refactor: streamline OAuth2 consent screens#3089

Merged: ChiragAgg5k merged 5 commits into main from refactor-oauth2-consent-screens, Jun 20, 2026

Conversation

@ChiragAgg5k ChiragAgg5k commented Jun 20, 2026


What

Redesigns the OAuth2 consent screen (shared by both the authorization and device flows) to be cleaner and more in line with familiar consent UIs, without dropping any information the user needs to make a decision.

Also includes a small correctness fix: the Full access to your account item now appears only when the app actually requests the account.admin scope, instead of always being shown.

Why

The previous screen felt busy: every scope sat in its own tinted icon tile (a noisy grid), each row repeated a description, rich authorization details were a second boxed list, and the footer stacked two-to-three separate lines. It was also full of hardcoded color fallbacks that didn't track the theme.

Changes

  • Grouped permission list — one bordered container with hairline dividers and small inline icons, instead of separate tinted tiles. The account.admin row leads and is emphasized.
  • Descriptions only where they help — kept on full-access / custom scopes; dropped from the self-explanatory profile/email one-liners.
  • Account chip under the heading (avatar + email), replacing the "Signed in as…" footer line.
  • Authorization details rendered as compact tags ("Also requested") rather than a boxed list with a repeated icon.
  • Footer collapsed to a single line (redirect / device note · Privacy · Terms).
  • Design tokens used throughout — removed ~30 hardcoded hex fallbacks.

Authorization flow

(before / after screenshots)

Device flow

(before / after screenshots)

Adapts to requested scopes

When an app doesn't request account.admin, the full-access row is omitted entirely:

Testing

  • bun run format · bun run check (0 errors) · bun run lint (0 errors)
  • Rendered both flows against mock grants in all scope combinations (full access + identity, identity only, with/without authorization details, with/without privacy/terms links).

Screenshots are hosted on the throwaway pr-assets/oauth2-consent-redesign branch; safe to delete after merge.


Account → Applications tab

The Appwrite CLI (and any app authorized through the console OAuth2 server) signs in via the device flow, stored as an oauth2:<appId> identity grant — not a session, and with no session↔app link. Rather than mixing it into Sessions, this adds a dedicated Account → Applications tab that resolves each grant to its app metadata via apps.get() (name, logo, tagline, device-flow badge) with a Revoke action.

To keep each surface single-purpose, oauth2 grants are also filtered out of the Sessions tab and the Overview Identities list.
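The scope-dependent permission list described under What, as an added TypeScript example; it is not the console's own oauth2-scopes.ts helper, and the row copy, the one-liner scope table and the handling of non-builtin scopes are assumptions:

```typescript
// Added example (not the console's own oauth2-scopes.ts helper): builds the
// consent-screen permission rows from the scopes an app requests. Scope names
// other than account.admin and openid, and all row copy, are assumed.
type ConsentRow = { scope: string; title: string; description?: string; emphasized: boolean };

const FULL_ACCESS: ConsentRow = {
  scope: 'account.admin',
  title: 'Full access to your account',
  description: 'The app can read and change everything in your account.',
  emphasized: true,
};
const VERIFY_IDENTITY: ConsentRow = { scope: 'openid', title: 'Verify your identity', emphasized: false };

// Self-explanatory scopes get a one-line title and no description.
const ONE_LINERS: Record<string, string> = {
  profile: 'View your profile',
  email: 'View your email address',
};

function describeConsentScopes(requested: string[]): ConsentRow[] {
  const scopes = Array.from(new Set(requested));
  const rows: ConsentRow[] = [];

  // The full-access row leads the list, but only when the app actually asked for it.
  if (scopes.includes('account.admin')) rows.push(FULL_ACCESS);

  for (const scope of scopes) {
    if (scope === 'account.admin' || scope === 'openid') continue; // handled separately
    const title = ONE_LINERS[scope];
    rows.push(
      title !== undefined
        ? { scope, title, emphasized: false }
        // Custom scopes keep a description so the user can judge what they grant.
        : { scope, title: scope, description: `Grants the "${scope}" scope to the app.`, emphasized: false },
    );
  }

  // Minimal OIDC-only request (e.g. just openid): fall back to the identity row
  // so the bordered list never renders empty.
  if (rows.length === 0) rows.push(VERIFY_IDENTITY);
  return rows;
}
```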

Group permissions into a single bordered list with hairline dividers
instead of separate tinted icon tiles, surface the signed-in account as
a chip under the heading, render authorization details as compact tags,
and collapse the footer into one line. Drop hardcoded color fallbacks in
favor of design tokens.
appwrite Bot commented Jun 20, 2026

Console (appwrite/console)

Project ID: 688b7bf400350cbd60e9

Sites (1): console-stage (688b7cf6003b1842c9dc), status: Ready

greptile-apps Bot commented Jun 20, 2026

Greptile Summary

This PR redesigns the OAuth2 consent screen with a cleaner grouped-scope layout, removes ~30 hardcoded hex color fallbacks in favour of design tokens, and adds a dedicated Account → Applications tab that surfaces console OAuth2 grants (e.g. the Appwrite CLI device flow) separately from browser sessions and sign-in identities.

  • Consent card: scopes rendered in a single bordered container with hairline dividers; account chip replaces the "Signed in as…" footer; authorization details collapsed to compact monospace tags; footer reduced to one flex line.
  • describeConsentScopes fix: "Full access" row now shown only when account.admin is requested; falls back to an openid "Verify your identity" row for minimal OIDC-only requests so the list is never empty.
  • Applications tab: new account/applications route resolves each oauth2:<appId> identity grant to app metadata via apps.get(), with a Revoke action; oauth2: grants are filtered out of Sessions and the Overview Identities list so each surface stays single-purpose.

Confidence Score: 4/5

Safe to merge after fixing the oauth2 prefix string in the Sessions filter — everything else is well-implemented.

The sessions filter uses 'oauth2' (no colon) while every other callsite — identities.svelte, applications/+page.ts, and the defined OAUTH2_PREFIX constant — uses 'oauth2:'. In practice Appwrite social providers don't use the oauth2 prefix, so no sessions are wrongly hidden today, but the divergence from the established constant means any future provider whose name begins with oauth2 would be silently excluded from the Sessions tab without an obvious reason.

src/routes/(console)/account/sessions/+page.svelte — the provider prefix string in the visibleSessions filter should use 'oauth2:' to match the constant and the other two filter sites.

Important Files Changed

  • src/routes/(console)/account/sessions/+page.svelte: Adds visibleSessions filter to exclude oauth2 grants from the Sessions list, but uses 'oauth2' (no colon) while all other filters and the OAUTH2_PREFIX constant use 'oauth2:' — a string inconsistency that could over-filter.
  • src/routes/(public)/oauth2/consent-card.svelte: Full UI redesign of the consent card: grouped scope list, account chip, compact authorization-details tags, collapsed footnote. Design-token migration removes ~30 hardcoded hex fallbacks. No logic regressions found.
  • src/lib/helpers/oauth2-scopes.ts: Refactors consent scope building: account.admin is now conditional instead of always-on, BUILTIN_SCOPES extended with the admin entry, and a fallback to openid row when no other scopes apply. Logic is correct and well-commented.
  • src/routes/(console)/account/applications/+page.svelte: New Applications tab UI. Lists oauth2 grants resolved to app metadata, with Revoke action and graceful null fallback for unknown apps. Well-structured.
  • src/routes/(console)/account/applications/+page.ts: Loads oauth2-prefixed identity grants from the parent layout and resolves each to app metadata with .catch(() => null) safety. Correct use of depends for invalidation.
  • src/routes/(console)/account/identities.svelte: Filters out oauth2: identity grants so the Identities list shows only sign-in providers. Uses the correct 'oauth2:' prefix. No issues.
  • src/routes/(console)/account/header.svelte: Inserts the new Applications tab between Sessions and Activity. Straightforward one-entry addition to the nav list.
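The prefix check the review asks to make consistent across the Applications tab, the Identities list and the Sessions tab, as an added example that is not the console's code. The OAUTH2_PREFIX constant and the 'oauth2:' value come from the page; the identity and session shapes, the app registry and all sample provider names are assumptions:

```typescript
// Added example (not the console's own code): one shared prefix constant for
// console OAuth2 grants, used by every surface that must tell an app grant
// (oauth2:<appId>) apart from an ordinary sign-in provider or browser session.
const OAUTH2_PREFIX = 'oauth2:';

type Principal = { $id: string; provider: string }; // shape shared by identities and sessions
type AppMeta = { name: string; deviceFlow: boolean };
type AppCard = { identityId: string; appId: string; app: AppMeta | null };

// True only for grants the console OAuth2 server stores, e.g. "oauth2:cli-app".
function isOAuth2Grant(provider: string): boolean {
  return provider.startsWith(OAUTH2_PREFIX);
}

// The app ID encoded in a grant provider string; null for anything else.
function grantAppId(provider: string): string | null {
  return isOAuth2Grant(provider) ? provider.slice(OAUTH2_PREFIX.length) : null;
}

// Applications tab: grants only, each resolved to app metadata. An app the
// registry no longer knows degrades to a null card instead of failing the tab.
function listApplications(identities: Principal[], apps: Record<string, AppMeta>): AppCard[] {
  return identities.flatMap((i): AppCard[] => {
    const appId = grantAppId(i.provider);
    return appId === null ? [] : [{ identityId: i.$id, appId, app: apps[appId] ?? null }];
  });
}

// Identities list and Sessions tab: everything that is not a grant, using the
// same constant so the three surfaces cannot drift apart.
function hideGrants<T extends Principal>(items: T[]): T[] {
  return items.filter((item) => !isOAuth2Grant(item.provider));
}

// The review finding: a filter on 'oauth2' (no colon) also hides providers whose
// name merely begins with "oauth2". Returns what the loose filter would drop
// but the strict, constant-based one keeps.
function overFiltered(providers: string[]): string[] {
  return providers.filter((p) => p.startsWith('oauth2') && !isOAuth2Grant(p));
}

// Constructed sample data: one sign-in identity, one known grant, one grant
// whose app has since been deleted from the registry.
const SAMPLE_IDENTITIES: Principal[] = [
  { $id: 'id-1', provider: 'github' },
  { $id: 'id-2', provider: 'oauth2:appwrite-cli' },
  { $id: 'id-3', provider: 'oauth2:removed-app' },
];
const SAMPLE_APPS: Record<string, AppMeta> = { 'appwrite-cli': { name: 'Appwrite CLI', deviceFlow: true } };
```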

Fall back to the 'Verify your identity' row when openid is the only
requested scope, and guard the permission list so it never renders an
empty bordered container. Document that the list mirrors the server's
scope-based access enforcement.

List apps the user authorized through the console OAuth2 server (e.g. the
Appwrite CLI via the device flow) in a 'Connected applications' section.
These are stored as oauth2:<appId> identities rather than sessions, so
they're fetched via listIdentities and revocable with deleteIdentity.

Replace the sessions-page 'Connected applications' section with a proper
Account > Applications tab. It resolves each oauth2:<appId> identity grant
to its app metadata via apps.get() and renders the name, logo, tagline,
and a device-flow badge, with a Revoke action.

Also: filter oauth2 grants out of the Sessions tab and the Overview
Identities list so each surface owns one concept.
@ChiragAgg5k ChiragAgg5k merged commit 38a58b4 into main Jun 20, 2026
4 checks passed
@ChiragAgg5k ChiragAgg5k deleted the refactor-oauth2-consent-screens branch June 20, 2026 08:24