docs: update for 1.69 release

[drernie]

Summary

Minimal docs updates aligned with the 1.69 platform release notes:

• Connect: document wildcard suffix entry format (e.g. .benchling.com) in ConnectAllowedHosts
• Qurator: note that platform MCP tools work in-catalog without enabling Quilt Connect
• Admin: theme logo file upload; new sections for stack-managed bucket protection and role-scoped admin bucket listings
• SSO: document the new union_roles: true flag
• Benchling: async canvas updates and reviewRecord trigger

Test plan

• Render docs locally / on preview and verify links
• Spot-check tables in Connect.md and Catalog/Admin.md

🤖 Generated with Claude Code

Greptile Summary

This PR updates documentation for the 1.69 platform release across five files, covering wildcard host entries in ConnectAllowedHosts, in-catalog MCP tool availability in Qurator, theme logo file upload, stack-managed bucket protection, role-scoped admin bucket listings, the new union_roles: true SSO flag, and async Benchling canvas updates with reviewRecord trigger support. The changes are minimal, accurate, and consistent with the existing documentation style.

Confidence Score: 5/5

Safe to merge — documentation-only changes with no code impact.

All five files contain accurate, well-scoped documentation additions. No logic, security, or formatting issues were found. Changes are consistent with the existing document style throughout the repo.

No files require special attention.

Important Files Changed

Filename	Overview
docs/Catalog/Admin.md	Adds logo upload format clarification and two new sections for stack-managed bucket protection and role-scoped admin bucket listings; content is accurate and consistent with existing doc style.
docs/Catalog/Connect.md	Adds wildcard-suffix entry format row to the ConnectAllowedHosts table; the example, match description, and leading-dot note are correct and consistent with the other rows.
docs/Catalog/Qurator.md	Adds one sentence clarifying that platform MCP tools work in-catalog without Quilt Connect and execute under the user's existing session permissions; no issues.
docs/advanced-features/sso-permissions.md	Inserts a blockquote note documenting the new union_roles: true flag with correct lazy-continuation formatting consistent with the file's existing note style.
docs/examples/benchling.md	Updates the Update button description to document async canvas state and the reviewRecord trigger; wording is clear and accurate.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[SSO Login] --> B{union_roles: true?}
    B -- No --> C[First matching mapping applied]
    B -- Yes --> D[All matching mappings evaluated]
    D --> E[Union of roles granted]
    E --> F[User can switch roles via role switcher]
    E --> G[Roles not in match set revoked on next login]
    C --> F

    H[ConnectAllowedHosts entry] --> I{Format?}
    I -- Hostname --> J["https://hostname/*"]
    I -- Wildcard suffix --> K["https://subdomain.domain/*"]
    I -- Custom scheme --> L["scheme://any-host/*"]
    I -- localhost --> M["http://localhost:port/*"]

Loading

_{Reviews (1): Last reviewed commit: "docs: update for 1.69 release" | Re-trigger Greptile}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.51%. Comparing base (66e7637) to head (93fda08).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4867   +/-   ##
=======================================
  Coverage   46.51%   46.51%           
=======================================
  Files         832      832           
  Lines       34116    34116           
  Branches     5828     5828           
=======================================
  Hits        15868    15868           
  Misses      16243    16243           
  Partials     2005     2005           

Flag	Coverage Δ
api-python	93.14% <ø> (ø)
catalog	21.48% <ø> (ø)
lambda	96.63% <ø> (ø)
py-shared	98.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[sir-sigurd]

1. Admin.md — drop "Stack-managed buckets" section

docs/Catalog/Admin.md:108-112. Two reasons:

1. Wrong home — this file documents the catalog admin panel UI; the new section is about an S3-policy-level guardrail applied by CloudFormation.
2. Self-surfacing — admins who try a console change get a clear AWS denial at that moment, with the bucket policy as the explanation. A reader not mid-incident has no reason to encounter this section; one mid-incident gets the answer from the error itself.

Already covered in the 1.69 release notes — drop here.

2. Admin.md — drop "Role-scoped bucket listings" section

docs/Catalog/Admin.md:114-119. "Rather than every bucket on the stack" is changelog-shaped — only meaningful to a reader who already knows the prior behavior. The substantive product fact (admins are also scoped by role grants) is already covered at lines 46-47, which currently reads as if it excludes admins. Drop the new section and clarify there instead.

3. sso-permissions.md — list item 3 misnested

docs/advanced-features/sso-permissions.md:70-76. Item 3 ("all other users will have ReadQuiltBucket role") applies regardless of union_roles, but it's nested under the "With union_roles: true" header. Reader can infer the default_role fallback is union-mode-specific.

4. Connect.md — wildcard semantics underspecified

docs/Catalog/Connect.md:39. New row says .benchling.com matches https://<any-subdomain>.benchling.com/*. Two questions unanswered:

• Does it match the apex (https://benchling.com/*)?
• Does it match nested subdomains (https://app.us.benchling.com/*)?

Also, lines 50-53 ("use a bare hostname for HTTPS clients") are now stale — should mention the wildcard form.

[drernie]

Thanks @sir-sigurd — addressed all four in 9517ffb:

1. Admin.md "Stack-managed buckets" — dropped; release notes cover it and AWS surfaces the policy denial directly.
2. Admin.md "Role-scoped bucket listings" — dropped; reworded the existing managed-roles paragraph (lines 45-47) to "Users of managed roles — including administrators — only see, list, and search buckets for which their role is explicitly granted read access," so the admin case is no longer an implied exception.
3. sso-permissions.md — pulled item 3 out of the union_roles: true list; the default_role fallback now sits below both union_roles branches as the catch-all it actually is.
4. Connect.md wildcard semantics — clarified the row to "any subdomain at any depth (e.g. app.benchling.com, app.us.benchling.com); does not match the apex https://benchling.com/*," and updated the bare-hostname guidance below to mention the .-prefixed wildcard form.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[sir-sigurd]

All four prior review items addressed in 9517ffb / 705a822, plus self-driven cleanups (3071e69 for logo formats, 9bec043 for benchling Update bullets). One naming nit inline.

[sir-sigurd]

Rename applied in 93fda08 — re-approving.