RubyGems - legate - Versions diffs - 0.1.0 - Mend

legate 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

checksums.yaml +7 -0
data/LICENSE +21 -0
data/README.md +345 -0
data/bin/legate +13 -0
data/examples/00_quickstart.rb +51 -0
data/examples/01_simple_agent.rb +105 -0
data/examples/02_multi_tool_agent.rb +140 -0
data/examples/03_custom_tool.rb +93 -0
data/examples/04_agent_instructions.rb +84 -0
data/examples/05_state_and_sessions.rb +91 -0
data/examples/06_callbacks.rb +186 -0
data/examples/07_async_jobs.rb +112 -0
data/examples/08_loop_agent.rb +197 -0
data/examples/09_sequential_workflow.rb +40 -0
data/examples/10_parallel_workflow.rb +34 -0
data/examples/11_agent_delegation.rb +24 -0
data/examples/12_http_client_tool.rb +156 -0
data/examples/13_authentication.rb +220 -0
data/examples/14_mcp_client.rb +154 -0
data/examples/15_mcp_server.rb +79 -0
data/examples/16_webhooks.rb +91 -0
data/examples/README_sequential_agents.md +164 -0
data/examples/advanced/auth/cookie_auth_tool.rb +146 -0
data/examples/advanced/auth/custom_auth_flows_example.rb +626 -0
data/examples/advanced/auth/excon_middleware.rb +317 -0
data/examples/advanced/auth/excon_middleware_auth.rb +399 -0
data/examples/advanced/auth/fiber_auth_example.rb +281 -0
data/examples/advanced/auth/fiber_oidc_example.rb +403 -0
data/examples/advanced/auth/httpbin_bearer_tool.rb +159 -0
data/examples/advanced/auth/oauth2_auth.rb +419 -0
data/examples/advanced/auth/oidc_auth.rb +514 -0
data/examples/advanced/auth/openweather_api.rb +251 -0
data/examples/advanced/auth/openweather_tool.rb +153 -0
data/examples/advanced/auth/query_param_middleware_test.rb +138 -0
data/examples/advanced/auth/service_account.rb +135 -0
data/examples/advanced/auth/test_with_httpbin.rb +202 -0
data/examples/advanced/auth/token_lifecycle_example.rb +428 -0
data/examples/advanced/callback_monitoring.rb +679 -0
data/examples/advanced/mas/fixed_delegation_example.rb +191 -0
data/examples/advanced/mas/loop_workflow.rb +28 -0
data/examples/advanced/mas/mock_planner.rb +77 -0
data/examples/advanced/mas/proper_delegation_example.rb +276 -0
data/examples/advanced/mcp/legate_mcp_server_resource_example.rb +182 -0
data/examples/advanced/mcp/mcp_resource_server_example.rb +309 -0
data/examples/advanced/mcp/mcp_server_async.rb +76 -0
data/examples/advanced/mcp/mcp_server_async_tools.rb +122 -0
data/examples/advanced/mcp/mcp_server_legate_agent.rb +95 -0
data/examples/advanced/mcp/mcp_server_rack.rb +89 -0
data/examples/advanced/random_calculator.rb +104 -0
data/examples/advanced/sleep_agent.rb +153 -0
data/examples/advanced/webhooks/webhook_e2e_runner.rb +110 -0
data/examples/advanced/webhooks/webhook_receiver_agent.rb +58 -0
data/examples/advanced/workflows/task_refinement_loop_agent.rb +278 -0
data/examples/advanced/workflows/travel_planner_auto_sequential.rb +444 -0
data/examples/advanced/workflows/travel_planner_parallel.rb +656 -0
data/examples/advanced/workflows/travel_planner_sequential.rb +512 -0
data/examples/tools/oauth2_example.rb +136 -0
data/examples/tools/sleepy_tool.rb +42 -0
data/lib/legate/activity_log.rb +71 -0
data/lib/legate/agent.rb +959 -0
data/lib/legate/agent_code_generator.rb +185 -0
data/lib/legate/agent_definition.rb +812 -0
data/lib/legate/agentic/decision.rb +49 -0
data/lib/legate/agentic/loop.rb +134 -0
data/lib/legate/agentic.rb +5 -0
data/lib/legate/agents/loop_agent.rb +248 -0
data/lib/legate/agents/parallel_agent.rb +163 -0
data/lib/legate/agents/sequential_agent.rb +190 -0
data/lib/legate/agents.rb +14 -0
data/lib/legate/auth/config.rb +148 -0
data/lib/legate/auth/coordinator.rb +218 -0
data/lib/legate/auth/coordinators/oauth2_coordinator.rb +99 -0
data/lib/legate/auth/coordinators/oidc_coordinator.rb +68 -0
data/lib/legate/auth/coordinators/service_account_coordinator.rb +122 -0
data/lib/legate/auth/credential.rb +157 -0
data/lib/legate/auth/encryption.rb +108 -0
data/lib/legate/auth/error.rb +94 -0
data/lib/legate/auth/exchanged_credential.rb +180 -0
data/lib/legate/auth/excon_middleware.rb +285 -0
data/lib/legate/auth/http_client_utils.rb +364 -0
data/lib/legate/auth/manager.rb +531 -0
data/lib/legate/auth/manager_store.rb +394 -0
data/lib/legate/auth/middleware_factory.rb +290 -0
data/lib/legate/auth/runner.rb +279 -0
data/lib/legate/auth/scheme.rb +125 -0
data/lib/legate/auth/schemes/api_key.rb +212 -0
data/lib/legate/auth/schemes/google_service_account.rb +108 -0
data/lib/legate/auth/schemes/http_bearer.rb +98 -0
data/lib/legate/auth/schemes/oauth2.rb +396 -0
data/lib/legate/auth/schemes/openid_connect.rb +346 -0
data/lib/legate/auth/schemes/service_account.rb +388 -0
data/lib/legate/auth/schemes.rb +40 -0
data/lib/legate/auth/token_manager.rb +362 -0
data/lib/legate/auth/token_store.rb +86 -0
data/lib/legate/auth/tool_context_extension.rb +97 -0
data/lib/legate/auth/tool_integration.rb +188 -0
data/lib/legate/auth/url_guard.rb +81 -0
data/lib/legate/auth.rb +453 -0
data/lib/legate/callbacks/callback_context.rb +71 -0
data/lib/legate/cli/agent_commands.rb +950 -0
data/lib/legate/cli/auth_commands.rb +520 -0
data/lib/legate/cli/base_command.rb +24 -0
data/lib/legate/cli/deployment_commands.rb +934 -0
data/lib/legate/cli/output_helper.rb +108 -0
data/lib/legate/cli/session_commands.rb +138 -0
data/lib/legate/cli/skaffold_commands.rb +223 -0
data/lib/legate/cli/tool_commands.rb +261 -0
data/lib/legate/cli/web_commands.rb +182 -0
data/lib/legate/cli.rb +40 -0
data/lib/legate/configuration/webhooks.rb +113 -0
data/lib/legate/configuration.rb +39 -0
data/lib/legate/definition_store.rb +23 -0
data/lib/legate/errors.rb +118 -0
data/lib/legate/event.rb +161 -0
data/lib/legate/gemini_ai_beta_patch.rb +39 -0
data/lib/legate/generators/agent_generator.rb +412 -0
data/lib/legate/generators/code_validator.rb +48 -0
data/lib/legate/generators/legate/install_generator.rb +35 -0
data/lib/legate/generators/legate/templates/create_legate_tables.rb.tt +36 -0
data/lib/legate/generators/legate/templates/initializer.rb +18 -0
data/lib/legate/generators/runtime_tool_loader.rb +76 -0
data/lib/legate/generators/tool_generator.rb +408 -0
data/lib/legate/generators.rb +11 -0
data/lib/legate/global_definition_registry.rb +506 -0
data/lib/legate/global_tool_manager.rb +135 -0
data/lib/legate/llm/adapter.rb +69 -0
data/lib/legate/llm/gemini.rb +172 -0
data/lib/legate/llm/ollama.rb +80 -0
data/lib/legate/llm.rb +34 -0
data/lib/legate/mcp/client.rb +320 -0
data/lib/legate/mcp/connection/sse.rb +292 -0
data/lib/legate/mcp/connection/stdio.rb +273 -0
data/lib/legate/mcp/connection_manager.rb +103 -0
data/lib/legate/mcp/server/legate_agent_adapter.rb +170 -0
data/lib/legate/mcp/server/legate_direct_agent_adapter.rb +140 -0
data/lib/legate/mcp/server/legate_tool_adapter.rb +119 -0
data/lib/legate/mcp/tool_wrapper.rb +138 -0
data/lib/legate/mcp/util/schema_converter.rb +134 -0
data/lib/legate/mcp.rb +23 -0
data/lib/legate/plan_executor.rb +375 -0
data/lib/legate/planner.rb +839 -0
data/lib/legate/rails/railtie.rb +43 -0
data/lib/legate/rails.rb +9 -0
data/lib/legate/redaction.rb +32 -0
data/lib/legate/session.rb +299 -0
data/lib/legate/session_service/active_record.rb +300 -0
data/lib/legate/session_service/base.rb +68 -0
data/lib/legate/session_service/event_broadcast.rb +74 -0
data/lib/legate/session_service/in_memory.rb +188 -0
data/lib/legate/tool/metadata_dsl.rb +122 -0
data/lib/legate/tool.rb +276 -0
data/lib/legate/tool_code_generator.rb +103 -0
data/lib/legate/tool_context.rb +350 -0
data/lib/legate/tool_loader.rb +39 -0
data/lib/legate/tool_registry.rb +73 -0
data/lib/legate/tool_result.rb +61 -0
data/lib/legate/tools/agent_tool.rb +187 -0
data/lib/legate/tools/base/http_client.rb +319 -0
data/lib/legate/tools/base/safe_url.rb +56 -0
data/lib/legate/tools/base_async_job_tool.rb +91 -0
data/lib/legate/tools/calculator.rb +89 -0
data/lib/legate/tools/cat_facts.rb +81 -0
data/lib/legate/tools/check_job_status_tool.rb +48 -0
data/lib/legate/tools/current_time_tool.rb +64 -0
data/lib/legate/tools/echo.rb +43 -0
data/lib/legate/tools/http_request_tool.rb +105 -0
data/lib/legate/tools/random_number_tool.rb +64 -0
data/lib/legate/tools/read_webpage_tool.rb +92 -0
data/lib/legate/tools/sleepy_tool.rb +74 -0
data/lib/legate/tools/webhook_tool.rb +146 -0
data/lib/legate/version.rb +5 -0
data/lib/legate/web/app.rb +984 -0
data/lib/legate/web/public/css/main.css +4980 -0
data/lib/legate/web/public/images/favicon-256.png +0 -0
data/lib/legate/web/public/images/favicon-32.png +0 -0
data/lib/legate/web/public/images/legate-logo-dark.png +0 -0
data/lib/legate/web/public/images/legate-logo-light.png +0 -0
data/lib/legate/web/public/js/legate.js +616 -0
data/lib/legate/web/public/styles/main.scss +4402 -0
data/lib/legate/web/routes/agent_authentication_routes.rb +530 -0
data/lib/legate/web/routes/agent_definition_routes.rb +803 -0
data/lib/legate/web/routes/agent_generator_routes.rb +80 -0
data/lib/legate/web/routes/agent_interaction_routes.rb +734 -0
data/lib/legate/web/routes/agent_runtime_routes.rb +323 -0
data/lib/legate/web/routes/api_routes.rb +56 -0
data/lib/legate/web/routes/authentication_routes.rb +1541 -0
data/lib/legate/web/routes/core_routes.rb +111 -0
data/lib/legate/web/routes/documentation_routes.rb +220 -0
data/lib/legate/web/routes/tool_generator_routes.rb +81 -0
data/lib/legate/web/routes/tools_ui_routes.rb +207 -0
data/lib/legate/web/sass_compiler.rb +73 -0
data/lib/legate/web/views/_active_session_info.slim +25 -0
data/lib/legate/web/views/_activity_list.slim +55 -0
data/lib/legate/web/views/_agent_card.slim +56 -0
data/lib/legate/web/views/_agent_generator_modal.slim +382 -0
data/lib/legate/web/views/_agent_status_controls.slim +71 -0
data/lib/legate/web/views/_agent_tool_table.slim +74 -0
data/lib/legate/web/views/_chat_message.slim +95 -0
data/lib/legate/web/views/_display_agent_configuration.slim +26 -0
data/lib/legate/web/views/_display_agent_description.slim +11 -0
data/lib/legate/web/views/_display_agent_fallback.slim +15 -0
data/lib/legate/web/views/_display_agent_hierarchy.slim +93 -0
data/lib/legate/web/views/_display_agent_instruction.slim +17 -0
data/lib/legate/web/views/_display_agent_mcp.slim +13 -0
data/lib/legate/web/views/_display_agent_model.slim +17 -0
data/lib/legate/web/views/_display_agent_name.slim +42 -0
data/lib/legate/web/views/_display_agent_output_key.slim +26 -0
data/lib/legate/web/views/_display_agent_type.slim +65 -0
data/lib/legate/web/views/_edit_agent_configuration.slim +74 -0
data/lib/legate/web/views/_edit_agent_description.slim +16 -0
data/lib/legate/web/views/_edit_agent_fallback.slim +25 -0
data/lib/legate/web/views/_edit_agent_hierarchy.slim +98 -0
data/lib/legate/web/views/_edit_agent_instruction.slim +49 -0
data/lib/legate/web/views/_edit_agent_mcp.slim +33 -0
data/lib/legate/web/views/_edit_agent_model.slim +23 -0
data/lib/legate/web/views/_edit_agent_output_key.slim +36 -0
data/lib/legate/web/views/_edit_agent_tools.slim +40 -0
data/lib/legate/web/views/_edit_agent_type.slim +67 -0
data/lib/legate/web/views/_session_error.slim +4 -0
data/lib/legate/web/views/_skeleton.slim +69 -0
data/lib/legate/web/views/_tool_card.slim +9 -0
data/lib/legate/web/views/_tool_generator_modal.slim +311 -0
data/lib/legate/web/views/agent.slim +436 -0
data/lib/legate/web/views/agent_auth.slim +562 -0
data/lib/legate/web/views/agents.slim +369 -0
data/lib/legate/web/views/auth.slim +112 -0
data/lib/legate/web/views/auth_credential_detail.slim +327 -0
data/lib/legate/web/views/auth_credentials.slim +261 -0
data/lib/legate/web/views/auth_debug.slim +94 -0
data/lib/legate/web/views/auth_mapping_detail.slim +151 -0
data/lib/legate/web/views/auth_mapping_new.slim +123 -0
data/lib/legate/web/views/auth_mappings.slim +120 -0
data/lib/legate/web/views/auth_scheme_detail.slim +274 -0
data/lib/legate/web/views/auth_schemes.slim +259 -0
data/lib/legate/web/views/auth_test.slim +418 -0
data/lib/legate/web/views/chat.slim +192 -0
data/lib/legate/web/views/docs_index.slim +105 -0
data/lib/legate/web/views/docs_show.slim +105 -0
data/lib/legate/web/views/error_404.slim +5 -0
data/lib/legate/web/views/index.slim +148 -0
data/lib/legate/web/views/layout.slim +144 -0
data/lib/legate/web/views/tool_detail.slim +87 -0
data/lib/legate/web/views/tools.slim +50 -0
data/lib/legate/web/webhook_listener.rb +367 -0
data/lib/legate/web.rb +9 -0
data/lib/legate.rb +220 -0
data/public/docs/advanced/callbacks.md +828 -0
data/public/docs/advanced/mcp_schema_conversion.md +59 -0
data/public/docs/authentication/api_reference/config.md +210 -0
data/public/docs/authentication/api_reference/credential.md +246 -0
data/public/docs/authentication/api_reference/encryption.md +218 -0
data/public/docs/authentication/api_reference/exchanged_credential.md +271 -0
data/public/docs/authentication/api_reference/excon_middleware.md +175 -0
data/public/docs/authentication/api_reference/index.md +30 -0
data/public/docs/authentication/api_reference/scheme.md +250 -0
data/public/docs/authentication/api_reference/schemes/api_key.md +175 -0
data/public/docs/authentication/api_reference/schemes/google_service_account.md +221 -0
data/public/docs/authentication/api_reference/schemes/http_bearer.md +169 -0
data/public/docs/authentication/api_reference/schemes/oauth2.md +343 -0
data/public/docs/authentication/api_reference/schemes/oidc.md +73 -0
data/public/docs/authentication/api_reference/schemes/openid_connect.md +311 -0
data/public/docs/authentication/api_reference/schemes/service_account.md +287 -0
data/public/docs/authentication/api_reference/token_manager.md +221 -0
data/public/docs/authentication/api_reference/token_store.md +146 -0
data/public/docs/authentication/api_reference/tool_context_extension.md +166 -0
data/public/docs/authentication/guides/api_key.md +190 -0
data/public/docs/authentication/guides/bearer.md +172 -0
data/public/docs/authentication/guides/configuration.md +255 -0
data/public/docs/authentication/guides/custom_flow.md +523 -0
data/public/docs/authentication/guides/index.md +24 -0
data/public/docs/authentication/guides/migration.md +435 -0
data/public/docs/authentication/guides/oauth2.md +252 -0
data/public/docs/authentication/guides/oidc.md +241 -0
data/public/docs/authentication/guides/overview.md +155 -0
data/public/docs/authentication/guides/secure_storage.md +301 -0
data/public/docs/authentication/guides/service_account.md +228 -0
data/public/docs/authentication/guides/token_lifecycle.md +295 -0
data/public/docs/authentication/guides/web_ui_integration.md +504 -0
data/public/docs/authentication/index.md +58 -0
data/public/docs/authentication/troubleshooting/credential_storage.md +550 -0
data/public/docs/authentication/troubleshooting/environment_variables.md +540 -0
data/public/docs/authentication/troubleshooting/index.md +11 -0
data/public/docs/authentication/troubleshooting/oauth2_issues.md +220 -0
data/public/docs/authentication/troubleshooting/oidc_issues.md +412 -0
data/public/docs/authentication/troubleshooting/token_refresh.md +338 -0
data/public/docs/cli/legate_cli_usage.md +363 -0
data/public/docs/core_concepts/legate_agent_lifecycle.md +124 -0
data/public/docs/core_concepts/legate_architecture_overview.md +110 -0
data/public/docs/core_concepts/legate_configuration.md +116 -0
data/public/docs/core_concepts/legate_definition_store.md +102 -0
data/public/docs/core_concepts/legate_planner.md +94 -0
data/public/docs/core_concepts/legate_session_service.md +104 -0
data/public/docs/error_handling/legate_error_handling.md +122 -0
data/public/docs/examples.md +199 -0
data/public/docs/getting_started.md +111 -0
data/public/docs/guides/agentic_agents.md +137 -0
data/public/docs/guides/ai_code_generators.md +437 -0
data/public/docs/guides/auto_loading.md +326 -0
data/public/docs/guides/configuring_agent_webhooks.md +219 -0
data/public/docs/guides/http_client_usage.md +264 -0
data/public/docs/guides/llm_providers.md +137 -0
data/public/docs/guides/mcp_client_integration.md +232 -0
data/public/docs/guides/mcp_server_exposure.md +206 -0
data/public/docs/guides/rails_integration.md +128 -0
data/public/docs/guides/sending_outbound_webhooks.md +227 -0
data/public/docs/guides/streaming.md +112 -0
data/public/docs/guides/webhooks.md +288 -0
data/public/docs/introduction.md +51 -0
data/public/docs/multi_agent_systems/advanced_features.md +57 -0
data/public/docs/multi_agent_systems/agent_delegation.md +190 -0
data/public/docs/multi_agent_systems/agent_hierarchy.md +49 -0
data/public/docs/multi_agent_systems/state_management.md +47 -0
data/public/docs/multi_agent_systems/workflow_agents.md +72 -0
data/public/docs/tools/legate_built_in_tools.md +332 -0
data/public/docs/tools/legate_tools_and_registry.md +263 -0
data/public/docs/web_ui/legate_web_ui.md +137 -0
metadata +823 -0

data/lib/legate/web/routes/authentication_routes.rb ADDED Viewed

@@ -0,0 +1,1541 @@
+# File: lib/legate/web/routes/authentication_routes.rb
+# frozen_string_literal: true
+require_relative '../../auth/url_guard' # SSRF guard for credential-test URLs
+module Legate
+  module Web
+    module AuthenticationRoutes
+      def self.registered(app)
+        # Add helper methods to the app
+        app.helpers do
+          # Helper method to get a description for a scheme
+          def get_scheme_description(scheme)
+            case scheme.scheme_type
+            when :api_key
+              'Simple API key authentication for services that use API keys in headers or query parameters'
+            when :http_bearer
+              'HTTP Bearer token authentication and basic auth support'
+            when :oauth2
+              'OAuth2 authorization code flow for secure third-party authentication'
+            when :oidc, :openid_connect
+              'OpenID Connect authentication extending OAuth2 with identity information'
+            when :service_account
+              'Service account authentication with automatic token exchange'
+            when :google_service_account
+              'Google Cloud service account authentication with JSON key files'
+            else
+              "Authentication scheme of type: #{scheme.scheme_type}"
+            end
+          end
+          # Helper method to get a description for a credential
+          def get_credential_description(credential)
+            case credential.auth_type
+            when :api_key
+              'API key credential for service authentication'
+            when :oauth2, :oidc
+              'OAuth2/OIDC client credentials for authorization flows'
+            when :service_account, :google_service_account
+              'Service account credentials for automated authentication'
+            when :http_bearer
+              'Bearer token or basic auth credentials'
+            else
+              "Credential of type: #{credential.auth_type}"
+            end
+          end
+          # Helper method to get masked credential information for display
+          def get_masked_credential_info(credential)
+            info_parts = []
+            # Check for common credential fields and mask them appropriately
+            if credential[:api_key, resolve_env: false]
+              masked_key = mask_sensitive_value(credential[:api_key, resolve_env: false])
+              info_parts << "API Key: #{masked_key}"
+            end
+            info_parts << "Client ID: #{credential[:client_id, resolve_env: false]}" if credential[:client_id, resolve_env: false]
+            if credential[:client_secret, resolve_env: false]
+              masked_secret = mask_sensitive_value(credential[:client_secret, resolve_env: false])
+              info_parts << "Client Secret: #{masked_secret}"
+            end
+            if credential[:bearer_token, resolve_env: false]
+              masked_token = mask_sensitive_value(credential[:bearer_token, resolve_env: false])
+              info_parts << "Bearer Token: #{masked_token}"
+            end
+            info_parts << "Username: #{credential[:username, resolve_env: false]}" if credential[:username, resolve_env: false]
+            info_parts << "Password: #{mask_sensitive_value(credential[:password, resolve_env: false])}" if credential[:password, resolve_env: false]
+            info_parts.empty? ? 'No displayable information' : info_parts.join(', ')
+          end
+          # Helper method to mask sensitive values for display
+          def mask_sensitive_value(value)
+            return '[Not Set]' if value.nil? || value.empty?
+            value_str = value.to_s
+            # Never reveal the head, and never reveal any characters of a short
+            # secret (the old first-3/last-3 mask exposed "secret" as "sec***ret").
+            return '••••••••' if value_str.length < 12
+            "••••••••#{value_str[-4..]}"
+          end
+          # Helper method to get scheme configuration fields
+          def get_scheme_config_fields(scheme_type)
+            case scheme_type.to_sym
+            when :api_key
+              []  # API Key scheme has no configuration
+            when :http_bearer
+              []  # HTTP Bearer scheme has no configuration
+            when :oauth2
+              [
+                { name: 'authorization_url', type: 'url', required: true, label: 'Authorization URL' },
+                { name: 'token_url', type: 'url', required: true, label: 'Token URL' },
+                { name: 'scopes', type: 'text', required: false, label: 'Scopes (space-separated)' },
+                { name: 'use_pkce', type: 'checkbox', required: false, label: 'Use PKCE' },
+                { name: 'revocation_url', type: 'url', required: false, label: 'Revocation URL' }
+              ]
+            when :oidc, :openid_connect
+              [
+                { name: 'authorization_url', type: 'url', required: true, label: 'Authorization URL' },
+                { name: 'token_url', type: 'url', required: true, label: 'Token URL' },
+                { name: 'userinfo_url', type: 'url', required: false, label: 'UserInfo URL' },
+                { name: 'scopes', type: 'text', required: false, label: 'Scopes (space-separated)' },
+                { name: 'use_pkce', type: 'checkbox', required: false, label: 'Use PKCE' }
+              ]
+            when :service_account
+              [
+                { name: 'token_url', type: 'url', required: true, label: 'Token URL' },
+                { name: 'scopes', type: 'text', required: false, label: 'Scopes (space-separated)' }
+              ]
+            when :google_service_account
+              [
+                { name: 'scopes', type: 'text', required: false, label: 'Scopes (space-separated)' }
+              ]
+            else
+              []
+            end
+          end
+          # Helper method to get current scheme configuration
+          def get_scheme_current_config(scheme)
+            config = {}
+            case scheme.scheme_type
+            when :oauth2, :oidc, :openid_connect
+              config['authorization_url'] = scheme.authorization_url if scheme.respond_to?(:authorization_url)
+              config['token_url'] = scheme.token_url if scheme.respond_to?(:token_url)
+              config['scopes'] = scheme.scopes.join(' ') if scheme.respond_to?(:scopes) && scheme.scopes
+              config['use_pkce'] = scheme.use_pkce if scheme.respond_to?(:use_pkce)
+              config['revocation_url'] = scheme.revocation_url if scheme.respond_to?(:revocation_url)
+              config['userinfo_url'] = scheme.userinfo_url if scheme.respond_to?(:userinfo_url)
+            when :service_account, :google_service_account
+              config['token_url'] = scheme.token_url if scheme.respond_to?(:token_url)
+              config['scopes'] = scheme.scopes.join(' ') if scheme.respond_to?(:scopes) && scheme.scopes
+            end
+            config
+          end
+          # Helper method to get compatible credential types for a scheme
+          def get_compatible_credential_types(scheme_type)
+            case scheme_type.to_sym
+            when :api_key
+              ['api_key']
+            when :http_bearer
+              %w[http_bearer bearer_token]
+            when :oauth2, :oidc, :openid_connect
+              %w[oauth2 oidc]
+            when :service_account, :google_service_account
+              %w[service_account google_service_account]
+            else
+              []
+            end
+          end
+          # Helper method to get credential configuration fields
+          def get_credential_config_fields(auth_type)
+            case auth_type.to_sym
+            when :api_key
+              [
+                { name: 'api_key', type: 'password', required: true, label: 'API Key', placeholder: 'Enter your API key' },
+                { name: 'location', type: 'select', required: false, label: 'Location', options: %w[header query cookie], default: 'header' },
+                { name: 'name', type: 'text', required: false, label: 'Parameter Name', placeholder: 'X-API-Key' }
+              ]
+            when :http_bearer
+              [
+                { name: 'bearer_token', type: 'password', required: true, label: 'Bearer Token', placeholder: 'Enter bearer token' }
+              ]
+            when :oauth2, :oidc
+              [
+                { name: 'client_id', type: 'text', required: true, label: 'Client ID', placeholder: 'Enter client ID' },
+                { name: 'client_secret', type: 'password', required: true, label: 'Client Secret', placeholder: 'Enter client secret' },
+                { name: 'redirect_uri', type: 'url', required: false, label: 'Redirect URI', placeholder: 'https://your-app.com/callback' },
+                { name: 'scopes', type: 'text', required: false, label: 'Scopes (space-separated)', placeholder: 'read write' }
+              ]
+            when :service_account
+              [
+                { name: 'client_email', type: 'email', required: true, label: 'Client Email', placeholder: 'service-account@project.iam.gserviceaccount.com' },
+                { name: 'private_key', type: 'textarea', required: true, label: 'Private Key', placeholder: '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----' },
+                { name: 'project_id', type: 'text', required: false, label: 'Project ID', placeholder: 'your-project-id' }
+              ]
+            when :google_service_account
+              [
+                { name: 'service_account_key', type: 'textarea', required: true, label: 'Service Account Key (JSON)', placeholder: '{"type": "service_account", "project_id": "..."}' }
+              ]
+            when :basic
+              [
+                { name: 'username', type: 'text', required: true, label: 'Username', placeholder: 'Enter username' },
+                { name: 'password', type: 'password', required: true, label: 'Password', placeholder: 'Enter password' }
+              ]
+            else
+              []
+            end
+          end
+          # Helper method to get current credential configuration (masked)
+          def get_credential_current_config(credential)
+            config = {}
+            # Get all attributes but mask sensitive ones
+            credential.to_h(resolve_env: false).each do |key, value|
+              next if key == :auth_type
+              config[key.to_s] = if sensitive_credential_field?(key)
+                                   mask_sensitive_value(value)
+                                 else
+                                   value
+                                 end
+            end
+            config
+          end
+          # Helper method to check if a credential field is sensitive
+          def sensitive_credential_field?(field_name)
+            sensitive_fields = %i[api_key client_secret bearer_token password private_key service_account_key token]
+            sensitive_fields.include?(field_name.to_sym)
+          end
+          # Helper method to get compatible schemes for a credential type
+          def get_compatible_schemes_for_credential(auth_type)
+            auth_manager = Legate::Auth::Manager.instance
+            schemes = auth_manager.schemes || {}
+            compatible_schemes = schemes.select do |scheme_name, scheme|
+              case auth_type.to_sym
+              when :api_key
+                scheme.scheme_type == :api_key
+              when :http_bearer
+                scheme.scheme_type == :http_bearer
+              when :oauth2, :oidc
+                %i[oauth2 oidc openid_connect].include?(scheme.scheme_type)
+              when :service_account, :google_service_account
+                %i[service_account google_service_account].include?(scheme.scheme_type)
+              when :basic
+                scheme.scheme_type == :http_bearer
+              else
+                false
+              end
+            end
+            compatible_schemes.keys
+          end
+          # Helper method to get mapping configuration fields
+          def get_mapping_config_fields
+            [
+              { name: 'pattern', type: 'text', required: true, label: 'URL Pattern', placeholder: 'e.g. https://api.example.com/v1/* or ^https://.*\\.example\\.com/.*$' },
+              { name: 'pattern_type', type: 'select', required: true, label: 'Pattern Type', options: %w[string regex], default: 'string' },
+              { name: 'scheme_name', type: 'select', required: true, label: 'Authentication Scheme' },
+              { name: 'credential_name', type: 'select', required: true, label: 'Credential' },
+              { name: 'priority', type: 'number', required: false, label: 'Priority', placeholder: '1' },
+              { name: 'active', type: 'checkbox', required: false, label: 'Active', default: true }
+            ]
+          end
+          # Helper to validate a mapping pattern
+          def valid_mapping_pattern?(pattern, pattern_type)
+            return false if pattern.nil? || pattern.strip.empty?
+            if pattern_type == 'regex'
+              begin
+                Regexp.new(pattern)
+                true
+              rescue RegexpError
+                false
+              end
+            else
+              true
+            end
+          end
+          # Helper to check scheme/credential compatibility
+          def mapping_scheme_credential_compatible?(scheme, credential)
+            return false unless scheme && credential
+            compatible_types = get_compatible_credential_types(scheme.scheme_type)
+            compatible_types.include?(credential.auth_type.to_s) || compatible_types.include?(credential.auth_type)
+          end
+          # Helper method to perform credential testing
+          def test_credential_functionality(credential, test_options = {})
+            test_results = { success: true, tests: [], credential_name: credential.to_s }
+            begin
+              # Test 1: Basic validation
+              credential.to_h(resolve_env: true)
+              test_results[:tests] << {
+                name: 'Basic Validation',
+                status: 'passed',
+                message: 'Credential structure and environment variables are valid'
+              }
+            rescue StandardError => e
+              test_results[:success] = false
+              test_results[:tests] << {
+                name: 'Basic Validation',
+                status: 'failed',
+                message: "Validation failed: #{e.message}"
+              }
+              return test_results
+            end
+            # Test 2: Type-specific validation
+            test_results[:tests] << case credential.auth_type
+                                    when :api_key
+                                      test_api_key_credential(credential, test_options)
+                                    when :oauth2, :oidc
+                                      test_oauth_credential(credential, test_options)
+                                    when :service_account, :google_service_account
+                                      test_service_account_credential(credential, test_options)
+                                    when :http_bearer
+                                      test_bearer_credential(credential, test_options)
+                                    else
+                                      {
+                                        name: 'Type-Specific Test',
+                                        status: 'skipped',
+                                        message: "No specific test available for credential type: #{credential.auth_type}"
+                                      }
+                                    end
+            # Check if any test failed
+            test_results[:success] = test_results[:tests].all? { |test| test[:status] != 'failed' }
+            test_results
+          end
+          # Test API key credential
+          def test_api_key_credential(credential, options = {})
+            api_key = credential[:api_key]
+            return { name: 'API Key Test', status: 'failed', message: 'API key is missing' } unless api_key
+            if options[:test_url]
+              # Test against provided URL
+              begin
+                require 'net/http'
+                Legate::Auth::UrlGuard.validate!(options[:test_url], label: 'Test URL')
+                uri = URI(options[:test_url])
+                http = Net::HTTP.new(uri.host, uri.port)
+                http.use_ssl = uri.scheme == 'https'
+                http.read_timeout = 10
+                request = Net::HTTP::Get.new(uri)
+                # Add API key based on location
+                location = credential[:location] || 'header'
+                key_name = credential[:name] || 'X-API-Key'
+                case location
+                when 'header'
+                  request[key_name] = api_key
+                when 'query'
+                  uri.query = "#{key_name}=#{api_key}"
+                  request = Net::HTTP::Get.new(uri)
+                end
+                response = http.request(request)
+                if response.code.to_i < 400
+                  { name: 'API Key Test', status: 'passed', message: "API key accepted (HTTP #{response.code})" }
+                else
+                  { name: 'API Key Test', status: 'failed', message: "API key rejected (HTTP #{response.code})" }
+                end
+              rescue StandardError => e
+                { name: 'API Key Test', status: 'failed', message: "Network error: #{e.message}" }
+              end
+            else
+              { name: 'API Key Test', status: 'passed', message: 'API key format is valid (no test URL provided)' }
+            end
+          end
+          # Test OAuth credential
+          def test_oauth_credential(credential, _options = {})
+            client_id = credential[:client_id]
+            client_secret = credential[:client_secret]
+            return { name: 'OAuth Test', status: 'failed', message: 'Client ID is missing' } unless client_id
+            return { name: 'OAuth Test', status: 'failed', message: 'Client secret is missing' } unless client_secret
+            { name: 'OAuth Test', status: 'passed', message: 'OAuth credentials are properly formatted' }
+          end
+          # Test service account credential
+          def test_service_account_credential(credential, _options = {})
+            if credential.auth_type == :google_service_account
+              key_data = credential[:service_account_key]
+              return { name: 'Service Account Test', status: 'failed', message: 'Service account key is missing' } unless key_data
+              begin
+                parsed_key = JSON.parse(key_data)
+                required_fields = %w[type project_id private_key_id private_key client_email client_id]
+                missing_fields = required_fields.reject { |field| parsed_key.key?(field) }
+                if missing_fields.empty?
+                  { name: 'Service Account Test', status: 'passed', message: 'Service account key is valid JSON with all required fields' }
+                else
+                  { name: 'Service Account Test', status: 'failed', message: "Missing required fields: #{missing_fields.join(', ')}" }
+                end
+              rescue JSON::ParserError
+                { name: 'Service Account Test', status: 'failed', message: 'Service account key is not valid JSON' }
+              end
+            else
+              client_email = credential[:client_email]
+              private_key = credential[:private_key]
+              return { name: 'Service Account Test', status: 'failed', message: 'Client email is missing' } unless client_email
+              return { name: 'Service Account Test', status: 'failed', message: 'Private key is missing' } unless private_key
+              if private_key.include?('BEGIN PRIVATE KEY')
+                { name: 'Service Account Test', status: 'passed', message: 'Service account credentials are properly formatted' }
+              else
+                { name: 'Service Account Test', status: 'failed', message: 'Private key does not appear to be in PEM format' }
+              end
+            end
+          end
+          # Test bearer token credential
+          def test_bearer_credential(credential, options = {})
+            bearer_token = credential[:bearer_token]
+            return { name: 'Bearer Token Test', status: 'failed', message: 'Bearer token is missing' } unless bearer_token
+            if options[:test_url]
+              begin
+                require 'net/http'
+                Legate::Auth::UrlGuard.validate!(options[:test_url], label: 'Test URL')
+                uri = URI(options[:test_url])
+                http = Net::HTTP.new(uri.host, uri.port)
+                http.use_ssl = uri.scheme == 'https'
+                http.read_timeout = 10
+                request = Net::HTTP::Get.new(uri)
+                request['Authorization'] = "Bearer #{bearer_token}"
+                response = http.request(request)
+                if response.code.to_i < 400
+                  { name: 'Bearer Token Test', status: 'passed', message: "Bearer token accepted (HTTP #{response.code})" }
+                else
+                  { name: 'Bearer Token Test', status: 'failed', message: "Bearer token rejected (HTTP #{response.code})" }
+                end
+              rescue StandardError => e
+                { name: 'Bearer Token Test', status: 'failed', message: "Network error: #{e.message}" }
+              end
+            else
+              { name: 'Bearer Token Test', status: 'passed', message: 'Bearer token format is valid (no test URL provided)' }
+            end
+          end
+          # Helper to test API calls with authentication
+          def test_authenticated_api_call(url, scheme_name, credential_name, _options = {})
+            auth_manager = Legate::Auth::Manager.instance
+            scheme = auth_manager.get_scheme(scheme_name.to_sym)
+            credential = auth_manager.get_credential(credential_name.to_sym)
+            return { success: false, error: 'Scheme not found' } unless scheme
+            return { success: false, error: 'Credential not found' } unless credential
+            return { success: false, error: 'Scheme and credential are not compatible' } unless mapping_scheme_credential_compatible?(scheme, credential)
+            begin
+              require 'net/http'
+              Legate::Auth::UrlGuard.validate!(url, label: 'Test URL')
+              uri = URI(url)
+              http = Net::HTTP.new(uri.host, uri.port)
+              http.use_ssl = uri.scheme == 'https'
+              http.read_timeout = 15
+              request = Net::HTTP::Get.new(uri)
+              # Apply authentication based on scheme type
+              case scheme.scheme_type
+              when :api_key
+                location = credential[:location] || 'header'
+                key_name = credential[:name] || 'X-API-Key'
+                api_key = credential[:api_key]
+                case location
+                when 'header'
+                  request[key_name] = api_key
+                when 'query'
+                  uri.query = "#{key_name}=#{api_key}"
+                  request = Net::HTTP::Get.new(uri)
+                end
+              when :http_bearer
+                request['Authorization'] = "Bearer #{credential[:bearer_token]}"
+              when :oauth2, :oidc
+                # For OAuth2, we'd need an access token, which requires a full flow
+                return { success: false, error: 'OAuth2 testing requires a complete authentication flow' }
+              when :service_account, :google_service_account
+                # Service account testing would require token generation
+                return { success: false, error: 'Service account testing requires token generation' }
+              end
+              response = http.request(request)
+              {
+                success: true,
+                status_code: response.code.to_i,
+                status_message: response.message,
+                headers: response.to_hash,
+                body_preview: response.body&.slice(0, 500),
+                authenticated: response.code.to_i < 400
+              }
+            rescue StandardError => e
+              { success: false, error: "Network error: #{e.message}" }
+            end
+          end
+        end
+        # GET /auth - Main authentication management dashboard
+        app.get '/auth' do
+          logger.info('GET /auth route handler entered (from AuthenticationRoutes)')
+          # Access the authentication manager
+          auth_manager = Legate::Auth::Manager.instance
+          # Get basic counts for dashboard
+          schemes_count = auth_manager.schemes&.size || 0
+          credentials_count = auth_manager.credentials&.size || 0
+          mappings_count = auth_manager.url_mappings&.size || 0
+          # Set instance variables for the view
+          instance_variable_set(:@auth_manager_available, true)
+          instance_variable_set(:@schemes_count, schemes_count)
+          instance_variable_set(:@credentials_count, credentials_count)
+          instance_variable_set(:@mappings_count, mappings_count)
+          slim :auth
+        rescue StandardError => e
+          logger.error("Error in /auth route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          instance_variable_set(:@auth_manager_available, false)
+          instance_variable_set(:@error_message, e.message)
+          slim :auth
+        end
+        # GET /auth/schemes - List all available authentication schemes
+        app.get '/auth/schemes' do
+          logger.info('GET /auth/schemes route handler entered (from AuthenticationRoutes)')
+          content_type :html
+          auth_manager = Legate::Auth::Manager.instance
+          schemes = auth_manager.schemes || {}
+          credentials = auth_manager.credentials || {}
+          url_mappings = auth_manager.url_mappings || []
+          # Convert schemes to a more view-friendly format with usage information
+          schemes_data = schemes.map do |name, scheme|
+            # Find compatible credentials
+            compatible_credentials = credentials.select do |cred_name, credential|
+              auth_manager.send(:credential_compatible_with_scheme?, credential, scheme)
+            end
+            # Find URL mappings using this scheme
+            scheme_mappings = url_mappings.select { |mapping| mapping[:scheme_name] == name }
+            {
+              name: name,
+              scheme_type: scheme.scheme_type,
+              class_name: scheme.class.name.split('::').last,
+              description: get_scheme_description(scheme),
+              compatible_credentials_count: compatible_credentials.size,
+              url_mappings_count: scheme_mappings.size,
+              config_fields: get_scheme_config_fields(scheme.scheme_type),
+              has_config: !get_scheme_config_fields(scheme.scheme_type).empty?
+            }
+          end
+          instance_variable_set(:@schemes, schemes_data)
+          slim :auth_schemes
+        rescue StandardError => e
+          logger.error("Error in /auth/schemes route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          halt 500, "Error loading authentication schemes: #{e.message}"
+        end
+        # GET /auth/schemes/:name - Individual scheme details and configuration
+        app.get '/auth/schemes/:name' do
+          logger.info("GET /auth/schemes/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :html
+          scheme_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          scheme = auth_manager.get_scheme(scheme_name)
+          halt 404, "Scheme not found: #{Rack::Utils.escape_html(params[:name])}" unless scheme
+          credentials = auth_manager.credentials || {}
+          url_mappings = auth_manager.url_mappings || []
+          # Find compatible credentials
+          compatible_credentials = credentials.select do |cred_name, credential|
+            auth_manager.send(:credential_compatible_with_scheme?, credential, scheme)
+          end.map do |cred_name, credential|
+            {
+              name: cred_name,
+              auth_type: credential.auth_type,
+              description: get_credential_description(credential),
+              masked_info: get_masked_credential_info(credential)
+            }
+          end
+          # Find URL mappings using this scheme
+          scheme_mappings = url_mappings.select { |mapping| mapping[:scheme_name] == scheme_name }
+                                        .map.with_index do |mapping, index|
+            {
+              id: index,
+              pattern: mapping[:pattern].is_a?(Regexp) ? mapping[:pattern].source : mapping[:pattern].to_s,
+              pattern_type: mapping[:pattern].is_a?(Regexp) ? 'regex' : 'string',
+              credential_name: mapping[:credential_name]
+            }
+          end
+          scheme_data = {
+            name: scheme_name,
+            scheme_type: scheme.scheme_type,
+            class_name: scheme.class.name.split('::').last,
+            description: get_scheme_description(scheme),
+            config_fields: get_scheme_config_fields(scheme.scheme_type),
+            current_config: get_scheme_current_config(scheme),
+            compatible_credential_types: get_compatible_credential_types(scheme.scheme_type),
+            compatible_credentials: compatible_credentials,
+            url_mappings: scheme_mappings
+          }
+          instance_variable_set(:@scheme, scheme_data)
+          slim :auth_scheme_detail
+        rescue StandardError => e
+          logger.error("Error in /auth/schemes/#{params[:name]} route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          halt 500, "Error loading scheme details: #{e.message}"
+        end
+        # POST /auth/schemes - Register new scheme instance
+        app.post '/auth/schemes' do
+          logger.info('POST /auth/schemes route handler entered (from AuthenticationRoutes)')
+          content_type :json
+          scheme_type = params[:scheme_type]&.to_sym
+          scheme_name = params[:scheme_name]&.to_sym
+          halt 400, { error: 'Scheme type is required' }.to_json unless scheme_type
+          halt 400, { error: 'Scheme name is required' }.to_json unless scheme_name
+          auth_manager = Legate::Auth::Manager.instance
+          # Check if scheme name already exists
+          halt 400, { error: "Scheme with name '#{scheme_name}' already exists" }.to_json if auth_manager.get_scheme(scheme_name)
+          begin
+            # Create new scheme instance based on type
+            scheme = case scheme_type
+                     when :api_key
+                       Legate::Auth::Schemes::ApiKey.new
+                     when :http_bearer
+                       Legate::Auth::Schemes::HTTPBearer.new
+                     when :oauth2
+                       Legate::Auth::Schemes::OAuth2.new(
+                         authorization_url: params[:authorization_url],
+                         token_url: params[:token_url],
+                         scopes: params[:scopes]&.split(/\s+/),
+                         use_pkce: params[:use_pkce] == 'true',
+                         revocation_url: params[:revocation_url]
+                       )
+                     when :oidc, :openid_connect
+                       Legate::Auth::Schemes::OpenIDConnect.new(
+                         authorization_url: params[:authorization_url],
+                         token_url: params[:token_url],
+                         userinfo_url: params[:userinfo_url],
+                         scopes: params[:scopes]&.split(/\s+/),
+                         use_pkce: params[:use_pkce] == 'true'
+                       )
+                     when :service_account
+                       Legate::Auth::Schemes::ServiceAccount.new(
+                         token_url: params[:token_url],
+                         scopes: params[:scopes]&.split(/\s+/)
+                       )
+                     when :google_service_account
+                       Legate::Auth::Schemes::GoogleServiceAccount.new(
+                         scopes: params[:scopes]&.split(/\s+/)
+                       )
+                     else
+                       halt 400, { error: "Unsupported scheme type: #{scheme_type}" }.to_json
+                     end
+            # Register the new scheme
+            auth_manager.register_scheme(scheme, scheme_name)
+            logger.info("Successfully registered new scheme '#{scheme_name}' of type '#{scheme_type}'")
+            { success: true, message: "Scheme '#{scheme_name}' registered successfully" }.to_json
+          rescue StandardError => e
+            logger.error("Error registering scheme '#{scheme_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to register scheme: #{e.message}" }.to_json
+          end
+        end
+        # PUT /auth/schemes/:name - Update scheme configuration
+        app.put '/auth/schemes/:name' do
+          logger.info("PUT /auth/schemes/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :json
+          scheme_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          existing_scheme = auth_manager.get_scheme(scheme_name)
+          halt 404, { error: "Scheme not found: #{params[:name]}" }.to_json unless existing_scheme
+          begin
+            # Create updated scheme instance with new configuration
+            scheme_type = existing_scheme.scheme_type
+            updated_scheme = case scheme_type
+                             when :oauth2
+                               Legate::Auth::Schemes::OAuth2.new(
+                                 authorization_url: params[:authorization_url],
+                                 token_url: params[:token_url],
+                                 scopes: params[:scopes]&.split(/\s+/),
+                                 use_pkce: params[:use_pkce] == 'true',
+                                 revocation_url: params[:revocation_url]
+                               )
+                             when :oidc, :openid_connect
+                               Legate::Auth::Schemes::OpenIDConnect.new(
+                                 authorization_url: params[:authorization_url],
+                                 token_url: params[:token_url],
+                                 userinfo_url: params[:userinfo_url],
+                                 scopes: params[:scopes]&.split(/\s+/),
+                                 use_pkce: params[:use_pkce] == 'true'
+                               )
+                             when :service_account
+                               Legate::Auth::Schemes::ServiceAccount.new(
+                                 token_url: params[:token_url],
+                                 scopes: params[:scopes]&.split(/\s+/)
+                               )
+                             when :google_service_account
+                               Legate::Auth::Schemes::GoogleServiceAccount.new(
+                                 scopes: params[:scopes]&.split(/\s+/)
+                               )
+                             else
+                               halt 400, { error: "Scheme type '#{scheme_type}' does not support configuration updates" }.to_json
+                             end
+            # Replace the existing scheme
+            auth_manager.register_scheme(updated_scheme, scheme_name)
+            logger.info("Successfully updated scheme '#{scheme_name}' configuration")
+            { success: true, message: "Scheme '#{scheme_name}' updated successfully" }.to_json
+          rescue StandardError => e
+            logger.error("Error updating scheme '#{scheme_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to update scheme: #{e.message}" }.to_json
+          end
+        end
+        # DELETE /auth/schemes/:name - Remove scheme instance
+        app.delete '/auth/schemes/:name' do
+          logger.info("DELETE /auth/schemes/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :json
+          scheme_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          scheme = auth_manager.get_scheme(scheme_name)
+          halt 404, { error: "Scheme not found: #{params[:name]}" }.to_json unless scheme
+          # Check if scheme is used in URL mappings
+          url_mappings = auth_manager.url_mappings || []
+          dependent_mappings = url_mappings.select { |mapping| mapping[:scheme_name] == scheme_name }
+          if dependent_mappings.any?
+            mapping_patterns = dependent_mappings.map { |m| m[:pattern] }.join(', ')
+            halt 400, {
+              error: "Cannot delete scheme '#{scheme_name}' - it is used by URL mappings: #{mapping_patterns}"
+            }.to_json
+          end
+          begin
+            # Remove the scheme from the manager (persists via the store)
+            auth_manager.unregister_scheme(scheme_name)
+            logger.info("Successfully deleted scheme '#{scheme_name}'")
+            { success: true, message: "Scheme '#{scheme_name}' deleted successfully" }.to_json
+          rescue StandardError => e
+            logger.error("Error deleting scheme '#{scheme_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to delete scheme: #{e.message}" }.to_json
+          end
+        end
+        # GET /auth/credentials - List all configured credentials
+        app.get '/auth/credentials' do
+          logger.info('GET /auth/credentials route handler entered (from AuthenticationRoutes)')
+          content_type :html
+          auth_manager = Legate::Auth::Manager.instance
+          credentials = auth_manager.credentials || {}
+          url_mappings = auth_manager.url_mappings || []
+          # Convert credentials to a view-friendly format with usage information
+          credentials_data = credentials.map do |name, credential|
+            # Find URL mappings using this credential
+            credential_mappings = url_mappings.select { |mapping| mapping[:credential_name] == name }
+            # Find compatible schemes
+            compatible_schemes = get_compatible_schemes_for_credential(credential.auth_type)
+            {
+              name: name,
+              auth_type: credential.auth_type,
+              description: get_credential_description(credential),
+              masked_info: get_masked_credential_info(credential),
+              url_mappings_count: credential_mappings.size,
+              compatible_schemes_count: compatible_schemes.size,
+              config_fields: get_credential_config_fields(credential.auth_type)
+            }
+          end
+          instance_variable_set(:@credentials, credentials_data)
+          slim :auth_credentials
+        rescue StandardError => e
+          logger.error("Error in /auth/credentials route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          halt 500, "Error loading authentication credentials: #{e.message}"
+        end
+        # GET /auth/credentials/:name - Individual credential details and configuration
+        app.get '/auth/credentials/:name' do
+          logger.info("GET /auth/credentials/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :html
+          credential_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          credential = auth_manager.get_credential(credential_name)
+          halt 404, "Credential not found: #{Rack::Utils.escape_html(params[:name])}" unless credential
+          url_mappings = auth_manager.url_mappings || []
+          # Find URL mappings using this credential
+          credential_mappings = url_mappings.select { |mapping| mapping[:credential_name] == credential_name }
+                                            .map.with_index do |mapping, index|
+            {
+              id: index,
+              pattern: mapping[:pattern].is_a?(Regexp) ? mapping[:pattern].source : mapping[:pattern].to_s,
+              pattern_type: mapping[:pattern].is_a?(Regexp) ? 'regex' : 'string',
+              scheme_name: mapping[:scheme_name]
+            }
+          end
+          # Find compatible schemes
+          compatible_schemes = get_compatible_schemes_for_credential(credential.auth_type)
+          credential_data = {
+            name: credential_name,
+            auth_type: credential.auth_type,
+            description: get_credential_description(credential),
+            config_fields: get_credential_config_fields(credential.auth_type),
+            current_config: get_credential_current_config(credential),
+            compatible_schemes: compatible_schemes,
+            url_mappings: credential_mappings
+          }
+          instance_variable_set(:@credential, credential_data)
+          slim :auth_credential_detail
+        rescue StandardError => e
+          logger.error("Error in /auth/credentials/#{params[:name]} route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          halt 500, "Error loading credential details: #{e.message}"
+        end
+        # POST /auth/credentials - Create new credential
+        app.post '/auth/credentials' do
+          logger.info('POST /auth/credentials route handler entered (from AuthenticationRoutes)')
+          content_type :json
+          auth_type = params[:auth_type]&.to_sym
+          credential_name = params[:credential_name]&.to_sym
+          halt 400, { error: 'Credential type is required' }.to_json unless auth_type
+          halt 400, { error: 'Credential name is required' }.to_json unless credential_name
+          auth_manager = Legate::Auth::Manager.instance
+          # Check if credential name already exists
+          halt 400, { error: "Credential with name '#{credential_name}' already exists" }.to_json if auth_manager.get_credential(credential_name)
+          begin
+            # Build credential attributes based on type
+            credential_attrs = { auth_type: auth_type }
+            case auth_type
+            when :api_key
+              credential_attrs[:api_key] = params[:api_key]
+              credential_attrs[:location] = params[:location] if params[:location] && !params[:location].empty?
+              credential_attrs[:name] = params[:name] if params[:name] && !params[:name].empty?
+            when :http_bearer
+              credential_attrs[:bearer_token] = params[:bearer_token]
+            when :oauth2, :oidc
+              credential_attrs[:client_id] = params[:client_id]
+              credential_attrs[:client_secret] = params[:client_secret]
+              credential_attrs[:redirect_uri] = params[:redirect_uri] if params[:redirect_uri] && !params[:redirect_uri].empty?
+              credential_attrs[:scopes] = params[:scopes] if params[:scopes] && !params[:scopes].empty?
+            when :service_account
+              credential_attrs[:client_email] = params[:client_email]
+              credential_attrs[:private_key] = params[:private_key]
+              credential_attrs[:project_id] = params[:project_id] if params[:project_id] && !params[:project_id].empty?
+            when :google_service_account
+              credential_attrs[:service_account_key] = params[:service_account_key]
+            when :basic
+              credential_attrs[:username] = params[:username]
+              credential_attrs[:password] = params[:password]
+            else
+              halt 400, { error: "Unsupported credential type: #{auth_type}" }.to_json
+            end
+            # Create new credential
+            credential = Legate::Auth::Credential.new(**credential_attrs)
+            # Register the new credential
+            auth_manager.register_credential(credential, credential_name)
+            logger.info("Successfully registered new credential '#{credential_name}' of type '#{auth_type}'")
+            { success: true, message: "Credential '#{credential_name}' created successfully" }.to_json
+          rescue Legate::Auth::CredentialError => e
+            logger.error("Credential validation error for '#{credential_name}': #{e.message}")
+            halt 400, { error: "Invalid credential: #{e.message}" }.to_json
+          rescue StandardError => e
+            logger.error("Error creating credential '#{credential_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to create credential: #{e.message}" }.to_json
+          end
+        end
+        # PUT /auth/credentials/:name - Update existing credential
+        app.put '/auth/credentials/:name' do
+          logger.info("PUT /auth/credentials/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :json
+          credential_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          existing_credential = auth_manager.get_credential(credential_name)
+          halt 404, { error: "Credential not found: #{params[:name]}" }.to_json unless existing_credential
+          begin
+            # Build updated credential attributes
+            auth_type = existing_credential.auth_type
+            credential_attrs = { auth_type: auth_type }
+            case auth_type
+            when :api_key
+              credential_attrs[:api_key] = params[:api_key]
+              credential_attrs[:location] = params[:location] if params[:location] && !params[:location].empty?
+              credential_attrs[:name] = params[:name] if params[:name] && !params[:name].empty?
+            when :http_bearer
+              credential_attrs[:bearer_token] = params[:bearer_token]
+            when :oauth2, :oidc
+              credential_attrs[:client_id] = params[:client_id]
+              credential_attrs[:client_secret] = params[:client_secret]
+              credential_attrs[:redirect_uri] = params[:redirect_uri] if params[:redirect_uri] && !params[:redirect_uri].empty?
+              credential_attrs[:scopes] = params[:scopes] if params[:scopes] && !params[:scopes].empty?
+            when :service_account
+              credential_attrs[:client_email] = params[:client_email]
+              credential_attrs[:private_key] = params[:private_key]
+              credential_attrs[:project_id] = params[:project_id] if params[:project_id] && !params[:project_id].empty?
+            when :google_service_account
+              credential_attrs[:service_account_key] = params[:service_account_key]
+            when :basic
+              credential_attrs[:username] = params[:username]
+              credential_attrs[:password] = params[:password]
+            else
+              halt 400, { error: "Credential type '#{auth_type}' does not support updates" }.to_json
+            end
+            # Create updated credential
+            updated_credential = Legate::Auth::Credential.new(**credential_attrs)
+            # Replace the existing credential
+            auth_manager.register_credential(updated_credential, credential_name)
+            logger.info("Successfully updated credential '#{credential_name}'")
+            { success: true, message: "Credential '#{credential_name}' updated successfully" }.to_json
+          rescue Legate::Auth::CredentialError => e
+            logger.error("Credential validation error for '#{credential_name}': #{e.message}")
+            halt 400, { error: "Invalid credential: #{e.message}" }.to_json
+          rescue StandardError => e
+            logger.error("Error updating credential '#{credential_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to update credential: #{e.message}" }.to_json
+          end
+        end
+        # DELETE /auth/credentials/:name - Remove credential
+        app.delete '/auth/credentials/:name' do
+          logger.info("DELETE /auth/credentials/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :json
+          credential_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          credential = auth_manager.get_credential(credential_name)
+          halt 404, { error: "Credential not found: #{params[:name]}" }.to_json unless credential
+          # Check if credential is used in URL mappings
+          url_mappings = auth_manager.url_mappings || []
+          dependent_mappings = url_mappings.select { |mapping| mapping[:credential_name] == credential_name }
+          if dependent_mappings.any?
+            mapping_patterns = dependent_mappings.map { |m| m[:pattern] }.join(', ')
+            halt 400, {
+              error: "Cannot delete credential '#{credential_name}' - it is used by URL mappings: #{mapping_patterns}"
+            }.to_json
+          end
+          begin
+            # Remove the credential from the manager (persists via the store)
+            auth_manager.unregister_credential(credential_name)
+            logger.info("Successfully deleted credential '#{credential_name}'")
+            { success: true, message: "Credential '#{credential_name}' deleted successfully" }.to_json
+          rescue StandardError => e
+            logger.error("Error deleting credential '#{credential_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to delete credential: #{e.message}" }.to_json
+          end
+        end
+        # POST /auth/credentials/:name/test - Test credential validity
+        app.post '/auth/credentials/:name/test' do
+          logger.info("POST /auth/credentials/#{params[:name]}/test route handler entered (from AuthenticationRoutes)")
+          content_type :json
+          credential_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          credential = auth_manager.get_credential(credential_name)
+          halt 404, { error: "Credential not found: #{params[:name]}" }.to_json unless credential
+          begin
+            # Basic validation - check if credential can resolve environment variables
+            test_result = { success: true, tests: [] }
+            # Test 1: Environment variable resolution
+            begin
+              credential.to_h(resolve_env: true)
+              test_result[:tests] << {
+                name: 'Environment Variable Resolution',
+                status: 'passed',
+                message: 'All environment variables resolved successfully'
+              }
+            rescue Legate::Auth::EnvironmentVariableNotFoundError => e
+              test_result[:success] = false
+              test_result[:tests] << {
+                name: 'Environment Variable Resolution',
+                status: 'failed',
+                message: "Environment variable not found: #{e.message}"
+              }
+            end
+            # Test 2: Required fields validation
+            begin
+              # Create a new credential with the same attributes to validate
+              Legate::Auth::Credential.new(**credential.to_h(resolve_env: false))
+              test_result[:tests] << {
+                name: 'Required Fields Validation',
+                status: 'passed',
+                message: 'All required fields are present'
+              }
+            rescue Legate::Auth::CredentialError => e
+              test_result[:success] = false
+              test_result[:tests] << {
+                name: 'Required Fields Validation',
+                status: 'failed',
+                message: e.message
+              }
+            end
+            # Test 3: Format validation for specific types
+            case credential.auth_type
+            when :google_service_account
+              begin
+                key_data = credential[:service_account_key]
+                if key_data
+                  JSON.parse(key_data)
+                  test_result[:tests] << {
+                    name: 'Service Account Key Format',
+                    status: 'passed',
+                    message: 'Service account key is valid JSON'
+                  }
+                end
+              rescue JSON::ParserError
+                test_result[:success] = false
+                test_result[:tests] << {
+                  name: 'Service Account Key Format',
+                  status: 'failed',
+                  message: 'Service account key is not valid JSON'
+                }
+              end
+            when :service_account
+              begin
+                private_key = credential[:private_key]
+                if private_key && !private_key.include?('BEGIN PRIVATE KEY')
+                  test_result[:success] = false
+                  test_result[:tests] << {
+                    name: 'Private Key Format',
+                    status: 'failed',
+                    message: 'Private key does not appear to be in PEM format'
+                  }
+                else
+                  test_result[:tests] << {
+                    name: 'Private Key Format',
+                    status: 'passed',
+                    message: 'Private key appears to be in correct PEM format'
+                  }
+                end
+              rescue StandardError => e
+                test_result[:success] = false
+                test_result[:tests] << {
+                  name: 'Private Key Format',
+                  status: 'failed',
+                  message: "Private key validation error: #{e.message}"
+                }
+              end
+            end
+            logger.info("Credential test completed for '#{credential_name}': #{test_result[:success] ? 'PASSED' : 'FAILED'}")
+            test_result.to_json
+          rescue StandardError => e
+            logger.error("Error testing credential '#{credential_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to test credential: #{e.message}" }.to_json
+          end
+        end
+        # GET /auth/mappings - List all URL mappings
+        app.get '/auth/mappings' do
+          logger.info('GET /auth/mappings route handler entered (from AuthenticationRoutes)')
+          content_type :html
+          auth_manager = Legate::Auth::Manager.instance
+          mappings = auth_manager.url_mappings || []
+          # Convert mappings to a view-friendly format
+          mappings_data = mappings.map.with_index do |mapping, index|
+            {
+              id: index,
+              pattern: mapping[:pattern].is_a?(Regexp) ? mapping[:pattern].source : mapping[:pattern].to_s,
+              pattern_type: mapping[:pattern].is_a?(Regexp) ? 'regex' : 'string',
+              scheme_name: mapping[:scheme_name],
+              credential_name: mapping[:credential_name]
+            }
+          end
+          instance_variable_set(:@mappings, mappings_data)
+          slim :auth_mappings
+        rescue StandardError => e
+          logger.error("Error in /auth/mappings route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          halt 500, "Error loading URL mappings: #{e.message}"
+        end
+        # GET /auth/debug - Debug information about authentication state
+        app.get '/auth/debug' do
+          logger.info('GET /auth/debug route handler entered (from AuthenticationRoutes)')
+          content_type :html
+          auth_manager = Legate::Auth::Manager.instance
+          # Gather debug information
+          debug_info = {
+            manager_class: auth_manager.class.name,
+            schemes_registered: auth_manager.schemes&.keys || [],
+            credentials_registered: auth_manager.credentials&.keys || [],
+            url_mappings_count: auth_manager.url_mappings&.size || 0,
+            manager_instance_id: auth_manager.object_id
+          }
+          instance_variable_set(:@debug_info, debug_info)
+          slim :auth_debug
+        rescue StandardError => e
+          logger.error("Error in /auth/debug route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          halt 500, "Error gathering debug information: #{e.message}"
+        end
+        # GET /auth/test - Main testing dashboard
+        app.get '/auth/test' do
+          logger.info('GET /auth/test route handler entered (from AuthenticationRoutes)')
+          content_type :html
+          auth_manager = Legate::Auth::Manager.instance
+          schemes = auth_manager.schemes || {}
+          credentials = auth_manager.credentials || {}
+          mappings = auth_manager.url_mappings || []
+          # Convert to view-friendly format
+          schemes_data = schemes.map do |name, scheme|
+            {
+              name: name,
+              scheme_type: scheme.scheme_type,
+              description: get_scheme_description(scheme)
+            }
+          end
+          credentials_data = credentials.map do |name, credential|
+            {
+              name: name,
+              auth_type: credential.auth_type,
+              description: get_credential_description(credential)
+            }
+          end
+          instance_variable_set(:@schemes, schemes_data)
+          instance_variable_set(:@credentials, credentials_data)
+          instance_variable_set(:@mappings_count, mappings.size)
+          slim :auth_test
+        rescue StandardError => e
+          logger.error("Error in /auth/test route (from AuthenticationRoutes): #{e.class} - #{e.message}")
+          halt 500, "Error loading testing dashboard: #{e.message}"
+        end
+        # POST /auth/test/credential/:name - Test individual credential
+        app.post '/auth/test/credential/:name' do
+          logger.info("POST /auth/test/credential/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :json
+          credential_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          credential = auth_manager.get_credential(credential_name)
+          halt 404, { error: "Credential not found: #{params[:name]}" }.to_json unless credential
+          begin
+            test_options = {}
+            test_options[:test_url] = params[:test_url] if params[:test_url] && !params[:test_url].empty?
+            test_results = test_credential_functionality(credential, test_options)
+            test_results[:credential_name] = credential_name.to_s
+            logger.info("Credential test completed for '#{credential_name}': #{test_results[:success] ? 'PASSED' : 'FAILED'}")
+            test_results.to_json
+          rescue StandardError => e
+            logger.error("Error testing credential '#{credential_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to test credential: #{e.message}" }.to_json
+          end
+        end
+        # POST /auth/test/scheme/:name - Test authentication scheme
+        app.post '/auth/test/scheme/:name' do
+          logger.info("POST /auth/test/scheme/#{params[:name]} route handler entered (from AuthenticationRoutes)")
+          content_type :json
+          scheme_name = params[:name].to_sym
+          auth_manager = Legate::Auth::Manager.instance
+          scheme = auth_manager.get_scheme(scheme_name)
+          halt 404, { error: "Scheme not found: #{params[:name]}" }.to_json unless scheme
+          begin
+            test_results = { success: true, tests: [], scheme_name: scheme_name.to_s }
+            # Test 1: Scheme configuration validation
+            case scheme.scheme_type
+            when :oauth2, :oidc, :openid_connect
+              if scheme.respond_to?(:authorization_url) && scheme.authorization_url
+                test_results[:tests] << {
+                  name: 'Authorization URL',
+                  status: 'passed',
+                  message: "Valid authorization URL: #{scheme.authorization_url}"
+                }
+              else
+                test_results[:success] = false
+                test_results[:tests] << {
+                  name: 'Authorization URL',
+                  status: 'failed',
+                  message: 'Authorization URL is missing or invalid'
+                }
+              end
+              if scheme.respond_to?(:token_url) && scheme.token_url
+                test_results[:tests] << {
+                  name: 'Token URL',
+                  status: 'passed',
+                  message: "Valid token URL: #{scheme.token_url}"
+                }
+              else
+                test_results[:success] = false
+                test_results[:tests] << {
+                  name: 'Token URL',
+                  status: 'failed',
+                  message: 'Token URL is missing or invalid'
+                }
+              end
+            when :service_account, :google_service_account
+              test_results[:tests] << if scheme.respond_to?(:token_url) && scheme.token_url
+                                        {
+                                          name: 'Token URL',
+                                          status: 'passed',
+                                          message: "Valid token URL: #{scheme.token_url}"
+                                        }
+                                      else
+                                        {
+                                          name: 'Token URL',
+                                          status: 'skipped',
+                                          message: 'No token URL configured (using default)'
+                                        }
+                                      end
+            else
+              test_results[:tests] << {
+                name: 'Scheme Configuration',
+                status: 'passed',
+                message: "Scheme type #{scheme.scheme_type} requires no additional configuration"
+              }
+            end
+            # Test 2: Compatible credentials check
+            credentials = auth_manager.credentials || {}
+            compatible_credentials = credentials.select do |cred_name, credential|
+              mapping_scheme_credential_compatible?(scheme, credential)
+            end
+            test_results[:tests] << if compatible_credentials.any?
+                                      {
+                                        name: 'Compatible Credentials',
+                                        status: 'passed',
+                                        message: "Found #{compatible_credentials.size} compatible credential(s)"
+                                      }
+                                    else
+                                      {
+                                        name: 'Compatible Credentials',
+                                        status: 'warning',
+                                        message: 'No compatible credentials found'
+                                      }
+                                    end
+            logger.info("Scheme test completed for '#{scheme_name}': #{test_results[:success] ? 'PASSED' : 'FAILED'}")
+            test_results.to_json
+          rescue StandardError => e
+            logger.error("Error testing scheme '#{scheme_name}': #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to test scheme: #{e.message}" }.to_json
+          end
+        end
+        # POST /auth/test/api - Test API call with authentication
+        app.post '/auth/test/api' do
+          logger.info('POST /auth/test/api route handler entered (from AuthenticationRoutes)')
+          content_type :json
+          url = params[:url]
+          scheme_name = params[:scheme_name]
+          credential_name = params[:credential_name]
+          halt 400, { error: 'URL is required' }.to_json unless url && !url.empty?
+          halt 400, { error: 'Scheme name is required' }.to_json unless scheme_name && !scheme_name.empty?
+          halt 400, { error: 'Credential name is required' }.to_json unless credential_name && !credential_name.empty?
+          begin
+            result = test_authenticated_api_call(url, scheme_name, credential_name)
+            logger.info("API test completed for URL '#{url}' with scheme '#{scheme_name}' and credential '#{credential_name}': #{result[:success] ? 'SUCCESS' : 'FAILED'}")
+            result.to_json
+          rescue StandardError => e
+            logger.error("Error testing API call: #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to test API call: #{e.message}" }.to_json
+          end
+        end
+        # POST /auth/test/flow - Test complete authentication flow
+        app.post '/auth/test/flow' do
+          logger.info('POST /auth/test/flow route handler entered (from AuthenticationRoutes)')
+          content_type :json
+          scheme_name = params[:scheme_name]
+          credential_name = params[:credential_name]
+          halt 400, { error: 'Scheme name is required' }.to_json unless scheme_name && !scheme_name.empty?
+          halt 400, { error: 'Credential name is required' }.to_json unless credential_name && !credential_name.empty?
+          begin
+            auth_manager = Legate::Auth::Manager.instance
+            scheme = auth_manager.get_scheme(scheme_name.to_sym)
+            credential = auth_manager.get_credential(credential_name.to_sym)
+            halt 404, { error: 'Scheme not found' }.to_json unless scheme
+            halt 404, { error: 'Credential not found' }.to_json unless credential
+            halt 400, { error: 'Scheme and credential are not compatible' }.to_json unless mapping_scheme_credential_compatible?(scheme, credential)
+            flow_results = { success: true, steps: [], scheme_type: scheme.scheme_type }
+            case scheme.scheme_type
+            when :api_key
+              flow_results[:steps] << {
+                step: 'API Key Authentication',
+                status: 'passed',
+                message: 'API key authentication is ready for use'
+              }
+            when :http_bearer
+              flow_results[:steps] << {
+                step: 'Bearer Token Authentication',
+                status: 'passed',
+                message: 'Bearer token authentication is ready for use'
+              }
+            when :oauth2, :oidc, :openid_connect
+              flow_results[:steps] << {
+                step: 'OAuth2 Flow Simulation',
+                status: 'simulated',
+                message: 'OAuth2 flow would redirect to authorization URL and exchange code for token'
+              }
+            when :service_account, :google_service_account
+              flow_results[:steps] << {
+                step: 'Service Account Flow Simulation',
+                status: 'simulated',
+                message: 'Service account would generate JWT and exchange for access token'
+              }
+            else
+              flow_results[:success] = false
+              flow_results[:steps] << {
+                step: 'Unknown Flow',
+                status: 'failed',
+                message: "No flow simulation available for scheme type: #{scheme.scheme_type}"
+              }
+            end
+            logger.info("Flow test completed for scheme '#{scheme_name}' and credential '#{credential_name}': #{flow_results[:success] ? 'SUCCESS' : 'FAILED'}")
+            flow_results.to_json
+          rescue StandardError => e
+            logger.error("Error testing authentication flow: #{e.class} - #{e.message}")
+            halt 500, { error: "Failed to test authentication flow: #{e.message}" }.to_json
+          end
+        end
+        # GET /auth/mappings/new - Form for creating new mapping
+        app.get '/auth/mappings/new' do
+          auth_manager = Legate::Auth::Manager.instance
+          schemes = auth_manager.schemes || {}
+          credentials = auth_manager.credentials || {}
+          mapping_fields = get_mapping_config_fields
+          instance_variable_set(:@schemes, schemes)
+          instance_variable_set(:@credentials, credentials)
+          instance_variable_set(:@mapping_fields, mapping_fields)
+          slim :auth_mapping_new
+        end
+        # GET /auth/mappings/:id - Mapping detail/edit
+        app.get '/auth/mappings/:id' do
+          auth_manager = Legate::Auth::Manager.instance
+          mappings = auth_manager.url_mappings || []
+          id = params[:id].to_i
+          mapping = mappings[id] or halt 404, 'Mapping not found'
+          schemes = auth_manager.schemes || {}
+          credentials = auth_manager.credentials || {}
+          mapping_fields = get_mapping_config_fields
+          instance_variable_set(:@mapping, mapping)
+          instance_variable_set(:@schemes, schemes)
+          instance_variable_set(:@credentials, credentials)
+          instance_variable_set(:@mapping_fields, mapping_fields)
+          slim :auth_mapping_detail
+        end
+        # POST /auth/mappings - Create new mapping
+        app.post '/auth/mappings' do
+          content_type :json
+          auth_manager = Legate::Auth::Manager.instance
+          mappings = auth_manager.url_mappings || []
+          pattern = params[:pattern]
+          pattern_type = params[:pattern_type]
+          scheme_name = params[:scheme_name]&.to_sym
+          credential_name = params[:credential_name]&.to_sym
+          priority = params[:priority]&.to_i || 1
+          active = %w[on true].include?(params[:active])
+          # Validate pattern
+          halt 400, { error: 'Invalid pattern' }.to_json unless valid_mapping_pattern?(pattern, pattern_type)
+          # Validate scheme/credential
+          scheme = auth_manager.get_scheme(scheme_name)
+          credential = auth_manager.get_credential(credential_name)
+          halt 400, { error: 'Scheme and credential are not compatible' }.to_json unless mapping_scheme_credential_compatible?(scheme, credential)
+          # Build mapping
+          mapping = {
+            pattern: pattern_type == 'regex' ? Regexp.new(pattern) : pattern,
+            pattern_type: pattern_type,
+            scheme_name: scheme_name,
+            credential_name: credential_name,
+            priority: priority,
+            active: active
+          }
+          mappings << mapping
+          auth_manager.replace_url_mappings(mappings)
+          { success: true, message: 'Mapping created', id: mappings.size - 1 }.to_json
+        end
+        # PUT /auth/mappings/:id - Update mapping
+        app.put '/auth/mappings/:id' do
+          content_type :json
+          auth_manager = Legate::Auth::Manager.instance
+          mappings = auth_manager.url_mappings || []
+          id = params[:id].to_i
+          mapping = mappings[id] or halt 404, { error: 'Mapping not found' }.to_json
+          pattern = params[:pattern]
+          pattern_type = params[:pattern_type]
+          scheme_name = params[:scheme_name]&.to_sym
+          credential_name = params[:credential_name]&.to_sym
+          priority = params[:priority]&.to_i || 1
+          active = %w[on true].include?(params[:active])
+          halt 400, { error: 'Invalid pattern' }.to_json unless valid_mapping_pattern?(pattern, pattern_type)
+          scheme = auth_manager.get_scheme(scheme_name)
+          credential = auth_manager.get_credential(credential_name)
+          halt 400, { error: 'Scheme and credential are not compatible' }.to_json unless mapping_scheme_credential_compatible?(scheme, credential)
+          mapping[:pattern] = pattern_type == 'regex' ? Regexp.new(pattern) : pattern
+          mapping[:pattern_type] = pattern_type
+          mapping[:scheme_name] = scheme_name
+          mapping[:credential_name] = credential_name
+          mapping[:priority] = priority
+          mapping[:active] = active
+          auth_manager.replace_url_mappings(mappings)
+          { success: true, message: 'Mapping updated' }.to_json
+        end
+        # DELETE /auth/mappings/:id - Remove mapping
+        app.delete '/auth/mappings/:id' do
+          content_type :json
+          auth_manager = Legate::Auth::Manager.instance
+          mappings = auth_manager.url_mappings || []
+          id = params[:id].to_i
+          mapping = mappings[id] or halt 404, { error: 'Mapping not found' }.to_json
+          mappings.delete_at(id)
+          auth_manager.replace_url_mappings(mappings)
+          { success: true, message: 'Mapping deleted' }.to_json
+        end
+        # POST /auth/mappings/test - Test pattern matching
+        app.post '/auth/mappings/test' do
+          content_type :json
+          pattern = params[:pattern]
+          pattern_type = params[:pattern_type]
+          url = params[:url]
+          halt 400, { error: 'Invalid pattern' }.to_json unless valid_mapping_pattern?(pattern, pattern_type)
+          begin
+            matched =
+              if pattern_type == 'regex'
+                !!(url =~ Regexp.new(pattern))
+              elsif pattern.include?('*')
+                regex = Regexp.new('^' + Regexp.escape(pattern).gsub('\\*', '.*') + '$')
+                !!(url =~ regex)
+              else
+                url == pattern
+              end
+            { success: true, matched: matched }.to_json
+          rescue StandardError => e
+            halt 400, { error: "Pattern test error: #{e.message}" }.to_json
+          end
+        end
+      end
+    end
+  end
+end