From c3cbe1d50d8f8e3dbe622b1e77e0e7c2cb2ac47e Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Sun, 12 Oct 2025 06:02:18 -0400
Subject: [PATCH 01/28] Add SCIM tab to UI

---
 app/pages/system/silos/SiloPage.tsx    |   3 +-
 app/pages/system/silos/SiloScimTab.tsx | 305 +++++++++++++++++++++++++
 app/routes.tsx                         |   4 +
 app/ui/lib/Modal.tsx                   |  10 +-
 app/util/links.ts                      |   6 +
 app/util/path-builder.ts               |   1 +
 mock-api/msw/db.ts                     |   1 +
 mock-api/msw/handlers.ts               |  54 ++++-
 mock-api/silo.ts                       |  25 ++
 scim-todos.txt                         |   3 +
 10 files changed, 403 insertions(+), 9 deletions(-)
 create mode 100644 app/pages/system/silos/SiloScimTab.tsx
 create mode 100644 scim-todos.txt

diff --git a/app/pages/system/silos/SiloPage.tsx b/app/pages/system/silos/SiloPage.tsx
index 1088509fc..3f0b2b263 100644
--- a/app/pages/system/silos/SiloPage.tsx
+++ b/app/pages/system/silos/SiloPage.tsx
@@ -58,9 +58,10 @@ export default function SiloPage() {
 
       <RouteTabs fullWidth>
         <Tab to={pb.siloIdps(siloSelector)}>Identity Providers</Tab>
-        <Tab to={pb.siloIpPools(siloSelector)}>IP Pools</Tab>
+        <Tab to={pb.siloIpPools(siloSelector)}>Linked Pools</Tab>
         <Tab to={pb.siloQuotas(siloSelector)}>Quotas</Tab>
         <Tab to={pb.siloFleetRoles(siloSelector)}>Fleet roles</Tab>
+        <Tab to={pb.siloScim(siloSelector)}>SCIM</Tab>
       </RouteTabs>
     </>
   )
diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
new file mode 100644
index 000000000..9e87a231f
--- /dev/null
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -0,0 +1,305 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * Copyright Oxide Computer Company
+ */
+
+import { createColumnHelper, getCoreRowModel, useReactTable } from '@tanstack/react-table'
+import { useCallback, useMemo, useState } from 'react'
+import { type LoaderFunctionArgs } from 'react-router'
+
+import { AccessToken24Icon, OpenLink12Icon } from '@oxide/design-system/icons/react'
+
+import {
+  apiQueryClient,
+  useApiMutation,
+  usePrefetchedApiQuery,
+  type ScimClientBearerToken,
+} from '~/api'
+import { getSiloSelector, useSiloSelector } from '~/hooks/use-params'
+import { confirmDelete } from '~/stores/confirm-delete'
+import { addToast } from '~/stores/toast'
+import { useColsWithActions, type MenuAction } from '~/table/columns/action-col'
+import { Columns } from '~/table/columns/common'
+import { Table } from '~/table/Table'
+import { Badge } from '~/ui/lib/Badge'
+import { Button } from '~/ui/lib/Button'
+import { CardBlock } from '~/ui/lib/CardBlock'
+import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
+import { CreateButton } from '~/ui/lib/CreateButton'
+import { DateTime } from '~/ui/lib/DateTime'
+import { EmptyMessage } from '~/ui/lib/EmptyMessage'
+import { Message } from '~/ui/lib/Message'
+import { Modal } from '~/ui/lib/Modal'
+import { TableEmptyBox } from '~/ui/lib/Table'
+import { Tooltip } from '~/ui/lib/Tooltip'
+import { docLinks } from '~/util/links'
+
+const colHelper = createColumnHelper<ScimClientBearerToken>()
+
+const EmptyState = () => (
+  <TableEmptyBox border={false}>
+    <EmptyMessage
+      icon={<AccessToken24Icon />}
+      title="No SCIM tokens"
+      body="Create a token to see it here"
+    />
+  </TableEmptyBox>
+)
+
+export async function clientLoader({ params }: LoaderFunctionArgs) {
+  const { silo } = getSiloSelector(params)
+  await apiQueryClient.prefetchQuery('scimTokenList', { query: { silo } })
+  return null
+}
+
+export default function SiloScimTab() {
+  const siloSelector = useSiloSelector()
+  const { data: tokens } = usePrefetchedApiQuery('scimTokenList', {
+    query: { silo: siloSelector.silo },
+  })
+
+  const [showCreateModal, setShowCreateModal] = useState(false)
+  const [createdToken, setCreatedToken] = useState<{
+    id: string
+    bearerToken: string
+    timeCreated: Date
+    timeExpires?: Date | null
+  } | null>(null)
+
+  const deleteToken = useApiMutation('scimTokenDelete', {
+    onSuccess() {
+      apiQueryClient.invalidateQueries('scimTokenList')
+    },
+  })
+
+  const deleteAllTokens = useApiMutation('scimTokenDeleteAll', {
+    onSuccess() {
+      apiQueryClient.invalidateQueries('scimTokenList')
+    },
+  })
+
+  const makeActions = useCallback(
+    (token: ScimClientBearerToken): MenuAction[] => [
+      {
+        label: 'Delete',
+        onActivate: confirmDelete({
+          doDelete: () =>
+            deleteToken.mutateAsync({
+              path: { tokenId: token.id },
+              query: { silo: siloSelector.silo },
+            }),
+          label: token.id,
+        }),
+      },
+    ],
+    [deleteToken, siloSelector.silo]
+  )
+
+  const staticColumns = useMemo(
+    () => [
+      colHelper.accessor('id', {
+        header: 'ID',
+        cell: (info) => {
+          const id = info.getValue()
+          return (
+            <Tooltip content={id}>
+              <span className="font-mono text-secondary">
+                {id.slice(0, 8)}...{id.slice(-6)}
+              </span>
+            </Tooltip>
+          )
+        },
+      }),
+      colHelper.accessor('timeCreated', Columns.timeCreated),
+      colHelper.accessor('timeExpires', {
+        header: 'Expires',
+        cell: (info) => {
+          const expires = info.getValue()
+          return expires ? (
+            <DateTime date={expires} />
+          ) : (
+            <Badge color="neutral">Never</Badge>
+          )
+        },
+      }),
+    ],
+    []
+  )
+
+  const columns = useColsWithActions(staticColumns, makeActions, 'Copy token ID')
+
+  const table = useReactTable({
+    data: tokens,
+    columns,
+    getCoreRowModel: getCoreRowModel(),
+  })
+  const { href, linkText } = docLinks.scim
+  return (
+    <>
+      <CardBlock>
+        <CardBlock.Header
+          title="SCIM Bearer Tokens"
+          titleId="scim-tokens-label"
+          description="Manage authentication tokens for SCIM identity provisioning"
+        >
+          {tokens.length > 0 && (
+            <Button
+              size="sm"
+              variant="ghost"
+              onClick={confirmDelete({
+                doDelete: () =>
+                  deleteAllTokens.mutateAsync({
+                    query: { silo: siloSelector.silo },
+                  }),
+                label: 'all SCIM tokens',
+              })}
+            >
+              Delete all
+            </Button>
+          )}
+          <CreateButton onClick={() => setShowCreateModal(true)}>Create token</CreateButton>
+        </CardBlock.Header>
+        <CardBlock.Body>
+          {tokens.length === 0 ? (
+            <EmptyState />
+          ) : (
+            <Table
+              aria-labelledby="scim-tokens-label"
+              table={table}
+              className="table-inline"
+            />
+          )}
+        </CardBlock.Body>
+        <CardBlock.Footer>
+          <div className="relative -ml-2 inline-block rounded py-1 pl-2 pr-7 text-sans-md text-raise group-hover:bg-tertiary">
+            <span className="inline-block max-w-[300px] truncate align-middle">
+              Learn more about{' '}
+              <a
+                href={href}
+                className="text-accent group-hover:text-accent"
+                target="_blank"
+                rel="noopener noreferrer"
+              >
+                {linkText}
+                <OpenLink12Icon className="absolute top-1.5 ml-1 translate-y-[1px]" />
+              </a>
+            </span>
+          </div>
+        </CardBlock.Footer>
+      </CardBlock>
+
+      {showCreateModal && (
+        <CreateTokenModal
+          siloSelector={siloSelector}
+          onDismiss={() => setShowCreateModal(false)}
+          onSuccess={(token) => {
+            setShowCreateModal(false)
+            setCreatedToken(token)
+          }}
+        />
+      )}
+
+      {createdToken && (
+        <TokenCreatedModal token={createdToken} onDismiss={() => setCreatedToken(null)} />
+      )}
+    </>
+  )
+}
+
+function CreateTokenModal({
+  siloSelector,
+  onDismiss,
+  onSuccess,
+}: {
+  siloSelector: { silo: string }
+  onDismiss: () => void
+  onSuccess: (token: {
+    id: string
+    bearerToken: string
+    timeCreated: Date
+    timeExpires?: Date | null
+  }) => void
+}) {
+  const createToken = useApiMutation('scimTokenCreate', {
+    onSuccess(token) {
+      apiQueryClient.invalidateQueries('scimTokenList')
+      onSuccess(token)
+    },
+    onError(err) {
+      addToast({ variant: 'error', title: 'Failed to create token', content: err.message })
+    },
+  })
+
+  return (
+    <Modal isOpen onDismiss={onDismiss} title="Create token">
+      <Modal.Section>
+        <Message
+          variant="info"
+          content="This token will have access to provision users and groups via SCIM. Store it securely and never share it publicly."
+        />
+      </Modal.Section>
+
+      <Modal.Footer
+        onDismiss={onDismiss}
+        onAction={() => {
+          createToken.mutate({ query: { silo: siloSelector.silo } })
+        }}
+        actionText="Create"
+        actionLoading={createToken.isPending}
+      />
+    </Modal>
+  )
+}
+
+function TokenCreatedModal({
+  token,
+  onDismiss,
+}: {
+  token: {
+    id: string
+    bearerToken: string
+    timeCreated: Date
+    timeExpires?: Date | null
+  }
+  onDismiss: () => void
+}) {
+  return (
+    <Modal isOpen onDismiss={onDismiss} title="Create token">
+      <Modal.Section>
+        {token.timeExpires && (
+          <div>
+            <div className="mb-1 text-sans-sm text-secondary">Expires</div>
+            <DateTime date={token.timeExpires} />
+          </div>
+        )}
+
+        <Message
+          variant="notice"
+          content="This is the only time you'll see this token. Copy it now and store it securely."
+        />
+
+        <div className="mt-4">
+          <div className="mb-2 font-medium text-sans-semi-md">Bearer Token</div>
+          <div className="font-mono flex items-center rounded border text-sans-sm text-raise bg-default border-default">
+            <div className="flex-1 overflow-hidden text-ellipsis p-3">
+              {token.bearerToken}
+            </div>
+            <div className="border-l p-3 border-default">
+              <CopyToClipboard text={token.bearerToken} />
+            </div>
+          </div>
+        </div>
+      </Modal.Section>
+
+      <Modal.Footer
+        onDismiss={onDismiss}
+        actionText="Done"
+        onAction={onDismiss}
+        showCancel={false}
+      />
+    </Modal>
+  )
+}
diff --git a/app/routes.tsx b/app/routes.tsx
index a085800cf..8c6d1bd5d 100644
--- a/app/routes.tsx
+++ b/app/routes.tsx
@@ -154,6 +154,10 @@ export const routes = createRoutesFromElements(
               path="fleet-roles"
               lazy={() => import('./pages/system/silos/SiloFleetRolesTab').then(convert)}
             />
+            <Route
+              path="scim"
+              lazy={() => import('./pages/system/silos/SiloScimTab').then(convert)}
+            />
           </Route>
         </Route>
         <Route path="issues" element={null} />
diff --git a/app/ui/lib/Modal.tsx b/app/ui/lib/Modal.tsx
index 9247c40b7..afb0da167 100644
--- a/app/ui/lib/Modal.tsx
+++ b/app/ui/lib/Modal.tsx
@@ -113,6 +113,7 @@ type FooterProps = {
   actionLoading?: boolean
   cancelText?: string
   disabled?: boolean
+  showCancel?: boolean
 } & MergeExclusive<{ formId: string }, { onAction: () => void }>
 
 Modal.Footer = ({
@@ -125,13 +126,16 @@ Modal.Footer = ({
   cancelText,
   disabled,
   formId,
+  showCancel = true,
 }: FooterProps) => (
   <footer className="flex items-center justify-between border-t px-4 py-3 border-secondary">
     <div className="mr-4">{children}</div>
     <div className="space-x-2">
-      <Button variant="secondary" size="sm" onClick={onDismiss}>
-        {cancelText || 'Cancel'}
-      </Button>
+      {showCancel && (
+        <Button variant="secondary" size="sm" onClick={onDismiss}>
+          {cancelText || 'Cancel'}
+        </Button>
+      )}
       <Button
         type={formId ? 'submit' : 'button'}
         form={formId}
diff --git a/app/util/links.ts b/app/util/links.ts
index 913f9c6f1..f35bdb939 100644
--- a/app/util/links.ts
+++ b/app/util/links.ts
@@ -43,6 +43,8 @@ export const links = {
   quickStart: 'https://docs.oxide.computer/guides/quickstart',
   routersDocs:
     'https://docs.oxide.computer/guides/configuring-guest-networking#_custom_routers',
+  // 🚨 TODO: link to section once it exists in the docs 🚨
+  scimAuthDocs: '',
   siloQuotasDocs:
     'https://docs.oxide.computer/guides/operator/silo-management#_silo_resource_quota_management',
   sledDocs:
@@ -127,6 +129,10 @@ export const docLinks = {
     href: links.routersDocs,
     linkText: 'Custom Routers',
   },
+  scim: {
+    href: links.scimAuthDocs,
+    linkText: 'SCIM Auth',
+  },
   sleds: {
     href: links.sledDocs,
     linkText: 'Server Sleds',
diff --git a/app/util/path-builder.ts b/app/util/path-builder.ts
index 18a1744fa..ab46ebae5 100644
--- a/app/util/path-builder.ts
+++ b/app/util/path-builder.ts
@@ -130,6 +130,7 @@ export const pb = {
   siloIpPools: (params: PP.Silo) => `${siloBase(params)}/ip-pools`,
   siloQuotas: (params: PP.Silo) => `${siloBase(params)}/quotas`,
   siloFleetRoles: (params: PP.Silo) => `${siloBase(params)}/fleet-roles`,
+  siloScim: (params: PP.Silo) => `${siloBase(params)}/scim`,
   samlIdp: (params: PP.IdentityProvider) =>
     `${siloBase(params)}/idps/saml/${params.provider}`,
 
diff --git a/mock-api/msw/db.ts b/mock-api/msw/db.ts
index 4b16b60b7..e35dce40b 100644
--- a/mock-api/msw/db.ts
+++ b/mock-api/msw/db.ts
@@ -504,6 +504,7 @@ const initDb = {
   projects: [...mock.projects],
   racks: [...mock.racks],
   roleAssignments: [...mock.roleAssignments],
+  scimTokens: [...mock.scimTokens],
   silos: [...mock.silos],
   siloQuotas: [...mock.siloQuotas],
   siloProvisioned: [...mock.siloProvisioned],
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index f85255995..a8de1a74d 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1808,6 +1808,55 @@ export const handlers = makeHandlers({
     return paginated(query, affinityGroups)
   },
 
+  // SCIM token endpoints
+  scimTokenList({ query, cookies }) {
+    requireFleetViewer(cookies)
+    const silo = lookup.silo({ silo: query.silo })
+    // Filter by silo and strip out the siloId before returning
+    const tokens = db.scimTokens
+      .filter((t) => t.siloId === silo.id)
+      .map(({ siloId: _siloId, ...token }) => token)
+    return tokens
+  },
+  scimTokenCreate({ query, cookies }) {
+    requireFleetCollab(cookies)
+    const silo = lookup.silo({ silo: query.silo })
+
+    // Generate a 32-character hex string
+    const hexString = uuid().replace(/-/g, '')
+    const newToken: Json<Api.ScimClientBearerTokenValue> = {
+      id: uuid(),
+      bearer_token: `scim_${hexString}`,
+      time_created: new Date().toISOString(),
+      time_expires: null,
+    }
+
+    // Store without the bearer_token but with siloId for filtering
+    const { bearer_token: _bearerToken, ...tokenWithoutBearer } = newToken
+    db.scimTokens.push({ ...tokenWithoutBearer, siloId: silo.id })
+
+    return json(newToken, { status: 201 })
+  },
+  scimTokenView({ path, cookies }) {
+    requireFleetViewer(cookies)
+    const token = lookupById(db.scimTokens, path.tokenId)
+    // Strip out siloId before returning
+    const { siloId: _siloId, ...tokenResponse } = token
+    return tokenResponse
+  },
+  scimTokenDelete({ path, cookies }) {
+    requireFleetCollab(cookies)
+    const token = lookupById(db.scimTokens, path.tokenId)
+    db.scimTokens = db.scimTokens.filter((t) => t.id !== token.id)
+    return 204
+  },
+  scimTokenDeleteAll({ query, cookies }) {
+    requireFleetCollab(cookies)
+    const silo = lookup.silo({ silo: query.silo })
+    db.scimTokens = db.scimTokens.filter((t) => t.siloId !== silo.id)
+    return 204
+  },
+
   // Misc endpoints we're not using yet in the console
   affinityGroupCreate: NotImplemented,
   affinityGroupDelete: NotImplemented,
@@ -1920,11 +1969,6 @@ export const handlers = makeHandlers({
   systemUpdateTrustRootList: NotImplemented,
   systemUpdateTrustRootView: NotImplemented,
   targetReleaseUpdate: NotImplemented,
-  scimTokenList: NotImplemented,
-  scimTokenCreate: NotImplemented,
-  scimTokenDeleteAll: NotImplemented,
-  scimTokenView: NotImplemented,
-  scimTokenDelete: NotImplemented,
   userBuiltinList: NotImplemented,
   userBuiltinView: NotImplemented,
   userLogout: NotImplemented,
diff --git a/mock-api/silo.ts b/mock-api/silo.ts
index 48fd8a551..9e9fcbe3c 100644
--- a/mock-api/silo.ts
+++ b/mock-api/silo.ts
@@ -10,6 +10,7 @@ import * as R from 'remeda'
 import type {
   IdentityProvider,
   SamlIdentityProvider,
+  ScimClientBearerToken,
   Silo,
   SiloAuthSettings,
   SiloQuotas,
@@ -128,3 +129,27 @@ export const siloSettings: Json<SiloAuthSettings>[] = [
     device_token_max_ttl_seconds: 7200, // 2 hours in seconds
   },
 ]
+
+// SCIM tokens are stored with siloId for filtering, similar to identity providers
+type DbScimToken = Json<ScimClientBearerToken> & { siloId: string }
+
+export const scimTokens: DbScimToken[] = [
+  {
+    id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+    time_created: new Date(2025, 8, 15).toISOString(),
+    time_expires: null,
+    siloId: defaultSilo.id,
+  },
+  {
+    id: 'b2c3d4e5-f6a7-8901-bcde-f12345678901',
+    time_created: new Date(2025, 9, 20).toISOString(),
+    time_expires: new Date(2026, 9, 20).toISOString(),
+    siloId: defaultSilo.id,
+  },
+  {
+    id: 'c3d4e5f6-a7b8-9012-cdef-123456789012',
+    time_created: new Date(2025, 8, 10).toISOString(),
+    time_expires: null,
+    siloId: silos[1].id,
+  },
+]
diff --git a/scim-todos.txt b/scim-todos.txt
new file mode 100644
index 000000000..3310234cb
--- /dev/null
+++ b/scim-todos.txt
@@ -0,0 +1,3 @@
+- Ask about 'name' column / attribute; not present in API, but was present in designs; are we expecting a name attribute?
+- Note that the API doesn't currently accept a body for scimTokenCreate, and so we don't have a way to pass in the time_expires datetime
+- We should probably have more alarming copy than "Are you sure you want to delete all SCIM tokens?"?

From 781338f5677f60adc5c437672736aee2006f4674 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Sun, 12 Oct 2025 08:29:33 -0400
Subject: [PATCH 02/28] Add tests

---
 test/e2e/scim-tokens.e2e.ts | 139 ++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 test/e2e/scim-tokens.e2e.ts

diff --git a/test/e2e/scim-tokens.e2e.ts b/test/e2e/scim-tokens.e2e.ts
new file mode 100644
index 000000000..a2ebafc1f
--- /dev/null
+++ b/test/e2e/scim-tokens.e2e.ts
@@ -0,0 +1,139 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * Copyright Oxide Computer Company
+ */
+import { expect, test } from '@playwright/test'
+
+import { clickRowAction, expectNotVisible, expectRowVisible, expectVisible } from './utils'
+
+test('SCIM tokens tab', async ({ page }) => {
+  await page.goto('/system/silos/maze-war/scim')
+
+  await expectVisible(page, [
+    page.getByText('SCIM Bearer Tokens'),
+    page.getByText('Manage authentication tokens for SCIM identity provisioning'),
+  ])
+
+  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
+
+  // Check that existing tokens are visible
+  await expectRowVisible(table, { ID: 'a1b2c3d4...567890' })
+  await expectRowVisible(table, { ID: 'b2c3d4e5...678901' })
+
+  // Check that the documentation link is visible
+  await expect(page.getByText('Learn more about')).toBeVisible()
+  await expect(page.getByRole('link', { name: 'SCIM Auth' })).toBeVisible()
+})
+
+test('Create SCIM token', async ({ page }) => {
+  await page.goto('/system/silos/maze-war/scim')
+
+  // Open create modal
+  await page.getByRole('button', { name: 'Create token' }).click()
+
+  const createModal = page.getByRole('dialog', { name: 'Create token' })
+  const createMessage = createModal.getByText(
+    'This token will have access to provision users and groups via SCIM'
+  )
+  await expect(createModal).toBeVisible()
+
+  // Check info message is visible
+  await expect(createMessage).toBeVisible()
+
+  // Create the token
+  await createModal.getByRole('button', { name: 'Create' }).click()
+
+  // Creation modal should go away
+  await expect(createMessage).toBeHidden()
+
+  // Check that the warning message is visible
+  const warning = createModal.getByText("This is the only time you'll see this token")
+  await expect(warning).toBeVisible()
+
+  // Check that the bearer token is visible and starts with scim_
+  const bearerTokenDiv = createModal.getByText(/^scim_[a-f0-9]{32}$/)
+  await expect(bearerTokenDiv).toBeVisible()
+
+  // Check that copy button is visible
+  const copyButton = createModal.getByRole('button', { name: 'Click to copy' })
+  await expect(copyButton).toBeVisible()
+
+  // Dismiss the modal
+  await createModal.getByRole('button', { name: 'Done' }).click()
+  await expect(createModal).toBeHidden()
+
+  // The token should NOT be visible in the table (bearer token is not shown after creation)
+  // But a new row should exist - check the table has 3 rows now (header + 2 original + 1 new)
+  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
+  await expect(table.getByRole('row')).toHaveCount(4) // header + 3 tokens
+})
+
+test('Delete SCIM token', async ({ page }) => {
+  await page.goto('/system/silos/maze-war/scim')
+
+  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
+
+  // Verify initial state - should have 2 tokens
+  await expect(table.getByRole('row')).toHaveCount(3) // header + 2 tokens
+
+  // Delete the first token
+  await clickRowAction(page, 'a1b2c3d4', 'Delete')
+
+  // Confirm deletion modal should appear
+  const confirmModal = page.getByRole('dialog', { name: 'Confirm delete' })
+  await expect(confirmModal).toBeVisible()
+  await expect(confirmModal.getByText('Are you sure you want to delete')).toBeVisible()
+
+  await confirmModal.getByRole('button', { name: 'Confirm' }).click()
+
+  // Modal should close
+  await expect(confirmModal).toBeHidden()
+
+  // Table should now only have 1 row
+  await expect(table.getByRole('row')).toHaveCount(2) // header + 1 token
+
+  // The deleted token should not be visible
+  await expectNotVisible(page, [page.getByText('a1b2c3d4...567890')])
+
+  // The other token should still be visible
+  await expectRowVisible(table, { ID: 'b2c3d4e5...678901' })
+})
+
+test('Delete all SCIM tokens', async ({ page }) => {
+  await page.goto('/system/silos/maze-war/scim')
+
+  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
+
+  // Verify initial state - should have 2 tokens
+  await expect(table.getByRole('row')).toHaveCount(3) // header + 2 tokens
+
+  // Click "Delete all" button
+  await page.getByRole('button', { name: 'Delete all' }).click()
+
+  // Confirm deletion modal should appear
+  const confirmModal = page.getByRole('dialog', { name: 'Confirm delete' })
+  await expect(confirmModal).toBeVisible()
+  await expect(
+    confirmModal.getByText('Are you sure you want to delete all SCIM tokens')
+  ).toBeVisible()
+
+  await confirmModal.getByRole('button', { name: 'Confirm' }).click()
+
+  // Modal should close
+  await expect(confirmModal).toBeHidden()
+
+  // Table should no longer be visible
+  await expect(table).toBeHidden()
+
+  // Empty state should be visible
+  await expectVisible(page, [
+    page.getByText('No SCIM tokens'),
+    page.getByText('Create a token to see it here'),
+  ])
+
+  // "Delete all" button should not be visible when there are no tokens
+  await expect(page.getByRole('button', { name: 'Delete all' })).toBeHidden()
+})

From 2e9fd5d7f83967148959bc341dd56ccae299d1d9 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Sun, 12 Oct 2025 15:59:12 -0400
Subject: [PATCH 03/28] Tweak truncation

---
 app/pages/system/silos/SiloScimTab.tsx | 19 ++++++-------------
 scim-todos.txt                         |  2 +-
 test/e2e/scim-tokens.e2e.ts            | 25 +++++++++++++++----------
 3 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index 9e87a231f..1cb93d80d 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -34,7 +34,7 @@ import { EmptyMessage } from '~/ui/lib/EmptyMessage'
 import { Message } from '~/ui/lib/Message'
 import { Modal } from '~/ui/lib/Modal'
 import { TableEmptyBox } from '~/ui/lib/Table'
-import { Tooltip } from '~/ui/lib/Tooltip'
+import { Truncate } from '~/ui/lib/Truncate'
 import { docLinks } from '~/util/links'
 
 const colHelper = createColumnHelper<ScimClientBearerToken>()
@@ -102,16 +102,9 @@ export default function SiloScimTab() {
     () => [
       colHelper.accessor('id', {
         header: 'ID',
-        cell: (info) => {
-          const id = info.getValue()
-          return (
-            <Tooltip content={id}>
-              <span className="font-mono text-secondary">
-                {id.slice(0, 8)}...{id.slice(-6)}
-              </span>
-            </Tooltip>
-          )
-        },
+        cell: (info) => (
+          <Truncate text={info.getValue()} position="middle" maxLength={18} />
+        ),
       }),
       colHelper.accessor('timeCreated', Columns.timeCreated),
       colHelper.accessor('timeExpires', {
@@ -145,7 +138,7 @@ export default function SiloScimTab() {
           titleId="scim-tokens-label"
           description="Manage authentication tokens for SCIM identity provisioning"
         >
-          {tokens.length > 0 && (
+          {tokens.length > 1 && (
             <Button
               size="sm"
               variant="ghost"
@@ -154,7 +147,7 @@ export default function SiloScimTab() {
                   deleteAllTokens.mutateAsync({
                     query: { silo: siloSelector.silo },
                   }),
-                label: 'all SCIM tokens',
+                label: `${tokens.length === 2 ? 'both' : `all ${tokens.length}`} SCIM tokens`,
               })}
             >
               Delete all
diff --git a/scim-todos.txt b/scim-todos.txt
index 3310234cb..168df329a 100644
--- a/scim-todos.txt
+++ b/scim-todos.txt
@@ -1,3 +1,3 @@
 - Ask about 'name' column / attribute; not present in API, but was present in designs; are we expecting a name attribute?
 - Note that the API doesn't currently accept a body for scimTokenCreate, and so we don't have a way to pass in the time_expires datetime
-- We should probably have more alarming copy than "Are you sure you want to delete all SCIM tokens?"?
+- Is dynamic copy (both / all 6) on Delete All message too much?
diff --git a/test/e2e/scim-tokens.e2e.ts b/test/e2e/scim-tokens.e2e.ts
index a2ebafc1f..2dc07ab35 100644
--- a/test/e2e/scim-tokens.e2e.ts
+++ b/test/e2e/scim-tokens.e2e.ts
@@ -20,8 +20,8 @@ test('SCIM tokens tab', async ({ page }) => {
   const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
 
   // Check that existing tokens are visible
-  await expectRowVisible(table, { ID: 'a1b2c3d4...567890' })
-  await expectRowVisible(table, { ID: 'b2c3d4e5...678901' })
+  await expectRowVisible(table, { ID: 'a1b2c3d4…34567890' })
+  await expectRowVisible(table, { ID: 'b2c3d4e5…45678901' })
 
   // Check that the documentation link is visible
   await expect(page.getByText('Learn more about')).toBeVisible()
@@ -35,9 +35,8 @@ test('Create SCIM token', async ({ page }) => {
   await page.getByRole('button', { name: 'Create token' }).click()
 
   const createModal = page.getByRole('dialog', { name: 'Create token' })
-  const createMessage = createModal.getByText(
-    'This token will have access to provision users and groups via SCIM'
-  )
+  const modalMessage = 'This token will have access to provision users and groups via SCIM'
+  const createMessage = createModal.getByText(modalMessage)
   await expect(createModal).toBeVisible()
 
   // Check info message is visible
@@ -69,6 +68,13 @@ test('Create SCIM token', async ({ page }) => {
   // But a new row should exist - check the table has 3 rows now (header + 2 original + 1 new)
   const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
   await expect(table.getByRole('row')).toHaveCount(4) // header + 3 tokens
+
+  // A quick check on the Delete All modal copy
+  await page.getByRole('button', { name: 'Delete all' }).click()
+  const confirmModal = page.getByRole('dialog', { name: 'Confirm delete' })
+  await expect(confirmModal).toBeVisible()
+  const warningText = 'Are you sure you want to delete all 3 SCIM tokens'
+  await expect(confirmModal.getByText(warningText)).toBeVisible()
 })
 
 test('Delete SCIM token', async ({ page }) => {
@@ -96,10 +102,10 @@ test('Delete SCIM token', async ({ page }) => {
   await expect(table.getByRole('row')).toHaveCount(2) // header + 1 token
 
   // The deleted token should not be visible
-  await expectNotVisible(page, [page.getByText('a1b2c3d4...567890')])
+  await expectNotVisible(page, [page.getByText('a1b2c3d4…34567890')])
 
   // The other token should still be visible
-  await expectRowVisible(table, { ID: 'b2c3d4e5...678901' })
+  await expectRowVisible(table, { ID: 'b2c3d4e5…45678901' })
 })
 
 test('Delete all SCIM tokens', async ({ page }) => {
@@ -116,9 +122,8 @@ test('Delete all SCIM tokens', async ({ page }) => {
   // Confirm deletion modal should appear
   const confirmModal = page.getByRole('dialog', { name: 'Confirm delete' })
   await expect(confirmModal).toBeVisible()
-  await expect(
-    confirmModal.getByText('Are you sure you want to delete all SCIM tokens')
-  ).toBeVisible()
+  const warningText = 'Are you sure you want to delete both SCIM tokens'
+  await expect(confirmModal.getByText(warningText)).toBeVisible()
 
   await confirmModal.getByRole('button', { name: 'Confirm' }).click()
 

From 711e28628ebc2486658ad2c1858debb37e7d7b97 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 13 Oct 2025 10:35:54 -0700
Subject: [PATCH 04/28] Use 90 day default for expiration time in mock data

---
 app/pages/system/silos/SiloScimTab.tsx | 12 +++++++-----
 mock-api/msw/handlers.ts               |  8 ++++++--
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index 1cb93d80d..eb0ee4e97 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -262,12 +262,14 @@ function TokenCreatedModal({
   return (
     <Modal isOpen onDismiss={onDismiss} title="Create token">
       <Modal.Section>
-        {token.timeExpires && (
-          <div>
-            <div className="mb-1 text-sans-sm text-secondary">Expires</div>
+        <div className="rounded border p-3 text-sans-sm border-default">
+          <div className="mb-1 uppercase text-mono-sm text-tertiary">Expires</div>
+          {token.timeExpires ? (
             <DateTime date={token.timeExpires} />
-          </div>
-        )}
+          ) : (
+            <Badge color="neutral">Never</Badge>
+          )}
+        </div>
 
         <Message
           variant="notice"
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index a8de1a74d..fa3093640 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1824,11 +1824,15 @@ export const handlers = makeHandlers({
 
     // Generate a 32-character hex string
     const hexString = uuid().replace(/-/g, '')
+    const now = new Date()
+    const expiration = new Date(now)
+    expiration.setDate(expiration.getDate() + 90)
+
     const newToken: Json<Api.ScimClientBearerTokenValue> = {
       id: uuid(),
       bearer_token: `scim_${hexString}`,
-      time_created: new Date().toISOString(),
-      time_expires: null,
+      time_created: now.toISOString(),
+      time_expires: expiration.toISOString(),
     }
 
     // Store without the bearer_token but with siloId for filtering

From 9a5b6220db88d1023e7e21d556088575d21e0e3d Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 13 Oct 2025 10:42:38 -0700
Subject: [PATCH 05/28] revert UI copy change

---
 app/pages/system/silos/SiloPage.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/pages/system/silos/SiloPage.tsx b/app/pages/system/silos/SiloPage.tsx
index 3f0b2b263..b23597e63 100644
--- a/app/pages/system/silos/SiloPage.tsx
+++ b/app/pages/system/silos/SiloPage.tsx
@@ -58,7 +58,7 @@ export default function SiloPage() {
 
       <RouteTabs fullWidth>
         <Tab to={pb.siloIdps(siloSelector)}>Identity Providers</Tab>
-        <Tab to={pb.siloIpPools(siloSelector)}>Linked Pools</Tab>
+        <Tab to={pb.siloIpPools(siloSelector)}>IP Pools</Tab>
         <Tab to={pb.siloQuotas(siloSelector)}>Quotas</Tab>
         <Tab to={pb.siloFleetRoles(siloSelector)}>Fleet roles</Tab>
         <Tab to={pb.siloScim(siloSelector)}>SCIM</Tab>

From 5d0ec9d7c0b8a57ae6e04231bf2f135df772671d Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 13 Oct 2025 12:21:38 -0700
Subject: [PATCH 06/28] TODOs update

---
 scim-todos.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scim-todos.txt b/scim-todos.txt
index 168df329a..d16b19b26 100644
--- a/scim-todos.txt
+++ b/scim-todos.txt
@@ -1,3 +1,3 @@
-- Ask about 'name' column / attribute; not present in API, but was present in designs; are we expecting a name attribute?
-- Note that the API doesn't currently accept a body for scimTokenCreate, and so we don't have a way to pass in the time_expires datetime
+- Will need to make pagination simiar to other pseudo-paginated endpoints, like https://github.com/oxidecomputer/omicron/blob/d74f5e3f1ae0a378dcdb9795a0ada2426702b046/nexus/src/external_api/http_entrypoints.rs#L5392
 - Is dynamic copy (both / all 6) on Delete All message too much?
+- Name attribute is in designs and might get added to API at some point, but not present yet.
\ No newline at end of file

From ddc38a0993f6324d975047258973c56356114e30 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Mon, 13 Oct 2025 12:32:07 -0700
Subject: [PATCH 07/28] Remove Delete All from UI and set handler to
 NotImplemented

---
 app/pages/system/silos/SiloScimTab.tsx | 22 ----------------
 mock-api/msw/handlers.ts               |  7 +----
 scim-todos.txt                         |  3 +--
 test/e2e/scim-tokens.e2e.ts            | 36 ++------------------------
 4 files changed, 4 insertions(+), 64 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index eb0ee4e97..d02ff271e 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -25,7 +25,6 @@ import { useColsWithActions, type MenuAction } from '~/table/columns/action-col'
 import { Columns } from '~/table/columns/common'
 import { Table } from '~/table/Table'
 import { Badge } from '~/ui/lib/Badge'
-import { Button } from '~/ui/lib/Button'
 import { CardBlock } from '~/ui/lib/CardBlock'
 import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
 import { CreateButton } from '~/ui/lib/CreateButton'
@@ -75,12 +74,6 @@ export default function SiloScimTab() {
     },
   })
 
-  const deleteAllTokens = useApiMutation('scimTokenDeleteAll', {
-    onSuccess() {
-      apiQueryClient.invalidateQueries('scimTokenList')
-    },
-  })
-
   const makeActions = useCallback(
     (token: ScimClientBearerToken): MenuAction[] => [
       {
@@ -138,21 +131,6 @@ export default function SiloScimTab() {
           titleId="scim-tokens-label"
           description="Manage authentication tokens for SCIM identity provisioning"
         >
-          {tokens.length > 1 && (
-            <Button
-              size="sm"
-              variant="ghost"
-              onClick={confirmDelete({
-                doDelete: () =>
-                  deleteAllTokens.mutateAsync({
-                    query: { silo: siloSelector.silo },
-                  }),
-                label: `${tokens.length === 2 ? 'both' : `all ${tokens.length}`} SCIM tokens`,
-              })}
-            >
-              Delete all
-            </Button>
-          )}
           <CreateButton onClick={() => setShowCreateModal(true)}>Create token</CreateButton>
         </CardBlock.Header>
         <CardBlock.Body>
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index fa3093640..5afebd3b2 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1854,12 +1854,6 @@ export const handlers = makeHandlers({
     db.scimTokens = db.scimTokens.filter((t) => t.id !== token.id)
     return 204
   },
-  scimTokenDeleteAll({ query, cookies }) {
-    requireFleetCollab(cookies)
-    const silo = lookup.silo({ silo: query.silo })
-    db.scimTokens = db.scimTokens.filter((t) => t.siloId !== silo.id)
-    return 204
-  },
 
   // Misc endpoints we're not using yet in the console
   affinityGroupCreate: NotImplemented,
@@ -1973,6 +1967,7 @@ export const handlers = makeHandlers({
   systemUpdateTrustRootList: NotImplemented,
   systemUpdateTrustRootView: NotImplemented,
   targetReleaseUpdate: NotImplemented,
+  scimTokenDeleteAll: NotImplemented,
   userBuiltinList: NotImplemented,
   userBuiltinView: NotImplemented,
   userLogout: NotImplemented,
diff --git a/scim-todos.txt b/scim-todos.txt
index d16b19b26..775510c33 100644
--- a/scim-todos.txt
+++ b/scim-todos.txt
@@ -1,3 +1,2 @@
-- Will need to make pagination simiar to other pseudo-paginated endpoints, like https://github.com/oxidecomputer/omicron/blob/d74f5e3f1ae0a378dcdb9795a0ada2426702b046/nexus/src/external_api/http_entrypoints.rs#L5392
-- Is dynamic copy (both / all 6) on Delete All message too much?
+- Will need to make pagination similar to other pseudo-paginated endpoints, like https://github.com/oxidecomputer/omicron/blob/d74f5e3f1ae0a378dcdb9795a0ada2426702b046/nexus/src/external_api/http_entrypoints.rs#L5392
 - Name attribute is in designs and might get added to API at some point, but not present yet.
\ No newline at end of file
diff --git a/test/e2e/scim-tokens.e2e.ts b/test/e2e/scim-tokens.e2e.ts
index 2dc07ab35..f0052c5a2 100644
--- a/test/e2e/scim-tokens.e2e.ts
+++ b/test/e2e/scim-tokens.e2e.ts
@@ -68,13 +68,6 @@ test('Create SCIM token', async ({ page }) => {
   // But a new row should exist - check the table has 3 rows now (header + 2 original + 1 new)
   const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
   await expect(table.getByRole('row')).toHaveCount(4) // header + 3 tokens
-
-  // A quick check on the Delete All modal copy
-  await page.getByRole('button', { name: 'Delete all' }).click()
-  const confirmModal = page.getByRole('dialog', { name: 'Confirm delete' })
-  await expect(confirmModal).toBeVisible()
-  const warningText = 'Are you sure you want to delete all 3 SCIM tokens'
-  await expect(confirmModal.getByText(warningText)).toBeVisible()
 })
 
 test('Delete SCIM token', async ({ page }) => {
@@ -106,39 +99,14 @@ test('Delete SCIM token', async ({ page }) => {
 
   // The other token should still be visible
   await expectRowVisible(table, { ID: 'b2c3d4e5…45678901' })
-})
-
-test('Delete all SCIM tokens', async ({ page }) => {
-  await page.goto('/system/silos/maze-war/scim')
-
-  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
-
-  // Verify initial state - should have 2 tokens
-  await expect(table.getByRole('row')).toHaveCount(3) // header + 2 tokens
-
-  // Click "Delete all" button
-  await page.getByRole('button', { name: 'Delete all' }).click()
-
-  // Confirm deletion modal should appear
-  const confirmModal = page.getByRole('dialog', { name: 'Confirm delete' })
-  await expect(confirmModal).toBeVisible()
-  const warningText = 'Are you sure you want to delete both SCIM tokens'
-  await expect(confirmModal.getByText(warningText)).toBeVisible()
 
+  // Delete the second token
+  await clickRowAction(page, 'b2c3d4e5', 'Delete')
   await confirmModal.getByRole('button', { name: 'Confirm' }).click()
 
-  // Modal should close
-  await expect(confirmModal).toBeHidden()
-
-  // Table should no longer be visible
-  await expect(table).toBeHidden()
-
   // Empty state should be visible
   await expectVisible(page, [
     page.getByText('No SCIM tokens'),
     page.getByText('Create a token to see it here'),
   ])
-
-  // "Delete all" button should not be visible when there are no tokens
-  await expect(page.getByRole('button', { name: 'Delete all' })).toBeHidden()
 })

From 72b0478ee3789a1c4917b20cbd6dec74206d0408 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Tue, 14 Oct 2025 14:02:54 -0700
Subject: [PATCH 08/28] npm i

---
 package-lock.json | 46 ++++++++++++++++++++--------------------------
 1 file changed, 20 insertions(+), 26 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 90203cb8e..6d6b6395f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -198,6 +198,7 @@
       "resolved": "https://registry.npmjs.org/@asciidoctor/opal-runtime/-/opal-runtime-3.0.1.tgz",
       "integrity": "sha512-iW7ACahOG0zZft4A/4CqDcc7JX+fWRNjV5tFAVkNCzwZD+EnFolPaUOPYt8jzadc0+Bgd80cQTtRMQnaaV1kkg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "glob": "8.1.0",
         "unxhr": "1.2.0"
@@ -1107,7 +1108,6 @@
       "integrity": "sha512-F0/Hrcfpy8WuxlQyAWJTEren/uxKhYonOGY4OyWmwRdeTvkh9mMSCxowZLjNkhwi/2ipqCgtXwwOk7tW0mWXkA==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "dependencies": {
         "@babel/generator": "^7.26.2",
         "@babel/parser": "^7.26.2",
@@ -4358,7 +4358,6 @@
       "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.56.2.tgz",
       "integrity": "sha512-SR0GzHVo6yzhN72pnRhkEFRAHMsUo5ZPzAxfTMvUxFIDVS6W9LYUp6nXW3fcHVdg0ZJl8opSH85jqahvm6DSVg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@tanstack/query-core": "5.56.2"
       },
@@ -4861,7 +4860,6 @@
       "integrity": "sha512-oxLPMytKchWGbnQM9O7D67uPa9paTNxO7jVoNMXgkkErULBPhPARCfkKL9ytcIJJRGjbsVwW4ugJzyFFvm/Tiw==",
       "devOptional": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "csstype": "^3.0.2"
       }
@@ -4872,7 +4870,6 @@
       "integrity": "sha512-XGJkWF41Qq305SKWEILa1O8vzhb3aOo3ogBlSmiqNko/WmRb6QIaweuZCXjKygVDXpzXb5wyxKTSOsmkuqj+Qw==",
       "devOptional": true,
       "license": "MIT",
-      "peer": true,
       "peerDependencies": {
         "@types/react": "^19.0.0"
       }
@@ -4973,7 +4970,6 @@
       "integrity": "sha512-g3WpVQHngx0aLXn6kfIYCZxM6rRJlWzEkVpqEFLT3SgEDsp9cpCbxxgwnE504q4H+ruSDh/VGS6nqZIDynP+vg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.39.0",
         "@typescript-eslint/types": "8.39.0",
@@ -5348,8 +5344,7 @@
       "version": "5.5.0",
       "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
       "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/@yarnpkg/lockfile": {
       "version": "1.1.0",
@@ -5378,7 +5373,6 @@
       "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -5876,7 +5870,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001669",
         "electron-to-chromium": "^1.5.41",
@@ -6916,6 +6909,7 @@
       "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-2.0.0.tgz",
       "integrity": "sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "domelementtype": "^2.3.0",
         "domhandler": "^5.0.2",
@@ -6942,6 +6936,7 @@
       "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-5.0.3.tgz",
       "integrity": "sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==",
       "license": "BSD-2-Clause",
+      "peer": true,
       "dependencies": {
         "domelementtype": "^2.3.0"
       },
@@ -6957,6 +6952,7 @@
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
       "integrity": "sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==",
       "license": "BSD-2-Clause",
+      "peer": true,
       "dependencies": {
         "dom-serializer": "^2.0.0",
         "domelementtype": "^2.3.0",
@@ -7328,7 +7324,6 @@
       "deprecated": "This version is no longer supported. Please see https://eslint.org/version-support for other options.",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.6.1",
@@ -7385,7 +7380,6 @@
       "integrity": "sha512-NSWl5BFQWEPi1j4TjVNItzYV7dZXZ+wP6I6ZhrBGpChQhZRUaElihE9uRRkcbRnNb76UMKDF3r+WTmNcGPKsqw==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "eslint-config-prettier": "bin/cli.js"
       },
@@ -8628,6 +8622,7 @@
       "integrity": "sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==",
       "deprecated": "Glob versions prior to v9 are no longer supported",
       "license": "ISC",
+      "peer": true,
       "dependencies": {
         "fs.realpath": "^1.0.0",
         "inflight": "^1.0.4",
@@ -8659,6 +8654,7 @@
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
       "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
       "license": "ISC",
+      "peer": true,
       "dependencies": {
         "brace-expansion": "^2.0.1"
       },
@@ -8885,6 +8881,7 @@
       "resolved": "https://registry.npmjs.org/html-dom-parser/-/html-dom-parser-5.0.13.tgz",
       "integrity": "sha512-B7JonBuAfG32I7fDouUQEogBrz3jK9gAuN1r1AaXpED6dIhtg/JwiSRhjGL7aOJwRz3HU4efowCjQBaoXiREqg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "domhandler": "5.0.3",
         "htmlparser2": "10.0.0"
@@ -8940,6 +8937,7 @@
       "resolved": "https://registry.npmjs.org/html-react-parser/-/html-react-parser-5.2.2.tgz",
       "integrity": "sha512-yA5012CJGSFWYZsgYzfr6HXJgDap38/AEP4ra8Cw+WHIi2ZRDXRX/QVYdumRf1P8zKyScKd6YOrWYvVEiPfGKg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "domhandler": "5.0.3",
         "html-dom-parser": "5.0.13",
@@ -8978,6 +8976,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "domelementtype": "^2.3.0",
         "domhandler": "^5.0.3",
@@ -8990,6 +8989,7 @@
       "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.0.tgz",
       "integrity": "sha512-aKstq2TDOndCn4diEyp9Uq/Flu2i1GlLkc6XIDQSDMuaFE3OPW5OphLCyQ5SpSJZTb4reN+kTcYru5yIfXoRPw==",
       "license": "BSD-2-Clause",
+      "peer": true,
       "engines": {
         "node": ">=0.12"
       },
@@ -9152,7 +9152,8 @@
       "version": "0.2.4",
       "resolved": "https://registry.npmjs.org/inline-style-parser/-/inline-style-parser-0.2.4.tgz",
       "integrity": "sha512-0aO8FkhNZlj/ZIbNi7Lxxr12obT7cL1moPfE4tg1LkX7LlLfC6DeX4l2ZEud1ukP9jNQyNnfzQVqwbwmAATY4Q==",
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/internal-slot": {
       "version": "1.1.0",
@@ -10483,7 +10484,6 @@
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@bundled-es-modules/cookie": "^2.0.1",
         "@bundled-es-modules/statuses": "^1.0.1",
@@ -11457,7 +11457,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -11656,7 +11655,6 @@
       "integrity": "sha512-9RbEr1Y7FFfptd/1eEdntyjMwLeghW1bHX9GWjXo19vx4ytPQhANltvVxDggzJl7mnWM+dX28kb6cyS/4iQjlQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "cssesc": "^3.0.0",
         "util-deprecate": "^1.0.2"
@@ -11710,7 +11708,6 @@
       "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "prettier": "bin/prettier.cjs"
       },
@@ -11980,7 +11977,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.1.0.tgz",
       "integrity": "sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -12039,7 +12035,6 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.1.0.tgz",
       "integrity": "sha512-Xs1hdnE+DyKgeHJeJznQmYMIBG3TKIHJJT95Q58nHLSrElKlGQqDTR2HQ9fx5CN/Gk6Vh/kupBTDLU11/nDk/g==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "scheduler": "^0.26.0"
       },
@@ -12095,7 +12090,8 @@
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/react-property/-/react-property-2.0.2.tgz",
       "integrity": "sha512-+PbtI3VuDV0l6CleQMsx2gtK0JZbZKbpdu5ynr+lbsuvtmgbNcS3VM0tuY2QjFNOcWxvXeHjDpy42RO+4U2rug==",
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/react-remove-scroll": {
       "version": "2.6.3",
@@ -13414,6 +13410,7 @@
       "resolved": "https://registry.npmjs.org/style-to-js/-/style-to-js-1.1.16.tgz",
       "integrity": "sha512-/Q6ld50hKYPH3d/r6nr117TZkHR0w0kGGIVfpG9N6D8NymRPM9RqCUv4pRpJ62E5DqOYx2AFpbZMyCPnjQCnOw==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "style-to-object": "1.0.8"
       }
@@ -13423,6 +13420,7 @@
       "resolved": "https://registry.npmjs.org/style-to-object/-/style-to-object-1.0.8.tgz",
       "integrity": "sha512-xT47I/Eo0rwJmaXC4oilDGDWLohVhR6o/xAQcPQN8q6QBuZVL8qMYL85kLmST5cPjAorwvqIA4qXTRQoYHaL6g==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "inline-style-parser": "0.2.4"
       }
@@ -13538,7 +13536,6 @@
       "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.17.tgz",
       "integrity": "sha512-w33E2aCvSDP0tW9RZuNXadXlkHXqFzSkQew/aIa2i/Sj8fThxwovwlXHSPXTbAHwEIhBFXAedUhP2tueAKP8Og==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@alloc/quick-lru": "^5.2.0",
         "arg": "^5.0.2",
@@ -13712,7 +13709,6 @@
       "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -13938,7 +13934,6 @@
       "integrity": "sha512-4H8vUNGNjQ4V2EOoGw005+c+dGuPSnhpPBPHBtsZdGZBk/iJb4kguGlPWaZTZ3q5nMtFOEsY0nRDlh9PJyd6SQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "~0.25.0",
         "get-tsconfig": "^4.7.5"
@@ -14119,7 +14114,6 @@
       "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -14152,7 +14146,8 @@
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz",
       "integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/unist-util-is": {
       "version": "6.0.0",
@@ -14247,6 +14242,7 @@
       "resolved": "https://registry.npmjs.org/unxhr/-/unxhr-1.2.0.tgz",
       "integrity": "sha512-6cGpm8NFXPD9QbSNx0cD2giy7teZ6xOkCUH3U89WKVkL9N9rBrWjlCwhR94Re18ZlAop4MOc3WU1M3Hv/bgpIw==",
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=8.11"
       }
@@ -14472,7 +14468,6 @@
       "integrity": "sha512-ixXJB1YRgDIw2OszKQS9WxGHKwLdCsbQNkpJN171udl6szi/rIySHL6/Os3s2+oE4P/FLD4dxg4mD7Wust+u5g==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.4.6",
@@ -14652,7 +14647,6 @@
       "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },

From 1f9d238817628908ef1a08daf2f4ec944a9d86a2 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Tue, 14 Oct 2025 14:04:38 -0700
Subject: [PATCH 09/28] update npm and re-run npm i

---
 package-lock.json | 46 ++++++++++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 20 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 6d6b6395f..90203cb8e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -198,7 +198,6 @@
       "resolved": "https://registry.npmjs.org/@asciidoctor/opal-runtime/-/opal-runtime-3.0.1.tgz",
       "integrity": "sha512-iW7ACahOG0zZft4A/4CqDcc7JX+fWRNjV5tFAVkNCzwZD+EnFolPaUOPYt8jzadc0+Bgd80cQTtRMQnaaV1kkg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "glob": "8.1.0",
         "unxhr": "1.2.0"
@@ -1108,6 +1107,7 @@
       "integrity": "sha512-F0/Hrcfpy8WuxlQyAWJTEren/uxKhYonOGY4OyWmwRdeTvkh9mMSCxowZLjNkhwi/2ipqCgtXwwOk7tW0mWXkA==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "dependencies": {
         "@babel/generator": "^7.26.2",
         "@babel/parser": "^7.26.2",
@@ -4358,6 +4358,7 @@
       "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.56.2.tgz",
       "integrity": "sha512-SR0GzHVo6yzhN72pnRhkEFRAHMsUo5ZPzAxfTMvUxFIDVS6W9LYUp6nXW3fcHVdg0ZJl8opSH85jqahvm6DSVg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@tanstack/query-core": "5.56.2"
       },
@@ -4860,6 +4861,7 @@
       "integrity": "sha512-oxLPMytKchWGbnQM9O7D67uPa9paTNxO7jVoNMXgkkErULBPhPARCfkKL9ytcIJJRGjbsVwW4ugJzyFFvm/Tiw==",
       "devOptional": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "csstype": "^3.0.2"
       }
@@ -4870,6 +4872,7 @@
       "integrity": "sha512-XGJkWF41Qq305SKWEILa1O8vzhb3aOo3ogBlSmiqNko/WmRb6QIaweuZCXjKygVDXpzXb5wyxKTSOsmkuqj+Qw==",
       "devOptional": true,
       "license": "MIT",
+      "peer": true,
       "peerDependencies": {
         "@types/react": "^19.0.0"
       }
@@ -4970,6 +4973,7 @@
       "integrity": "sha512-g3WpVQHngx0aLXn6kfIYCZxM6rRJlWzEkVpqEFLT3SgEDsp9cpCbxxgwnE504q4H+ruSDh/VGS6nqZIDynP+vg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.39.0",
         "@typescript-eslint/types": "8.39.0",
@@ -5344,7 +5348,8 @@
       "version": "5.5.0",
       "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
       "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/@yarnpkg/lockfile": {
       "version": "1.1.0",
@@ -5373,6 +5378,7 @@
       "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -5870,6 +5876,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001669",
         "electron-to-chromium": "^1.5.41",
@@ -6909,7 +6916,6 @@
       "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-2.0.0.tgz",
       "integrity": "sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "domelementtype": "^2.3.0",
         "domhandler": "^5.0.2",
@@ -6936,7 +6942,6 @@
       "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-5.0.3.tgz",
       "integrity": "sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==",
       "license": "BSD-2-Clause",
-      "peer": true,
       "dependencies": {
         "domelementtype": "^2.3.0"
       },
@@ -6952,7 +6957,6 @@
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
       "integrity": "sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==",
       "license": "BSD-2-Clause",
-      "peer": true,
       "dependencies": {
         "dom-serializer": "^2.0.0",
         "domelementtype": "^2.3.0",
@@ -7324,6 +7328,7 @@
       "deprecated": "This version is no longer supported. Please see https://eslint.org/version-support for other options.",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.6.1",
@@ -7380,6 +7385,7 @@
       "integrity": "sha512-NSWl5BFQWEPi1j4TjVNItzYV7dZXZ+wP6I6ZhrBGpChQhZRUaElihE9uRRkcbRnNb76UMKDF3r+WTmNcGPKsqw==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "eslint-config-prettier": "bin/cli.js"
       },
@@ -8622,7 +8628,6 @@
       "integrity": "sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==",
       "deprecated": "Glob versions prior to v9 are no longer supported",
       "license": "ISC",
-      "peer": true,
       "dependencies": {
         "fs.realpath": "^1.0.0",
         "inflight": "^1.0.4",
@@ -8654,7 +8659,6 @@
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
       "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
       "license": "ISC",
-      "peer": true,
       "dependencies": {
         "brace-expansion": "^2.0.1"
       },
@@ -8881,7 +8885,6 @@
       "resolved": "https://registry.npmjs.org/html-dom-parser/-/html-dom-parser-5.0.13.tgz",
       "integrity": "sha512-B7JonBuAfG32I7fDouUQEogBrz3jK9gAuN1r1AaXpED6dIhtg/JwiSRhjGL7aOJwRz3HU4efowCjQBaoXiREqg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "domhandler": "5.0.3",
         "htmlparser2": "10.0.0"
@@ -8937,7 +8940,6 @@
       "resolved": "https://registry.npmjs.org/html-react-parser/-/html-react-parser-5.2.2.tgz",
       "integrity": "sha512-yA5012CJGSFWYZsgYzfr6HXJgDap38/AEP4ra8Cw+WHIi2ZRDXRX/QVYdumRf1P8zKyScKd6YOrWYvVEiPfGKg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "domhandler": "5.0.3",
         "html-dom-parser": "5.0.13",
@@ -8976,7 +8978,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "domelementtype": "^2.3.0",
         "domhandler": "^5.0.3",
@@ -8989,7 +8990,6 @@
       "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.0.tgz",
       "integrity": "sha512-aKstq2TDOndCn4diEyp9Uq/Flu2i1GlLkc6XIDQSDMuaFE3OPW5OphLCyQ5SpSJZTb4reN+kTcYru5yIfXoRPw==",
       "license": "BSD-2-Clause",
-      "peer": true,
       "engines": {
         "node": ">=0.12"
       },
@@ -9152,8 +9152,7 @@
       "version": "0.2.4",
       "resolved": "https://registry.npmjs.org/inline-style-parser/-/inline-style-parser-0.2.4.tgz",
       "integrity": "sha512-0aO8FkhNZlj/ZIbNi7Lxxr12obT7cL1moPfE4tg1LkX7LlLfC6DeX4l2ZEud1ukP9jNQyNnfzQVqwbwmAATY4Q==",
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/internal-slot": {
       "version": "1.1.0",
@@ -10484,6 +10483,7 @@
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@bundled-es-modules/cookie": "^2.0.1",
         "@bundled-es-modules/statuses": "^1.0.1",
@@ -11457,6 +11457,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -11655,6 +11656,7 @@
       "integrity": "sha512-9RbEr1Y7FFfptd/1eEdntyjMwLeghW1bHX9GWjXo19vx4ytPQhANltvVxDggzJl7mnWM+dX28kb6cyS/4iQjlQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "cssesc": "^3.0.0",
         "util-deprecate": "^1.0.2"
@@ -11708,6 +11710,7 @@
       "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "prettier": "bin/prettier.cjs"
       },
@@ -11977,6 +11980,7 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.1.0.tgz",
       "integrity": "sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg==",
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -12035,6 +12039,7 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.1.0.tgz",
       "integrity": "sha512-Xs1hdnE+DyKgeHJeJznQmYMIBG3TKIHJJT95Q58nHLSrElKlGQqDTR2HQ9fx5CN/Gk6Vh/kupBTDLU11/nDk/g==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "scheduler": "^0.26.0"
       },
@@ -12090,8 +12095,7 @@
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/react-property/-/react-property-2.0.2.tgz",
       "integrity": "sha512-+PbtI3VuDV0l6CleQMsx2gtK0JZbZKbpdu5ynr+lbsuvtmgbNcS3VM0tuY2QjFNOcWxvXeHjDpy42RO+4U2rug==",
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/react-remove-scroll": {
       "version": "2.6.3",
@@ -13410,7 +13414,6 @@
       "resolved": "https://registry.npmjs.org/style-to-js/-/style-to-js-1.1.16.tgz",
       "integrity": "sha512-/Q6ld50hKYPH3d/r6nr117TZkHR0w0kGGIVfpG9N6D8NymRPM9RqCUv4pRpJ62E5DqOYx2AFpbZMyCPnjQCnOw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "style-to-object": "1.0.8"
       }
@@ -13420,7 +13423,6 @@
       "resolved": "https://registry.npmjs.org/style-to-object/-/style-to-object-1.0.8.tgz",
       "integrity": "sha512-xT47I/Eo0rwJmaXC4oilDGDWLohVhR6o/xAQcPQN8q6QBuZVL8qMYL85kLmST5cPjAorwvqIA4qXTRQoYHaL6g==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "inline-style-parser": "0.2.4"
       }
@@ -13536,6 +13538,7 @@
       "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.17.tgz",
       "integrity": "sha512-w33E2aCvSDP0tW9RZuNXadXlkHXqFzSkQew/aIa2i/Sj8fThxwovwlXHSPXTbAHwEIhBFXAedUhP2tueAKP8Og==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@alloc/quick-lru": "^5.2.0",
         "arg": "^5.0.2",
@@ -13709,6 +13712,7 @@
       "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -13934,6 +13938,7 @@
       "integrity": "sha512-4H8vUNGNjQ4V2EOoGw005+c+dGuPSnhpPBPHBtsZdGZBk/iJb4kguGlPWaZTZ3q5nMtFOEsY0nRDlh9PJyd6SQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "esbuild": "~0.25.0",
         "get-tsconfig": "^4.7.5"
@@ -14114,6 +14119,7 @@
       "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
       "dev": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -14146,8 +14152,7 @@
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz",
       "integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==",
       "dev": true,
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/unist-util-is": {
       "version": "6.0.0",
@@ -14242,7 +14247,6 @@
       "resolved": "https://registry.npmjs.org/unxhr/-/unxhr-1.2.0.tgz",
       "integrity": "sha512-6cGpm8NFXPD9QbSNx0cD2giy7teZ6xOkCUH3U89WKVkL9N9rBrWjlCwhR94Re18ZlAop4MOc3WU1M3Hv/bgpIw==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=8.11"
       }
@@ -14468,6 +14472,7 @@
       "integrity": "sha512-ixXJB1YRgDIw2OszKQS9WxGHKwLdCsbQNkpJN171udl6szi/rIySHL6/Os3s2+oE4P/FLD4dxg4mD7Wust+u5g==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.4.6",
@@ -14647,6 +14652,7 @@
       "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=12"
       },

From 9c180b5b54a2dd01c47eee28f0e99f2b0bc86f7e Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 06:53:45 -0700
Subject: [PATCH 10/28] Remove todo list

---
 scim-todos.txt | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 scim-todos.txt

diff --git a/scim-todos.txt b/scim-todos.txt
deleted file mode 100644
index 775510c33..000000000
--- a/scim-todos.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-- Will need to make pagination similar to other pseudo-paginated endpoints, like https://github.com/oxidecomputer/omicron/blob/d74f5e3f1ae0a378dcdb9795a0ada2426702b046/nexus/src/external_api/http_entrypoints.rs#L5392
-- Name attribute is in designs and might get added to API at some point, but not present yet.
\ No newline at end of file

From 5ccfbd569173fda2fb34f0988ad4060eb3597eb3 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 07:09:20 -0700
Subject: [PATCH 11/28] Update import and className ordering

---
 app/pages/system/silos/SiloScimTab.tsx | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index d02ff271e..f293f9507 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -11,6 +11,7 @@ import { useCallback, useMemo, useState } from 'react'
 import { type LoaderFunctionArgs } from 'react-router'
 
 import { AccessToken24Icon, OpenLink12Icon } from '@oxide/design-system/icons/react'
+import { Badge } from '@oxide/design-system/ui'
 
 import {
   apiQueryClient,
@@ -24,7 +25,6 @@ import { addToast } from '~/stores/toast'
 import { useColsWithActions, type MenuAction } from '~/table/columns/action-col'
 import { Columns } from '~/table/columns/common'
 import { Table } from '~/table/Table'
-import { Badge } from '~/ui/lib/Badge'
 import { CardBlock } from '~/ui/lib/CardBlock'
 import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
 import { CreateButton } from '~/ui/lib/CreateButton'
@@ -145,7 +145,7 @@ export default function SiloScimTab() {
           )}
         </CardBlock.Body>
         <CardBlock.Footer>
-          <div className="relative -ml-2 inline-block rounded py-1 pl-2 pr-7 text-sans-md text-raise group-hover:bg-tertiary">
+          <div className="text-sans-md text-raise group-hover:bg-tertiary relative -ml-2 inline-block rounded py-1 pr-7 pl-2">
             <span className="inline-block max-w-[300px] truncate align-middle">
               Learn more about{' '}
               <a
@@ -240,8 +240,8 @@ function TokenCreatedModal({
   return (
     <Modal isOpen onDismiss={onDismiss} title="Create token">
       <Modal.Section>
-        <div className="rounded border p-3 text-sans-sm border-default">
-          <div className="mb-1 uppercase text-mono-sm text-tertiary">Expires</div>
+        <div className="text-sans-sm border-default rounded border p-3">
+          <div className="text-mono-sm text-tertiary mb-1 uppercase">Expires</div>
           {token.timeExpires ? (
             <DateTime date={token.timeExpires} />
           ) : (
@@ -255,12 +255,12 @@ function TokenCreatedModal({
         />
 
         <div className="mt-4">
-          <div className="mb-2 font-medium text-sans-semi-md">Bearer Token</div>
-          <div className="font-mono flex items-center rounded border text-sans-sm text-raise bg-default border-default">
-            <div className="flex-1 overflow-hidden text-ellipsis p-3">
+          <div className="text-sans-semi-md mb-2 font-medium">Bearer Token</div>
+          <div className="text-sans-sm text-raise bg-default border-default flex items-center rounded border font-mono">
+            <div className="flex-1 overflow-hidden p-3 text-ellipsis">
               {token.bearerToken}
             </div>
-            <div className="border-l p-3 border-default">
+            <div className="border-default border-l p-3">
               <CopyToClipboard text={token.bearerToken} />
             </div>
           </div>

From 732151c772b8119ad74ee6f8da8d9c80ac8fb8c0 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 07:17:15 -0700
Subject: [PATCH 12/28] Update path snapshots

---
 app/util/__snapshots__/path-builder.spec.ts.snap | 10 ++++++++++
 app/util/path-builder.spec.ts                    |  1 +
 2 files changed, 11 insertions(+)

diff --git a/app/util/__snapshots__/path-builder.spec.ts.snap b/app/util/__snapshots__/path-builder.spec.ts.snap
index d2b4a4373..069c7927d 100644
--- a/app/util/__snapshots__/path-builder.spec.ts.snap
+++ b/app/util/__snapshots__/path-builder.spec.ts.snap
@@ -615,6 +615,16 @@ exports[`breadcrumbs 2`] = `
       "path": "/system/silos/s",
     },
   ],
+  "siloScim (/system/silos/s/scim)": [
+    {
+      "label": "Silos",
+      "path": "/system/silos",
+    },
+    {
+      "label": "s",
+      "path": "/system/silos/s",
+    },
+  ],
   "siloUtilization (/utilization)": [
     {
       "label": "Utilization",
diff --git a/app/util/path-builder.spec.ts b/app/util/path-builder.spec.ts
index af24b74b3..35aefaab2 100644
--- a/app/util/path-builder.spec.ts
+++ b/app/util/path-builder.spec.ts
@@ -88,6 +88,7 @@ test('path builder', () => {
         "siloImages": "/images",
         "siloIpPools": "/system/silos/s/ip-pools",
         "siloQuotas": "/system/silos/s/quotas",
+        "siloScim": "/system/silos/s/scim",
         "siloUtilization": "/utilization",
         "silos": "/system/silos",
         "silosNew": "/system/silos-new",

From 366107f8bdbfeb9f7616659186f28bff697e57c5 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 10:18:17 -0700
Subject: [PATCH 13/28] tweak height of token pseudo input; order tokens by
 created_at

---
 app/pages/system/silos/SiloScimTab.tsx | 12 +++++++++---
 mock-api/silo.ts                       |  4 ++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index f293f9507..7dffd8685 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -56,10 +56,16 @@ export async function clientLoader({ params }: LoaderFunctionArgs) {
 
 export default function SiloScimTab() {
   const siloSelector = useSiloSelector()
-  const { data: tokens } = usePrefetchedApiQuery('scimTokenList', {
+  const { data } = usePrefetchedApiQuery('scimTokenList', {
     query: { silo: siloSelector.silo },
   })
 
+  // Order tokens by creation date, oldest first
+  const tokens = useMemo(
+    () => [...data].sort((a, b) => a.timeCreated.getTime() - b.timeCreated.getTime()),
+    [data]
+  )
+
   const [showCreateModal, setShowCreateModal] = useState(false)
   const [createdToken, setCreatedToken] = useState<{
     id: string
@@ -257,10 +263,10 @@ function TokenCreatedModal({
         <div className="mt-4">
           <div className="text-sans-semi-md mb-2 font-medium">Bearer Token</div>
           <div className="text-sans-sm text-raise bg-default border-default flex items-center rounded border font-mono">
-            <div className="flex-1 overflow-hidden p-3 text-ellipsis">
+            <div className="flex-1 overflow-hidden px-3 py-2 text-ellipsis">
               {token.bearerToken}
             </div>
-            <div className="border-default border-l p-3">
+            <div className="border-default border-l p-2">
               <CopyToClipboard text={token.bearerToken} />
             </div>
           </div>
diff --git a/mock-api/silo.ts b/mock-api/silo.ts
index 9e9fcbe3c..b64229e8a 100644
--- a/mock-api/silo.ts
+++ b/mock-api/silo.ts
@@ -142,8 +142,8 @@ export const scimTokens: DbScimToken[] = [
   },
   {
     id: 'b2c3d4e5-f6a7-8901-bcde-f12345678901',
-    time_created: new Date(2025, 9, 20).toISOString(),
-    time_expires: new Date(2026, 9, 20).toISOString(),
+    time_created: new Date(2025, 8, 20).toISOString(),
+    time_expires: new Date(2026, 8, 20).toISOString(),
     siloId: defaultSilo.id,
   },
   {

From 47e43af972205487d7f0a2633fbe8608f4c10fff Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 15:29:44 -0700
Subject: [PATCH 14/28] Remove EXPIRES column and content from confirmation
 modal

---
 app/pages/system/silos/SiloScimTab.tsx | 31 +-------------------------
 1 file changed, 1 insertion(+), 30 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index 7dffd8685..3eb7b3283 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -11,7 +11,6 @@ import { useCallback, useMemo, useState } from 'react'
 import { type LoaderFunctionArgs } from 'react-router'
 
 import { AccessToken24Icon, OpenLink12Icon } from '@oxide/design-system/icons/react'
-import { Badge } from '@oxide/design-system/ui'
 
 import {
   apiQueryClient,
@@ -28,7 +27,6 @@ import { Table } from '~/table/Table'
 import { CardBlock } from '~/ui/lib/CardBlock'
 import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
 import { CreateButton } from '~/ui/lib/CreateButton'
-import { DateTime } from '~/ui/lib/DateTime'
 import { EmptyMessage } from '~/ui/lib/EmptyMessage'
 import { Message } from '~/ui/lib/Message'
 import { Modal } from '~/ui/lib/Modal'
@@ -71,7 +69,6 @@ export default function SiloScimTab() {
     id: string
     bearerToken: string
     timeCreated: Date
-    timeExpires?: Date | null
   } | null>(null)
 
   const deleteToken = useApiMutation('scimTokenDelete', {
@@ -106,17 +103,6 @@ export default function SiloScimTab() {
         ),
       }),
       colHelper.accessor('timeCreated', Columns.timeCreated),
-      colHelper.accessor('timeExpires', {
-        header: 'Expires',
-        cell: (info) => {
-          const expires = info.getValue()
-          return expires ? (
-            <DateTime date={expires} />
-          ) : (
-            <Badge color="neutral">Never</Badge>
-          )
-        },
-      }),
     ],
     []
   )
@@ -193,12 +179,7 @@ function CreateTokenModal({
 }: {
   siloSelector: { silo: string }
   onDismiss: () => void
-  onSuccess: (token: {
-    id: string
-    bearerToken: string
-    timeCreated: Date
-    timeExpires?: Date | null
-  }) => void
+  onSuccess: (token: { id: string; bearerToken: string; timeCreated: Date }) => void
 }) {
   const createToken = useApiMutation('scimTokenCreate', {
     onSuccess(token) {
@@ -239,22 +220,12 @@ function TokenCreatedModal({
     id: string
     bearerToken: string
     timeCreated: Date
-    timeExpires?: Date | null
   }
   onDismiss: () => void
 }) {
   return (
     <Modal isOpen onDismiss={onDismiss} title="Create token">
       <Modal.Section>
-        <div className="text-sans-sm border-default rounded border p-3">
-          <div className="text-mono-sm text-tertiary mb-1 uppercase">Expires</div>
-          {token.timeExpires ? (
-            <DateTime date={token.timeExpires} />
-          ) : (
-            <Badge color="neutral">Never</Badge>
-          )}
-        </div>
-
         <Message
           variant="notice"
           content="This is the only time you'll see this token. Copy it now and store it securely."

From 6769f2f5bba2c72d4648b9e479e8d5b69462f3bf Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 15:34:00 -0700
Subject: [PATCH 15/28] Simplify mock handler

---
 mock-api/msw/handlers.ts | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index 241657612..a51703f2d 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1904,15 +1904,11 @@ export const handlers = makeHandlers({
 
     // Generate a 32-character hex string
     const hexString = uuid().replace(/-/g, '')
-    const now = new Date()
-    const expiration = new Date(now)
-    expiration.setDate(expiration.getDate() + 90)
 
     const newToken: Json<Api.ScimClientBearerTokenValue> = {
       id: uuid(),
       bearer_token: `scim_${hexString}`,
-      time_created: now.toISOString(),
-      time_expires: expiration.toISOString(),
+      time_created: new Date().toISOString(),
     }
 
     // Store without the bearer_token but with siloId for filtering

From 69283da26182dc9a48e91582385a26c9a3e80c30 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 15:56:28 -0700
Subject: [PATCH 16/28] Revert "Remove EXPIRES column and content from
 confirmation modal"

This reverts commit 47e43af972205487d7f0a2633fbe8608f4c10fff.
---
 app/pages/system/silos/SiloScimTab.tsx | 31 +++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index 3eb7b3283..7dffd8685 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -11,6 +11,7 @@ import { useCallback, useMemo, useState } from 'react'
 import { type LoaderFunctionArgs } from 'react-router'
 
 import { AccessToken24Icon, OpenLink12Icon } from '@oxide/design-system/icons/react'
+import { Badge } from '@oxide/design-system/ui'
 
 import {
   apiQueryClient,
@@ -27,6 +28,7 @@ import { Table } from '~/table/Table'
 import { CardBlock } from '~/ui/lib/CardBlock'
 import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
 import { CreateButton } from '~/ui/lib/CreateButton'
+import { DateTime } from '~/ui/lib/DateTime'
 import { EmptyMessage } from '~/ui/lib/EmptyMessage'
 import { Message } from '~/ui/lib/Message'
 import { Modal } from '~/ui/lib/Modal'
@@ -69,6 +71,7 @@ export default function SiloScimTab() {
     id: string
     bearerToken: string
     timeCreated: Date
+    timeExpires?: Date | null
   } | null>(null)
 
   const deleteToken = useApiMutation('scimTokenDelete', {
@@ -103,6 +106,17 @@ export default function SiloScimTab() {
         ),
       }),
       colHelper.accessor('timeCreated', Columns.timeCreated),
+      colHelper.accessor('timeExpires', {
+        header: 'Expires',
+        cell: (info) => {
+          const expires = info.getValue()
+          return expires ? (
+            <DateTime date={expires} />
+          ) : (
+            <Badge color="neutral">Never</Badge>
+          )
+        },
+      }),
     ],
     []
   )
@@ -179,7 +193,12 @@ function CreateTokenModal({
 }: {
   siloSelector: { silo: string }
   onDismiss: () => void
-  onSuccess: (token: { id: string; bearerToken: string; timeCreated: Date }) => void
+  onSuccess: (token: {
+    id: string
+    bearerToken: string
+    timeCreated: Date
+    timeExpires?: Date | null
+  }) => void
 }) {
   const createToken = useApiMutation('scimTokenCreate', {
     onSuccess(token) {
@@ -220,12 +239,22 @@ function TokenCreatedModal({
     id: string
     bearerToken: string
     timeCreated: Date
+    timeExpires?: Date | null
   }
   onDismiss: () => void
 }) {
   return (
     <Modal isOpen onDismiss={onDismiss} title="Create token">
       <Modal.Section>
+        <div className="text-sans-sm border-default rounded border p-3">
+          <div className="text-mono-sm text-tertiary mb-1 uppercase">Expires</div>
+          {token.timeExpires ? (
+            <DateTime date={token.timeExpires} />
+          ) : (
+            <Badge color="neutral">Never</Badge>
+          )}
+        </div>
+
         <Message
           variant="notice"
           content="This is the only time you'll see this token. Copy it now and store it securely."

From e50b8dd9ca1483e64ef0255dd325a5109b52a1ce Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 16:02:08 -0700
Subject: [PATCH 17/28] Set mock token data to have null expiration datetime

---
 mock-api/silo.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mock-api/silo.ts b/mock-api/silo.ts
index b64229e8a..e607c3399 100644
--- a/mock-api/silo.ts
+++ b/mock-api/silo.ts
@@ -143,7 +143,7 @@ export const scimTokens: DbScimToken[] = [
   {
     id: 'b2c3d4e5-f6a7-8901-bcde-f12345678901',
     time_created: new Date(2025, 8, 20).toISOString(),
-    time_expires: new Date(2026, 8, 20).toISOString(),
+    time_expires: null,
     siloId: defaultSilo.id,
   },
   {

From cbe165ed5ada4b9b757a21bd09d6d056043825f3 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 17:21:45 -0700
Subject: [PATCH 18/28] Hide 'Learn about SCIM Auth' text until we have
 documentation up that we can link to

---
 app/pages/system/silos/SiloScimTab.tsx | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index 7dffd8685..16e23c6b4 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -10,7 +10,7 @@ import { createColumnHelper, getCoreRowModel, useReactTable } from '@tanstack/re
 import { useCallback, useMemo, useState } from 'react'
 import { type LoaderFunctionArgs } from 'react-router'
 
-import { AccessToken24Icon, OpenLink12Icon } from '@oxide/design-system/icons/react'
+import { AccessToken24Icon } from '@oxide/design-system/icons/react'
 import { Badge } from '@oxide/design-system/ui'
 
 import {
@@ -34,7 +34,6 @@ import { Message } from '~/ui/lib/Message'
 import { Modal } from '~/ui/lib/Modal'
 import { TableEmptyBox } from '~/ui/lib/Table'
 import { Truncate } from '~/ui/lib/Truncate'
-import { docLinks } from '~/util/links'
 
 const colHelper = createColumnHelper<ScimClientBearerToken>()
 
@@ -128,7 +127,7 @@ export default function SiloScimTab() {
     columns,
     getCoreRowModel: getCoreRowModel(),
   })
-  const { href, linkText } = docLinks.scim
+  // const { href, linkText } = docLinks.scim
   return (
     <>
       <CardBlock>
@@ -150,7 +149,7 @@ export default function SiloScimTab() {
             />
           )}
         </CardBlock.Body>
-        <CardBlock.Footer>
+        {/* <CardBlock.Footer>
           <div className="text-sans-md text-raise group-hover:bg-tertiary relative -ml-2 inline-block rounded py-1 pr-7 pl-2">
             <span className="inline-block max-w-[300px] truncate align-middle">
               Learn more about{' '}
@@ -165,7 +164,7 @@ export default function SiloScimTab() {
               </a>
             </span>
           </div>
-        </CardBlock.Footer>
+        </CardBlock.Footer> */}
       </CardBlock>
 
       {showCreateModal && (

From 31dbaae2b7cae34f03242d07aa2db384725c6bd1 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 17:57:23 -0700
Subject: [PATCH 19/28] Remove unnecessary test

---
 test/e2e/scim-tokens.e2e.ts | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/test/e2e/scim-tokens.e2e.ts b/test/e2e/scim-tokens.e2e.ts
index f0052c5a2..524a33813 100644
--- a/test/e2e/scim-tokens.e2e.ts
+++ b/test/e2e/scim-tokens.e2e.ts
@@ -22,10 +22,6 @@ test('SCIM tokens tab', async ({ page }) => {
   // Check that existing tokens are visible
   await expectRowVisible(table, { ID: 'a1b2c3d4…34567890' })
   await expectRowVisible(table, { ID: 'b2c3d4e5…45678901' })
-
-  // Check that the documentation link is visible
-  await expect(page.getByText('Learn more about')).toBeVisible()
-  await expect(page.getByRole('link', { name: 'SCIM Auth' })).toBeVisible()
 })
 
 test('Create SCIM token', async ({ page }) => {

From fe07125e0ff8b4266f61d4004e04de5734549781 Mon Sep 17 00:00:00 2001
From: Charlie Park <charlie@oxidecomputer.com>
Date: Wed, 15 Oct 2025 20:27:00 -0700
Subject: [PATCH 20/28] For desktops, give a min-width to the Expires column so
 it doesn't feel so squeezed

---
 app/pages/system/silos/SiloScimTab.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index 16e23c6b4..fa1010f1e 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -115,6 +115,7 @@ export default function SiloScimTab() {
             <Badge color="neutral">Never</Badge>
           )
         },
+        meta: { thClassName: 'lg:w-1/4' },
       }),
     ],
     []

From d7a7f28dfc95d16b8e403dd26e9a3be9875872bf Mon Sep 17 00:00:00 2001
From: Benjamin Leonard <benji@oxide.computer>
Date: Mon, 27 Oct 2025 12:05:53 +0000
Subject: [PATCH 21/28] SCIM UI tweaks

---
 app/pages/system/silos/SiloScimTab.tsx | 23 +++++-------------
 app/ui/lib/Message.tsx                 | 32 +++++++++++++++-----------
 app/ui/styles/index.css                |  9 ++++++++
 3 files changed, 33 insertions(+), 31 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index fa1010f1e..fc1e62bf7 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -213,10 +213,8 @@ function CreateTokenModal({
   return (
     <Modal isOpen onDismiss={onDismiss} title="Create token">
       <Modal.Section>
-        <Message
-          variant="info"
-          content="This token will have access to provision users and groups via SCIM. Store it securely and never share it publicly."
-        />
+        This token will have access to provision users and groups via SCIM. Store it
+        securely and never share it publicly.
       </Modal.Section>
 
       <Modal.Footer
@@ -246,27 +244,18 @@ function TokenCreatedModal({
   return (
     <Modal isOpen onDismiss={onDismiss} title="Create token">
       <Modal.Section>
-        <div className="text-sans-sm border-default rounded border p-3">
-          <div className="text-mono-sm text-tertiary mb-1 uppercase">Expires</div>
-          {token.timeExpires ? (
-            <DateTime date={token.timeExpires} />
-          ) : (
-            <Badge color="neutral">Never</Badge>
-          )}
-        </div>
-
         <Message
           variant="notice"
           content="This is the only time you'll see this token. Copy it now and store it securely."
         />
 
         <div className="mt-4">
-          <div className="text-sans-semi-md mb-2 font-medium">Bearer Token</div>
-          <div className="text-sans-sm text-raise bg-default border-default flex items-center rounded border font-mono">
-            <div className="flex-1 overflow-hidden px-3 py-2 text-ellipsis">
+          <div className="text-sans-semi-md mb-2">Bearer Token</div>
+          <div className="text-sans-md text-raise bg-default border-default flex items-stretch rounded border">
+            <div className="flex-1 overflow-hidden px-3 py-2.75 text-ellipsis">
               {token.bearerToken}
             </div>
-            <div className="border-default border-l p-2">
+            <div className="border-default flex w-8 items-center justify-center border-l">
               <CopyToClipboard text={token.bearerToken} />
             </div>
           </div>
diff --git a/app/ui/lib/Message.tsx b/app/ui/lib/Message.tsx
index 5971caeef..85e88828b 100644
--- a/app/ui/lib/Message.tsx
+++ b/app/ui/lib/Message.tsx
@@ -38,17 +38,17 @@ const defaultIcon: Record<Variant, ReactElement> = {
 }
 
 const color: Record<Variant, string> = {
-  success: 'bg-accent-secondary',
-  error: 'bg-error-secondary',
-  notice: 'bg-notice-secondary',
-  info: 'bg-info-secondary',
+  success: 'bg-accent-secondary border-accent/10',
+  error: 'bg-error-secondary border-destructive/10',
+  notice: 'bg-notice-secondary border-notice/10',
+  info: 'bg-info-secondary border-blue-800/10',
 }
 
 const textColor: Record<Variant, string> = {
-  success: 'text-accent *:text-accent',
-  error: 'text-error *:text-error',
-  notice: 'text-notice *:text-notice',
-  info: 'text-info *:text-info',
+  success: 'text-accent',
+  error: 'text-error',
+  notice: 'text-notice',
+  info: 'text-info',
 }
 
 const secondaryTextColor: Record<Variant, string> = {
@@ -77,22 +77,26 @@ export const Message = ({
   return (
     <div
       className={cn(
-        'elevation-1 relative flex items-start gap-2.5 overflow-hidden rounded-lg p-4',
+        'elevation-1 relative flex items-start gap-2.5 overflow-hidden rounded-lg border p-3 pr-5',
         color[variant],
         textColor[variant],
         className
       )}
     >
       {showIcon && (
-        <div className="mt-[2px] flex [&>svg]:h-3 [&>svg]:w-3">{defaultIcon[variant]}</div>
+        <div
+          className={cn(
+            'mt-[2px] flex [&>svg]:h-3 [&>svg]:w-3',
+            `[&>svg]:${textColor[variant]}`
+          )}
+        >
+          {defaultIcon[variant]}
+        </div>
       )}
       <div className="flex-1">
         {title && <div className="text-sans-semi-md">{title}</div>}
         <div
-          className={cn(
-            'text-sans-md [&>a]:underline',
-            title ? secondaryTextColor[variant] : textColor[variant]
-          )}
+          className={cn('text-sans-md [&>a]:tint-underline', secondaryTextColor[variant])}
         >
           {content}
         </div>
diff --git a/app/ui/styles/index.css b/app/ui/styles/index.css
index 2de1c5e6e..d20340c26 100644
--- a/app/ui/styles/index.css
+++ b/app/ui/styles/index.css
@@ -91,6 +91,15 @@
   }
 }
 
+@utility tint-underline {
+  text-decoration: underline;
+  text-decoration-color: color-mix(in srgb, currentColor 50%, transparent);
+
+  &:hover {
+    text-decoration-color: color-mix(in srgb, currentColor 80%, transparent);
+  }
+}
+
 @layer utilities {
   :root {
     --content-gutter: 2.5rem;

From 373cf628420f7a48b423cb950e5635bc3f971765 Mon Sep 17 00:00:00 2001
From: Benjamin Leonard <benji@oxide.computer>
Date: Mon, 27 Oct 2025 12:06:21 +0000
Subject: [PATCH 22/28] Fix funky modal (unrelated to SCIM)

---
 app/forms/anti-affinity-group-member-add.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/forms/anti-affinity-group-member-add.tsx b/app/forms/anti-affinity-group-member-add.tsx
index bc0eec6e1..3aeee4089 100644
--- a/app/forms/anti-affinity-group-member-add.tsx
+++ b/app/forms/anti-affinity-group-member-add.tsx
@@ -63,9 +63,9 @@ export default function AddAntiAffinityGroupMemberForm({ instances, onDismiss }:
     <Modal isOpen onDismiss={onDismiss} title="Add instance to group">
       <Modal.Body>
         <Modal.Section>
-          <p className="text-sm text-gray-500">
+          <p>
             Select an instance to add to the anti-affinity group{' '}
-            <HL>{antiAffinityGroup}</HL>. Only stopped instances can be added to the group.
+            <HL>{antiAffinityGroup}</HL>.
           </p>
           <form id={formId} onSubmit={onSubmit}>
             <ComboboxField

From bb1b6efbddbf4507990daed92660bc5142107af1 Mon Sep 17 00:00:00 2001
From: Benjamin Leonard <benji@oxide.computer>
Date: Mon, 27 Oct 2025 12:08:13 +0000
Subject: [PATCH 23/28] Message spacing tweak

---
 app/ui/lib/Message.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/ui/lib/Message.tsx b/app/ui/lib/Message.tsx
index 85e88828b..81eb6198b 100644
--- a/app/ui/lib/Message.tsx
+++ b/app/ui/lib/Message.tsx
@@ -77,7 +77,7 @@ export const Message = ({
   return (
     <div
       className={cn(
-        'elevation-1 relative flex items-start gap-2.5 overflow-hidden rounded-lg border p-3 pr-5',
+        'elevation-1 relative flex items-start gap-2 overflow-hidden rounded-lg border p-3 pr-5',
         color[variant],
         textColor[variant],
         className

From 0ffff2451bcc77fed9fbcaf4a7cd41b0f4529070 Mon Sep 17 00:00:00 2001
From: Benjamin Leonard <benji@oxide.computer>
Date: Mon, 27 Oct 2025 12:09:34 +0000
Subject: [PATCH 24/28] Unify input label with others

---
 app/pages/system/silos/SiloScimTab.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index fc1e62bf7..c6fe74485 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -250,7 +250,7 @@ function TokenCreatedModal({
         />
 
         <div className="mt-4">
-          <div className="text-sans-semi-md mb-2">Bearer Token</div>
+          <div className="text-sans-md text-raise mb-2">Bearer Token</div>
           <div className="text-sans-md text-raise bg-default border-default flex items-stretch rounded border">
             <div className="flex-1 overflow-hidden px-3 py-2.75 text-ellipsis">
               {token.bearerToken}

From 317724424503d9fa60bf9984286c1403268f30af Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Tue, 28 Oct 2025 16:22:03 -0500
Subject: [PATCH 25/28] tweak copy, add saml_scim option in silo create

---
 app/forms/silo-create.tsx              |  1 +
 app/pages/system/silos/SiloScimTab.tsx | 46 ++++++++++++--------------
 app/util/links.ts                      |  8 ++---
 mock-api/msw/handlers.ts               | 10 ++++--
 test/e2e/scim-tokens.e2e.ts            | 43 +++++++++++-------------
 5 files changed, 52 insertions(+), 56 deletions(-)

diff --git a/app/forms/silo-create.tsx b/app/forms/silo-create.tsx
index 95da46ec0..9da98895b 100644
--- a/app/forms/silo-create.tsx
+++ b/app/forms/silo-create.tsx
@@ -147,6 +147,7 @@ export default function CreateSiloSideModalForm() {
         control={form.control}
         items={[
           { value: 'saml_jit', label: 'SAML' },
+          { value: 'saml_scim', label: 'SAML + SCIM' },
           { value: 'local_only', label: 'Local only' },
         ]}
       />
diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index c6fe74485..905816cbf 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -25,7 +25,7 @@ import { addToast } from '~/stores/toast'
 import { useColsWithActions, type MenuAction } from '~/table/columns/action-col'
 import { Columns } from '~/table/columns/common'
 import { Table } from '~/table/Table'
-import { CardBlock } from '~/ui/lib/CardBlock'
+import { CardBlock, LearnMore } from '~/ui/lib/CardBlock'
 import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
 import { CreateButton } from '~/ui/lib/CreateButton'
 import { DateTime } from '~/ui/lib/DateTime'
@@ -34,6 +34,7 @@ import { Message } from '~/ui/lib/Message'
 import { Modal } from '~/ui/lib/Modal'
 import { TableEmptyBox } from '~/ui/lib/Table'
 import { Truncate } from '~/ui/lib/Truncate'
+import { links } from '~/util/links'
 
 const colHelper = createColumnHelper<ScimClientBearerToken>()
 
@@ -133,9 +134,9 @@ export default function SiloScimTab() {
     <>
       <CardBlock>
         <CardBlock.Header
-          title="SCIM Bearer Tokens"
+          title="SCIM Tokens"
           titleId="scim-tokens-label"
-          description="Manage authentication tokens for SCIM identity provisioning"
+          description="Tokens for authenticating requests to SCIM endpoints"
         >
           <CreateButton onClick={() => setShowCreateModal(true)}>Create token</CreateButton>
         </CardBlock.Header>
@@ -150,22 +151,9 @@ export default function SiloScimTab() {
             />
           )}
         </CardBlock.Body>
-        {/* <CardBlock.Footer>
-          <div className="text-sans-md text-raise group-hover:bg-tertiary relative -ml-2 inline-block rounded py-1 pr-7 pl-2">
-            <span className="inline-block max-w-[300px] truncate align-middle">
-              Learn more about{' '}
-              <a
-                href={href}
-                className="text-accent group-hover:text-accent"
-                target="_blank"
-                rel="noopener noreferrer"
-              >
-                {linkText}
-                <OpenLink12Icon className="absolute top-1.5 ml-1 translate-y-[1px]" />
-              </a>
-            </span>
-          </div>
-        </CardBlock.Footer> */}
+        <CardBlock.Footer>
+          <LearnMore href={links.scimDocs} text="SCIM" />
+        </CardBlock.Footer>
       </CardBlock>
 
       {showCreateModal && (
@@ -211,10 +199,11 @@ function CreateTokenModal({
   })
 
   return (
-    <Modal isOpen onDismiss={onDismiss} title="Create token">
+    <Modal isOpen onDismiss={onDismiss} title="Create SCIM token">
       <Modal.Section>
-        This token will have access to provision users and groups via SCIM. Store it
-        securely and never share it publicly.
+        Anyone with this token can manage users and groups in this silo via SCIM. Since
+        group membership grants roles, this token can be used to give a user admin
+        privileges. Store it securely and never share it publicly.
       </Modal.Section>
 
       <Modal.Footer
@@ -242,18 +231,25 @@ function TokenCreatedModal({
   onDismiss: () => void
 }) {
   return (
-    <Modal isOpen onDismiss={onDismiss} title="Create token">
+    <Modal isOpen onDismiss={onDismiss} title="SCIM token created">
       <Modal.Section>
         <Message
           variant="notice"
-          content="This is the only time you'll see this token. Copy it now and store it securely."
+          content=<>
+            This is the only time you’ll see this token. Copy it now and store it securely.
+          </>
         />
 
         <div className="mt-4">
           <div className="text-sans-md text-raise mb-2">Bearer Token</div>
           <div className="text-sans-md text-raise bg-default border-default flex items-stretch rounded border">
             <div className="flex-1 overflow-hidden px-3 py-2.75 text-ellipsis">
-              {token.bearerToken}
+              {/*
+               * TODO: looks like the API does not include oxide-scim- in the
+               * bearerToken field, but I think it should, so make sure to check
+               * this pending the outcome of that discussion
+               */}
+              oxide-scim-{token.bearerToken}
             </div>
             <div className="border-default flex w-8 items-center justify-center border-l">
               <CopyToClipboard text={token.bearerToken} />
diff --git a/app/util/links.ts b/app/util/links.ts
index 16fec9c97..45dcb637d 100644
--- a/app/util/links.ts
+++ b/app/util/links.ts
@@ -43,8 +43,8 @@ export const links = {
   quickStart: 'https://docs.oxide.computer/guides/quickstart',
   routersDocs:
     'https://docs.oxide.computer/guides/configuring-guest-networking#_custom_routers',
-  // 🚨 TODO: link to section once it exists in the docs 🚨
-  scimAuthDocs: '',
+  // TODO: make sure this is right
+  scimDocs: 'https://docs.oxide.computer/guides/operator/scim',
   siloQuotasDocs:
     'https://docs.oxide.computer/guides/operator/silo-management#_silo_resource_quota_management',
   sledDocs:
@@ -131,8 +131,8 @@ export const docLinks = {
     linkText: 'Custom Routers',
   },
   scim: {
-    href: links.scimAuthDocs,
-    linkText: 'SCIM Auth',
+    href: links.scimDocs,
+    linkText: 'SCIM',
   },
   sleds: {
     href: links.sledDocs,
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index a51703f2d..7b098a1c4 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1902,12 +1902,16 @@ export const handlers = makeHandlers({
     requireFleetCollab(cookies)
     const silo = lookup.silo({ silo: query.silo })
 
-    // Generate a 32-character hex string
-    const hexString = uuid().replace(/-/g, '')
+    // Generate a 20-character hex string
+    const hexString = uuid().replace(/-/g, '').slice(0, 20)
 
     const newToken: Json<Api.ScimClientBearerTokenValue> = {
       id: uuid(),
-      bearer_token: `scim_${hexString}`,
+      // TODO: looks like the API does not include oxide-scim- in the token,
+      // but I think it should, so make sure to check this pending the outcome
+      // of that discussion
+      // https://github.com/oxidecomputer/omicron/blob/9617f40a/nexus/tests/integration_tests/scim.rs?plain=1#L449
+      bearer_token: hexString,
       time_created: new Date().toISOString(),
     }
 
diff --git a/test/e2e/scim-tokens.e2e.ts b/test/e2e/scim-tokens.e2e.ts
index 524a33813..708f1d754 100644
--- a/test/e2e/scim-tokens.e2e.ts
+++ b/test/e2e/scim-tokens.e2e.ts
@@ -12,12 +12,9 @@ import { clickRowAction, expectNotVisible, expectRowVisible, expectVisible } fro
 test('SCIM tokens tab', async ({ page }) => {
   await page.goto('/system/silos/maze-war/scim')
 
-  await expectVisible(page, [
-    page.getByText('SCIM Bearer Tokens'),
-    page.getByText('Manage authentication tokens for SCIM identity provisioning'),
-  ])
+  await expect(page.getByText('SCIM Tokens')).toBeVisible()
 
-  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
+  const table = page.getByRole('table', { name: 'SCIM Tokens' })
 
   // Check that existing tokens are visible
   await expectRowVisible(table, { ID: 'a1b2c3d4…34567890' })
@@ -30,46 +27,44 @@ test('Create SCIM token', async ({ page }) => {
   // Open create modal
   await page.getByRole('button', { name: 'Create token' }).click()
 
-  const createModal = page.getByRole('dialog', { name: 'Create token' })
-  const modalMessage = 'This token will have access to provision users and groups via SCIM'
-  const createMessage = createModal.getByText(modalMessage)
+  const createModal = page.getByRole('dialog', { name: 'Create SCIM token' })
   await expect(createModal).toBeVisible()
 
-  // Check info message is visible
-  await expect(createMessage).toBeVisible()
-
   // Create the token
   await createModal.getByRole('button', { name: 'Create' }).click()
 
   // Creation modal should go away
-  await expect(createMessage).toBeHidden()
+  await expect(createModal).toBeHidden()
 
-  // Check that the warning message is visible
-  const warning = createModal.getByText("This is the only time you'll see this token")
-  await expect(warning).toBeVisible()
+  // Now we have a new modal with the token in it
+  const tokenCreatedModal = page.getByRole('dialog', { name: 'SCIM token created' })
+  await expect(tokenCreatedModal).toBeVisible()
 
-  // Check that the bearer token is visible and starts with scim_
-  const bearerTokenDiv = createModal.getByText(/^scim_[a-f0-9]{32}$/)
+  // Check that the bearer token is visible and starts with oxide-scim-
+  const bearerTokenDiv = tokenCreatedModal.getByText(/^oxide-scim-[a-f0-9]{20}$/)
   await expect(bearerTokenDiv).toBeVisible()
+  const warning = tokenCreatedModal.getByText('This is the only')
+  await expect(warning).toBeVisible()
 
   // Check that copy button is visible
-  const copyButton = createModal.getByRole('button', { name: 'Click to copy' })
+  const copyButton = tokenCreatedModal.getByRole('button', { name: 'Click to copy' })
   await expect(copyButton).toBeVisible()
 
   // Dismiss the modal
-  await createModal.getByRole('button', { name: 'Done' }).click()
-  await expect(createModal).toBeHidden()
+  await tokenCreatedModal.getByRole('button', { name: 'Done' }).click()
+  await expect(tokenCreatedModal).toBeHidden()
 
-  // The token should NOT be visible in the table (bearer token is not shown after creation)
-  // But a new row should exist - check the table has 3 rows now (header + 2 original + 1 new)
-  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
+  // The token should NOT be visible in the table (bearer token is not shown
+  // after creation), but a new row should exist. Check the table has 3 rows now
+  // (header + 2 original + 1 new)
+  const table = page.getByRole('table', { name: 'SCIM Tokens' })
   await expect(table.getByRole('row')).toHaveCount(4) // header + 3 tokens
 })
 
 test('Delete SCIM token', async ({ page }) => {
   await page.goto('/system/silos/maze-war/scim')
 
-  const table = page.getByRole('table', { name: 'SCIM Bearer Tokens' })
+  const table = page.getByRole('table', { name: 'SCIM Tokens' })
 
   // Verify initial state - should have 2 tokens
   await expect(table.getByRole('row')).toHaveCount(3) // header + 2 tokens

From af34dfabfb7a1b954acb6e37511f8dc08cd80c72 Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Tue, 28 Oct 2025 17:39:43 -0500
Subject: [PATCH 26/28] put oxide-scim- back in. see
 https://github.com/oxidecomputer/omicron/pull/9301

---
 app/pages/system/silos/SiloScimTab.tsx | 7 +------
 mock-api/msw/handlers.ts               | 6 +-----
 2 files changed, 2 insertions(+), 11 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index 905816cbf..ca7b84a30 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -244,12 +244,7 @@ function TokenCreatedModal({
           <div className="text-sans-md text-raise mb-2">Bearer Token</div>
           <div className="text-sans-md text-raise bg-default border-default flex items-stretch rounded border">
             <div className="flex-1 overflow-hidden px-3 py-2.75 text-ellipsis">
-              {/*
-               * TODO: looks like the API does not include oxide-scim- in the
-               * bearerToken field, but I think it should, so make sure to check
-               * this pending the outcome of that discussion
-               */}
-              oxide-scim-{token.bearerToken}
+              {token.bearerToken}
             </div>
             <div className="border-default flex w-8 items-center justify-center border-l">
               <CopyToClipboard text={token.bearerToken} />
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index 7b098a1c4..ad1c4fe36 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -1907,11 +1907,7 @@ export const handlers = makeHandlers({
 
     const newToken: Json<Api.ScimClientBearerTokenValue> = {
       id: uuid(),
-      // TODO: looks like the API does not include oxide-scim- in the token,
-      // but I think it should, so make sure to check this pending the outcome
-      // of that discussion
-      // https://github.com/oxidecomputer/omicron/blob/9617f40a/nexus/tests/integration_tests/scim.rs?plain=1#L449
-      bearer_token: hexString,
+      bearer_token: `oxide-scim-${hexString}`,
       time_created: new Date().toISOString(),
     }
 

From 95063f18055afb4d995fe3a633648b150c6bdcca Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Tue, 28 Oct 2025 17:55:38 -0500
Subject: [PATCH 27/28] fix e2e failure and bug around admin group name

---
 app/forms/silo-create.tsx | 11 ++++++++---
 test/e2e/silos.e2e.ts     |  2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/forms/silo-create.tsx b/app/forms/silo-create.tsx
index 9da98895b..7f05938bb 100644
--- a/app/forms/silo-create.tsx
+++ b/app/forms/silo-create.tsx
@@ -8,6 +8,7 @@
 import { useEffect } from 'react'
 import { useForm } from 'react-hook-form'
 import { useNavigate } from 'react-router'
+import { match } from 'ts-pattern'
 
 import { useApiMutation, useApiQueryClient, type SiloCreate } from '@oxide/api'
 
@@ -146,16 +147,20 @@ export default function CreateSiloSideModalForm() {
         column
         control={form.control}
         items={[
-          { value: 'saml_jit', label: 'SAML' },
+          { value: 'saml_jit', label: 'SAML + JIT' },
           { value: 'saml_scim', label: 'SAML + SCIM' },
           { value: 'local_only', label: 'Local only' },
         ]}
       />
-      {identityMode === 'saml_jit' && (
+      {match(identityMode)
+        .with('saml_jit', () => true)
+        .with('saml_scim', () => true)
+        .with('local_only', () => false)
+        .exhaustive() && (
         <TextField
           name="adminGroupName"
           label="Admin group name"
-          description="This group will be created and granted the Silo Admin role."
+          description="This group will be created and granted the admin role on the silo."
           control={form.control}
         />
       )}
diff --git a/test/e2e/silos.e2e.ts b/test/e2e/silos.e2e.ts
index a7d1885fd..4260e0a09 100644
--- a/test/e2e/silos.e2e.ts
+++ b/test/e2e/silos.e2e.ts
@@ -50,7 +50,7 @@ test('Create silo', async ({ page }) => {
   await expect(page.getByRole('checkbox', { name: 'Grant fleet admin' })).toBeChecked()
   await page.getByRole('radio', { name: 'Local only' }).click()
   await expect(page.getByRole('textbox', { name: 'Admin group name' })).toBeHidden()
-  await page.getByRole('radio', { name: 'SAML' }).click()
+  await page.getByRole('radio', { name: 'SAML + JIT' }).click()
   await expect(page.getByRole('textbox', { name: 'Admin group name' })).toHaveValue('')
   await expect(page.getByRole('checkbox', { name: 'Grant fleet admin' })).toBeChecked()
   await page.getByRole('textbox', { name: 'Admin group name' }).fill('admins')

From eb827964615bfe230dfd5ca114933c3befa5447c Mon Sep 17 00:00:00 2001
From: David Crespo <david.crespo@oxidecomputer.com>
Date: Tue, 28 Oct 2025 21:39:33 -0500
Subject: [PATCH 28/28] take out the docs link so we can merge

---
 app/pages/system/silos/SiloScimTab.tsx | 6 +++---
 app/util/links.ts                      | 4 ----
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/app/pages/system/silos/SiloScimTab.tsx b/app/pages/system/silos/SiloScimTab.tsx
index ca7b84a30..e23333745 100644
--- a/app/pages/system/silos/SiloScimTab.tsx
+++ b/app/pages/system/silos/SiloScimTab.tsx
@@ -25,7 +25,7 @@ import { addToast } from '~/stores/toast'
 import { useColsWithActions, type MenuAction } from '~/table/columns/action-col'
 import { Columns } from '~/table/columns/common'
 import { Table } from '~/table/Table'
-import { CardBlock, LearnMore } from '~/ui/lib/CardBlock'
+import { CardBlock } from '~/ui/lib/CardBlock'
 import { CopyToClipboard } from '~/ui/lib/CopyToClipboard'
 import { CreateButton } from '~/ui/lib/CreateButton'
 import { DateTime } from '~/ui/lib/DateTime'
@@ -34,7 +34,6 @@ import { Message } from '~/ui/lib/Message'
 import { Modal } from '~/ui/lib/Modal'
 import { TableEmptyBox } from '~/ui/lib/Table'
 import { Truncate } from '~/ui/lib/Truncate'
-import { links } from '~/util/links'
 
 const colHelper = createColumnHelper<ScimClientBearerToken>()
 
@@ -151,9 +150,10 @@ export default function SiloScimTab() {
             />
           )}
         </CardBlock.Body>
+        {/* TODO: put this back!
         <CardBlock.Footer>
           <LearnMore href={links.scimDocs} text="SCIM" />
-        </CardBlock.Footer>
+        </CardBlock.Footer> */}
       </CardBlock>
 
       {showCreateModal && (
diff --git a/app/util/links.ts b/app/util/links.ts
index 45dcb637d..3ffcf344e 100644
--- a/app/util/links.ts
+++ b/app/util/links.ts
@@ -130,10 +130,6 @@ export const docLinks = {
     href: links.routersDocs,
     linkText: 'Custom Routers',
   },
-  scim: {
-    href: links.scimDocs,
-    linkText: 'SCIM',
-  },
   sleds: {
     href: links.sledDocs,
     linkText: 'Server Sleds',