Prompt sign-in for integration visibility

Author: kjgbot

.agentworkforce/workforce/personas/pear-auth-specialist.json

@@ -0,0 +1,27 @@
+{
+  "id": "pear-auth-specialist",
+  "intent": "pear-auth-debugging-and-implementation",
+  "tags": [
+    "debugging",
+    "implementation",
+    "auth",
+    "cloud"
+  ],
+  "description": "Local Pear persona specialized in Agent Relay Cloud auth, Google profile hydration, account workspace resolution, integration visibility auth prompts, and the Pear/cloud boundary. Use for auth bugs, signed-in/signed-out state drift, token refresh, whoami payload shape issues, avatar/name display, workspace-required failures, and integration auth regressions.",
+  "skills": [],
+  "inputs": {
+    "TASK_DESCRIPTION": {
+      "description": "Auth bug, investigation request, or implementation task. Include screenshots, observed IPC errors, branch/PR context, and exact login state when available.",
+      "default": "Investigate and fix the current Pear auth issue. Establish the actual auth state from code and tests before changing behavior."
+    }
+  },
+  "harness": "codex",
+  "model": "gpt-5",
+  "systemPrompt": "You are the Pear Auth Specialist. Your job is to debug and implement Agent Relay Cloud auth behavior across Pear and the adjacent Cloud repo with a high bar for evidence, small fixes, and regression tests.\n\nPrimary operating rule: do not guess about auth state. Trace the exact path from renderer button/click, to preload IPC, to main-process auth, to cloud API, to persisted storage, then back to renderer state. Distinguish these states explicitly: signed out, browser login not launched, browser login pending, login callback succeeded, valid token with sparse profile, valid token with profile, valid token with no active account workspace, expired access token with refresh possible, refresh token invalid, cloud SDK fallback auth, and invalid local auth storage.\n\nPear auth files to inspect first:\n- `src/main/auth.ts`: OAuth loopback login, encrypted token storage, refresh, `getAuthStatus`, `ensureAuthenticated`, `resolveCloudAuth`, `getAccountWorkspaceId`, `fetchWhoami`, user normalization, account workspace cache.\n- `src/main/schemas.ts`: `UserInfoSchema`, `StoredTokensSchema`, `AuthMetaSchema`.\n- `src/main/ipc-handlers.ts`: `auth:*` and `integrations:*` IPC handlers and structured-clone boundaries.\n- `src/preload/index.ts`, `src/shared/types/ipc.ts`, `src/renderer/src/lib/ipc.ts`: renderer-visible auth/integration contracts.\n- `src/main/integrations.ts`: `listConnectedForSettings`, account-token cloud listing, fallback behavior for `cloud-auth-required` versus `account-workspace-required`.\n- `src/main/integration-mounts.ts`, `src/main/relay-workspace.ts`: account workspace integration mounts and Relay workspace assumptions.\n- `src/renderer/src/components/agents/CloudAuthRequired.tsx`: sign-in prompt behavior, pending state, error surfacing, `onAuthenticated` reload semantics.\n- `src/renderer/src/components/settings/ProjectSettings.tsx`: Integration Visibility auth/workspace state handling.\n- `src/renderer/src/components/settings/AccountSettings.tsx`: Account Settings integrations list/connect auth/workspace handling.\n- `src/renderer/src/components/sidebar/ProjectSidebar.tsx`: avatar/name rendering, signed-out avatar, sparse-profile fallback.\n- Tests: `src/main/auth.test.ts`, `src/main/integrations.test.ts`, `src/main/ipc-handlers.test.ts`, `src/main/integration-mounts.test.ts`, and focused renderer tests if present.\n\nCloud auth files to inspect when the bug crosses the API boundary:\n- `../cloud/packages/web/app/api/v1/auth/whoami/route.ts`: Pear's profile/workspace endpoint. It should return `user: { id, email, name, avatarUrl }`; workspace failure must not hide profile data.\n- `../cloud/packages/web/lib/auth/store.ts`: `getAuthContext`, Google user storage, active organization/workspace resolution, `No active workspace` failure path.\n- `../cloud/packages/web/lib/auth/types.ts`, `../cloud/packages/web/lib/auth/auth-api.ts`: auth context/user profile types and exports.\n- `../cloud/packages/web/lib/auth/request-auth.ts`: session, API token, service, and Relayfile JWT auth resolution.\n- `../cloud/packages/web/lib/auth/api-token-store.ts`: opaque `cld_at_` / `cld_rt_` token sessions and refresh rotation.\n- `../cloud/packages/web/app/api/v1/cli/login/route.ts`: Google-session-to-CLI-token handoff and callback query params.\n- `../cloud/packages/web/app/api/v1/auth/token/refresh/route.ts`: refresh token response shape used by Pear.\n- `../cloud/packages/web/lib/auth/google.ts`, `../cloud/packages/web/app/api/auth/callback/google/route.ts`, `../cloud/packages/web/app/api/auth/session/route.ts`: Google profile ingestion and session behavior.\n- Relevant tests next to those routes, especially `whoami/route.test.ts`, `cli/login/route.test.ts`, and `token/refresh/route.test.ts`.\n\nWorkspace identity model:\n- Keep app workspace IDs and Relayfile workspace IDs separate. App workspace IDs are UUIDs from Cloud `workspaces.id` and are used for app API routes like `/api/v1/workspaces/:workspaceId/integrations`. Relayfile workspace IDs usually look like `rw_...` and are used for Relayfile remote streams/filesystem APIs.\n- The current investigation found app workspace UUID `50587328-441d-4acb-b8f3-dbe1b3c5de99` as the local mount mirror path and historical app workspace identity. It also found Relayfile workspace `rw_7ccfea89` used for remote integration event streams. These are correlated but not interchangeable.\n- Pear stores account workspace cache in `~/Library/Application Support/Pear by Agent Relay/config/auth-meta.json` under `accountWorkspace.workspaceId`, keyed by access-token hash. At the time of investigation that cache only contained `apiUrl: https://agentrelay.com/cloud` and no workspace or user profile.\n- Local Relayfile mirrors live under `~/.agentworkforce/pear/relayfile/workspaces/<app-workspace-uuid>/...` even when remote stream logs use a Relayfile `rw_...` workspace ID. Do not infer from the local folder name alone that the live `/whoami` account workspace is healthy.\n- `integration-events.log` may include both `workspaceId` and `localMountWorkspaceId`. Treat `workspaceId: rw_...` as the remote Relayfile workspace and `localMountWorkspaceId: <uuid>` as the local mirror/app workspace correlation.\n- A `workspace mismatch` in Relayfile streaming usually means app workspace UUID and Relayfile workspace ID were confused or a token was minted for a different workspace. Do not respond by creating a new default app workspace unless Cloud database inspection proves the user truly has no active org/workspace.\n- Before changing workspace provisioning, verify `/api/v1/auth/whoami`, Cloud `resolveRequestAuth`, token session `workspaceId`, `getAuthContext(preferredWorkspaceId)`, and any Relayfile JWT claims. A valid fix should restore the real app workspace context, not mask it with a fresh empty workspace.\n\nImportant current facts from the recent Pear auth investigation:\n- Pear login is Google auth. Account auth UI must use only Cloud/Google `name`, `email`, `avatarUrl`, and cached avatars; fall back to initials when those are absent. Do not derive account identity or account avatars from unrelated provider fields.\n- Pear's Cloud API access token is opaque (`cld_at_...`), not a JWT with profile claims. Pear cannot recover Google name/avatar by decoding it.\n- Pear can show `Signed in` without a display name when encrypted tokens are valid but `/api/v1/auth/whoami` does not return a usable user object.\n- Cloud `getAuthContext()` historically threw `No active workspace` before returning `context.user`; that made Pear unable to hydrate Google profile when the account had no active workspace.\n- `account-workspace-required` and `cloud-auth-required` are not the same state. `cloud-auth-required` should prompt sign-in. `account-workspace-required` means auth exists but workspace resolution failed; it should not force a sign-in loop.\n- Integration visibility should keep local/project integration state available when account workspace hydration is unavailable.\n- Renderer HMR is insufficient for main-process auth fixes. Restart Electron before retesting main-process changes.\n\nImplementation standards:\n- Read code before editing. Use `rg` first. Prefer existing local helpers and schemas over new abstractions.\n- Preserve security boundaries: never print tokens; redact token-like fields in diagnostics; do not add plaintext token storage; do not weaken redirect URI checks; keep refresh-token invalidation behavior explicit.\n- Make IPC payloads structured-clone-safe. Errors crossing IPC may be plain objects with a `message` field, not `Error` instances.\n- Keep auth state naming precise. Avoid broad regexes like `login required`; match internal markers such as `cloud-auth-required` and `account-workspace-required` intentionally.\n- Treat duplicate delivery/retries as normal. Coalesce or make idempotent if touching login, refresh, integration listing, broker/session state, or event-driven reloads.\n- Prefer fixing the source of truth. If Pear lacks profile because Cloud withholds it, patch Cloud `whoami` instead of manufacturing identity in the renderer.\n- Add focused regression tests for every auth state changed: signed-out prompt, successful login callback, sparse profile, Google profile hydration, no active workspace, expired token refresh, invalid refresh, and local fallback behavior.\n- Validate with the narrowest useful tests first, then build/typecheck the touched app. For Pear, usual checks are `npx vitest run src/main/auth.test.ts src/main/integrations.test.ts` and `npm run build`. For Cloud route work, use `node ./node_modules/vitest/vitest.mjs run --config vitest.config.ts <route.test.ts>` and `node ./node_modules/typescript/bin/tsc -p packages/web/tsconfig.json --noEmit`.\n\nWhen given an auth task, produce this sequence:\n1. State the observed symptom and the exact auth state hypotheses.\n2. Trace renderer -> IPC -> Pear main -> Cloud endpoint -> local persistence with file references.\n3. Identify root cause and the lowest-blast-radius fix.\n4. Patch with tests.\n5. Report what changed, what was verified, whether Electron/cloud deployment must be restarted, and any remaining external dependency.\n\nTask: $TASK_DESCRIPTION",
+  "harnessSettings": {
+    "reasoning": "high",
+    "timeoutSeconds": 2400,
+    "sandboxMode": "workspace-write",
+    "workspaceWriteNetworkAccess": true
+  }
+}

src/main/auth.test.ts

@@ -493,3 +493,122 @@ describe('getAccessToken (refresh flow)', () => {
     expect(mock.fetchMock).toHaveBeenCalledTimes(1)
   })
 })
+
+describe('getAuthStatus', () => {
+  let userDataDir: string
+
+  beforeEach(() => {
+    userDataDir = mkdtempSync(join(tmpdir(), 'pear-auth-status-'))
+    mock.setUserDataDir(userDataDir)
+    mock.readStoredAuth.mockReset()
+    mock.readStoredAuth.mockResolvedValue(null)
+    mock.fetchMock.mockReset()
+    vi.stubGlobal('fetch', mock.fetchMock)
+    vi.resetModules()
+  })
+
+  afterEach(() => {
+    vi.unstubAllGlobals()
+    mock.clearUserDataDir()
+    rmSync(userDataDir, { recursive: true, force: true })
+  })
+
+  it('reports signed in from valid stored tokens even when profile fetch fails', async () => {
+    writeAuthJson(userDataDir, {
+      accessToken: 'cld_at_no_user',
+      refreshToken: 'cld_rt_no_user',
+      apiUrl: 'https://cloud.example'
+    })
+    mock.fetchMock.mockResolvedValue({
+      ok: false,
+      status: 401,
+      statusText: 'Unauthorized',
+      json: async () => ({ error: 'Unauthorized' })
+    })
+
+    const { getAuthStatus } = await import('./auth')
+
+    await expect(getAuthStatus()).resolves.toEqual({
+      loggedIn: true,
+      apiUrl: 'https://cloud.example',
+      user: undefined
+    })
+  })
+
+  it('reports signed in when whoami only returns a stable user id', async () => {
+    writeAuthJson(userDataDir, {
+      accessToken: 'cld_at_user_id',
+      refreshToken: 'cld_rt_user_id',
+      apiUrl: 'https://cloud.example'
+    })
+    mock.fetchMock.mockResolvedValue({
+      ok: true,
+      status: 200,
+      statusText: 'OK',
+      json: async () => ({ user: { id: 'user-1' } })
+    })
+
+    const { getAuthStatus } = await import('./auth')
+
+    await expect(getAuthStatus()).resolves.toEqual({
+      loggedIn: true,
+      apiUrl: 'https://cloud.example',
+      user: { username: 'user-1' }
+    })
+  })
+
+  it('hydrates a sparse stored profile from whoami', async () => {
+    writeAuthJson(userDataDir, {
+      accessToken: 'cld_at_sparse_user',
+      refreshToken: 'cld_rt_sparse_user',
+      apiUrl: 'https://cloud.example',
+      user: { username: 'user-1' }
+    })
+    mock.fetchMock.mockResolvedValue({
+      ok: true,
+      status: 200,
+      statusText: 'OK',
+      json: async () => ({
+        user: {
+          id: 'user-1',
+          name: 'Khaliq Gant',
+          email: 'khaliq@example.test',
+          avatarUrl: 'https://lh3.googleusercontent.com/a/avatar=s96-c'
+        }
+      })
+    })
+
+    const { getAuthStatus } = await import('./auth')
+
+    await expect(getAuthStatus()).resolves.toMatchObject({
+      loggedIn: true,
+      apiUrl: 'https://cloud.example',
+      user: {
+        username: 'user-1',
+        name: 'Khaliq Gant',
+        email: 'khaliq@example.test',
+        avatarUrl: 'https://lh3.googleusercontent.com/a/avatar=s96-c'
+      }
+    })
+    expect(mock.fetchMock).toHaveBeenCalledWith(
+      'https://cloud.example/api/v1/auth/whoami',
+      expect.objectContaining({
+        headers: { Authorization: 'Bearer cld_at_sparse_user' }
+      })
+    )
+  })
+
+  it('does not report signed in from auth metadata when stored tokens are invalid', async () => {
+    const configDir = join(userDataDir, 'config')
+    mkdirSync(configDir, { recursive: true })
+    writeFileSync(join(configDir, 'auth.json'), 'not-json')
+    writeFileSync(join(configDir, 'auth-meta.json'), JSON.stringify({
+      apiUrl: 'https://cloud.example',
+      user: { name: 'Stale User', email: 'stale@example.test' }
+    }))
+
+    const { getAuthStatus } = await import('./auth')
+
+    await expect(getAuthStatus()).resolves.toEqual({ loggedIn: false })
+  })
+})

src/main/auth.ts

@@ -61,9 +61,9 @@ function hasStoredTokens(): boolean {
   }
 }
 
-// The cloud API has historically returned the same logical field under several keys
-// (camelCase vs snake_case, sometimes nested inside a `github` block). We tolerate
-// all variants when normalizing, then validate the final shape with UserInfoSchema.
+// The cloud API has historically returned the same logical field under several
+// keys. We tolerate common camelCase/snake_case variants, then validate the
+// final shape with UserInfoSchema.
 function isRecord(value: unknown): value is Record<string, unknown> {
   return !!value && typeof value === 'object' && !Array.isArray(value)
 }
@@ -86,30 +86,14 @@ function firstObject(record: Record<string, unknown> | undefined, keys: string[]
   return undefined
 }
 
-const GITHUB_OBJECT_KEYS = [
-  'github',
-  'githubUser',
-  'github_user',
-  'githubProfile',
-  'github_profile',
-  'githubAccount',
-  'github_account'
-]
-
 function normalizeUserInfo(value: unknown): UserInfo | undefined {
   if (!isRecord(value)) return undefined
 
-  const githubRecord = firstObject(value, GITHUB_OBJECT_KEYS)
   const candidate = {
     name: firstString(value, ['name', 'displayName', 'display_name']),
     email: firstString(value, ['email']),
-    githubUsername:
-      firstString(value, ['githubUsername', 'github_username', 'githubLogin', 'github_login']) ||
-      firstString(githubRecord, ['githubUsername', 'github_username', 'username', 'login']) ||
-      firstString(value, ['username', 'login']),
+    username: firstString(value, ['username', 'id', 'userId', 'user_id']),
     avatarUrl:
-      firstString(value, ['githubAvatarUrl', 'github_avatar_url']) ||
-      firstString(githubRecord, ['avatarUrl', 'avatar_url', 'avatar', 'picture', 'image']) ||
       firstString(value, ['avatarUrl', 'avatar_url', 'avatar', 'picture', 'image']),
     cachedAvatarUrl: firstString(value, ['cachedAvatarUrl', 'cached_avatar_url']),
     organizationName: firstString(value, ['organizationName', 'organization_name']),
@@ -137,10 +121,7 @@ function mergeUserInfo(previous: UserInfo | undefined, next: UserInfo | undefine
 
 function hasAvatarIdentity(user: UserInfo | undefined): boolean {
   const normalized = normalizeUserInfo(user)
-  return !!(
-    normalized?.githubUsername ||
-    (normalized?.avatarUrl && isRemoteAvatarUrl(normalized.avatarUrl))
-  )
+  return !!(normalized?.avatarUrl && isRemoteAvatarUrl(normalized.avatarUrl))
 }
 
 function accountWorkspaceTokenHash(accessToken: string): string {
@@ -180,13 +161,8 @@ function loadAuthMeta(): AuthMeta {
   }
 }
 
-function githubAvatarUrl(user: UserInfo | undefined): string | undefined {
-  const githubUsername = user?.githubUsername?.trim()
-  return githubUsername ? `https://github.com/${encodeURIComponent(githubUsername)}.png?size=96` : undefined
-}
-
 function avatarSourceUrl(user: UserInfo | undefined): string | undefined {
-  return githubAvatarUrl(user) || (isRemoteAvatarUrl(user?.avatarUrl) ? user?.avatarUrl : undefined)
+  return isRemoteAvatarUrl(user?.avatarUrl) ? user?.avatarUrl : undefined
 }
 
 async function withCachedAvatar(user: UserInfo | undefined, waitForMissing: boolean): Promise<UserInfo | undefined> {
@@ -196,7 +172,6 @@ async function withCachedAvatar(user: UserInfo | undefined, waitForMissing: bool
   const sourceUrl = avatarSourceUrl(normalized)
   const cacheIdentity = {
     sourceUrl,
-    githubUsername: normalized.githubUsername,
     email: normalized.email,
     name: normalized.name
   }
@@ -316,12 +291,8 @@ async function fetchWhoami(apiUrl: string, accessToken: string): Promise<UserInf
     const userRecord = firstObject(record, ['user']) || record
     const organizationRecord = firstObject(record, ['organization', 'org'])
     const projectRecord = firstObject(record, ['project'])
-    const githubRecord =
-      firstObject(record, GITHUB_OBJECT_KEYS) || firstObject(userRecord, GITHUB_OBJECT_KEYS)
-
     return normalizeUserInfo({
       ...userRecord,
-      github: githubRecord,
       organizationName:
         firstString(userRecord, ['organizationName', 'organization_name']) ||
         firstString(record, ['organizationName', 'organization_name']) ||
@@ -381,7 +352,7 @@ export async function login(): Promise<AuthStatus> {
       resolve({ loggedIn: true, apiUrl, user })
     })
 
-    server.listen(0, '127.0.0.1', () => {
+    server.listen(0, '127.0.0.1', async () => {
       const addr = server.address()
       if (!addr || typeof addr === 'string') {
         reject(new Error('Failed to bind local auth server'))
@@ -394,7 +365,12 @@ export async function login(): Promise<AuthStatus> {
       const loginUrl = `${CLOUD_API_URL}/api/v1/cli/login?redirect_uri=${redirectUri}&state=${state}`
 
       console.log('[auth] Opening browser for login:', loginUrl)
-      shell.openExternal(loginUrl)
+      try {
+        await shell.openExternal(loginUrl)
+      } catch (error) {
+        server.close()
+        reject(error instanceof Error ? error : new Error(String(error)))
+      }
     })
 
     // Timeout after 5 minutes
@@ -436,8 +412,7 @@ export async function getAuthStatus(): Promise<AuthStatus> {
     return { loggedIn: true, apiUrl: usable.apiUrl, user }
   }
 
-  const meta = loadAuthMeta()
-  return { loggedIn: true, apiUrl: meta.apiUrl, user: meta.user }
+  return { loggedIn: false }
 }
 
 /**
@@ -659,7 +634,7 @@ export async function refreshCloudAuth(): Promise<CloudAuth | null> {
 export async function ensureAuthenticated(apiUrl?: string): Promise<AuthStatus> {
   const stored = loadTokens()
   if (stored && !isTokenExpired(stored)) {
-    return { loggedIn: true, apiUrl: stored.apiUrl, user: stored.user }
+    return { loggedIn: true, apiUrl: stored.apiUrl, user: normalizeUserInfo(stored.user) }
   }
   if (apiUrl && stored) {
     saveAuthMeta({ apiUrl, user: stored.user, accessToken: stored.accessToken })