Revise app client process

[jusdino]

Description List

• Tweaked the docs and app_client script a bit to split secrets from context of their use

While I worked on #981

Summary by CodeRabbit

• Documentation
  • Updated credential transmission instructions to separate sensitive credentials (clientId and clientSecret) from contextual information, providing a clearer process for secure sharing.
  • Added a dedicated email template section for sharing contextual details, including compact name, state, and relevant URLs.
  • Improved clarity and formatting in onboarding instructions for IT staff.

[coderabbitai]

Walkthrough

The changes update onboarding documentation and the app client creation script to separate the output of sensitive credentials from contextual information. The script now generates a credentials JSON containing only clientId and clientSecret, and a distinct email template with contextual details. Documentation was revised to reflect and clarify this new process.

Changes

Cohort / File(s)	Change Summary
App Client Creation Script backend/compact-connect/app_clients/bin/create_app_client.py	Refactored to separate sensitive credentials (output as JSON) from contextual information (output as an email template). Added print_email_template function. Simplified print_credentials function. Updated main control flow.
Onboarding Documentation backend/compact-connect/app_clients/README.md, backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md	Updated to clarify that credentials JSON now contains only clientId and clientSecret. Contextual information is now provided separately via email. Adjusted instructions and examples accordingly.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Script

    User->>Script: Run create_app_client.py
    Script->>User: Output Credentials JSON (clientId, clientSecret)
    Script->>User: Output Email Template (contextual info, link placeholder)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• Feat/create app client generation script #921: Introduced the original interactive app client creation script and related documentation, which this PR directly builds upon by refactoring the output structure.

Suggested reviewers

• jlkravitz

Poem

A rabbit with paws so neat and keen,
Splits secrets from context, keeps things clean.
Credentials in JSON, snug and tight,
Context in emails, clear and right.
With scripts and docs now up to date—
Safe onboarding, isn’t it great? 🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cb83b95 and 842e96a.

📒 Files selected for processing (3)

• backend/compact-connect/app_clients/README.md (1 hunks)
• backend/compact-connect/app_clients/bin/create_app_client.py (3 hunks)
• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md (9 hunks)

🧰 Additional context used

🧠 Learnings (9)

📓 Common learnings

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#798
File: backend/compact-connect/docs/onboarding/JURISDICTION_COMPACT_ONBOARDING.md:117-117
Timestamp: 2025-05-13T22:33:53.986Z
Learning: The app_clients directory is located at the root of the compact-connect directory, so the correct relative path from docs/onboarding is ../../app_clients/README.md

📚 Learning: the app_clients directory is located at the root of the compact-connect directory, so the correct re...

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#798
File: backend/compact-connect/docs/onboarding/JURISDICTION_COMPACT_ONBOARDING.md:117-117
Timestamp: 2025-05-13T22:33:53.986Z
Learning: The app_clients directory is located at the root of the compact-connect directory, so the correct relative path from docs/onboarding is ../../app_clients/README.md

Applied to files:

• backend/compact-connect/app_clients/README.md
• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md
• backend/compact-connect/app_clients/bin/create_app_client.py

📚 Learning: in the compactconnect frontend codebase, the team prefers to keep non-dynamic text directly in vue t...

Learnt from: rmolinares
PR: csg-org/CompactConnect#905
File: webroot/src/components/UpdateHomeJurisdiction/UpdateHomeJurisdiction.vue:32-41
Timestamp: 2025-07-03T15:35:57.893Z
Learning: In the CompactConnect frontend codebase, the team prefers to keep non-dynamic text directly in Vue templates rather than moving it to computed properties in TypeScript modules, as this approach prevents cluttering the TS files with template labels.

Applied to files:

• backend/compact-connect/app_clients/README.md

📚 Learning: the compactconnect application uses a rest api gateway, not http api, so using `event.get('resource'...

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#796
File: backend/compact-connect/lambdas/python/provider-data-v1/handlers/provider_users.py:29-36
Timestamp: 2025-05-23T15:35:20.621Z
Learning: The CompactConnect application uses a REST API Gateway, not HTTP API, so using `event.get('resource')` for path routing is appropriate and reliable. There are no plans to use HTTP API integration in the near future.

Applied to files:

• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md

📚 Learning: in the compact_configured_states_871 migration, existing jurisdiction configurations that have licen...

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#882
File: backend/compact-connect/lambdas/python/migration/compact_configured_states_871/main.py:127-130
Timestamp: 2025-06-26T16:42:00.781Z
Learning: In the compact_configured_states_871 migration, existing jurisdiction configurations that have licenseeRegistrationEnabled: true are migrated with isLive: true for backwards compatibility. This prevents breaking existing live functionality since those states are already operational. The migration preserves the current live state of jurisdictions to maintain service continuity, while new states added after migration can start with isLive: false and be controlled by compact admins.

Applied to files:

• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md

📚 Learning: in compactconnect, landonshumway-ia prefers using the concrete `key` type instead of the `ikey` inte...

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#907
File: backend/compact-connect/stacks/persistent_stack/provider_table.py:0-0
Timestamp: 2025-07-21T20:45:42.420Z
Learning: In CompactConnect, landonshumway-ia prefers using the concrete `Key` type instead of the `IKey` interface for encryption_key parameters to intentionally prevent imported keys from being used. This is a security-conscious decision to ensure all encryption keys are newly created and managed within their infrastructure.

Applied to files:

• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md

📚 Learning: in compactconnect tests, hardcoded values (like license type abbreviations 'slp') in test queries ar...

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#769
File: backend/compact-connect/lambdas/python/provider-data-v1/tests/function/test_handlers/test_encumbrance.py:138-147
Timestamp: 2025-04-29T02:52:40.532Z
Learning: In CompactConnect tests, hardcoded values (like license type abbreviations 'slp') in test queries are sometimes used intentionally rather than using dynamic lookups. This is a deliberate design decision to make tests fail if default test data changes, requiring developers to consciously update related tests.

Applied to files:

• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md

📚 Learning: in the compactconnect project, authentication/authorization failures like misconfigured authorizers ...

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#769
File: backend/compact-connect/lambdas/python/provider-data-v1/handlers/encumbrance.py:39-41
Timestamp: 2025-04-29T02:09:36.291Z
Learning: In the CompactConnect project, authentication/authorization failures like misconfigured authorizers should be allowed to propagate as 500 errors rather than being caught and converted to 4xx errors, as this is intentional to trigger alerts for critical system issues.

Applied to files:

• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md

📚 Learning: in the compactconnect codebase, compact values come from custom attributes on the user's cognito acc...

Learnt from: landonshumway-ia
PR: csg-org/CompactConnect#929
File: backend/compact-connect/lambdas/python/common/cc_common/data_model/data_client.py:1809-1814
Timestamp: 2025-07-15T02:02:56.052Z
Learning: In the CompactConnect codebase, compact values come from custom attributes on the user's Cognito account, not from user input. When get_compact_configuration raises CCNotFoundException, it should be allowed to propagate as a 500 error (CCInternalException) to trigger alerts for system configuration issues, rather than being treated as a 4xx user error.

Applied to files:

• backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md

🪛 LanguageTool

backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md

[grammar] ~28-~28: Ensure spelling is correct
Context: ... password manager or secrets management system 2. Do not share these credentials with unau...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~29-~29: Ensure spelling is correct
Context: ...are these credentials with unauthorized personnel 3. Do not hardcode these credentials in sou...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~31-~31: Ensure spelling is correct
Context: ...pact, state, URLs) for reference during integration > Important: If the link provided has a...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[style] ~50-~50: Did you mean “that” or “date”?
Context: ... The API endpoint for uploading license data ## Authentication Process for Uploadi...

(DAT)

---

[style] ~52-~52: Did you mean “that” or “date”?
Context: ...ntication Process for Uploading License Data Follow these steps to obtain an acces...

(DAT)

---

[grammar] ~79-~79: Ensure spelling is correct
Context: ... - this information was provided in the email - <compact> with the lower-cased com...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~117-~117: Ensure spelling is correct
Context: ... - this information was provided in the email - <jurisdiction> with your lower-cased two-letter state...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~118-~118: Ensure spelling is correct
Context: ... - this information was provided in the email - The example payload shown here with your...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: TestPython

🔇 Additional comments (7)

backend/compact-connect/app_clients/bin/create_app_client.py (3)

226-241: Excellent security improvement in credential handling.

The simplified print_credentials function now correctly outputs only sensitive data (clientId and clientSecret) in JSON format, with clear messaging about secure handling. This separation reduces the risk of accidentally exposing credentials alongside contextual information.

---

243-293: Well-implemented email template generation with good security practices.

The new print_email_template function effectively separates contextual information from sensitive credentials. The template includes all necessary details (compact name, URLs, instructions) while maintaining a clear placeholder for the one-time link.

---

329-332: Proper separation of credential and template output.

The main function correctly calls both functions in sequence, maintaining the separation between sensitive credentials and contextual information. This aligns perfectly with the PR objective.

backend/compact-connect/app_clients/it_staff_onboarding_instructions/README.md (3)

26-32: Clear improvement in credential security guidance.

The updated instructions properly emphasize the separation between sensitive credentials (via one-time link) and contextual information (via email). The addition of step 4 to retain contextual information is helpful for users.

---

39-51: Simplified credentials format aligns with security improvements.

The credentials JSON now correctly shows only the sensitive fields (clientId and clientSecret), with clear explanation that contextual information is provided separately via email. This matches the script changes perfectly.

---

79-81: Good clarification on information sources.

The explicit mention that jurisdiction and compact information "was provided in the email" helps users understand where to find the contextual details needed for API calls.

backend/compact-connect/app_clients/README.md (1)

70-83: Excellent documentation of the separated output process.

The updated section clearly explains the two-part output structure: sensitive credentials for one-time link transmission and contextual email template for copy/paste. This documentation perfectly aligns with the script changes and maintains strong security practices.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[landonshumway-ia]

Looks great! Thanks for adding an email template should speed up the process

[landonshumway-ia]

@jlkravitz This is ready for your review. Thanks

[jlkravitz]

one question!

[jlkravitz]

@isabeleliassen good to go!