Skip to content

WIP: Add GitLab platform OAuth config#1545

Draft
simple-agent-manager[bot] wants to merge 6 commits into
mainfrom
sam/gitlab-platform-config-wip
Draft

WIP: Add GitLab platform OAuth config#1545
simple-agent-manager[bot] wants to merge 6 commits into
mainfrom
sam/gitlab-platform-config-wip

Conversation

@simple-agent-manager

@simple-agent-manager simple-agent-manager Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

WIP status

DRAFT PR. DO NOT MARK READY. DO NOT MERGE.

DO NOT DEPLOY TO STAGING, DO NOT RUN STAGING VERIFICATION, AND DO NOT MUTATE STAGING. Phase 6 was intentionally skipped by explicit user instruction.

Summary

  • Adds GitLab OAuth to DB-backed platform integration config with encrypted runtime secret storage and optional GITLAB_* environment fallback.
  • Supports validated self-managed GitLab hosts and GitLab-only setup completion without adding repository/workspace support.
  • Wires GitLab sign-in through BetterAuth and the existing setup, admin, landing, device-auth, and trial login surfaces.
  • Preserves the separate GOOGLE_LOGIN_* versus GOOGLE_* infrastructure OAuth invariant from feat: first-run admin setup wizard with DB-backed platform config #1528.
  • Updates deployment mappings, public self-hosting/configuration/security docs, and focused tests.

Conflict resolution

Merged current origin/main normally. The only conflicts were the self-hosting and configuration documentation tables. Resolution retained main's Cloudflare Containers permission wording and Google login-vs-infra split while adding GitLab fallback rows.

Validation

  • Focused API tests: 5 files, 42 tests passed.
  • pnpm lint: passed.
  • pnpm typecheck: passed.
  • Local mocked Playwright audit: passed for iPhone SE (375x667) and Desktop (1280x800), covering setup/admin/landing/device/trial login surfaces with overflow assertions and screenshots.
  • Full pnpm test and pnpm build were launched after dependency synchronization; final local result is pending while CI runs.

Specialist Review Evidence

Reviewer Status Outcome
security-auditor PASS Direct checklist review: encrypted secret path retained, no plaintext response/logging, HTTPS host validation with localhost-only HTTP exception.
cloudflare-specialist PASS D1 settings and encrypted platform_credentials patterns reuse existing Workers-safe services; wrangler secrets remain secret bindings.
env-validator PASS GITLAB_* names align across Env, examples, wrangler, workflow, configure-secrets, and deploy types; GOOGLE_LOGIN_* split preserved.
ui-ux-specialist PASS Mocked mobile and desktop Playwright audit passed across all changed login/config surfaces with overflow assertions.
doc-sync-validator PASS Public self-hosting, configuration, and security docs match runtime/config behavior and static callback URI.
constitution-validator PASS Config derives GitLab host/endpoints from runtime/env values; no new deployment-specific internal URL or timeout/limit.
test-engineer PASS Resolver, encryption, route persistence, setup validation/completion, provider status/auth wiring, UI unit and Playwright coverage present.
task-completion-validator PASS Checks A-F passed: checklist maps to diff; criteria covered; GitLab form fields propagate UI → request types/routes → encrypted D1 storage.

Staging

Intentionally skipped by explicit instruction. No staging deploy, staging verification, staging mutation, production deploy, PR readiness change, or merge was performed.

Exceptions

  • Scope: /do Phase 6 staging verification.
  • Rationale: Explicit user instruction because other agents are actively using staging.
  • Expiration: This draft PR only.

Agent Preflight (Required)

  • Preflight completed before code changes

Classification

  • external-api-change
  • cross-component-change
  • business-logic-change
  • public-surface-change
  • docs-sync-change
  • security-sensitive-change
  • ui-change
  • infra-change

External References

Official documentation for the GitLab OAuth provider was consulted: https://docs.gitlab.com/integration/oauth_provider/ and https://docs.gitlab.com/api/oauth2/. The installed BetterAuth GitLab provider contract was also verified for self-managed issuer endpoint derivation.

Codebase Impact Analysis

Data flow: apps/web setup/admin form fields build the platform config request; apps/api setup/admin routes parse GitLab input; apps/api platform-config validation enforces the host/client contract; apps/api platform-config persists host/client ID in D1 platform_settings and the secret encrypted in platform_credentials; apps/api auth resolves runtime-first/env-fallback config into BetterAuth; apps/web login surfaces consume the provider-status endpoint. scripts/deploy and wrangler mappings provide optional environment fallback.

Documentation & Specs

Updated apps/www/src/content/docs/docs/guides/self-hosting.mdx, apps/www/src/content/docs/docs/reference/configuration.md, apps/www/src/content/docs/docs/architecture/security.md, and the active task record.

Constitution & Risk Check

Checked Principles II, III, IV, VI, X, XI, XII, and XIII. Key risks were credential exposure, setup lockout, self-managed host correctness, Google login/infra OAuth regression, hardcoded deployment URLs, and accidental expansion into GitLab repository support. Secrets remain encrypted, callback URLs derive from BASE_DOMAIN, and repository/workspace support remains out of scope.

@codspeed-hq

codspeed-hq Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Merging this PR will not alter performance

✅ 6 untouched benchmarks


Comparing sam/gitlab-platform-config-wip (cd034b0) with main (688db71)

Open in CodSpeed

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant