Merge main into prod

.agents/skills/data-table-builder/SKILL.md

@@ -0,0 +1,8 @@
+---
+name: data-table-builder
+description: Read when working with filters in the data table
+---
+
+- Never query the entire table and then filter client-side to populate the filter dropdown options.
+  Create a view in duty/ repo instead that returns options for all the filters at once.
+  Reference: `config_access_summary_by_user` view in views/038_config_access.sql

AGENTS.md

@@ -1,2 +1,2 @@
 - Do not hand-write Shadcn components. Use the shadcn CLI to add new components.
-- Use npm run build to build
+- Do not run `npm run build` when dev server is running. use `npm run typecheck` instead.

app/api/chat/route.ts

@@ -141,50 +141,101 @@ function buildLLMModel(connection: LLMConnection): LanguageModelV3 {
   }
 }
 
+function tryParseJSON(value?: string) {
+  if (!value) {
+    return undefined;
+  }
+
+  try {
+    return JSON.parse(value);
+  } catch {
+    return value;
+  }
+}
+
+function getErrorDetail(error: unknown): unknown {
+  if (error instanceof HttpError) {
+    return tryParseJSON(error.body);
+  }
+
+  if (!(error instanceof Error) || !error.cause) {
+    return undefined;
+  }
+
+  if (error.cause instanceof Error) {
+    const cause = error.cause as Error & {
+      code?: string;
+      errno?: string | number;
+      address?: string;
+      port?: number;
+    };
+
+    return {
+      message: cause.message,
+      code: cause.code,
+      errno: cause.errno,
+      address: cause.address,
+      port: cause.port
+    };
+  }
+
+  return error.cause;
+}
+
 export async function POST(req: Request) {
+  let mcpClient: Awaited<ReturnType<typeof createMCPClient>> | undefined;
+
   const wideEvent: Record<string, any> = {
     event: "llm-conversation",
     timestamp: new Date().toISOString(),
     status: "started"
   };
 
-  const {
-    messages,
-    alwaysAllowedTools = []
-  }: { messages?: UIMessage[]; alwaysAllowedTools?: string[] } =
-    await req.json();
-  if (!Array.isArray(messages)) {
-    return new Response("Invalid request body", { status: 400 });
-  }
+  try {
+    const {
+      messages,
+      alwaysAllowedTools = []
+    }: { messages?: UIMessage[]; alwaysAllowedTools?: string[] } =
+      await req.json();
+
+    if (!Array.isArray(messages)) {
+      return new Response(JSON.stringify({ error: "Invalid request body" }), {
+        status: 400,
+        headers: {
+          "content-type": "application/json"
+        }
+      });
+    }
 
-  wideEvent.messages = messages.length;
+    wideEvent.messages = messages.length;
 
-  try {
     const backendUrl = await getBackendUrl();
     wideEvent.backendURL = backendUrl;
 
     const cookies = req.headers.get("cookie") ?? "";
     wideEvent.cookies = cookies.length;
 
     const llmConnection = await fetchLLMConnection(backendUrl, cookies);
-    const model = buildLLMModel(llmConnection);
     wideEvent.llm = {
       model: llmConnection.properties?.model,
       provider: llmConnection.type
     };
 
-    const mcpClient = await createMCPClient({
+    const model = buildLLMModel(llmConnection);
+
+    mcpClient = await createMCPClient({
       transport: {
         type: "http",
         url: buildURL(backendUrl, "/mcp").toString(),
         headers: {
-          // Use the user's cookie to authenticate for now.
-          // We need to add the more fine-grained MCP tokens
           Cookie: cookies
         }
       }
     });
+    wideEvent.mcpCreated = true;
+
     const tools = await buildChatTools(mcpClient, alwaysAllowedTools);
+    wideEvent.totalTools = Object.entries(tools).length;
 
     const loadedSkillTool = await loadSkillTool();
     wideEvent.skills = {
@@ -201,7 +252,6 @@ export async function POST(req: Request) {
       (tools as Record<string, unknown>).skill = loadedSkillTool.skillTool;
     }
 
-    // Build tools first so convertToModelMessages can resolve tool schemas
     const modelMessages = await convertToModelMessages(messages, { tools });
 
     const result = streamText({
@@ -213,35 +263,60 @@ export async function POST(req: Request) {
       experimental_transform: truncateToolResultTransform,
       onError: async (error) => {
         wideEvent.status = "error";
-        wideEvent.error =
-          error instanceof Error ? error.message : String(error);
+        wideEvent.error = {
+          error:
+            error instanceof Error ? error.message : "Internal Server Error",
+          detail: getErrorDetail(error),
+          provider: wideEvent.llm?.provider,
+          model: wideEvent.llm?.model
+        };
+
         await mcpClient?.close();
+        console.error(JSON.stringify(wideEvent));
       },
       onFinish: async (result) => {
         wideEvent.status = "completed";
         wideEvent.usage = {
           totalTokens: result.usage?.totalTokens
         };
         wideEvent.finishReason = result.finishReason;
+
         await mcpClient?.close();
+        console.log(JSON.stringify(wideEvent));
       }
     });
 
-    return result.toUIMessageStreamResponse({ sendReasoning: true });
+    return result.toUIMessageStreamResponse({
+      sendReasoning: true,
+      onError: (error) =>
+        JSON.stringify({
+          error:
+            error instanceof Error ? error.message : "Internal Server Error",
+          detail: getErrorDetail(error),
+          provider: wideEvent.llm?.provider,
+          model: wideEvent.llm?.model
+        })
+    });
   } catch (error) {
     wideEvent.status = "error";
-    wideEvent.error = error instanceof Error ? error.message : String(error);
-    if (error instanceof HttpError) {
-      return new Response(error.body ?? error.message, {
-        status: error.status
-      });
-    }
-    return new Response("Internal Server Error", { status: 500 });
-  } finally {
-    if (wideEvent.status === "error") {
-      console.error(JSON.stringify(wideEvent));
-    } else {
-      console.log(JSON.stringify(wideEvent));
-    }
+    wideEvent.error = {
+      error: error instanceof Error ? error.message : "Internal Server Error",
+      detail: getErrorDetail(error),
+      provider: wideEvent.llm?.provider,
+      model: wideEvent.llm?.model
+    };
+
+    try {
+      await mcpClient?.close();
+    } catch {}
+
+    console.error(JSON.stringify(wideEvent));
+
+    return new Response(JSON.stringify(wideEvent.error), {
+      status: error instanceof HttpError ? error.status : 500,
+      headers: {
+        "content-type": "application/json"
+      }
+    });
   }
 }

clerk.middleware.ts

@@ -4,7 +4,18 @@ import { NextResponse } from "next/server";
 const isPubliclyAccessibleRoute = createRouteMatcher([
   // all pages except the ones listed below are protected
   "/login(.*)",
-  "/registration(.*)"
+  "/registration(.*)",
+  "/.well-known(.*)",
+  "/authorize(.*)",
+  "/oauth(.*)",
+  "/userinfo",
+  "/revoke",
+  "/device_authorization",
+  "/keys",
+  "/end_session",
+  "/endsession",
+  "/oidc(.*)",
+  "/mcp(.*)"
 ]);
 
 export default clerkMiddleware(

next.config.js

@@ -39,22 +39,61 @@ const config = {
     ];
   },
   async rewrites() {
-    // if clerk is enabled, we will use next API routes to proxy requests to
-    // the backend
-    if (process.env.NEXT_PUBLIC_AUTH_IS_CLERK === "true") {
-      return [];
-    }
+    const isClerkAuth = process.env.NEXT_PUBLIC_AUTH_IS_CLERK === "true";
+    const isBasicAuth = process.env.NEXT_PUBLIC_AUTH_IS_BASIC === "true";
 
     // Read at build time. See Dockerfile for deployment related steps.
     const backendURL = process.env.BACKEND_URL || "http://localhost:3000/";
     const isCanary =
       process.env.NEXT_PUBLIC_APP_DEPLOYMENT === "CANARY_CHECKER";
     const canaryPrefix = isCanary ? "" : "/canary";
+    // OIDC protocol endpoints are mounted at the root of the backend (matching the
+    // issuer URL). These rewrites let the browser reach those endpoints through the
+    // Next.js server without authentication interference.
+    const OIDC_REWRITES = [
+      {
+        source: "/.well-known/:path*",
+        destination: `${backendURL}/.well-known/:path*`
+      },
+      { source: "/authorize", destination: `${backendURL}/authorize` },
+      {
+        source: "/authorize/:path*",
+        destination: `${backendURL}/authorize/:path*`
+      },
+      { source: "/oauth/token", destination: `${backendURL}/oauth/token` },
+      {
+        source: "/oauth/introspect",
+        destination: `${backendURL}/oauth/introspect`
+      },
+      { source: "/userinfo", destination: `${backendURL}/userinfo` },
+      { source: "/revoke", destination: `${backendURL}/revoke` },
+      {
+        source: "/device_authorization",
+        destination: `${backendURL}/device_authorization`
+      },
+      { source: "/keys", destination: `${backendURL}/keys` },
+      { source: "/end_session", destination: `${backendURL}/end_session` },
+      // Some clients use /endsession (no underscore) — proxy both.
+      { source: "/endsession", destination: `${backendURL}/endsession` },
+      // All OIDC sub-routes (login, callback, …)
+      { source: "/oidc/:path*", destination: `${backendURL}/oidc/:path*` },
+      // MCP transport endpoint
+      { source: "/mcp", destination: `${backendURL}/mcp` },
+      { source: "/mcp/:path*", destination: `${backendURL}/mcp/:path*` }
+    ];
+
+    // clerk and basic auth use next API routes for app endpoints, but OIDC protocol
+    // endpoints still need explicit rewrites.
+    if (isClerkAuth || isBasicAuth) {
+      return OIDC_REWRITES;
+    }
+
     const LOCALHOST_ENV_URL_REWRITES = [
       {
         source: "/api/:path*",
         destination: `${backendURL}/api/:path*`
-      }
+      },
+      ...OIDC_REWRITES
     ];
 
     const URL_REWRITES = [
@@ -71,7 +110,8 @@ const config = {
       {
         source: "/api/:path*",
         destination: `${backendURL}/:path*`
-      }
+      },
+      ...OIDC_REWRITES
     ];
     // NODE_ENV is set to "development" when running locally, so we can use it
     // to determine if we are running in a local environment.