npm - @promptbook/cli - Versions diffs - 0.112.0-101 → 0.112.0-103 - Mend

@promptbook/cli 0.112.0-101 → 0.112.0-103

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/apps/agents-server/src/app/api/upload/route.ts CHANGED Viewed

@@ -1,31 +1,18 @@
-import { $getTableName } from '@/src/database/$getTableName';
-import { $provideSupabase } from '@/src/database/$provideSupabase';
 import { serializeError } from '@promptbook-local/utils';
-import type { PostgrestSingleResponse, SupabaseClient } from '@supabase/supabase-js';
-import { handleUpload, type HandleUploadBody } from '@vercel/blob/client';
 import { NextRequest, NextResponse } from 'next/server';
+import { spaceTrim } from 'spacetrim';
 import { assertsError } from '../../../../../../src/errors/assertsError';
-import { getUserIdFromRequest } from '../../../../src/utils/getUserIdFromRequest';
+import { LimitReachedError } from '../../../../../../src/errors/LimitReachedError';
+import { UnexpectedError } from '../../../../../../src/errors/UnexpectedError';
+import { $getTableName } from '../../../database/$getTableName';
+import { $provideSupabase } from '../../../database/$provideSupabase';
 import type { AgentsServerDatabase } from '../../../database/schema';
+import { $provideCdnForServer } from '../../../tools/$provideCdnForServer';
+import { getSafeCdnPath } from '../../../utils/cdn/utils/getSafeCdnPath';
 import { FILE_SECURITY_CHECKERS } from '../../../file-security-checkers';
+import { getUserIdFromRequest } from '../../../utils/getUserIdFromRequest';
 import { getMaxFileUploadSizeBytes } from '../../../utils/serverLimits';
-/**
- * Additional metadata accepted from the client-side upload helper.
- *
- * @private
- */
-type UploadClientPayload = {
-    purpose?: unknown;
-    contentType?: unknown;
-};
-/**
- * Generic object used for safe JSON parsing in upload payloads.
- *
- * @private
- */
-type JsonRecord = Record<string, unknown>;
+import { validateMimeType } from '../../../utils/validators/validateMimeType';
 /**
  * Default purpose used for uploads when the client does not provide one.
@@ -42,40 +29,30 @@ const DEFAULT_UPLOAD_PURPOSE = 'GENERIC_UPLOAD';
 const DEFAULT_UPLOAD_CONTENT_TYPE = 'application/octet-stream';
 /**
- * Minimal MIME type validation for values provided by client payload.
+ * Regular expression for path segments that are safe to keep as public object keys.
  *
  * @private
  */
-const MIME_TYPE_PATTERN = /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/i;
+const SAFE_UPLOAD_PATH_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._~!$&'()*+,;=:@/-]*$/;
 /**
- * Safely parses a JSON string into an object; returns empty object on invalid payload.
+ * Parsed upload request.
  *
  * @private
  */
-function parseJsonRecord(rawJson: string | null | undefined): JsonRecord {
-    if (!rawJson) {
-        return {};
-    }
-    try {
-        const parsed = JSON.parse(rawJson);
-        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
-            return {};
-        }
-        return parsed as JsonRecord;
-    } catch {
-        return {};
-    }
-}
+type ParsedUploadRequest = {
+    file: File;
+    pathname: string;
+    purpose: string;
+    contentType: string;
+};
 /**
  * Normalizes upload purpose to a non-empty string.
  *
  * @private
  */
-function normalizeUploadPurpose(value: unknown): string {
+function normalizeUploadPurpose(value: FormDataEntryValue | null): string {
     if (typeof value !== 'string') {
         return DEFAULT_UPLOAD_PURPOSE;
     }
@@ -89,197 +66,166 @@ function normalizeUploadPurpose(value: unknown): string {
  *
  * @private
  */
-function normalizeUploadContentType(value: unknown): string {
-    if (typeof value !== 'string') {
+function normalizeUploadContentType(value: FormDataEntryValue | null, fallbackContentType: string): string {
+    const candidate = typeof value === 'string' && value.trim() ? value.trim() : fallbackContentType;
+    try {
+        return validateMimeType(candidate || DEFAULT_UPLOAD_CONTENT_TYPE);
+    } catch {
         return DEFAULT_UPLOAD_CONTENT_TYPE;
     }
+}
+/**
+ * Resolves and validates the storage key requested by the browser.
+ *
+ * @private
+ */
+function resolveUploadPathname(value: FormDataEntryValue | null): string {
+    if (typeof value !== 'string') {
+        throw new UnexpectedError('Upload request is missing `pathname`.');
+    }
-    const normalizedContentType = value.trim().toLowerCase();
-    if (!MIME_TYPE_PATTERN.test(normalizedContentType)) {
-        return DEFAULT_UPLOAD_CONTENT_TYPE;
+    const pathname = value.trim().replace(/\\/g, '/').replace(/^\/+/, '');
+    if (
+        pathname === '' ||
+        pathname.includes('/../') ||
+        pathname.startsWith('../') ||
+        pathname.endsWith('/..') ||
+        !SAFE_UPLOAD_PATH_PATTERN.test(pathname)
+    ) {
+        throw new UnexpectedError(
+            spaceTrim(`
+                Upload request contains an invalid \`pathname\`.
+                The upload key must be a relative CDN path without parent-directory segments.
+            `),
+        );
     }
-    return normalizedContentType;
+    return getSafeCdnPath({
+        pathname,
+        pathPrefix: process.env.NEXT_PUBLIC_CDN_PATH_PREFIX,
+    });
 }
 /**
- * Extracts normalized upload metadata from client payload.
+ * Parses the multipart request accepted by `/api/upload`.
  *
  * @private
  */
-function resolveUploadClientPayload(clientPayload: string | null | undefined): {
-    purpose: string;
-    contentType: string;
-} {
-    const payload = parseJsonRecord(clientPayload) as UploadClientPayload;
+async function parseUploadRequest(request: NextRequest): Promise<ParsedUploadRequest> {
+    const formData = await request.formData();
+    const file = formData.get('file');
+    if (!(file instanceof File)) {
+        throw new UnexpectedError('Upload request is missing `file`.');
+    }
     return {
-        purpose: normalizeUploadPurpose(payload.purpose),
-        contentType: normalizeUploadContentType(payload.contentType),
+        file,
+        pathname: resolveUploadPathname(formData.get('pathname')),
+        purpose: normalizeUploadPurpose(formData.get('purpose')),
+        contentType: normalizeUploadContentType(formData.get('contentType'), file.type),
     };
 }
 /**
- * Handles post.
+ * Runs all configured file-security checkers against the uploaded public URL.
+ *
+ * @private
  */
-export async function POST(request: NextRequest) {
-    try {
-        const body = (await request.json()) as HandleUploadBody;
-        const userId = await getUserIdFromRequest(request);
-        const supabase: SupabaseClient<AgentsServerDatabase> = $provideSupabase();
-        // Handle Vercel Blob client upload protocol
-        const jsonResponse = await handleUpload({
-            body,
-            request,
-            token: process.env.VERCEL_BLOB_READ_WRITE_TOKEN!,
-            onBeforeGenerateToken: async (pathname, clientPayload) => {
-                // Authenticate user and validate upload
-                // Parse client payload for additional metadata
-                const { purpose, contentType } = resolveUploadClientPayload(clientPayload);
-                const maxFileSize = await getMaxFileUploadSizeBytes();
-                // Generate the proper path with prefix
-                // Note: With client uploads, we use the original filename provided by the client
-                // The file will be stored at: {pathPrefix}/user/files/{filename}
-                const pathPrefix = process.env.NEXT_PUBLIC_CDN_PATH_PREFIX || '';
-                // Create a DB record at the start of the upload to track it
-                const uploadPurpose = purpose;
-                const {
-                    data: insertedFile,
-                    error: insertError,
-                }: PostgrestSingleResponse<Pick<AgentsServerDatabase['public']['Tables']['File']['Row'], 'id'>> =
-                    await supabase
-                        .from(await $getTableName('File'))
-                        .insert({
-                            userId: userId || null,
-                            fileName: pathname,
-                            fileSize: 0, // <- Will be updated when upload completes
-                            fileType: contentType,
-                            storageUrl: null, // <- To be updated on completion
-                            shortUrl: null, // <- To be updated on completion
-                            purpose: uploadPurpose,
-                            status: 'UPLOADING',
-                        })
-                        .select('id')
-                        .single();
+async function checkUploadedFileSecurity(storageUrl: string): Promise<Record<string, unknown>> {
+    const securityResults: Record<string, unknown> = {};
+    for (const checkerId of Object.keys(FILE_SECURITY_CHECKERS)) {
+        try {
+            const checker = FILE_SECURITY_CHECKERS[checkerId]!;
+            securityResults[checkerId] = await checker.checkFile(storageUrl);
+        } catch (error) {
+            securityResults[checkerId] = {
+                isSafe: false,
+                status: 'ERROR',
+                confidence: 0,
+                message: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
-                if (insertError) {
-                    console.error('🔼 Failed to create file record:', insertError);
-                }
+    return securityResults;
+}
-                console.info('🔼 Upload started, tracking file:', {
-                    pathname,
-                    fileId: insertedFile?.id,
-                    purpose: uploadPurpose,
-                });
+/**
+ * Stores security results for the file row created by `TrackedFilesStorage`.
+ *
+ * @private
+ */
+async function updateUploadedFileSecurityResult(
+    storageUrl: string,
+    securityResult: Record<string, unknown>,
+): Promise<void> {
+    if (Object.keys(securityResult).length === 0) {
+        return;
+    }
-                return {
-                    maximumSizeInBytes: maxFileSize,
-                    addRandomSuffix: true, // Add random suffix to avoid filename collisions since we can't hash content
-                    tokenPayload: JSON.stringify({
-                        userId: userId || null,
-                        purpose: uploadPurpose,
-                        fileId: insertedFile?.id || null,
-                        uploadPath: pathname,
-                        pathPrefix,
-                    }),
-                };
-            },
-            onUploadCompleted: async ({ blob, tokenPayload }) => {
-                // !!!!
-                // ⚠️ IMPORTANT: This callback is a WEBHOOK called by Vercel's servers AFTER the upload completes
-                // - It runs in a DIFFERENT request context (not the original user request)
-                // - It WON'T work in local development (Vercel can't reach localhost)
-                // - All data must come from tokenPayload (userId, fileId, etc.)
-                // - Need to create a fresh supabase client here
-                console.info('🔼 Upload completed (webhook callback):', { blob, tokenPayload });
+    const supabase = $provideSupabase();
+    const securityResultForDatabase =
+        securityResult as AgentsServerDatabase['public']['Tables']['File']['Update']['securityResult'];
+    const { error } = await supabase
+        .from(await $getTableName('File'))
+        .update({ securityResult: securityResultForDatabase })
+        .eq('storageUrl', storageUrl);
-                try {
-                    const payload = parseJsonRecord(tokenPayload);
-                    const fileId = typeof payload.fileId === 'number' ? payload.fileId : null;
-                    const tokenUserId = typeof payload.userId === 'number' ? payload.userId : null;
-                    const tokenPurpose = normalizeUploadPurpose(payload.purpose);
-                    const uploadPath = typeof payload.uploadPath === 'string' ? payload.uploadPath : null;
+    if (error) {
+        console.error('Failed to update uploaded file security result:', error);
+    }
+}
-                    // Create fresh supabase client for this webhook context
-                    const supabase = $provideSupabase();
+/**
+ * Handles file upload requests.
+ */
+export async function POST(request: NextRequest) {
+    try {
+        const { file, pathname, purpose, contentType } = await parseUploadRequest(request);
+        const fileBuffer = Buffer.from(await file.arrayBuffer());
+        const maxFileSize = await getMaxFileUploadSizeBytes();
+        if (fileBuffer.byteLength > maxFileSize) {
+            throw new LimitReachedError(
+                spaceTrim(`
+                    Uploaded file \`${file.name}\` exceeds the configured upload limit.
+                    Maximum supported size: **${maxFileSize} bytes**
+                `),
+            );
+        }
-                    // Security checks
-                    const securityResults: Record<string, unknown> = {};
-                    const securityResultForDatabase =
-                        securityResults as AgentsServerDatabase['public']['Tables']['File']['Update']['securityResult'];
-                    for (const checkerId in FILE_SECURITY_CHECKERS) {
-                        try {
-                            const checker = FILE_SECURITY_CHECKERS[checkerId]!;
-                            console.info(`🛡️ Checking file security with ${checker.title} (${blob.url})...`);
-                            const result = await checker.checkFile(blob.url);
-                            securityResults[checkerId] = result;
-                            console.info(`🛡️ Security check result from ${checker.title}:`, result.status);
-                        } catch (error) {
-                            console.error(`🛡️ Security check failed for ${checkerId}:`, error);
-                            securityResults[checkerId] = {
-                                isSafe: false,
-                                status: 'ERROR',
-                                confidence: 0,
-                                message: error instanceof Error ? error.message : String(error),
-                            };
-                        }
-                    }
+        const cdn = $provideCdnForServer();
+        const storageUrl = cdn.getItemUrl(pathname).href;
+        const userId = await getUserIdFromRequest(request);
-                    if (fileId) {
-                        // Update the existing record by ID
-                        const { error: updateError } = await supabase
-                            .from(await $getTableName('File'))
-                            .update({
-                                userId: tokenUserId || null,
-                                fileSize: 0, // <- !!!!
-                                fileType: blob.contentType,
-                                storageUrl: blob.url,
-                                // <- TODO: !!!! Split between storageUrl and shortUrl
-                                purpose: tokenPurpose,
-                                status: 'COMPLETED',
-                                securityResult: securityResultForDatabase,
-                            })
-                            .eq('id', fileId);
+        await cdn.setItem(pathname, {
+            type: contentType,
+            data: fileBuffer,
+            purpose,
+            userId: userId || undefined,
+            fileSize: fileBuffer.byteLength,
+        });
-                        if (updateError) {
-                            console.error('🔼 Failed to update file record:', updateError);
-                        } else {
-                            console.info('🔼 File record updated successfully:', { fileId, shortUrl: blob.url });
-                        }
-                    } else if (uploadPath) {
-                        // Fallback: Update by uploadPath if fileId is not available
-                        const { error: updateError } = await supabase
-                            .from(await $getTableName('File'))
-                            .update({
-                                fileSize: 0, // <- !!!!
-                                fileType: blob.contentType,
-                                storageUrl: blob.url,
-                                status: 'COMPLETED',
-                                securityResult: securityResultForDatabase,
-                            })
-                            .eq('fileName', uploadPath)
-                            .eq('status', 'UPLOADING');
+        const securityResult = await checkUploadedFileSecurity(storageUrl);
+        await updateUploadedFileSecurityResult(storageUrl, securityResult);
-                        if (updateError) {
-                            console.error('🔼 Failed to update file record by uploadPath:', updateError);
-                        }
-                    }
-                } catch (error) {
-                    console.error('🔼 Error in onUploadCompleted:', error);
-                }
-            },
+        return NextResponse.json({
+            url: storageUrl,
+            pathname,
+            contentType,
+            size: fileBuffer.byteLength,
         });
-        return NextResponse.json(jsonResponse);
     } catch (error) {
         assertsError(error);
-        console.error('🔼', error);
+        console.error('Upload failed:', error);
         return new Response(
             JSON.stringify(
@@ -296,10 +242,3 @@ export async function POST(request: NextRequest) {
         );
     }
 }
-// TODO: !!!! Change uploaded URLs from `storageUrl` to `shortUrl`
-// TODO: !!!! Record both `storageUrl` (actual storage location) and `shortUrl` in `File` table
-// TODO: !!!! Record `purpose` in `File` table
-// TODO: !!!! Record `userId` in `File` table
-// TODO: !!!! Record all things into `File` table
-// TODO: !!!! File type (mime type) of `.book` files should be `application/book` <- [🧠] !!!! Best mime type?!

package/apps/agents-server/src/app/api/users/[username]/route.ts CHANGED Viewed

@@ -34,7 +34,7 @@ export async function PATCH(request: Request, { params }: { params: Promise<{ us
             .from(await $getTableName('User'))
             .update(updates)
             .eq('username', usernameParam)
-            .select('id, username, createdAt, updatedAt, isAdmin')
+            .select('*')
             .single();
         if (error) {

package/apps/agents-server/src/app/api/users/route.ts CHANGED Viewed

@@ -16,7 +16,7 @@ export async function GET() {
         const supabase = $provideSupabaseForServer();
         const { data: users, error } = await supabase
             .from(await $getTableName('User'))
-            .select('id, username, createdAt, updatedAt, isAdmin')
+            .select('*')
             .order('username');
         if (error) {
@@ -58,18 +58,18 @@ export async function POST(request: Request) {
                 createdAt: new Date().toISOString(),
                 updatedAt: new Date().toISOString(),
             })
-            .select('id, username, createdAt, updatedAt, isAdmin')
+            .select('*')
             .single();
         if (error) {
-            if (error.code === '23505') { // unique_violation
-                 return NextResponse.json({ error: 'Username already exists' }, { status: 409 });
+            if (error.code === '23505') {
+                // unique_violation
+                return NextResponse.json({ error: 'Username already exists' }, { status: 409 });
             }
             throw error;
         }
         return NextResponse.json(newUser);
     } catch (error) {
         console.error('Create user error:', error);
         const passwordValidationMessage = getPasswordValidationMessage(error);

package/apps/agents-server/src/app/dashboard/page.tsx CHANGED Viewed

@@ -56,7 +56,7 @@ export default async function DashboardPage() {
     const host = (await headers()).get('host') || 'unknown';
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div className="container mx-auto px-4 py-16">
                 <HomepagePrimarySections
                     agents={agents}

package/apps/agents-server/src/app/docs/[docId]/page.tsx CHANGED Viewed

@@ -32,7 +32,7 @@ export default async function DocPage(props: DocPageProps) {
     const { primary, aliases } = group;
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div className="container mx-auto px-4 py-16">
                 <DocsToolbar />
                 <PrintHeader title={primary.type} />

package/apps/agents-server/src/app/docs/page.tsx CHANGED Viewed

@@ -19,7 +19,7 @@ export default function DocsPage() {
     const groupedCommitments = getVisibleCommitmentDefinitions();
     return (
-        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50">
+        <div className="min-h-screen bg-gradient-to-br from-blue-50 via-white to-purple-50 dark:from-slate-950 dark:via-slate-950 dark:to-slate-900">
             <div className="container mx-auto px-4 py-16">
                 <DocsToolbar />
                 <PrintHeader title="Full Documentation" />

package/apps/agents-server/src/app/globals.css CHANGED Viewed

@@ -640,6 +640,26 @@ html.dark .agent-chat-route-surface .agent-chat-sidebar-toggle.agent-chat-solid-
     box-shadow: 0 20px 38px rgba(2, 6, 23, 0.6), inset 1px 0 0 rgba(191, 219, 254, 0.18);
 }
+html.dark .agent-chat-sidebar-item-active {
+    border-color: rgba(125, 211, 252, 0.52) !important;
+    background: linear-gradient(145deg, rgba(8, 47, 73, 0.88), rgba(15, 23, 42, 0.96)) !important;
+    color: #e0f2fe !important;
+    box-shadow: 0 14px 30px rgba(2, 6, 23, 0.4), inset 0 0 0 1px rgba(125, 211, 252, 0.16) !important;
+}
+html.dark .agent-chat-sidebar-item-active .agent-chat-sidebar-item-preview-card {
+    border-color: rgba(125, 211, 252, 0.34) !important;
+    background: rgba(15, 23, 42, 0.82) !important;
+}
+html.dark .agent-chat-sidebar-item-active .agent-chat-sidebar-item-title {
+    color: #f8fafc !important;
+}
+html.dark .agent-chat-sidebar-item-active .agent-chat-sidebar-item-preview {
+    color: #bae6fd !important;
+}
 .agent-chat-route-surface .chat-scrollToBottom.chat-scrollToBottom + [role='status'] {
     top: auto;
     right: auto;
@@ -807,6 +827,36 @@ html.dark .bg-slate-100\/80 {
     background-color: #111827 !important;
 }
+html.dark .bg-gray-200,
+html.dark .bg-slate-200 {
+    background-color: rgba(30, 41, 59, 0.92) !important;
+}
+html.dark .bg-gray-300,
+html.dark .bg-slate-300 {
+    background-color: rgba(51, 65, 85, 0.94) !important;
+}
+html.dark .bg-blue-50,
+html.dark .bg-blue-100 {
+    background-color: rgba(30, 64, 175, 0.24) !important;
+}
+html.dark .bg-amber-50,
+html.dark .bg-amber-100 {
+    background-color: rgba(120, 53, 15, 0.28) !important;
+}
+html.dark .bg-red-50,
+html.dark .bg-red-100 {
+    background-color: rgba(127, 29, 29, 0.3) !important;
+}
+html.dark .bg-emerald-50,
+html.dark .bg-emerald-100 {
+    background-color: rgba(6, 78, 59, 0.28) !important;
+}
 html.dark .border-gray-100,
 html.dark .border-gray-200,
 html.dark .border-slate-100,
@@ -844,9 +894,34 @@ html.dark .text-slate-400 {
     color: #64748b !important;
 }
+html.dark .text-blue-600,
+html.dark .text-blue-700,
+html.dark .hover\:text-blue-700:hover {
+    color: #93c5fd !important;
+}
+html.dark .text-amber-700,
+html.dark .text-amber-800,
+html.dark .text-amber-900 {
+    color: #fcd34d !important;
+}
+html.dark .text-red-600,
+html.dark .text-red-700,
+html.dark .text-red-800,
+html.dark .text-red-900 {
+    color: #fca5a5 !important;
+}
+html.dark .text-emerald-600,
+html.dark .text-emerald-700 {
+    color: #86efac !important;
+}
 html.dark .hover\:bg-white:hover,
 html.dark .hover\:bg-gray-50:hover,
 html.dark .hover\:bg-gray-100:hover,
+html.dark .hover\:bg-gray-300:hover,
 html.dark .hover\:bg-slate-50:hover,
 html.dark .hover\:bg-slate-100:hover {
     background-color: #0f172a !important;
@@ -864,6 +939,31 @@ html.dark .hover\:border-slate-400:hover {
     border-color: rgba(125, 211, 252, 0.45) !important;
 }
+html.dark input:not([type='checkbox']):not([type='radio']):not([type='range']),
+html.dark textarea,
+html.dark select {
+    background-color: #0f172a;
+    color: #e2e8f0;
+    border-color: rgba(71, 85, 105, 0.92);
+}
+html.dark input:not([type='checkbox']):not([type='radio']):not([type='range'])::placeholder,
+html.dark textarea::placeholder {
+    color: #94a3b8;
+}
+html.dark input:not([type='checkbox']):not([type='radio']):not([type='range']):disabled,
+html.dark textarea:disabled,
+html.dark select:disabled {
+    background-color: #111827;
+    color: #64748b;
+}
+html.dark option {
+    background-color: #0f172a;
+    color: #e2e8f0;
+}
 html.dark .prose {
     color: #cbd5e1;
 }

package/apps/agents-server/src/app/layout.tsx CHANGED Viewed

@@ -46,6 +46,10 @@ import {
     CONTROL_PANEL_OPTION_AVAILABILITY_METADATA_KEYS,
     getControlPanelOptionAvailability,
 } from '../utils/getControlPanelOptionAvailability';
+import {
+    SHIBBOLETH_AUTHENTICATION_METADATA_KEYS,
+    resolveShibbolethAuthenticationMenuStatus,
+} from '../constants/shibbolethAuth';
 import '@prisma/studio-core/ui/index.css';
 import './globals.css';
@@ -257,6 +261,7 @@ export default async function RootLayout({
         DEFAULT_THEME_METADATA_KEY,
         SERVER_LANGUAGE_METADATA_KEY,
         IS_SERVER_LANGUAGE_ENFORCED_METADATA_KEY,
+        ...SHIBBOLETH_AUTHENTICATION_METADATA_KEYS,
         ...CONTROL_PANEL_OPTION_AVAILABILITY_METADATA_KEYS,
     ]);
     const currentUserPromise = getCurrentUser();
@@ -380,6 +385,7 @@ export default async function RootLayout({
         metadata: layoutMetadata,
         isPushNotificationsConfigured: Boolean(webPushPublicKey),
     });
+    const shibbolethAuthenticationStatus = resolveShibbolethAuthenticationMenuStatus(layoutMetadata);
     const themeModeBootstrapScript = createThemeModeBootstrapScript(defaultThemeMode);
     return (
@@ -414,6 +420,7 @@ export default async function RootLayout({
                     defaultIsNotificationsOn={defaultIsNotificationsOn}
                     isExperimental={isExperimental}
                     feedbackMode={feedbackMode}
+                    shibbolethAuthenticationStatus={shibbolethAuthenticationStatus}
                     isExperimentalPwaAppEnabled={isExperimentalPwaAppEnabled}
                     controlPanelOptionAvailability={controlPanelOptionAvailability}
                     defaultServerLanguage={serverLanguage}