@promptbook/cli 0.112.0-100 → 0.112.0-102

package/apps/agents-server/src/database/metadataDefaults.ts

@@ -2,11 +2,6 @@ import { spaceTrim } from 'spacetrim';
 import { CORE_AGENTS_SERVER } from '../../../../servers';
 import { DEFAULT_THINKING_MESSAGES } from '../../../../src/utils/DEFAULT_THINKING_MESSAGES';
 import { ANALYTICS_METADATA_KEYS, getAnalyticsMetadataDefinition } from '../constants/analyticsMetadata';
-import {
-    AUTHENTICATION_METHOD_VALUES,
-    AUTHENTICATION_METHODS_METADATA_KEY,
-    DEFAULT_AUTHENTICATION_METHODS_METADATA_VALUE,
-} from '../constants/authenticationMethods';
 import {
     DEFAULT_FEDERATED_AGENT_IMPORT_RETRY_DELAY_MS,
     FEDERATED_AGENT_IMPORT_RETRY_DELAY_MS_METADATA_KEY,
@@ -25,24 +20,23 @@ import {
 import { DEFAULT_THEME_METADATA_KEY, DEFAULT_THEME_MODE, THEME_MODE_OPTIONS } from '../constants/themeMode';
 import { DEFAULT_NAME_POOL, NAME_POOL_METADATA_KEY, NAME_POOL_OPTIONS } from '../constants/namePool';
 import { NEW_AGENT_WIZZARD_METADATA_KEY, NEW_AGENT_WIZZARD_OPTIONS } from '../constants/newAgentWizard';
+import {
+    DEFAULT_SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES,
+    DEFAULT_SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES,
+    DEFAULT_SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES,
+    IS_SHIBBOLETH_AUTH_ACTIVE_METADATA_KEY,
+    SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES_METADATA_KEY,
+    SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES_METADATA_KEY,
+    SHIBBOLETH_IDENTITY_PROVIDER_METADATA_URL_METADATA_KEY,
+    SHIBBOLETH_IDENTITY_PROVIDER_METADATA_XML_METADATA_KEY,
+    SHIBBOLETH_SERVICE_PROVIDER_ENTITY_ID_METADATA_KEY,
+    SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES_METADATA_KEY,
+} from '../constants/shibbolethAuth';
 import {
     DEFAULT_SERVER_LIMIT_VALUES,
     MAX_FILE_UPLOAD_SIZE_MB_METADATA_KEY,
     SERVER_LIMIT_KEYS,
 } from '../constants/serverLimits';
-import {
-    DEFAULT_SHIBBOLETH_PROVIDER_LABEL,
-    DEFAULT_SHIBBOLETH_USERNAME_ATTRIBUTE,
-    SHIBBOLETH_AUTO_CREATE_USERS_METADATA_KEY,
-    SHIBBOLETH_CALLBACK_URL_METADATA_KEY,
-    SHIBBOLETH_ENTITY_ID_METADATA_KEY,
-    SHIBBOLETH_IDP_CERTIFICATE_METADATA_KEY,
-    SHIBBOLETH_IDP_ENTRYPOINT_METADATA_KEY,
-    SHIBBOLETH_IDP_ISSUER_METADATA_KEY,
-    SHIBBOLETH_IDP_METADATA_URL_METADATA_KEY,
-    SHIBBOLETH_PROVIDER_LABEL_METADATA_KEY,
-    SHIBBOLETH_USERNAME_ATTRIBUTE_METADATA_KEY,
-} from '../constants/shibbolethAuthentication';
 import { DEFAULT_TOOL_USAGE_LIMITS, TOOL_USAGE_LIMITS_METADATA_KEY } from '../constants/toolUsageLimits';
 import {
     IS_SERVER_LANGUAGE_ENFORCED_METADATA_KEY,
@@ -163,6 +157,48 @@ export const metadataDefaults = [
         type: 'TEXT_SINGLE_LINE',
         options: SERVER_VISIBILITY_OPTIONS,
     },
+    {
+        key: IS_SHIBBOLETH_AUTH_ACTIVE_METADATA_KEY,
+        value: 'false',
+        note: 'Enable Shibboleth authentication alongside standard username/password login.',
+        type: 'BOOLEAN',
+    },
+    {
+        key: SHIBBOLETH_IDENTITY_PROVIDER_METADATA_URL_METADATA_KEY,
+        value: '',
+        note: 'URL of the Shibboleth Identity Provider metadata XML. For Silesian University this is https://idp-cro.slu.cz/idp/shibboleth.',
+        type: 'TEXT_SINGLE_LINE',
+    },
+    {
+        key: SHIBBOLETH_IDENTITY_PROVIDER_METADATA_XML_METADATA_KEY,
+        value: '',
+        note: 'Optional pasted Shibboleth Identity Provider metadata XML. Used instead of SHIBBOLETH_IDP_METADATA_URL when filled.',
+        type: 'TEXT',
+    },
+    {
+        key: SHIBBOLETH_SERVICE_PROVIDER_ENTITY_ID_METADATA_KEY,
+        value: '',
+        note: 'Optional Service Provider entity ID override. When empty, Agents Server uses the generated Shibboleth metadata endpoint URL.',
+        type: 'TEXT_SINGLE_LINE',
+    },
+    {
+        key: SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES_METADATA_KEY,
+        value: DEFAULT_SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES,
+        note: 'Space-separated SAML attribute names accepted as the user email during Shibboleth login.',
+        type: 'TEXT_SINGLE_LINE',
+    },
+    {
+        key: SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES_METADATA_KEY,
+        value: DEFAULT_SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES,
+        note: 'Space-separated SAML attribute names accepted as the user display name during Shibboleth login.',
+        type: 'TEXT_SINGLE_LINE',
+    },
+    {
+        key: SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES_METADATA_KEY,
+        value: DEFAULT_SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES,
+        note: 'Space-separated SAML attribute names accepted as the institutional identifier during Shibboleth login.',
+        type: 'TEXT_SINGLE_LINE',
+    },
     {
         key: 'AGENT_NAMING',
         value: 'Agent / Agents',
@@ -427,68 +463,6 @@ export const metadataDefaults = [
         note: 'Administrator email address used for password reset and user registration requests.',
         type: 'TEXT_SINGLE_LINE',
     },
-    {
-        key: AUTHENTICATION_METHODS_METADATA_KEY,
-        value: DEFAULT_AUTHENTICATION_METHODS_METADATA_VALUE,
-        note: `Comma-separated login methods enabled on this server. Available values: ${AUTHENTICATION_METHOD_VALUES.join(
-            ', ',
-        )}. Shibboleth is inactive unless SHIBBOLETH is included here.`,
-        type: 'TEXT_SINGLE_LINE',
-    },
-    {
-        key: SHIBBOLETH_IDP_METADATA_URL_METADATA_KEY,
-        value: '',
-        note: 'URL of the Shibboleth Identity Provider metadata XML. When set, the IdP SSO URL and signing certificates are loaded from this document.',
-        type: 'TEXT_SINGLE_LINE',
-    },
-    {
-        key: SHIBBOLETH_IDP_ENTRYPOINT_METADATA_KEY,
-        value: '',
-        note: 'Fallback Shibboleth Identity Provider SSO URL used when it cannot be loaded from metadata.',
-        type: 'TEXT_SINGLE_LINE',
-    },
-    {
-        key: SHIBBOLETH_IDP_CERTIFICATE_METADATA_KEY,
-        value: '',
-        note: 'Fallback Shibboleth IdP signing certificate in PEM or base64 form. Multiple certificates can be separated by blank lines.',
-        type: 'TEXT',
-    },
-    {
-        key: SHIBBOLETH_IDP_ISSUER_METADATA_KEY,
-        value: '',
-        note: 'Optional expected Shibboleth IdP entity ID. Leave empty to use the entityID from IdP metadata.',
-        type: 'TEXT_SINGLE_LINE',
-    },
-    {
-        key: SHIBBOLETH_ENTITY_ID_METADATA_KEY,
-        value: '',
-        note: 'Optional SAML Service Provider EntityID. Leave empty to use this server public URL plus /api/auth/shibboleth/metadata.',
-        type: 'TEXT_SINGLE_LINE',
-    },
-    {
-        key: SHIBBOLETH_CALLBACK_URL_METADATA_KEY,
-        value: '',
-        note: 'Optional SAML Assertion Consumer Service URL. Leave empty to use this server public URL plus /api/auth/shibboleth/acs.',
-        type: 'TEXT_SINGLE_LINE',
-    },
-    {
-        key: SHIBBOLETH_USERNAME_ATTRIBUTE_METADATA_KEY,
-        value: DEFAULT_SHIBBOLETH_USERNAME_ATTRIBUTE,
-        note: 'SAML attribute used as the Agents Server username. For Silesian University this is usually mail or unstructuredName.',
-        type: 'TEXT_SINGLE_LINE',
-    },
-    {
-        key: SHIBBOLETH_AUTO_CREATE_USERS_METADATA_KEY,
-        value: 'true',
-        note: 'Create a non-admin Agents Server user automatically after a valid Shibboleth login when no matching username exists.',
-        type: 'BOOLEAN',
-    },
-    {
-        key: SHIBBOLETH_PROVIDER_LABEL_METADATA_KEY,
-        value: DEFAULT_SHIBBOLETH_PROVIDER_LABEL,
-        note: 'User-facing label for the Shibboleth login button.',
-        type: 'TEXT_SINGLE_LINE',
-    },
     {
         key: DEFAULT_VISIBILITY_METADATA_KEY,
         value: 'UNLISTED',

package/apps/agents-server/src/database/migrate.ts

@@ -5,8 +5,14 @@ import {
     resolveDatabaseMigrationRuntimeConfiguration,
     runDatabaseMigrations,
 } from './runDatabaseMigrations';
+import { isAgentsServerSqliteMode } from './agentsServerDatabaseMode';
 
-dotenv.config();
+/**
+ * Environment variable pointing to the installed Agents Server `.env` file.
+ */
+const AGENTS_SERVER_ENV_FILE_ENV_NAME = 'PTBK_AGENTS_SERVER_ENV_FILE';
+
+loadDatabaseMigrationEnvironment();
 
 /**
  * Runs manual migration command from CLI arguments.
@@ -14,6 +20,11 @@ dotenv.config();
 async function migrate(): Promise<void> {
     console.info(colors.bgBlue('🚀 Starting database migration'));
 
+    if (isAgentsServerSqliteMode()) {
+        console.info(colors.yellow('⏭️ Skipping PostgreSQL migrations because Agents Server uses local SQLite.'));
+        return;
+    }
+
     const runtimeConfiguration = await resolveDatabaseMigrationRuntimeConfiguration(console);
     if (!runtimeConfiguration) {
         return;
@@ -46,6 +57,24 @@ async function migrate(): Promise<void> {
     }
 }
 
+/**
+ * Loads database migration environment variables.
+ *
+ * Self-update runs the migration command from the repository checkout, while
+ * the deployed Agents Server `.env` lives in the installation directory.
+ */
+function loadDatabaseMigrationEnvironment(): void {
+    const explicitEnvFilePath = process.env[AGENTS_SERVER_ENV_FILE_ENV_NAME]?.trim();
+    if (explicitEnvFilePath) {
+        const explicitLoadResult = dotenv.config({ path: explicitEnvFilePath });
+        if (!explicitLoadResult.error) {
+            return;
+        }
+    }
+
+    dotenv.config();
+}
+
 /**
  * Parses optional `--only` flag from CLI arguments.
  *

package/apps/agents-server/src/database/migrations/2026-06-0100-shibboleth-auth.sql

@@ -0,0 +1,136 @@
+ALTER TABLE "prefix_User"
+    ADD COLUMN IF NOT EXISTS "email" TEXT NULL,
+    ADD COLUMN IF NOT EXISTS "displayName" TEXT NULL,
+    ADD COLUMN IF NOT EXISTS "authenticationProvider" TEXT NOT NULL DEFAULT 'LOCAL';
+
+COMMENT ON COLUMN "prefix_User"."email" IS 'Email address used for external authentication providers such as Shibboleth.';
+COMMENT ON COLUMN "prefix_User"."displayName" IS 'Human-readable display name from external authentication providers.';
+COMMENT ON COLUMN "prefix_User"."authenticationProvider" IS 'Primary authentication provider marker. Values include LOCAL, SHIBBOLETH, and LOCAL_AND_SHIBBOLETH.';
+
+CREATE TABLE IF NOT EXISTS "prefix_ShibbolethUserIdentity" (
+    "id" BIGINT GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
+    "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(),
+    "updatedAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(),
+    "userId" BIGINT NOT NULL,
+    "email" TEXT NOT NULL,
+    "displayName" TEXT NULL,
+    "nameId" TEXT NULL,
+    "nameIdFormat" TEXT NULL,
+    "unstructuredName" TEXT NULL,
+    "eduPersonPrincipalName" TEXT NULL,
+    "rawAttributes" JSONB NULL,
+    "lastLoggedInAt" TIMESTAMP WITH TIME ZONE NULL,
+    "loginCount" BIGINT NOT NULL DEFAULT 0
+);
+
+COMMENT ON TABLE "prefix_ShibbolethUserIdentity" IS 'Link between Agents Server users and Shibboleth identities.';
+COMMENT ON COLUMN "prefix_ShibbolethUserIdentity"."rawAttributes" IS 'Raw SAML assertion profile attributes received from Shibboleth.';
+
+CREATE UNIQUE INDEX IF NOT EXISTS "prefix_ShibbolethUserIdentity_userId_idx"
+    ON "prefix_ShibbolethUserIdentity" ("userId");
+CREATE UNIQUE INDEX IF NOT EXISTS "prefix_ShibbolethUserIdentity_email_idx"
+    ON "prefix_ShibbolethUserIdentity" ("email");
+CREATE UNIQUE INDEX IF NOT EXISTS "prefix_ShibbolethUserIdentity_nameId_idx"
+    ON "prefix_ShibbolethUserIdentity" ("nameId");
+CREATE INDEX IF NOT EXISTS "prefix_ShibbolethUserIdentity_lastLoggedInAt_idx"
+    ON "prefix_ShibbolethUserIdentity" ("lastLoggedInAt" DESC);
+
+ALTER TABLE "prefix_ShibbolethUserIdentity"
+    DROP CONSTRAINT IF EXISTS "prefix_ShibbolethUserIdentity_userId_fkey",
+    ADD CONSTRAINT "prefix_ShibbolethUserIdentity_userId_fkey"
+    FOREIGN KEY ("userId")
+    REFERENCES "prefix_User"("id")
+    ON DELETE CASCADE;
+
+ALTER TABLE "prefix_ShibbolethUserIdentity" ENABLE ROW LEVEL SECURITY;
+
+CREATE TABLE IF NOT EXISTS "prefix_ShibbolethAuthenticationAttempt" (
+    "id" BIGINT GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
+    "createdAt" TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(),
+    "stage" TEXT NOT NULL,
+    "status" TEXT NOT NULL,
+    "userId" BIGINT NULL,
+    "email" TEXT NULL,
+    "displayName" TEXT NULL,
+    "nameId" TEXT NULL,
+    "relayState" TEXT NULL,
+    "ip" TEXT NULL,
+    "userAgent" TEXT NULL,
+    "errorMessage" TEXT NULL,
+    "rawAttributes" JSONB NULL
+);
+
+COMMENT ON TABLE "prefix_ShibbolethAuthenticationAttempt" IS 'Audit log of Shibboleth authentication attempts.';
+COMMENT ON COLUMN "prefix_ShibbolethAuthenticationAttempt"."stage" IS 'Authentication process stage such as LOGIN_REQUEST or ASSERTION_CONSUMER_SERVICE.';
+COMMENT ON COLUMN "prefix_ShibbolethAuthenticationAttempt"."status" IS 'Attempt result such as STARTED, REDIRECTED, SUCCESS, FAILED, or REJECTED.';
+COMMENT ON COLUMN "prefix_ShibbolethAuthenticationAttempt"."rawAttributes" IS 'Raw SAML assertion profile attributes when available.';
+
+CREATE INDEX IF NOT EXISTS "prefix_ShibbolethAuthenticationAttempt_createdAt_idx"
+    ON "prefix_ShibbolethAuthenticationAttempt" ("createdAt" DESC);
+CREATE INDEX IF NOT EXISTS "prefix_ShibbolethAuthenticationAttempt_email_idx"
+    ON "prefix_ShibbolethAuthenticationAttempt" ("email");
+
+ALTER TABLE "prefix_ShibbolethAuthenticationAttempt"
+    DROP CONSTRAINT IF EXISTS "prefix_ShibbolethAuthenticationAttempt_userId_fkey",
+    ADD CONSTRAINT "prefix_ShibbolethAuthenticationAttempt_userId_fkey"
+    FOREIGN KEY ("userId")
+    REFERENCES "prefix_User"("id")
+    ON DELETE SET NULL;
+
+ALTER TABLE "prefix_ShibbolethAuthenticationAttempt" ENABLE ROW LEVEL SECURITY;
+
+INSERT INTO "prefix_Metadata" ("key", "value", "note", "createdAt", "updatedAt")
+SELECT 'IS_SHIBBOLETH_AUTH_ACTIVE',
+       'false',
+       'Enable Shibboleth authentication alongside standard username/password login.',
+       NOW(),
+       NOW()
+WHERE NOT EXISTS (SELECT 1 FROM "prefix_Metadata" WHERE "key" = 'IS_SHIBBOLETH_AUTH_ACTIVE');
+
+INSERT INTO "prefix_Metadata" ("key", "value", "note", "createdAt", "updatedAt")
+SELECT 'SHIBBOLETH_IDP_METADATA_URL',
+       '',
+       'URL of the Shibboleth Identity Provider metadata XML. For Silesian University this is https://idp-cro.slu.cz/idp/shibboleth.',
+       NOW(),
+       NOW()
+WHERE NOT EXISTS (SELECT 1 FROM "prefix_Metadata" WHERE "key" = 'SHIBBOLETH_IDP_METADATA_URL');
+
+INSERT INTO "prefix_Metadata" ("key", "value", "note", "createdAt", "updatedAt")
+SELECT 'SHIBBOLETH_IDP_METADATA_XML',
+       '',
+       'Optional pasted Shibboleth Identity Provider metadata XML. Used instead of SHIBBOLETH_IDP_METADATA_URL when filled.',
+       NOW(),
+       NOW()
+WHERE NOT EXISTS (SELECT 1 FROM "prefix_Metadata" WHERE "key" = 'SHIBBOLETH_IDP_METADATA_XML');
+
+INSERT INTO "prefix_Metadata" ("key", "value", "note", "createdAt", "updatedAt")
+SELECT 'SHIBBOLETH_SP_ENTITY_ID',
+       '',
+       'Optional Service Provider entity ID override. When empty, Agents Server uses the generated Shibboleth metadata endpoint URL.',
+       NOW(),
+       NOW()
+WHERE NOT EXISTS (SELECT 1 FROM "prefix_Metadata" WHERE "key" = 'SHIBBOLETH_SP_ENTITY_ID');
+
+INSERT INTO "prefix_Metadata" ("key", "value", "note", "createdAt", "updatedAt")
+SELECT 'SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES',
+       'mail email urn:oid:0.9.2342.19200300.100.1.3',
+       'Space-separated SAML attribute names accepted as the user email during Shibboleth login.',
+       NOW(),
+       NOW()
+WHERE NOT EXISTS (SELECT 1 FROM "prefix_Metadata" WHERE "key" = 'SHIBBOLETH_EMAIL_ATTRIBUTE_NAMES');
+
+INSERT INTO "prefix_Metadata" ("key", "value", "note", "createdAt", "updatedAt")
+SELECT 'SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES',
+       'displayName urn:oid:2.16.840.1.113730.3.1.241',
+       'Space-separated SAML attribute names accepted as the user display name during Shibboleth login.',
+       NOW(),
+       NOW()
+WHERE NOT EXISTS (SELECT 1 FROM "prefix_Metadata" WHERE "key" = 'SHIBBOLETH_DISPLAY_NAME_ATTRIBUTE_NAMES');
+
+INSERT INTO "prefix_Metadata" ("key", "value", "note", "createdAt", "updatedAt")
+SELECT 'SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES',
+       'unstructuredName eduPersonPrincipalName urn:oid:1.3.6.1.4.1.5923.1.1.1.6 uid',
+       'Space-separated SAML attribute names accepted as the institutional identifier during Shibboleth login.',
+       NOW(),
+       NOW()
+WHERE NOT EXISTS (SELECT 1 FROM "prefix_Metadata" WHERE "key" = 'SHIBBOLETH_UNSTRUCTURED_NAME_ATTRIBUTE_NAMES');

package/apps/agents-server/src/database/sqlite/$provideLocalSqliteSupabase.ts

@@ -86,19 +86,14 @@ const JSON_COLUMNS_BY_TABLE = new Map<string, ReadonlySet<string>>([
     ['ShareTargetPayload', new Set(['attachments'])],
     ['CalendarConnection', new Set(['scopes'])],
     ['CalendarActivity', new Set(['details'])],
+    ['ShibbolethUserIdentity', new Set(['rawAttributes'])],
+    ['ShibbolethAuthenticationAttempt', new Set(['rawAttributes'])],
 ]);
 
 /**
  * Boolean columns stored as integers by SQLite and restored as booleans.
  */
-const BOOLEAN_COLUMNS = new Set([
-    'isAdmin',
-    'isRevoked',
-    'isGlobal',
-    'isUserScoped',
-    'isSuccessful',
-    'isChatFocused',
-]);
+const BOOLEAN_COLUMNS = new Set(['isAdmin', 'isRevoked', 'isGlobal', 'isUserScoped', 'isSuccessful', 'isChatFocused']);
 
 /**
  * Tables whose primary key is provided as text rather than generated numerically.
@@ -122,6 +117,7 @@ const UNIQUE_INDEX_COLUMNS_BY_TABLE = new Map<string, ReadonlyArray<ReadonlyArra
     ['AgentExternals', [['type', 'hash']]],
     ['VectorStoreKnowledgeSourceHashes', [['source']]],
     ['User', [['username']]],
+    ['ShibbolethUserIdentity', [['userId'], ['email'], ['nameId']]],
     ['UserChatJob', [['chatId', 'clientMessageId']]],
     ['LlmCache', [['hash']]],
     ['OpenAiAssistantCache', [['agentHash']]],
@@ -158,7 +154,9 @@ export function $provideLocalSqliteSupabase(): SupabaseClient {
         return localSqliteSupabase;
     }
 
-    localSqliteSupabase = new LocalSqliteSupabaseClient($provideAgentsServerSqliteDatabase()) as unknown as SupabaseClient;
+    localSqliteSupabase = new LocalSqliteSupabaseClient(
+        $provideAgentsServerSqliteDatabase(),
+    ) as unknown as SupabaseClient;
     return localSqliteSupabase;
 }
 
@@ -188,10 +186,7 @@ class LocalSqliteSupabaseClient {
  * Supabase-shaped table entry point. Every operation starts a fresh query builder.
  */
 class LocalSqliteTable {
-    public constructor(
-        private readonly database: AgentsServerSqliteDatabase,
-        private readonly tableName: string,
-    ) {}
+    public constructor(private readonly database: AgentsServerSqliteDatabase, private readonly tableName: string) {}
 
     /**
      * Starts a select query.
@@ -248,10 +243,7 @@ class LocalSqliteQueryBuilder implements PromiseLike<LocalSqliteQueryResult> {
     private signal: AbortSignal | null = null;
     private isReturningSelection = false;
 
-    public constructor(
-        private readonly database: AgentsServerSqliteDatabase,
-        private readonly tableName: string,
-    ) {}
+    public constructor(private readonly database: AgentsServerSqliteDatabase, private readonly tableName: string) {}
 
     /**
      * Configures selected columns or mutation return columns.
@@ -569,10 +561,16 @@ class LocalSqliteQueryBuilder implements PromiseLike<LocalSqliteQueryResult> {
 
         if (rowids.length > 0 && updateColumns.length > 0) {
             const assignments = updateColumns.map((column) => `${quoteIdentifier(column)} = ?`).join(', ');
-            const values = updateColumns.map((column) => serializeValue(this.tableName, column, this.mutationValues[column]));
+            const values = updateColumns.map((column) =>
+                serializeValue(this.tableName, column, this.mutationValues[column]),
+            );
             const rowidPlaceholders = rowids.map(() => '?').join(', ');
             this.database
-                .prepare(`UPDATE ${quoteIdentifier(this.tableName)} SET ${assignments} WHERE rowid IN (${rowidPlaceholders})`)
+                .prepare(
+                    `UPDATE ${quoteIdentifier(
+                        this.tableName,
+                    )} SET ${assignments} WHERE rowid IN (${rowidPlaceholders})`,
+                )
                 .run(...values, ...rowids);
         }
 
@@ -591,7 +589,9 @@ class LocalSqliteQueryBuilder implements PromiseLike<LocalSqliteQueryResult> {
         const rowids = this.selectMatchingRowids();
         if (rowids.length > 0) {
             const rowidPlaceholders = rowids.map(() => '?').join(', ');
-            this.database.prepare(`DELETE FROM ${quoteIdentifier(this.tableName)} WHERE rowid IN (${rowidPlaceholders})`).run(...rowids);
+            this.database
+                .prepare(`DELETE FROM ${quoteIdentifier(this.tableName)} WHERE rowid IN (${rowidPlaceholders})`)
+                .run(...rowids);
         }
 
         return this.createMutationResponse([]);
@@ -608,7 +608,10 @@ class LocalSqliteQueryBuilder implements PromiseLike<LocalSqliteQueryResult> {
         for (const rawRow of this.mutationRows) {
             const row = withInsertDefaults(tableBaseName, rawRow);
             ensureTable(this.database, this.tableName, [...Object.keys(row), ...conflictColumns]);
-            const existingRowid = conflictColumns.length > 0 ? findConflictRowid(this.database, this.tableName, row, conflictColumns) : null;
+            const existingRowid =
+                conflictColumns.length > 0
+                    ? findConflictRowid(this.database, this.tableName, row, conflictColumns)
+                    : null;
 
             if (existingRowid !== null) {
                 updateRowid(this.database, this.tableName, existingRowid, row);
@@ -634,7 +637,12 @@ class LocalSqliteQueryBuilder implements PromiseLike<LocalSqliteQueryResult> {
             };
         }
 
-        const data = selectRowsByRowids(this.database, this.tableName, rowids, parseSelectedColumns(this.selectedColumns));
+        const data = selectRowsByRowids(
+            this.database,
+            this.tableName,
+            rowids,
+            parseSelectedColumns(this.selectedColumns),
+        );
         return this.finalizeDataResponse(data, null);
     }
 
@@ -824,7 +832,9 @@ function ensureTable(
         }
 
         database.exec(
-            `ALTER TABLE ${quoteIdentifier(tableName)} ADD COLUMN ${quoteIdentifier(column)} ${resolveSqliteColumnType(column)}`,
+            `ALTER TABLE ${quoteIdentifier(tableName)} ADD COLUMN ${quoteIdentifier(column)} ${resolveSqliteColumnType(
+                column,
+            )}`,
         );
         existingColumns.add(column);
     }
@@ -841,7 +851,11 @@ function ensureUniqueIndexes(database: AgentsServerSqliteDatabase, tableName: st
     for (const columns of uniqueIndexes) {
         const indexName = `idx_${sanitizeSqlIdentifier(tableName)}_${columns.join('_')}_unique`;
         const columnSql = columns.map(quoteIdentifier).join(', ');
-        database.exec(`CREATE UNIQUE INDEX IF NOT EXISTS ${quoteIdentifier(indexName)} ON ${quoteIdentifier(tableName)} (${columnSql})`);
+        database.exec(
+            `CREATE UNIQUE INDEX IF NOT EXISTS ${quoteIdentifier(indexName)} ON ${quoteIdentifier(
+                tableName,
+            )} (${columnSql})`,
+        );
     }
 }
 
@@ -861,7 +875,9 @@ function insertRow(
 
     const placeholders = columns.map(() => '?').join(', ');
     const values = columns.map((column) => serializeValue(tableName, column, row[column]));
-    const sql = `INSERT INTO ${quoteIdentifier(tableName)} (${columns.map(quoteIdentifier).join(', ')}) VALUES (${placeholders})`;
+    const sql = `INSERT INTO ${quoteIdentifier(tableName)} (${columns
+        .map(quoteIdentifier)
+        .join(', ')}) VALUES (${placeholders})`;
 
     return database.prepare(sql).run(...values);
 }
@@ -900,7 +916,9 @@ function findConflictRowid(
 
     const conditions = conflictColumns.map((column) => `${quoteIdentifier(column)} = ?`).join(' AND ');
     const values = conflictColumns.map((column) => serializeValue(tableName, column, row[column]));
-    const result = database.prepare(`SELECT rowid FROM ${quoteIdentifier(tableName)} WHERE ${conditions} LIMIT 1`).get(...values);
+    const result = database
+        .prepare(`SELECT rowid FROM ${quoteIdentifier(tableName)} WHERE ${conditions} LIMIT 1`)
+        .get(...values);
 
     return result ? (result.rowid as number | bigint) : null;
 }
@@ -922,7 +940,9 @@ function selectRowsByRowids(
     const placeholders = rowids.map(() => '?').join(', ');
     const rows = database
         .prepare(
-            `SELECT ${createSelectExpression(selectedColumns)} FROM ${quoteIdentifier(tableName)} WHERE rowid IN (${placeholders})`,
+            `SELECT ${createSelectExpression(selectedColumns)} FROM ${quoteIdentifier(
+                tableName,
+            )} WHERE rowid IN (${placeholders})`,
         )
         .all(...rowids);
 
@@ -941,17 +961,25 @@ function createFilterCondition(
 
     switch (filter.operator) {
         case 'eq':
-            return value === null ? { sql: `${column} IS NULL`, values: [] } : { sql: `${column} = ?`, values: [value] };
+            return value === null
+                ? { sql: `${column} IS NULL`, values: [] }
+                : { sql: `${column} = ?`, values: [value] };
         case 'neq':
             return value === null
                 ? { sql: `${column} IS NOT NULL`, values: [] }
                 : { sql: `${column} <> ?`, values: [value] };
         case 'is':
-            return filter.value === null ? { sql: `${column} IS NULL`, values: [] } : { sql: `${column} IS ?`, values: [value] };
+            return filter.value === null
+                ? { sql: `${column} IS NULL`, values: [] }
+                : { sql: `${column} IS ?`, values: [value] };
         case 'not-is':
-            return filter.value === null ? { sql: `${column} IS NOT NULL`, values: [] } : { sql: `${column} IS NOT ?`, values: [value] };
+            return filter.value === null
+                ? { sql: `${column} IS NOT NULL`, values: [] }
+                : { sql: `${column} IS NOT ?`, values: [value] };
         case 'in': {
-            const values = Array.isArray(filter.value) ? filter.value.map((item) => serializeValue(tableName, filter.column, item)) : [];
+            const values = Array.isArray(filter.value)
+                ? filter.value.map((item) => serializeValue(tableName, filter.column, item))
+                : [];
             if (values.length === 0) {
                 return { sql: '0 = 1', values: [] };
             }
@@ -1190,6 +1218,30 @@ function withInsertDefaults(tableBaseName: string, row: Record<string, unknown>)
         case 'User':
             result.isAdmin ??= false;
             result.profileImageUrl ??= null;
+            result.email ??= null;
+            result.displayName ??= null;
+            result.authenticationProvider ??= 'LOCAL';
+            break;
+        case 'ShibbolethUserIdentity':
+            result.displayName ??= null;
+            result.nameId ??= null;
+            result.nameIdFormat ??= null;
+            result.unstructuredName ??= null;
+            result.eduPersonPrincipalName ??= null;
+            result.rawAttributes ??= null;
+            result.lastLoggedInAt ??= null;
+            result.loginCount ??= 0;
+            break;
+        case 'ShibbolethAuthenticationAttempt':
+            result.userId ??= null;
+            result.email ??= null;
+            result.displayName ??= null;
+            result.nameId ??= null;
+            result.relayState ??= null;
+            result.ip ??= null;
+            result.userAgent ??= null;
+            result.errorMessage ??= null;
+            result.rawAttributes ??= null;
             break;
         case 'UserChat':
             result.messages ??= [];
@@ -1342,10 +1394,7 @@ function resolveUniqueIndexColumns(tableBaseName: string): Array<string> {
 /**
  * Resolves upsert conflict columns.
  */
-function resolveUpsertConflictColumns(
-    tableBaseName: string,
-    options: LocalSqliteUpsertOptions,
-): ReadonlyArray<string> {
+function resolveUpsertConflictColumns(tableBaseName: string, options: LocalSqliteUpsertOptions): ReadonlyArray<string> {
     if (options.onConflict) {
         return options.onConflict
             .split(',')
@@ -1367,7 +1416,10 @@ function normalizeSqliteError(error: unknown): LocalSqliteError {
             : undefined;
 
     return {
-        code: sqliteCode === 'SQLITE_CONSTRAINT_UNIQUE' || sqliteCode === 'SQLITE_CONSTRAINT_PRIMARYKEY' ? '23505' : sqliteCode,
+        code:
+            sqliteCode === 'SQLITE_CONSTRAINT_UNIQUE' || sqliteCode === 'SQLITE_CONSTRAINT_PRIMARYKEY'
+                ? '23505'
+                : sqliteCode,
         message,
     };
 }

package/apps/agents-server/src/languages/ServerTranslationKeys.ts

@@ -128,6 +128,7 @@ export const SERVER_TRANSLATION_KEYS = [
     'header.myAccount',
     'header.superAdmin',
     'header.administration',
+    'header.loginMethods',
     'header.monitoringAndUsage',
     'header.integrationsAndKeys',
     'header.developerDebug',
@@ -168,6 +169,7 @@ export const SERVER_TRANSLATION_KEYS = [
     'header.imagesGallery',
     'header.files',
     'header.users',
+    'header.shibboleth',
     'header.versionInfo',
     'header.experiments',
     'header.story',
@@ -198,8 +200,8 @@ export const SERVER_TRANSLATION_KEYS = [
     'login.passwordPlaceholder',
     'login.loggingIn',
     'login.loginAction',
-    'login.shibbolethAction',
-    'login.methodDivider',
+    'login.shibbolethLoginAction',
+    'login.shibbolethNotConfigured',
     'login.forgottenPassword',
     'login.registerNewUser',
     'login.errorOccurred',

package/apps/agents-server/src/languages/translations/czech.yaml

@@ -122,6 +122,7 @@ header.menuLabel: Nabídka
 header.myAccount: Můj účet
 header.superAdmin: Super administrace
 header.administration: Administrace
+header.loginMethods: Metody přihlášení
 header.monitoringAndUsage: Monitoring a využití
 header.integrationsAndKeys: Integrace a klíče
 header.developerDebug: Vývoj a ladění
@@ -162,6 +163,7 @@ header.errorSimulation: Simulace chyb
 header.imagesGallery: Galerie obrázků
 header.files: Soubory
 header.users: Uživatelé
+header.shibboleth: Shibboleth
 header.versionInfo: Informace o verzi
 header.experiments: Experimenty
 header.story: Příběh
@@ -192,8 +194,8 @@ login.passwordLabel: Heslo
 login.passwordPlaceholder: Zadejte heslo
 login.loggingIn: Přihlašuji…
 login.loginAction: Přihlásit se
-login.shibbolethAction: Pokračovat přes {provider}
-login.methodDivider: nebo
+login.shibbolethLoginAction: Pokračovat přes Shibboleth
+login.shibbolethNotConfigured: Přihlášení přes Shibboleth je aktivní, ale vyžaduje nastavení správcem.
 login.forgottenPassword: Zapomněli jste heslo?
 login.registerNewUser: Zaregistrovat nového uživatele
 login.errorOccurred: Došlo k chybě