refactor(web): fix tryGetPostHogDistinctId to use getAuthenticatedUser

tryGetPostHogDistinctId() was missing OAuth Bearer token resolution,
causing all MCP tool calls to get random distinct_ids (inflated DAU).

Fix: replace the manual cookie/session/API key checks with a call to
getAuthenticatedUser(), which already handles all auth methods (session,
OAuth, API keys). This removes the need to thread userId through
ToolContext, agent options, and all callers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: msukkari

packages/web/src/app/api/(server)/chat/route.ts

@@ -112,7 +112,6 @@ export const POST = apiHandler(async (req: NextRequest) => {
                 modelName: languageModelConfig.displayName ?? languageModelConfig.model,
                 modelProviderOptions: providerOptions,
                 modelTemperature: temperature,
-                userId: user?.id,
                 onFinish: async ({ messages }) => {
                     await updateChatMessages({ chatId: id, messages, prisma });
                 },

packages/web/src/app/api/(server)/mcp/route.ts

@@ -79,7 +79,7 @@ export const POST = apiHandler(async (request: NextRequest) => {
                 },
             });
 
-            const mcpServer = await createMcpServer({ userId: user?.id });
+            const mcpServer = await createMcpServer();
             await mcpServer.connect(transport);
 
             return transport.handleRequest(request);

packages/web/src/features/chat/agent.ts

@@ -43,8 +43,6 @@ interface CreateMessageStreamResponseProps {
     modelProviderOptions?: Record<string, Record<string, JSONValue>>;
     modelTemperature?: number;
     metadata?: Partial<SBChatMessageMetadata>;
-    /** User ID for telemetry attribution on tool_used events. */
-    userId?: string;
 }
 
 export const createMessageStream = async ({
@@ -58,7 +56,6 @@ export const createMessageStream = async ({
     modelTemperature,
     onFinish,
     onError,
-    userId,
 }: CreateMessageStreamResponseProps) => {
     const latestMessage = messages[messages.length - 1];
     const sources = latestMessage.parts
@@ -104,7 +101,6 @@ export const createMessageStream = async ({
                 inputMessages: messageHistory,
                 inputSources: sources,
                 selectedRepos,
-                userId,
                 onWriteSource: (source) => {
                     writer.write({
                         type: 'data-source',
@@ -158,7 +154,6 @@ interface AgentOptions {
     onWriteSource: (source: Source) => void;
     traceId: string;
     chatId: string;
-    userId?: string;
 }
 
 const createAgentStream = async ({
@@ -171,7 +166,6 @@ const createAgentStream = async ({
     onWriteSource,
     traceId,
     chatId,
-    userId,
 }: AgentOptions) => {
     // For every file source, resolve the source code so that we can include it in the system prompt.
     const fileSources = inputSources.filter((source) => source.type === 'file');
@@ -208,7 +202,7 @@ const createAgentStream = async ({
         providerOptions,
         messages: inputMessages,
         system: systemPrompt,
-        tools: createTools({ source: 'sourcebot-ask-agent', selectedRepos, userId }),
+        tools: createTools({ source: 'sourcebot-ask-agent', selectedRepos }),
         temperature: temperature ?? env.SOURCEBOT_CHAT_MODEL_TEMPERATURE,
         stopWhen: [
             stepCountIsGTE(env.SOURCEBOT_CHAT_MAX_STEP_COUNT),

packages/web/src/features/mcp/askCodebase.ts

@@ -159,7 +159,6 @@ export const askCodebase = (params: AskCodebaseParams): Promise<AskCodebaseResul
                 modelName,
                 modelProviderOptions: providerOptions,
                 modelTemperature: temperature,
-                userId: user?.id,
                 onFinish: async ({ messages }) => {
                     finalMessages = messages;
                 },

packages/web/src/features/mcp/server.ts

@@ -25,7 +25,7 @@ import {
 
 const dedent = _dedent.withOptions({ alignValues: true });
 
-export async function createMcpServer(options?: { userId?: string }): Promise<McpServer> {
+export async function createMcpServer(): Promise<McpServer> {
     const server = new McpServer({
         name: 'sourcebot-mcp-server',
         version: SOURCEBOT_VERSION,
@@ -36,7 +36,6 @@ export async function createMcpServer(options?: { userId?: string }): Promise<Mc
 
     const toolContext: ToolContext = {
         source: 'sourcebot-mcp-server',
-        userId: options?.userId,
     }
 
     registerMcpTool(server, grepDefinition, toolContext);
@@ -63,7 +62,7 @@ export async function createMcpServer(options?: { userId?: string }): Promise<Mc
                 toolName: 'list_language_models',
                 source: 'sourcebot-mcp-server',
                 success: true,
-            }, { distinctId: options?.userId });
+            });
             return { content: [{ type: "text", text: JSON.stringify(models) }] };
         }
     );
@@ -112,7 +111,7 @@ export async function createMcpServer(options?: { userId?: string }): Promise<Mc
                         toolName: 'ask_codebase',
                         source: 'sourcebot-mcp-server',
                         success: false,
-                    }, { distinctId: options?.userId });
+                    });
                     return {
                         content: [{ type: "text", text: `Failed to ask codebase: ${result.message}` }],
                     };
@@ -122,7 +121,7 @@ export async function createMcpServer(options?: { userId?: string }): Promise<Mc
                     toolName: 'ask_codebase',
                     source: 'sourcebot-mcp-server',
                     success: true,
-                }, { distinctId: options?.userId });
+                });
 
                 const formattedResponse = dedent`
                 ${result.answer}

packages/web/src/features/tools/adapters.ts

@@ -24,7 +24,7 @@ export function toVercelAITool<TName extends string, TShape extends z.ZodRawShap
                     toolName: def.name,
                     source: context.source ?? 'unknown',
                     success,
-                }, { distinctId: context.userId });
+                });
             }
         },
         toModelOutput: ({ output }) => ({
@@ -67,7 +67,7 @@ export function registerMcpTool<TName extends string, TShape extends z.ZodRawSha
                     toolName: def.name,
                     source: context.source ?? 'unknown',
                     success,
-                }, { distinctId: context.userId });
+                });
             }
         },
     );

packages/web/src/features/tools/types.ts

@@ -17,8 +17,6 @@ export type Source = z.infer<typeof sourceSchema>;
 export interface ToolContext {
     source?: string;
     selectedRepos?: string[];
-    /** User ID for telemetry attribution. When set, tool_used events will be attributed to this user. */
-    userId?: string;
 }
 
 export interface ToolDefinition<

packages/web/src/lib/posthog.ts

@@ -4,8 +4,7 @@ import { RequestCookies } from 'next/dist/compiled/@edge-runtime/cookies';
 import * as Sentry from "@sentry/nextjs";
 import { PosthogEvent, PosthogEventMap } from './posthogEvents';
 import { cookies, headers } from 'next/headers';
-import { auth } from '@/auth';
-import { getVerifiedApiObject } from '@/middleware/withAuth';
+import { getAuthenticatedUser } from '@/middleware/withAuth';
 
 /**
  * @note: This is a subset of the properties stored in the
@@ -53,28 +52,19 @@ const getPostHogCookie = (cookieStore: Pick<RequestCookies, 'get'>): PostHogCook
  * Attempts to retrieve the distinct id of the current user.
  */
 export const tryGetPostHogDistinctId = async () => {
-    // First, attempt to retrieve the distinct id from the cookie.
+    // First, attempt to retrieve the distinct id from the PostHog cookie
+    // (set by the client-side PostHog SDK). This preserves identity
+    // continuity between client-side and server-side events.
     const cookieStore = await cookies();
     const cookie = getPostHogCookie(cookieStore);
     if (cookie) {
         return cookie.distinct_id;
     }
 
-    // Next, from the session.
-    const session = await auth();
-    if (session) {
-        return session.user.id;
-    }
-
-    // Finally, from the api key.
-    const headersList = await headers();
-    const apiKeyString = headersList.get("X-Sourcebot-Api-Key") ?? undefined;
-    if (!apiKeyString) {
-        return undefined;
-    }
-
-    const apiKey = await getVerifiedApiObject(apiKeyString);
-    return apiKey?.createdById;
+    // Fall back to the authenticated user's ID. This covers all auth
+    // methods: session cookies, OAuth Bearer tokens, and API keys.
+    const authResult = await getAuthenticatedUser();
+    return authResult?.user.id;
 }
 
 export const createPostHogClient = async () => {
@@ -87,13 +77,13 @@ export const createPostHogClient = async () => {
     return posthog;
 }
 
-export async function captureEvent<E extends PosthogEvent>(event: E, properties: PosthogEventMap[E], options?: { distinctId?: string }) {
+export async function captureEvent<E extends PosthogEvent>(event: E, properties: PosthogEventMap[E]) {
     try {
         if (env.SOURCEBOT_TELEMETRY_DISABLED === 'true') {
             return;
         }
 
-        const distinctId = options?.distinctId ?? await tryGetPostHogDistinctId();
+        const distinctId = await tryGetPostHogDistinctId();
         const posthog = await createPostHogClient();
 
         const headersList = await headers();