23 / Docs Suite · 06

Table of contents rail

Auto-built TOC bound to the docs body via IntersectionObserver. Scroll-spy keeps the active section highlighted; the progress bar tracks how far through the article the reader is.

Production answer

Table of contents rail is a reusable Oak Flats Muffler Men UI primitive with documented states, accessibility expectations, theme behavior, and implementation evidence.


Use case

Pins to the right of every long-form docs article. Floor staff scan the rail to jump straight to the bit they need rather than ctrl-F the page.

Why this exists

The trade account API exists so supplier portals can read stock and write order intent without sitting in front of the Mufflermen workshop terminal. Every endpoint here is scoped per-supplier and audited.

Before you start

Pre-issued keys

Your portal admin pre-provisions two keys — one production, one sandbox. They never share the same prefix.

Sandbox env vars

Sandbox keys are prefixed sandbox_. Production keys are prefixed live_. Anything else is a forgery.

issue-token.sh (bash)
# -d alone sends a form-encoded body, so declare the JSON payload explicitly.
curl -X POST https://trade.mufflermen.com.au/v2/tokens \
  -H "Authorization: Bearer $MUFFLERMEN_ADMIN_KEY" \
  -H "X-Mufflermen-Workshop: oak-flats" \
  -H "Content-Type: application/json" \
  -d '{"supplier":"magnaflow-anz","scopes":["stock.read","orders.write"]}'
error-envelope.diff
  "status": 400,  "error": "bad request"  "error": {    "code": "scope_not_allowed",    "scope": "billing.read"  }
TypeScript (ts)
import { TradeClient } from "@mufflermen/trade"

const client = new TradeClient({
  workshop: "oak-flats",
  adminKey: process.env.MUFFLERMEN_ADMIN_KEY!,
})

const token = await client.tokens.issue({
  supplier: "magnaflow-anz",
  scopes: ["stock.read", "orders.write"],
})

Rotation cadence

Grace window

Tokens rotate every 90 days. The old token is honoured for 24 hours after the new one is issued so portals can roll over without downtime.
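
The key-prefix rule and the 24-hour grace window described above, as an added example that is not part of the original page or of the @mufflermen/trade client. The names keyEnvironment, tokenStatus, suppliersInGrace, TokenRecord and AuditedCall are hypothetical; it assumes a token that is never rotated is refused after 90 days and that audit entries can be joined to the token they used.

```typescript
// Added example: hypothetical helpers, not part of @mufflermen/trade.
const HOUR_MS = 60 * 60 * 1000;
const ROTATION_MS = 90 * 24 * HOUR_MS; // tokens rotate every 90 days
const GRACE_MS = 24 * HOUR_MS;         // old token honoured 24 h after its successor

type KeyEnvironment = "sandbox" | "live";
type TokenStatus = "active" | "grace" | "expired";

interface TokenRecord {
  issuedAt: number;            // epoch ms when this token was issued
  supersededAt: number | null; // epoch ms when its replacement was issued
}

// Assumed shape: an audit entry joined to the token it was made with.
interface AuditedCall { supplier: string; token: TokenRecord; at: number }

// Prefix rule from the page: sandbox_ or live_, exact case, with a
// non-empty remainder. Anything else is treated as a forgery (null).
function keyEnvironment(key: string): KeyEnvironment | null {
  for (const env of ["sandbox", "live"] as const) {
    const prefix = env + "_";
    if (key.startsWith(prefix) && key.length > prefix.length) return env;
  }
  return null;
}

// A superseded token is honoured only inside the grace window. Assumption:
// a token that was never rotated is refused once it is older than 90 days.
function tokenStatus(token: TokenRecord, now: number): TokenStatus {
  if (token.supersededAt !== null) {
    return now - token.supersededAt <= GRACE_MS ? "grace" : "expired";
  }
  return now - token.issuedAt <= ROTATION_MS ? "active" : "expired";
}

// Suppliers still calling with a superseded token: they have to roll over
// before the grace window closes, so report them from the audit entries.
function suppliersInGrace(calls: AuditedCall[]): string[] {
  return calls
    .filter((c) => tokenStatus(c.token, c.at) === "grace")
    .map((c) => c.supplier)
    .filter((s, i, all) => all.indexOf(s) === i)
    .sort();
}
```
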

Auditing access

Every call is logged to audit.tokens.v2 with the calling IP, the scopes used, and the supplier identifier. Logs are retained for 18 months.