WIP: Add GitLab platform OAuth config#1545
Draft
simple-agent-manager[bot] wants to merge 6 commits into
Draft
Conversation
Contributor
29 tasks
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



WIP status
DRAFT PR. DO NOT MARK READY. DO NOT MERGE.
DO NOT DEPLOY TO STAGING, DO NOT RUN STAGING VERIFICATION, AND DO NOT MUTATE STAGING. Phase 6 was intentionally skipped by explicit user instruction.
Summary
Conflict resolution
Merged current origin/main normally. The only conflicts were the self-hosting and configuration documentation tables. Resolution retained main's Cloudflare Containers permission wording and Google login-vs-infra split while adding GitLab fallback rows.
Validation
Specialist Review Evidence
Staging
Intentionally skipped by explicit instruction. No staging deploy, staging verification, staging mutation, production deploy, PR readiness change, or merge was performed.
Exceptions
Agent Preflight (Required)
Classification
External References
Official documentation for the GitLab OAuth provider was consulted: https://docs.gitlab.com/integration/oauth_provider/ and https://docs.gitlab.com/api/oauth2/. The installed BetterAuth GitLab provider contract was also verified for self-managed issuer endpoint derivation.
Codebase Impact Analysis
Data flow: apps/web setup/admin form fields build the platform config request; apps/api setup/admin routes parse GitLab input; apps/api platform-config validation enforces the host/client contract; apps/api platform-config persists host/client ID in D1 platform_settings and the secret encrypted in platform_credentials; apps/api auth resolves runtime-first/env-fallback config into BetterAuth; apps/web login surfaces consume the provider-status endpoint. scripts/deploy and wrangler mappings provide optional environment fallback.
Documentation & Specs
Updated apps/www/src/content/docs/docs/guides/self-hosting.mdx, apps/www/src/content/docs/docs/reference/configuration.md, apps/www/src/content/docs/docs/architecture/security.md, and the active task record.
Constitution & Risk Check
Checked Principles II, III, IV, VI, X, XI, XII, and XIII. Key risks were credential exposure, setup lockout, self-managed host correctness, Google login/infra OAuth regression, hardcoded deployment URLs, and accidental expansion into GitLab repository support. Secrets remain encrypted, callback URLs derive from BASE_DOMAIN, and repository/workspace support remains out of scope.