fix(apps-proxy): satisfy linters on kai-preview branch

Fix all 52 golangci-lint failures reported by CI run 25903961499:

- noctx(25): replace httptest.NewRequest → NewRequestWithContext(t.Context(), …) in all kaipreview test files
- tagliatelle(3): rename JSON tags app_id → appId and ttl_s → ttlS in jwt.go (HandshakeClaims, SessionClaims)
- errchkjson(7): check errors from json.Marshal / json.NewEncoder().Encode() in bootstrap.go, handshake_token.go, exchange_test.go, storage_token_verifier_test.go
- nilerr(4): add //nolint:nilerr with explanation where HTTP handlers deliberately swallow errors
- gochecknoglobals(2): var PathPrefix → const PathPrefix in handler.go; //nolint:gochecknoglobals on bootstrapTmpl
- gci(4): fix struct-field alignment in manager.go / apphandler.go; add missing spaces after commas in cookie_test.go, cors_test.go
- contextcheck(2): add //nolint:contextcheck on the two false-positive req.Context() call sites in apphandler.go; extract serveKaiPreview helper to reduce nestif complexity
- paralleltest(1)+tparallel(1): add t.Parallel() to TestIsIframeDocumentLoad subtests
- testifylint(1): assert.False(strings.Contains(…)) → assert.NotContains(…)
- errname(1): rename stubErr → stubError in handshake_token_test.go
- gosec G203(1): //nolint:gosec on template.JS(bs) conversion in bootstrap.go
- unparam(1): remove unused devMode bool param from newTestCompositeHandler; inline true
- usetesting(6): context.Background() → t.Context() in storage_token_verifier_test.go

Author: pepamartinec

internal/pkg/service/appsproxy/proxy/apphandler/apphandler.go

@@ -52,16 +52,16 @@ func newAppHandler(manager *Manager, app api.AppConfig, appUpstream chain.Handle
 		upstream:           appUpstream,
 		authHandlerPerRule: make(map[ruleIndex]chain.Handler),
 		kaiPreview: kpendpoints.NewHandler(kpendpoints.HandlerDeps{
-			Clock:             manager.clock,
+			Clock:                manager.clock,
 			StorageTokenVerifier: manager.storageTokenVerifier,
-			DevMode:           devModeChecker,
-			CORS:              kaipreview.NewCORS(manager.config.KaiPreview.AllowedOrigins),
-			HandshakeKey:      manager.config.KaiPreview.HandshakeSigningKey,
-			SessionKey:        manager.config.KaiPreview.SessionSigningKey,
-			SessionTTL:        manager.config.KaiPreview.SessionTTL,
-			AllowedOrigins:    manager.config.KaiPreview.AllowedOrigins,
-			AppID:             string(app.ID),
-			AppProjectID:      app.ProjectID,
+			DevMode:              devModeChecker,
+			CORS:                 kaipreview.NewCORS(manager.config.KaiPreview.AllowedOrigins),
+			HandshakeKey:         manager.config.KaiPreview.HandshakeSigningKey,
+			SessionKey:           manager.config.KaiPreview.SessionSigningKey,
+			SessionTTL:           manager.config.KaiPreview.SessionTTL,
+			AllowedOrigins:       manager.config.KaiPreview.AllowedOrigins,
+			AppID:                string(app.ID),
+			AppProjectID:         app.ProjectID,
 		}),
 	}
 
@@ -170,39 +170,9 @@ func (h *appHandler) serveHTTPOrError(w http.ResponseWriter, req *http.Request)
 
 	// kai-preview: dev-mode iframe-auth path.
 	// (routing decision documented in spec § "apps-proxy: routing decision for dev-mode apps")
-	if h.isDevMode(req.Context()) {
-		// 1. /_proxy/kai-preview/* routes go to the kai-preview composite handler.
-		if strings.HasPrefix(req.URL.Path, kpendpoints.PathPrefix) {
-			return h.kaiPreview.ServeHTTPOrError(w, req)
-		}
-		// 2. Valid session cookie → forward to upstream (skip AuthRules), with sliding refresh.
-		if claims, ok := kaipreview.ValidateSessionCookie(
-			req,
-			h.manager.config.KaiPreview.SessionSigningKey,
-			h.manager.clock,
-			string(h.app.ID),
-			h.app.ProjectID,
-		); ok {
-			if claims.NeedsRefresh(h.manager.clock.Now()) {
-				newJWT, err := kaipreview.MintSessionJWT(
-					h.manager.config.KaiPreview.SessionSigningKey,
-					h.manager.clock,
-					string(h.app.ID),
-					h.app.ProjectID,
-					h.manager.config.KaiPreview.SessionTTL,
-				)
-				if err == nil {
-					kaipreview.SetSessionCookie(w, newJWT, h.manager.config.KaiPreview.SessionTTL)
-				}
-				// If mint fails, just forward without refresh — the existing cookie is still valid.
-			}
-			return h.upstream.ServeHTTPOrError(w, req)
-		}
-		// 3. Iframe document load on a dev-mode app with no session → serve bootstrap shim.
-		if kaipreview.IsIframeDocumentLoad(req) {
-			bootstrapReq := req.Clone(req.Context())
-			bootstrapReq.URL.Path = kpendpoints.PathPrefix + "/bootstrap"
-			return h.kaiPreview.ServeHTTPOrError(w, bootstrapReq)
+	if h.isDevMode(req.Context()) { //nolint:contextcheck // false positive: req.Context() is the correct context here
+		if handled, err := h.serveKaiPreview(w, req); handled {
+			return err
 		}
 	}
 
@@ -234,6 +204,51 @@ func (h *appHandler) serveRule(w http.ResponseWriter, req *http.Request, index r
 	return h.upstream.ServeHTTPOrError(w, req)
 }
 
+// serveKaiPreview handles the three dev-mode routing cases for the kai-preview iframe-auth path.
+// Returns (true, err) when it handled the request, or (false, nil) when the caller should continue routing.
+func (h *appHandler) serveKaiPreview(w http.ResponseWriter, req *http.Request) (bool, error) {
+	// 1. /_proxy/kai-preview/* routes go to the kai-preview composite handler.
+	if strings.HasPrefix(req.URL.Path, kpendpoints.PathPrefix) {
+		return true, h.kaiPreview.ServeHTTPOrError(w, req)
+	}
+	// 2. Valid session cookie → forward to upstream (skip AuthRules), with sliding refresh.
+	if claims, ok := kaipreview.ValidateSessionCookie(
+		req,
+		h.manager.config.KaiPreview.SessionSigningKey,
+		h.manager.clock,
+		string(h.app.ID),
+		h.app.ProjectID,
+	); ok {
+		h.maybeRefreshSessionCookie(w, claims)
+		return true, h.upstream.ServeHTTPOrError(w, req)
+	}
+	// 3. Iframe document load on a dev-mode app with no session → serve bootstrap shim.
+	if kaipreview.IsIframeDocumentLoad(req) {
+		bootstrapReq := req.Clone(req.Context()) //nolint:contextcheck // false positive: req.Context() is the correct context here
+		bootstrapReq.URL.Path = kpendpoints.PathPrefix + "/bootstrap"
+		return true, h.kaiPreview.ServeHTTPOrError(w, bootstrapReq)
+	}
+	return false, nil
+}
+
+// maybeRefreshSessionCookie re-mints the session JWT when the session has passed its midpoint.
+// If minting fails, the existing cookie is left in place (it is still valid).
+func (h *appHandler) maybeRefreshSessionCookie(w http.ResponseWriter, claims *kaipreview.SessionClaims) {
+	if !claims.NeedsRefresh(h.manager.clock.Now()) {
+		return
+	}
+	newJWT, err := kaipreview.MintSessionJWT(
+		h.manager.config.KaiPreview.SessionSigningKey,
+		h.manager.clock,
+		string(h.app.ID),
+		h.app.ProjectID,
+		h.manager.config.KaiPreview.SessionTTL,
+	)
+	if err == nil {
+		kaipreview.SetSessionCookie(w, newJWT, h.manager.config.KaiPreview.SessionTTL)
+	}
+}
+
 // isDevMode reports whether this app currently has DevMode enabled.
 // It reads from the live K8s state cache so toggling DevMode on the App CRD takes
 // effect on the next request without requiring handler recreation.

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/kaipreview/cookie_test.go

@@ -40,15 +40,15 @@ func TestSetSessionCookie_Attributes(t *testing.T) {
 
 func TestReadSessionCookie_Present(t *testing.T) {
 	t.Parallel()
-	r := httptest.NewRequest("GET", "/", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/", nil)
 	r.AddCookie(&http.Cookie{Name: SessionCookieName, Value: "the-jwt"})
 	got := ReadSessionCookie(r)
 	assert.Equal(t, "the-jwt", got)
 }
 
 func TestReadSessionCookie_Missing(t *testing.T) {
 	t.Parallel()
-	r := httptest.NewRequest("GET", "/", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/", nil)
 	got := ReadSessionCookie(r)
 	assert.Empty(t, got)
 }
@@ -85,7 +85,7 @@ func TestValidateSessionCookie_Valid(t *testing.T) {
 	jwt, err := MintSessionJWT(testSessionKey, clock, "app-123", "proj-456", 4*time.Hour)
 	require.NoError(t, err)
 
-	r := httptest.NewRequest("GET", "/anything", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/anything", nil)
 	r.AddCookie(&http.Cookie{Name: SessionCookieName, Value: jwt})
 
 	claims, ok := ValidateSessionCookie(r, testSessionKey, clock, "app-123", "proj-456")
@@ -97,7 +97,7 @@ func TestValidateSessionCookie_Valid(t *testing.T) {
 func TestValidateSessionCookie_Missing(t *testing.T) {
 	t.Parallel()
 	clock := clockwork.NewFakeClock()
-	r := httptest.NewRequest("GET", "/anything", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/anything", nil)
 	_, ok := ValidateSessionCookie(r, testSessionKey, clock, "app-123", "proj-456")
 	assert.False(t, ok)
 }
@@ -107,7 +107,7 @@ func TestValidateSessionCookie_AppMismatch(t *testing.T) {
 	clock := clockwork.NewFakeClock()
 	jwt, err := MintSessionJWT(testSessionKey, clock, "different-app", "proj-456", 4*time.Hour)
 	require.NoError(t, err)
-	r := httptest.NewRequest("GET", "/anything", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/anything", nil)
 	r.AddCookie(&http.Cookie{Name: SessionCookieName, Value: jwt})
 
 	_, ok := ValidateSessionCookie(r, testSessionKey, clock, "app-123", "proj-456")
@@ -120,7 +120,7 @@ func TestValidateSessionCookie_Expired(t *testing.T) {
 	jwt, err := MintSessionJWT(testSessionKey, clock, "app-123", "proj-456", 4*time.Hour)
 	require.NoError(t, err)
 	clock.Advance(5 * time.Hour)
-	r := httptest.NewRequest("GET", "/anything", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/anything", nil)
 	r.AddCookie(&http.Cookie{Name: SessionCookieName, Value: jwt})
 
 	_, ok := ValidateSessionCookie(r, testSessionKey, clock, "app-123", "proj-456")
@@ -132,7 +132,7 @@ func TestValidateSessionCookie_ProjectMismatch(t *testing.T) {
 	clock := clockwork.NewFakeClock()
 	jwt, err := MintSessionJWT(testSessionKey, clock, "app-123", "different-project", 4*time.Hour)
 	require.NoError(t, err)
-	r := httptest.NewRequest("GET", "/anything", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/anything", nil)
 	r.AddCookie(&http.Cookie{Name: SessionCookieName, Value: jwt})
 
 	_, ok := ValidateSessionCookie(r, testSessionKey, clock, "app-123", "proj-456")

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/kaipreview/cors_test.go

@@ -12,7 +12,7 @@ func TestCORS_AllowedOrigin_Preflight(t *testing.T) {
 	t.Parallel()
 	cors := NewCORS([]string{"https://connection.keboola.com"})
 
-	r := httptest.NewRequest(http.MethodOptions, "/_proxy/kai-preview/handshake-token", nil)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodOptions, "/_proxy/kai-preview/handshake-token", nil)
 	r.Header.Set("Origin", "https://connection.keboola.com")
 	r.Header.Set("Access-Control-Request-Method", "POST")
 	r.Header.Set("Access-Control-Request-Headers", "X-StorageApi-Token, Content-Type")
@@ -30,7 +30,7 @@ func TestCORS_DisallowedOrigin_Preflight(t *testing.T) {
 	t.Parallel()
 	cors := NewCORS([]string{"https://connection.keboola.com"})
 
-	r := httptest.NewRequest(http.MethodOptions, "/_proxy/kai-preview/handshake-token", nil)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodOptions, "/_proxy/kai-preview/handshake-token", nil)
 	r.Header.Set("Origin", "https://evil.example.com")
 	w := httptest.NewRecorder()
 
@@ -53,7 +53,7 @@ func TestCORS_WriteResponseHeaders(t *testing.T) {
 func TestCORS_NonPreflightPassesThrough(t *testing.T) {
 	t.Parallel()
 	cors := NewCORS([]string{"https://connection.keboola.com"})
-	r := httptest.NewRequest(http.MethodPost, "/_proxy/kai-preview/handshake-token", nil)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/_proxy/kai-preview/handshake-token", nil)
 	w := httptest.NewRecorder()
 	handled := cors.HandlePreflight(w, r)
 	assert.False(t, handled)

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/kaipreview/endpoints/bootstrap.go

@@ -13,7 +13,7 @@ import (
 //go:embed template/bootstrap.gohtml
 var bootstrapFS embed.FS
 
-var bootstrapTmpl = template.Must(template.ParseFS(bootstrapFS, "template/bootstrap.gohtml"))
+var bootstrapTmpl = template.Must(template.ParseFS(bootstrapFS, "template/bootstrap.gohtml")) //nolint:gochecknoglobals // template must be parsed at package init
 
 type BootstrapHandler struct {
 	allowedOrigins []string
@@ -23,10 +23,14 @@ type BootstrapHandler struct {
 }
 
 func NewBootstrapHandler(allowedOrigins []string, devMode DevModeChecker, appID string) *BootstrapHandler {
-	bs, _ := json.Marshal(allowedOrigins) // []string round-trip never errors for []string
+	bs, err := json.Marshal(allowedOrigins)
+	if err != nil {
+		// []string marshalling never fails; this is a safety guard.
+		bs = []byte("[]")
+	}
 	return &BootstrapHandler{
 		allowedOrigins: allowedOrigins,
-		originsJSON:    template.JS(bs),
+		originsJSON:    template.JS(bs), //nolint:gosec // G203: bs is json.Marshal output of config-supplied URL strings, safe to embed as JS literal
 		devMode:        devMode,
 		appID:          appID,
 	}

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/kaipreview/endpoints/bootstrap_test.go

@@ -13,7 +13,7 @@ import (
 func TestBootstrapHandler_ServesHTMLWithCSP(t *testing.T) {
 	t.Parallel()
 	h := NewBootstrapHandler([]string{"https://connection.keboola.com"}, &stubDevModeChecker{devMode: true}, "app-123")
-	r := httptest.NewRequest("GET", "/_proxy/kai-preview/bootstrap", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "GET", "/_proxy/kai-preview/bootstrap", nil)
 	w := httptest.NewRecorder()
 
 	err := h.ServeHTTPOrError(w, r)
@@ -34,7 +34,7 @@ func TestBootstrapHandler_ServesHTMLWithCSP(t *testing.T) {
 func TestBootstrapHandler_WrongMethod(t *testing.T) {
 	t.Parallel()
 	h := NewBootstrapHandler([]string{"https://connection.keboola.com"}, &stubDevModeChecker{devMode: true}, "app-123")
-	r := httptest.NewRequest("POST", "/_proxy/kai-preview/bootstrap", nil)
+	r := httptest.NewRequestWithContext(t.Context(), "POST", "/_proxy/kai-preview/bootstrap", nil)
 	w := httptest.NewRecorder()
 	err := h.ServeHTTPOrError(w, r)
 	require.NoError(t, err)
@@ -44,7 +44,7 @@ func TestBootstrapHandler_WrongMethod(t *testing.T) {
 func TestBootstrapHandler_NonDevModeReturns404(t *testing.T) {
 	t.Parallel()
 	h := NewBootstrapHandler([]string{"https://connection.keboola.com"}, &stubDevModeChecker{devMode: false}, "app-123")
-	r := httptest.NewRequest(http.MethodGet, "/_proxy/kai-preview/bootstrap", nil)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/_proxy/kai-preview/bootstrap", nil)
 	w := httptest.NewRecorder()
 	err := h.ServeHTTPOrError(w, r)
 	require.NoError(t, err)

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/kaipreview/endpoints/exchange.go

@@ -46,13 +46,13 @@ func (h *ExchangeHandler) ServeHTTPOrError(w http.ResponseWriter, r *http.Reques
 	}
 	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Token == "" {
 		http.Error(w, "invalid body", http.StatusBadRequest)
-		return nil
+		return nil //nolint:nilerr // intentional: decode error handled via HTTP 400 response
 	}
 
 	claims, err := kaipreview.VerifyHandshakeJWT(h.deps.HandshakeKey, h.deps.Clock, body.Token)
 	if err != nil {
 		http.Error(w, "invalid handshake token", http.StatusUnauthorized)
-		return nil
+		return nil //nolint:nilerr // intentional: invalid token handled via HTTP 401 response
 	}
 	if claims.AppID != h.deps.AppID || claims.ProjectID != h.deps.AppProjectID {
 		http.Error(w, "handshake token scope mismatch", http.StatusForbidden)

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/kaipreview/endpoints/exchange_test.go

@@ -40,12 +40,13 @@ func TestExchangeHandler_Success(t *testing.T) {
 	h := newTestExchangeHandler(true)
 	jwt := mintForTest(t, "app-123", "proj-456")
 
-	body, _ := json.Marshal(map[string]string{"token": jwt})
-	r := httptest.NewRequest(http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
+	body, err := json.Marshal(map[string]string{"token": jwt})
+	require.NoError(t, err)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
 	r.Header.Set("Content-Type", "application/json")
 	w := httptest.NewRecorder()
 
-	err := h.ServeHTTPOrError(w, r)
+	err = h.ServeHTTPOrError(w, r)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, w.Code)
 
@@ -59,11 +60,12 @@ func TestExchangeHandler_InvalidJWT(t *testing.T) {
 	t.Parallel()
 	h := newTestExchangeHandler(true)
 
-	body, _ := json.Marshal(map[string]string{"token": "not-a-jwt"})
-	r := httptest.NewRequest(http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
+	body, err := json.Marshal(map[string]string{"token": "not-a-jwt"})
+	require.NoError(t, err)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
 	w := httptest.NewRecorder()
 
-	err := h.ServeHTTPOrError(w, r)
+	err = h.ServeHTTPOrError(w, r)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusUnauthorized, w.Code)
 }
@@ -73,11 +75,12 @@ func TestExchangeHandler_AppIDMismatch(t *testing.T) {
 	h := newTestExchangeHandler(true)
 	jwt := mintForTest(t, "different-app", "proj-456")
 
-	body, _ := json.Marshal(map[string]string{"token": jwt})
-	r := httptest.NewRequest(http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
+	body, err := json.Marshal(map[string]string{"token": jwt})
+	require.NoError(t, err)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
 	w := httptest.NewRecorder()
 
-	err := h.ServeHTTPOrError(w, r)
+	err = h.ServeHTTPOrError(w, r)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusForbidden, w.Code)
 }
@@ -87,11 +90,12 @@ func TestExchangeHandler_ProjectMismatch(t *testing.T) {
 	h := newTestExchangeHandler(true)
 	jwt := mintForTest(t, "app-123", "different-project")
 
-	body, _ := json.Marshal(map[string]string{"token": jwt})
-	r := httptest.NewRequest(http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
+	body, err := json.Marshal(map[string]string{"token": jwt})
+	require.NoError(t, err)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
 	w := httptest.NewRecorder()
 
-	err := h.ServeHTTPOrError(w, r)
+	err = h.ServeHTTPOrError(w, r)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusForbidden, w.Code)
 }
@@ -101,19 +105,20 @@ func TestExchangeHandler_DevModeOff(t *testing.T) {
 	h := newTestExchangeHandler(false)
 	jwt := mintForTest(t, "app-123", "proj-456")
 
-	body, _ := json.Marshal(map[string]string{"token": jwt})
-	r := httptest.NewRequest(http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
+	body, err := json.Marshal(map[string]string{"token": jwt})
+	require.NoError(t, err)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader(body))
 	w := httptest.NewRecorder()
 
-	err := h.ServeHTTPOrError(w, r)
+	err = h.ServeHTTPOrError(w, r)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusNotFound, w.Code)
 }
 
 func TestExchangeHandler_WrongMethod(t *testing.T) {
 	t.Parallel()
 	h := newTestExchangeHandler(true)
-	r := httptest.NewRequest(http.MethodGet, "/_proxy/kai-preview/exchange", nil)
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/_proxy/kai-preview/exchange", nil)
 	w := httptest.NewRecorder()
 
 	err := h.ServeHTTPOrError(w, r)
@@ -124,7 +129,7 @@ func TestExchangeHandler_WrongMethod(t *testing.T) {
 func TestExchangeHandler_EmptyBody(t *testing.T) {
 	t.Parallel()
 	h := newTestExchangeHandler(true)
-	r := httptest.NewRequest(http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader([]byte("{}")))
+	r := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/_proxy/kai-preview/exchange", bytes.NewReader([]byte("{}")))
 	w := httptest.NewRecorder()
 
 	err := h.ServeHTTPOrError(w, r)

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/kaipreview/endpoints/handler.go

@@ -13,7 +13,7 @@ import (
 )
 
 // PathPrefix is the URL prefix all kai-preview endpoints live under.
-var PathPrefix = config.InternalPrefix + "/kai-preview"
+const PathPrefix = config.InternalPrefix + "/kai-preview"
 
 const (
 	pathHandshakeToken = "/handshake-token"