Enrollment Token Admin UI
OP-066c makes endpoint onboarding visible in the console. Tenant admins and system admins can issue and revoke enrollment tokens from Settings through the existing OP-032R enrollment-token APIs.
What Changed
- Added an API-backed Settings panel for enrollment token metadata.
- Added same-origin frontend handlers for token creation and revocation.
- Rendered the raw enrollment token only once after creation.
- Hid token create/revoke controls from operators and auditors.
- Hid token metadata entirely from auditors.
Guardrails
- No fake token controls are rendered.
- Enrollment token secrets are never returned by list/status APIs.
- The UI never renders token hashes, CSRs, certificate PEMs, private keys, hardware fingerprints, or other enrollment secrets.
- Operators can inspect token metadata for onboarding support, but cannot create or revoke tokens.
- Auditors cannot inspect or mutate enrollment tokens.
- Backend role checks and audit records remain the source of truth.
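The role rules above can be written as one fail-closed view function. This is an added example, not the project's own code: the role strings, field names, and the function names `toMetadata` and `tokenPanelView` are assumptions. The field allow-list is a defense-in-depth assumption on top of the guardrail that list/status APIs never return secrets.

```typescript
// Added example. Role strings, field names and function names are assumptions.
interface TokenMetadata {
  tokenId: string;
  site: string;
  status: string;
  useCount: number;
  expiresAt: string;
  classes: string[];
}

interface TokenPanelView {
  visible: boolean; // is the metadata table rendered at all
  canCreate: boolean;
  canRevoke: boolean;
  rows: TokenMetadata[];
}

// Copy only allow-listed fields, so an unexpected field in an API row
// (hash, CSR, PEM, fingerprint) can never reach the rendered table.
function toMetadata(row: Record<string, unknown>): TokenMetadata {
  const classes = row["classes"];
  return {
    tokenId: String(row["tokenId"] ?? ""),
    site: String(row["site"] ?? ""),
    status: String(row["status"] ?? ""),
    useCount: Number(row["useCount"] ?? 0),
    expiresAt: String(row["expiresAt"] ?? ""),
    classes: Array.isArray(classes) ? classes.map((c) => String(c)) : [],
  };
}

function tokenPanelView(role: string, apiRows: Record<string, unknown>[]): TokenPanelView {
  const isAdmin = role === "system_admin" || role === "tenant_admin";
  // Auditors and any unrecognised role fail closed: no table, no controls.
  if (!isAdmin && role !== "operator") {
    return { visible: false, canCreate: false, canRevoke: false, rows: [] };
  }
  // Operators get read-only metadata; only admins get create/revoke controls.
  return { visible: true, canCreate: isAdmin, canRevoke: isAdmin, rows: apiRows.map(toMetadata) };
}

// Constructed sample row; tokenHash stands in for a field that must never render.
const SAMPLE_ROWS: Record<string, unknown>[] = [
  { tokenId: "tok-1", site: "lab", status: "active", useCount: 2,
    expiresAt: "2030-01-01T00:00:00Z", classes: ["server"], tokenHash: "constructed-value" },
];
```

A view function like this only decides what is drawn; the backend role checks still decide whether a create or revoke request succeeds.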
Validation
npm --prefix frontend run typecheck
npm --prefix frontend test -- --run
make docs-build
Acceptance
| Requirement | Evidence |
|---|---|
| Tenant admin can create enrollment token | Settings form posts /console-api/oneprotect/agent-enrollment/tokens |
| Tenant admin can view active token metadata | Settings table renders token site, status, use count, expiry, and classes |
| Tenant admin can revoke token | Settings action posts /console-api/oneprotect/agent-enrollment/tokens/{token_id}/revoke |
| Raw token appears once | Creation response renders a one-time token box only after POST success |
| Auditor sees no token metadata or controls | Frontend tests cover auditor-hidden rendering |