From b89503fa8c5fb8c94f006257e4cbb439c8e776b7 Mon Sep 17 00:00:00 2001 From: Jason Woltje Date: Wed, 18 Mar 2026 21:17:57 -0500 Subject: [PATCH] chore: fix prettier formatting on scratchpad files Co-Authored-By: Claude Sonnet 4.6 --- docs/scratchpads/BUG-CLI-scratchpad.md | 7 +++ docs/scratchpads/p8-001-sso-providers.md | 62 ++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 docs/scratchpads/p8-001-sso-providers.md diff --git a/docs/scratchpads/BUG-CLI-scratchpad.md b/docs/scratchpads/BUG-CLI-scratchpad.md index a69911e..4c37825 100644 --- a/docs/scratchpads/BUG-CLI-scratchpad.md +++ b/docs/scratchpads/BUG-CLI-scratchpad.md @@ -1,9 +1,11 @@ # BUG-CLI Scratchpad ## Objective + Fix 4 CLI/TUI polish bugs in a single PR (issues #192, #193, #194, #199). ## Issues + - #192: Ctrl+T leaks 't' into input - #193: Duplicate React keys in CommandAutocomplete - #194: /provider login false clipboard claim 
@@ -12,28 +14,33 @@ Fix 4 CLI/TUI polish bugs in a single PR (issues #192, #193, #194, #199). ## Plan and Fixes ### Bug #192 — Ctrl+T character leak + - Location: `packages/cli/src/tui/app.tsx` - Fix: Added `ctrlJustFired` ref. Set synchronously in Ctrl+T/L/N/K handlers, cleared via microtask. In the `onChange` wrapper passed to `InputBar`, if `ctrlJustFired.current` is true, suppress the leaked character and return early. ### Bug #193 — Duplicate React keys + - Location: `packages/cli/src/tui/components/command-autocomplete.tsx` - Fix: Changed `key={cmd.name}` to `key={`${cmd.execution}-${cmd.name}`}` for uniqueness. - Also: `packages/cli/src/tui/commands/registry.ts` — `getAll()` now deduplicates gateway commands that share a name with local commands. Local commands take precedence. ### Bug #194 — False clipboard claim + - Location: `apps/gateway/src/commands/command-executor.service.ts` - Fix: Removed the `\n\n(URL copied to clipboard)` suffix from the provider login message. ### Bug #199 — Hardcoded version "0.0.0" + - Location: `packages/cli/src/cli.ts` + `packages/cli/src/tui/app.tsx` - Fix: `cli.ts` reads version from `../package.json` via `createRequire`. Passes `version: CLI_VERSION` to TuiApp in both render calls. TuiApp has new optional `version` prop (defaults to '0.0.0'), passes it to TopBar instead of hardcoded `"0.0.0"`. ## Quality Gates + - CLI typecheck: PASSED - CLI lint: PASSED - Prettier format:check: PASSED diff --git a/docs/scratchpads/p8-001-sso-providers.md b/docs/scratchpads/p8-001-sso-providers.md new file mode 100644 index 0000000..f903753 --- /dev/null +++ b/docs/scratchpads/p8-001-sso-providers.md 
@@ -0,0 +1,62 @@ +# P8-001 — WorkOS + Keycloak SSO Providers + +**Branch:** feat/p8-001-sso-providers +**Started:** 2026-03-18 +**Mode:** Delivery + +## Objective + +Add WorkOS and Keycloak as optional SSO providers to the BetterAuth configuration, following the existing Authentik pattern. + +## Scope + +| Surface | Change | +| ---------------------------------------- | ----------------------------------------------------------------------- | +| `packages/auth/src/auth.ts` | Refactor provider array, add WorkOS + Keycloak conditional registration | +| `apps/web/src/lib/auth-client.ts` | Add `genericOAuthClient()` plugin | +| `apps/web/src/app/(auth)/login/page.tsx` | WorkOS + Keycloak SSO buttons gated by `NEXT_PUBLIC_*` env vars | +| `.env.example` | Document WorkOS + Keycloak env vars | +| `packages/auth/src/auth.test.ts` | Unit tests verifying env-var gating | + +## Plan + +1. ✅ Refactor `createAuth` to build `oauthProviders[]` conditionally +2. ✅ Add WorkOS provider (explicit URLs, no discovery) +3. ✅ Add Keycloak provider (discoveryUrl pattern) +4. ✅ Add `genericOAuthClient()` to auth-client.ts +5. ✅ Add SSO buttons to login page gated by `NEXT_PUBLIC_WORKOS_ENABLED` / `NEXT_PUBLIC_KEYCLOAK_ENABLED` +6. ✅ Update `.env.example` +7. ⏳ Write `auth.test.ts` with env-var gating tests +8. ⏳ Quality gates: typecheck + lint + format:check + test +9. 
⏳ Commit + push + PR + +## Decisions + +- **WorkOS**: Uses explicit `authorizationUrl`, `tokenUrl`, `userInfoUrl` (no discovery endpoint available) +- **Keycloak**: Uses `discoveryUrl` pattern (`{URL}/realms/{REALM}/.well-known/openid-configuration`) +- **UI gating**: Login page uses `NEXT_PUBLIC_WORKOS_ENABLED` / `NEXT_PUBLIC_KEYCLOAK_ENABLED` feature flags (safer than exposing secret env var names client-side) +- **Refactor**: Authentik moved into same `oauthProviders[]` array pattern — cleaner, more extensible +- **Feature flag design**: `NEXT_PUBLIC_*` flags are opt-in alongside credentials (prevents accidental button render when creds not set) + +## Assumptions + +- `ASSUMPTION:` WorkOS OIDC discovery URL is not publicly documented; using direct URL pattern from WorkOS SSO docs. +- `ASSUMPTION:` `NEXT_PUBLIC_WORKOS_ENABLED=true` must be explicitly set — this is intentional (credential presence alone doesn't enable the button since NEXT_PUBLIC vars are baked at build time). + +## Tests + +- `auth.test.ts`: Mocks betterAuth stack, verifies WorkOS included/excluded based on env var +- `auth.test.ts`: Verifies Keycloak discoveryUrl constructed correctly + +## Quality Gate Results + +| Gate | Status | +| ------------------- | ------ | +| typecheck | ⏳ | +| lint | ⏳ | +| format:check | ⏳ | +| test (@mosaic/auth) | ⏳ | + +## Verification Evidence + +⏳ Pending
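Review bot: The subject "chore: fix prettier formatting on scratchpad files" does not cover the second file in the diffstat: `docs/scratchpads/p8-001-sso-providers.md` is listed as `create mode 100644` with 62 added lines, so this commit introduces a new SSO planning document rather than reformatting an existing one. Either split the new file into its own docs commit or reword the subject, so the history shows where the SSO decisions and assumptions were first recorded.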
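Review bot: In the Bug #193 bullet of `docs/scratchpads/BUG-CLI-scratchpad.md` (second hunk, unchanged context), the inline code span for the new key, key={`${cmd.execution}-${cmd.name}`}, puts backticks inside single-backtick delimiters, so Markdown closes the span at the first inner backtick and the template literal renders broken. Since this commit is a formatting pass over that file, wrap the span in double-backtick delimiters with padding spaces so the key expression displays intact.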
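Review bot: In the Decisions section of `docs/scratchpads/p8-001-sso-providers.md`, the claim that the `NEXT_PUBLIC_*` flags prevent "accidental button render when creds not set" only holds while the flag is unset; nothing in the scope table or plan ties `NEXT_PUBLIC_WORKOS_ENABLED` / `NEXT_PUBLIC_KEYCLOAK_ENABLED` to the server-side conditional registration in `packages/auth/src/auth.ts`, and the second assumption itself notes the flags are baked at build time. Document the two mismatched states (flag set with no credentials, credentials set with no flag) and what the login page and the server do in each. The Tests section lists only WorkOS inclusion/exclusion and Keycloak `discoveryUrl` construction; add Keycloak exclusion and the refactored Authentik path so every provider in `oauthProviders[]` has gating coverage. The two statements about WorkOS discovery also disagree ("no discovery endpoint available" in Decisions, "not publicly documented" in Assumptions); settle on one wording.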