docs: platform client v0.1.2, security context, deployment-scoped API keys

[vasilev-alex]

Summary

Documentation updates for the latest platform client release and two Cube Cloud feature changes.

API reference — platform client v0.1.2

• Regenerated changelog.mdx and api.yaml from the platform client release (v0.1.1 + v0.1.2).
• New GET /v1/app-config endpoint and App Theme nav group; notification dashboard filters, workbook duplicate shared flag, and other additive schema changes.
• Verified all 45 spec endpoints are in sync with docs.json nav (no drift).

Security context (expanded behavior)

• Overrides are now honored across workbooks, dashboards, Explore, and queries run by AI agents (in the workbook or the IDE).
• Documented the Groups (Inherit / Custom / None) and user attribute override options.
• Clarified permissions: setting a context requires developer or admin (deployment edit access); overriding Cube Cloud groups/attributes is admin-only.
• Documented that email is never overridable — no impersonation, no querying on another user's behalf.
• Cross-linked from Explore and Analytics Chat.

Deployment-scoped API keys (CUB-2852)

• API keys can now be scoped to one or more deployments; default is unscoped (All deployments), backward compatible.
• Deployment-scoped endpoints require the key be scoped to that deployment or to all deployments; other endpoints are unaffected. Out-of-scope requests return 403.
• Documented on the API keys page, with notes in the authentication and generate-session references.

Notes / open questions

• Security context permissions: per the implementation, overriding Cube Cloud groups/attributes is admin-only (general overrides allow developers too). Documented both precisely — adjust if product intent differs.
• API key scope editing: documented scope as set at create/edit time per the source PR; narrow to creation-only if edit isn't shipping this release.

🤖 Generated with Claude Code

[claude]

Claude finished @vasilev-alex's task in 53s —— View job

---

Review

Verdict: LGTM — docs-only, well-structured. 0 high, 0 medium, 1 low (anchor link nit).

Details

• Read PR diff
• Review docs content
• Spot-check api.yaml & changelog
• Post review

Scope: docs-only across 9 files. Content reads cleanly, follows the docs-mintlify/CLAUDE.md conventions (frontmatter, no body H1, Mintlify callouts, root-relative links), and the navigation entry for the new App Theme group is added to docs.json.

What's good

• api-keys.mdx — the new Deployment scope section clearly distinguishes deployment-scoped vs. non-deployment endpoints and calls out the backward-compatible default. The <Note> at the end is the right callout choice.
• authentication.mdx — the new paragraph and the updated <Warning> ("unless an API key is scoped to specific deployments") match the new behavior precisely; the closing 401 vs. 403 paragraph is a nice touch.
• querying-data.mdx — the Applying a security context section cleanly documents the three Groups options (Inherit / Custom / None), the developer-vs-admin permission split, and the email-never-overridable rule. The cross-links from explore.mdx and analytics-chat.mdx close the loop.
• changelog.mdx — generated file is in sync with the v0.1.1/v0.1.2 entries; new schemas and renamed response types are called out, including the BREAKING marker.
• docs.json — new App Theme group added in the right place; valid JSON.

Nit (low)

• reference/embed-apis/generate-session.mdx:18 — the link [scoped to specific deployments][ref-api-keys] resolves to /admin/account-billing/api-keys, but authentication.mdx deep-links to #deployment-scope for the same concept. Consider matching for consistency:

  If the API key is [scoped to specific deployments](/admin/account-billing/api-keys#deployment-scope), ...

  Not blocking.

On the two open questions in the PR description

• Permissions split (developer for context, admin for Cube Cloud groups/attrs) reads correctly and is precisely documented — fine to ship as-is and adjust if product intent differs.
• API key scope phrasing ("set at create/edit time") is also documented precisely; if edit isn't shipping this release, the easiest narrowing is api-keys.mdx:21 → When creating a key, you can scope it to one or more....

· branch: `docs/platform-client-security-context-api-keys`

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
cubed3	🟢 Ready	View Preview	Jun 18, 2026, 1:26 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[claude]

Claude finished @vasilev-alex's task in 27s —— View job

---

Re-review (after sync)

Verdict: LGTM — new commit only swaps the two security context demo video URLs in querying-data.mdx. No content/structure changes; prior review still stands (0 high, 0 medium, 1 low nit on generate-session.mdx anchor link).

Details

• Read new commit (3109737)
• Re-verify diff against origin/master
• Confirm no regressions in nav/links

What changed since the last review

• docs-mintlify/docs/explore-analyze/workbooks/querying-data.mdx:208,216 — ucarecd.net/<id>/ placeholder URLs replaced with the real CDN assets (ucarecdn.com/.../c67da299-light.mp4, .../103430ef-dark.mp4). Light/dark variants and the dark:hidden / hidden dark:block Tailwind switches are preserved.

Outstanding from prior review (still applicable)

• Low: reference/embed-apis/generate-session.mdx:18 — link goes to /admin/account-billing/api-keys while authentication.mdx deep-links to #deployment-scope. Consider matching for consistency; not blocking.

· branch: `docs/platform-client-security-context-api-keys` ·