Disallow private static Trackio snapshots

Author: abidlabs

README.md

@@ -218,6 +218,8 @@ trackio.sync(
 
 This uploads your local project database to a new or existing Space. The Space will display all your logged experiments and metrics, and if a custom frontend is configured or passed explicitly it will be deployed there too.
 
+Static Trackio Spaces (`sdk="static"`) are read-only browser-only snapshots, so their snapshot data must be public. Use the default Gradio Space for private dashboards; `sdk="static"` does not support `private=True`.
+
 **Example workflow:**
 
 ```py

docs/source/cli_commands.md

@@ -39,6 +39,8 @@ Deploy as a static Space (reads from an HF Bucket, no server needed):
 trackio sync --project "my-project" --space-id "username/space_id" --sdk static
 ```
 
+Static Spaces serve data directly from the browser and therefore require public snapshot data. `--sdk static --private` is not supported; use the default Gradio SDK for private dashboards.
+
 Sync all projects that have unsynced data to their configured Spaces:
 
 ```sh
@@ -51,7 +53,7 @@ trackio sync --all
 | `--space-id` | The HF Space ID to sync to (e.g. `username/space_id`). If not provided, uses the previously-configured Space |
 | `--all` | Sync all projects with unsynced data |
 | `--sdk` | `gradio` (default) for a live server, or `static` for a read-only bucket-backed Space |
-| `--private` | Make the Space private if creating a new one |
+| `--private` | Make the Space private if creating a new Gradio Space. Not supported with `--sdk static` |
 | `--force` | Overwrite the existing database without prompting |
 
 ## Freeze Command
@@ -73,10 +75,11 @@ trackio freeze --space-id "username/my-space" --project "my-project" --new-space
 | `--space-id` | The source Gradio Space ID (required) |
 | `--project` | The project to freeze (required) |
 | `--new-space-id` | The destination static Space ID. Defaults to `{space_id}_static` |
-| `--private` | Make the new static Space private |
+| `--private` | Not supported for static frozen snapshots |
 
 > **Note:** The source must be a Gradio Space with a bucket mounted at `/data`. If the destination Space already exists and is not a Trackio static Space, `freeze` will refuse to overwrite it.
 > The frozen Space is a snapshot. Later metrics synced to the original Gradio Space do not appear in the frozen static Space unless you run `freeze` again.
+> Static frozen snapshots require public destination data, so `trackio freeze --private` is not supported.
 
 ## List Commands
 

docs/source/deploy_embed.md

@@ -42,7 +42,7 @@ trackio.sync(project="my-project", space_id="username/space_id", sdk="static")
 trackio sync --project "my-project" --space-id "username/space_id" --sdk static
 ```
 
-Static Spaces are lightweight and free — they serve a read-only dashboard backed by Parquet files in an HF Bucket.
+Static Spaces are lightweight and free — they serve a read-only dashboard backed by Parquet files in an HF Bucket. Because the dashboard runs entirely in the browser, static Trackio Spaces require public snapshot data and do not support `private=True`. Use the default Gradio Space (`sdk="gradio"`) for private dashboards.
 
 ## Freezing a Space Snapshot
 
@@ -61,6 +61,7 @@ trackio freeze --space-id "username/my-space" --project "my-project"
 This creates a new static Space (by default named `{space_id}_static`) containing a snapshot of the project's data from the source Space's bucket. The original Space is not modified.
 
 Note that`freeze()` is a one-time snapshot. If new metrics are later uploaded to the original Gradio Space, the frozen static Space will not update automatically.
+The source Gradio Space can use a private bucket, but the frozen static snapshot is public data. `freeze(private=True)` is not supported; use a Gradio Space if the frozen dashboard must stay private.
 
 You can customize the destination:
 
@@ -69,7 +70,6 @@ trackio.freeze(
     space_id="username/my-space",
     project="my-project",
     new_space_id="username/my-snapshot",
-    private=True,
 )
 ```
 

tests/unit/test_deploy.py

@@ -1,7 +1,10 @@
 import io
+import json
 from types import SimpleNamespace
 from unittest.mock import patch
 
+import pytest
+
 from trackio import deploy
 from trackio.bucket_storage import _list_bucket_file_paths
 from trackio.frontend_config import ResolvedFrontend
@@ -133,3 +136,86 @@ def test_deploy_as_static_space_uploads_resolved_frontend(tmp_path, monkeypatch)
     assert any(
         call["folder_path"] == str(frontend_dir) for call in fake_api.uploaded_folders
     )
+
+
+def test_deploy_as_static_space_does_not_embed_hf_token(tmp_path, monkeypatch):
+    frontend_dir = tmp_path / "custom-static"
+    frontend_dir.mkdir()
+    (frontend_dir / "index.html").write_text("<!doctype html>")
+
+    fake_api = _FakeHfApi()
+    monkeypatch.setattr(deploy.huggingface_hub, "HfApi", lambda: fake_api)
+    monkeypatch.setattr(deploy.huggingface_hub, "create_repo", lambda *a, **k: None)
+    monkeypatch.setattr(
+        deploy,
+        "resolve_frontend_dir",
+        lambda frontend_dir=None, announce=False: ResolvedFrontend(
+            path=frontend_dir.resolve(),
+            source="argument",
+            is_custom=True,
+        ),
+    )
+
+    deploy.deploy_as_static_space(
+        "abidlabs/static-space",
+        None,
+        "demo-project",
+        bucket_id="abidlabs/static-bucket",
+        private=False,
+        hf_token="hf_should_not_be_serialized",
+        frontend_dir=frontend_dir,
+    )
+
+    config_upload = next(
+        item for item in fake_api.uploaded_files if item["path_in_repo"] == "config.json"
+    )
+    config = json.loads(config_upload["payload"])
+    assert "hf_token" not in config
+
+
+def test_deploy_as_static_space_rejects_private(monkeypatch):
+    monkeypatch.setattr(
+        deploy.huggingface_hub,
+        "HfApi",
+        lambda: pytest.fail("HfApi should not be constructed"),
+    )
+
+    with pytest.raises(ValueError, match="private static Trackio Space"):
+        deploy.deploy_as_static_space(
+            "abidlabs/static-space",
+            None,
+            "demo-project",
+            private=True,
+            hf_token="hf_should_not_be_used",
+        )
+
+
+def test_sync_static_rejects_private_before_network(monkeypatch):
+    monkeypatch.setattr(
+        deploy.huggingface_hub,
+        "HfApi",
+        lambda: pytest.fail("HfApi should not be constructed"),
+    )
+
+    with pytest.raises(ValueError, match="private static Trackio Space"):
+        deploy.sync(
+            project="demo-project",
+            space_id="abidlabs/static-space",
+            sdk="static",
+            private=True,
+        )
+
+
+def test_freeze_rejects_private_before_network(monkeypatch):
+    monkeypatch.setattr(
+        deploy.huggingface_hub,
+        "HfApi",
+        lambda: pytest.fail("HfApi should not be constructed"),
+    )
+
+    with pytest.raises(ValueError, match="private static Trackio Space"):
+        deploy.freeze(
+            space_id="abidlabs/source-space",
+            project="demo-project",
+            private=True,
+        )

trackio/deploy.py

@@ -50,6 +50,17 @@
 _RESET = "\033[0m"
 
 
+def _raise_if_private_static_requested(action: str, private: bool | None) -> None:
+    if private is True:
+        raise ValueError(
+            f"Cannot {action} a private static Trackio Space. Static Spaces run "
+            "entirely in the browser, so reading private datasets or buckets would "
+            "require exposing a Hugging Face token to viewers. Use sdk='gradio' for "
+            "a private dashboard, or omit private=True to create a public static "
+            "snapshot."
+        )
+
+
 def raise_if_space_is_frozen_for_logging(space_id: str) -> None:
     try:
         info = huggingface_hub.HfApi().space_info(space_id)
@@ -902,12 +913,13 @@ def deploy_as_static_space(
     if on_spaces():
         return
 
+    _raise_if_private_static_requested("deploy", private)
     hf_api = huggingface_hub.HfApi()
 
     try:
         huggingface_hub.create_repo(
             space_id,
-            private=private,
+            private=False,
             space_sdk="static",
             repo_type="space",
             exist_ok=True,
@@ -918,7 +930,7 @@ def deploy_as_static_space(
             huggingface_hub.login(add_to_git_credential=False)
             huggingface_hub.create_repo(
                 space_id,
-                private=private,
+                private=False,
                 space_sdk="static",
                 repo_type="space",
                 exist_ok=True,
@@ -960,8 +972,6 @@ def deploy_as_static_space(
         config["bucket_id"] = bucket_id
     if dataset_id is not None:
         config["dataset_id"] = dataset_id
-    if hf_token and private:
-        config["hf_token"] = hf_token
 
     _retry_hf_write(
         "Static Space config upload",
@@ -1017,7 +1027,8 @@ def sync(
         private (`bool`, *optional*):
             Whether to make the Space private. If None (default), the repo will be
             public unless the organization's default is private. This value is ignored
-            if the repo already exists.
+            if the repo already exists. Not supported with ``sdk="static"`` because
+            static Trackio dashboards read snapshot data directly from the browser.
         force (`bool`, *optional*, defaults to `False`):
             If `True`, overwrite the existing database without prompting for confirmation.
             If `False`, prompt the user before overwriting an existing database.
@@ -1038,6 +1049,8 @@ def sync(
     """
     if sdk not in ("gradio", "static"):
         raise ValueError(f"sdk must be 'gradio' or 'static', got '{sdk}'")
+    if sdk == "static":
+        _raise_if_private_static_requested("sync", private)
     bucket_id_was_explicit = bucket_id is not None
 
     if space_id is None:
@@ -1064,18 +1077,16 @@ def _do_sync():
 
         if sdk == "static":
             if dataset_id is not None:
-                upload_dataset_for_static(project, dataset_id, private=private)
-                hf_token = huggingface_hub.utils.get_token() if private else None
+                upload_dataset_for_static(project, dataset_id, private=False)
                 deploy_as_static_space(
                     space_id,
                     dataset_id,
                     project,
-                    private=private,
-                    hf_token=hf_token,
+                    private=False,
                     frontend_dir=frontend_dir,
                 )
             elif bucket_id is not None:
-                create_bucket_if_not_exists(bucket_id, private=private)
+                create_bucket_if_not_exists(bucket_id, private=False)
                 upload_project_to_bucket_for_static(project, bucket_id)
                 print(
                     f"* Project data uploaded to bucket: https://huggingface.co/buckets/{bucket_id}"
@@ -1085,8 +1096,7 @@ def _do_sync():
                     None,
                     project,
                     bucket_id=bucket_id,
-                    private=private,
-                    hf_token=huggingface_hub.utils.get_token() if private else None,
+                    private=False,
                     frontend_dir=frontend_dir,
                 )
         else:
@@ -1165,15 +1175,16 @@ def freeze(
             The ID for the new static Space. If not provided, defaults to
             `"{space_id}_static"`.
         private (`bool`, *optional*):
-            Whether to make the new Space private. If None (default), the repo
-            will be public unless the organization's default is private.
+            Not supported. Frozen static dashboards read snapshot data directly
+            from the browser, so the destination snapshot must be public.
         bucket_id (`str`, *optional*):
             The ID of the HF Bucket for the new static Space's data storage.
             If not provided, one is auto-generated from the new Space ID.
 
     Returns:
         `str`: The Space ID of the newly created static Space.
     """
+    _raise_if_private_static_requested("freeze", private)
     space_id, _, _ = preprocess_space_and_dataset_ids(space_id, None, None)
 
     try:
@@ -1214,7 +1225,7 @@ def freeze(
     except RepositoryNotFoundError:
         pass
 
-    create_bucket_if_not_exists(bucket_id, private=private)
+    create_bucket_if_not_exists(bucket_id, private=False)
     export_from_bucket_for_static(source_bucket_id, bucket_id, project)
     print(
         f"* Project data uploaded to bucket: https://huggingface.co/buckets/{bucket_id}"
@@ -1224,8 +1235,7 @@ def freeze(
         None,
         project,
         bucket_id=bucket_id,
-        private=private,
-        hf_token=huggingface_hub.utils.get_token() if private else None,
+        private=False,
         frontend_dir=frontend_dir,
     )
     return new_space_id

trackio/frontend/src/lib/staticApi.js

@@ -16,9 +16,6 @@ function resolveUrl(filename) {
 }
 
 function authHeaders() {
-  if (config.hf_token) {
-    return { Authorization: `Bearer ${config.hf_token}` };
-  }
   return {};
 }