field is
required: true without a value — so submit can never silently fail Zod validation on a field the user can't see. (Added in response to Codex review.)
Why: Dashboard counterpart to the RFC Advanced Auth Parameters for Toolkits. The RFC introduced an advanced: boolean flag on strict fields so toolkits can surface niche regional/tenant/override knobs (e.g. regional_endpoint, api_version, tenant_id) without cluttering the standard connection flow. The flag now propagates cleanly all the way to the dashboard API response (see hermes/apps/apollo/src/lib/toolkits/get_toolkits_by_slug.ts — advanced: Boolean(advanced) on every credential field projection). Without this UI change, advanced fields would render identically to normal fields — defeating the RFC's intent.
Notes:
- Advanced fields are still validated by the same Zod schema — required advanced fields will block submission whether or not the user has expanded the section (but see auto-expand rule #2 above which prevents hidden validation failures).
- Scope fields are unaffected (they already render below credentials in their own block).
scopesOnly flows skip both basic and advanced credential rendering, unchanged.- Uses
~/components/ui/collapsible (Radix Collapsible) in uncontrolled mode via defaultOpen, with the chevron rotation driven by CSS (group-data-[state=open]:rotate-180). This avoids useState per the dashboard's no-restricted-imports lint rule.
How did I test this PR
Static checks — both clean on the modified file:
doppler run -- pnpm typecheck — no new errors in credential-form/index.tsx (the existing @composio/lib errors are pre-existing and unrelated).pnpm lint — no new errors in credential-form/index.tsx.
Code review — /codex-review-loop:
- Iteration 1 — Codex flagged a P2 hidden-validation-failure path: required advanced fields hidden behind the collapsible would still be enforced by Zod, causing confusing silent submit failures. Fix committed in
6cb3ce0d: extended auto-expand to cover any required advanced field that lacks a value.
- Iteration 2 — "The changes cleanly introduce an advanced-settings collapsible for credential fields without introducing validation or data-flow regressions." — LGTM.
Cursor Bugbot — two rounds of review on the combined change:
- Round 1 (commit
18e8a263) — flagged that the auto-open predicate inspected fieldDefaults (which merges API defaults) instead of user-provided values, so a brand-new config with an API default on an advanced field would spuriously force the section open. Fix: separated existingFieldValues (user-provided only) from merged fieldDefaults and scoped the "has value" check to the former.
- Round 2 (commit
15f44589) — flagged that the required-field clause still force-opened the section even when the required advanced field carried an API default that already satisfied .min(1) validation. Fix: the required-field branch now also consults fieldDefaults and only auto-opens when the field truly has no resolvable value (neither user-provided nor API default).
E2E browser testing (real dashboard, staging backend, authenticated session):
E2E video — Advanced Settings collapsible
Full end-to-end test flow:
- Logged in via dev-login on staging-backed dashboard
- Created a Slack OAuth2 auth config with
verification_token marked as advanced: true
- Verified: "Advanced settings (1)" collapsible appears between basic credential fields and Scopes, collapsed by default
- Verified: Expanding the collapsible reveals the Verification Token field with its description
- Filled: Client id, Client secret (basic fields), and Verification Token (advanced field)
- Submitted: Auth config created successfully (
ac_4deUESwp01IJ)
- Verified persistence: Navigated to Manage Config tab — all values persisted correctly, including the advanced Verification Token field
Screenshots:
- Collapsed state — "Advanced settings (1)" toggle visible between Client secret and Scopes
- Expanded state — Verification Token field visible inside the collapsible
- Persisted values — Manage Config tab showing all saved values including the advanced field
Refactor safety: The useMemo dependency array now includes scopesOnly (previously omitted despite being read inside — a latent bug). Verified via typecheck that existing call sites (CredentialForm is consumed in 3 places: consumer flow, developer manage flow, composio-managed flow) continue to pass props unchanged.
@zen-agent