npm - agent-relay - Versions diffs - 1.2.3 → 1.3.0 - Mend

agent-relay 1.2.3 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (200) hide show

package/dist/cloud/api/github-app.js CHANGED Viewed

@@ -27,22 +27,56 @@ githubAppRouter.get('/status', (_req, res) => {
 });
 /**
  * GET /api/github-app/repos
- * List repositories the user has connected via Nango
+ * List repositories the user has access to
+ *
+ * First tries database (populated by GitHub App OAuth).
+ * If empty, queries GitHub directly via user OAuth connection.
  */
 githubAppRouter.get('/repos', async (req, res) => {
     const userId = req.session.userId;
     try {
-        const repos = await db.repositories.findByUserId(userId);
+        // Try database first (from GitHub App OAuth flow)
+        const dbRepos = await db.repositories.findByUserId(userId);
+        if (dbRepos.length > 0) {
+            // Return repos from database
+            return res.json({
+                repositories: dbRepos.map((r) => ({
+                    id: r.id,
+                    fullName: r.githubFullName,
+                    isPrivate: r.isPrivate,
+                    defaultBranch: r.defaultBranch,
+                    syncStatus: r.syncStatus,
+                    hasNangoConnection: !!r.nangoConnectionId,
+                    lastSyncedAt: r.lastSyncedAt,
+                })),
+                source: 'database',
+            });
+        }
+        // Database empty - query GitHub directly via user OAuth
+        const user = await db.users.findById(userId);
+        if (!user?.nangoConnectionId) {
+            return res.json({
+                repositories: [],
+                source: 'none',
+                hint: 'User not connected to GitHub',
+            });
+        }
+        console.log(`[github-app/repos] Database empty, querying GitHub for user ${user.githubUsername}`);
+        const { repositories } = await nangoService.listUserAccessibleRepos(user.nangoConnectionId, {
+            perPage: 100,
+            type: 'all',
+        });
         res.json({
-            repositories: repos.map((r) => ({
-                id: r.id,
-                fullName: r.githubFullName,
+            repositories: repositories.map((r) => ({
+                id: null, // No database ID yet
+                fullName: r.fullName,
                 isPrivate: r.isPrivate,
                 defaultBranch: r.defaultBranch,
-                syncStatus: r.syncStatus,
-                hasNangoConnection: !!r.nangoConnectionId,
-                lastSyncedAt: r.lastSyncedAt,
+                syncStatus: 'live', // Queried from GitHub, not cached
+                hasNangoConnection: true,
+                lastSyncedAt: null,
             })),
+            source: 'github-api',
         });
     }
     catch (error) {

package/dist/cloud/api/nango-auth.js CHANGED Viewed

@@ -160,27 +160,17 @@ nangoAuthRouter.get('/repo-status/:connectionId', requireAuth, async (req, res)
  * Handle Nango webhooks for auth and sync events
  */
 nangoAuthRouter.post('/webhook', async (req, res) => {
-    // Use the preserved raw body from express.json verify callback
     const rawBody = req.rawBody || JSON.stringify(req.body);
-    // Verify signature using the new verifyIncomingWebhookRequest method
+    // Verify webhook signature if present
     const hasSignature = req.headers['x-nango-signature'] || req.headers['x-nango-hmac-sha256'];
-    const isDev = process.env.NODE_ENV !== 'production';
     if (hasSignature) {
         if (!nangoService.verifyWebhookSignature(rawBody, req.headers)) {
             console.error('[nango-webhook] Invalid signature');
             return res.status(401).json({ error: 'Invalid signature' });
         }
-        console.log('[nango-webhook] Signature verified');
-    }
-    else if (!isDev) {
-        console.error('[nango-webhook] Missing signature in production');
-        return res.status(401).json({ error: 'Missing signature' });
-    }
-    else {
-        console.warn('[nango-webhook] Skipping signature verification in development (no signature)');
     }
     const payload = req.body;
-    console.log(`[nango-webhook] Received ${payload.type} event`, JSON.stringify(payload, null, 2));
+    console.log(`[nango-webhook] Received ${payload.type} event`);
     try {
         switch (payload.type) {
             case 'auth':
@@ -190,8 +180,7 @@ nangoAuthRouter.post('/webhook', async (req, res) => {
                 console.log('[nango-webhook] Sync event received');
                 break;
             case 'forward':
-                // Nango forwards events from providers - typically not needed for our flow
-                console.log('[nango-webhook] Forward event from provider (ignored)');
+                await handleForwardWebhook(payload);
                 break;
             default:
                 console.log(`[nango-webhook] Unhandled event type: ${payload.type}`);
@@ -216,6 +205,72 @@ async function handleAuthWebhook(payload) {
         await handleRepoAuthWebhook(connectionId, endUser);
     }
 }
+/**
+ * Check user's repo access and auto-add them to workspaces
+ * Uses GitHub user OAuth to query accessible repos and persists them to database
+ */
+async function checkAndAutoAddToWorkspaces(userId, connectionId) {
+    try {
+        const user = await db.users.findById(userId);
+        if (!user)
+            return;
+        console.log(`[nango-webhook] Checking workspace auto-add for ${user.githubUsername}`);
+        // Query repos the user has access to via GitHub OAuth
+        const { repositories } = await nangoService.listUserAccessibleRepos(connectionId, {
+            perPage: 100,
+            type: 'all',
+        });
+        const workspacesToJoin = new Set();
+        // Check for workspace memberships - only persist repos that match existing workspaces
+        for (const repo of repositories) {
+            // Check if any user has this repo linked to a workspace
+            const allRepoRecords = await db.repositories.findByGithubFullName(repo.fullName);
+            let matchedWorkspaceId = null;
+            for (const record of allRepoRecords) {
+                if (record.workspaceId) {
+                    workspacesToJoin.add(record.workspaceId);
+                    matchedWorkspaceId = record.workspaceId; // Save the workspaceId to copy
+                }
+            }
+            // Only persist repos that are linked to workspaces
+            if (matchedWorkspaceId) {
+                await db.repositories.upsert({
+                    userId: user.id,
+                    githubFullName: repo.fullName,
+                    githubId: repo.id,
+                    isPrivate: repo.isPrivate,
+                    defaultBranch: repo.defaultBranch,
+                    nangoConnectionId: connectionId,
+                    workspaceId: matchedWorkspaceId, // Copy the workspaceId
+                    syncStatus: 'synced',
+                    lastSyncedAt: new Date(),
+                });
+            }
+        }
+        // Auto-add user to workspaces
+        for (const workspaceId of workspacesToJoin) {
+            const existingMembership = await db.workspaceMembers.findMembership(workspaceId, userId);
+            if (!existingMembership) {
+                const workspace = await db.workspaces.findById(workspaceId);
+                if (workspace) {
+                    console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
+                    await db.workspaceMembers.addMember({
+                        workspaceId,
+                        userId,
+                        role: 'member',
+                        invitedBy: workspace.userId,
+                    });
+                    await db.workspaceMembers.acceptInvite(workspaceId, userId);
+                }
+            }
+        }
+        console.log(`[nango-webhook] Synced ${repositories.length} repos, auto-added ${user.githubUsername} to ${workspacesToJoin.size} workspaces`);
+    }
+    catch (error) {
+        console.error(`[nango-webhook] Error checking workspace auto-add:`, error);
+        // Non-fatal - don't throw
+    }
+}
 /**
  * Handle GitHub login webhook
  *
@@ -246,6 +301,8 @@ async function handleLoginWebhook(connectionId, _endUser) {
             email: newUser.email || undefined,
         });
         console.log(`[nango-webhook] New user created: ${githubUser.login}`);
+        // Check for auto-add to workspaces based on repo access
+        await checkAndAutoAddToWorkspaces(newUser.id, connectionId);
         return;
     }
     // SCENARIO 2: Returning user with existing connection - delete temp connection
@@ -269,6 +326,8 @@ async function handleLoginWebhook(connectionId, _endUser) {
             console.error(`[nango-webhook] Failed to delete temp connection:`, error);
             // Non-fatal - continue anyway
         }
+        // Check for auto-add using permanent connection
+        await checkAndAutoAddToWorkspaces(existingUser.id, existingUser.nangoConnectionId);
         return;
     }
     // SCENARIO 3: Existing user, first connection (or same connection)
@@ -284,6 +343,192 @@ async function handleLoginWebhook(connectionId, _endUser) {
         id: existingUser.id,
         email: existingUser.email || undefined,
     });
+    // Check for auto-add to workspaces
+    await checkAndAutoAddToWorkspaces(existingUser.id, connectionId);
+}
+/**
+ * Handle Nango forward webhook (GitHub events forwarded by Nango)
+ */
+async function handleForwardWebhook(payload) {
+    const githubPayload = payload.payload;
+    console.log(`[nango-webhook] Forward event: action=${githubPayload.action} from ${payload.providerConfigKey}`);
+    // Only process GitHub App events
+    if (payload.providerConfigKey !== NANGO_INTEGRATIONS.GITHUB_APP) {
+        console.log('[nango-webhook] Ignoring forward event from non-GitHub-App integration');
+        return;
+    }
+    try {
+        // Determine event type from payload structure
+        if (githubPayload.installation && githubPayload.action === 'created' && githubPayload.repositories) {
+            // Installation created event
+            await handleInstallationForward(githubPayload, payload.connectionId);
+        }
+        else if (githubPayload.repositories_added || githubPayload.repositories_removed) {
+            // Installation repositories added/removed
+            await handleInstallationRepositoriesForward(githubPayload, payload.connectionId);
+        }
+        else {
+            console.log(`[nango-webhook] Unhandled forward event structure: action=${githubPayload.action}`);
+        }
+    }
+    catch (error) {
+        console.error(`[nango-webhook] Error processing forward event:`, error);
+        throw error;
+    }
+}
+/**
+ * Handle GitHub installation events forwarded by Nango
+ */
+async function handleInstallationForward(body, connectionId) {
+    const { action, installation, repositories, sender } = body;
+    if (!installation || !sender)
+        return;
+    const installationId = String(installation.id);
+    console.log(`[nango-webhook] Installation ${action}: ${installation.account.login} (${installationId})`);
+    if (action === 'created') {
+        // Find user by GitHub ID
+        const user = await db.users.findByGithubId(String(sender.id));
+        // Create/update installation record
+        await db.githubInstallations.upsert({
+            installationId,
+            accountType: installation.account.type.toLowerCase(),
+            accountLogin: installation.account.login,
+            accountId: String(installation.account.id),
+            installedById: user?.id ?? null,
+            permissions: installation.permissions,
+            events: installation.events,
+        });
+        // Sync repositories if provided
+        if (repositories && user) {
+            const dbInstallation = await db.githubInstallations.findByInstallationId(installationId);
+            if (dbInstallation) {
+                const workspacesToJoin = new Set();
+                for (const repo of repositories) {
+                    const syncedRepo = await db.repositories.upsert({
+                        userId: user.id,
+                        githubFullName: repo.full_name,
+                        githubId: repo.id,
+                        isPrivate: repo.private,
+                        installationId: dbInstallation.id,
+                        nangoConnectionId: connectionId,
+                        syncStatus: 'synced',
+                        lastSyncedAt: new Date(),
+                    });
+                    // Check if repo is part of an existing workspace
+                    // Look for ANY user's record of this repo that has a workspaceId
+                    if (syncedRepo.workspaceId) {
+                        workspacesToJoin.add(syncedRepo.workspaceId);
+                    }
+                    else {
+                        // Check if other users have this repo linked to a workspace
+                        const allRepoRecords = await db.repositories.findByGithubFullName(repo.full_name);
+                        for (const otherRecord of allRepoRecords) {
+                            if (otherRecord.workspaceId && otherRecord.userId !== user.id) {
+                                workspacesToJoin.add(otherRecord.workspaceId);
+                            }
+                        }
+                    }
+                }
+                // Auto-join user to workspaces for repos they have access to
+                for (const workspaceId of workspacesToJoin) {
+                    const existingMembership = await db.workspaceMembers.findMembership(workspaceId, user.id);
+                    if (!existingMembership) {
+                        const workspace = await db.workspaces.findById(workspaceId);
+                        if (workspace) {
+                            console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
+                            await db.workspaceMembers.addMember({
+                                workspaceId,
+                                userId: user.id,
+                                role: 'member',
+                                invitedBy: workspace.userId,
+                            });
+                            await db.workspaceMembers.acceptInvite(workspaceId, user.id);
+                        }
+                    }
+                }
+                console.log(`[nango-webhook] Installation created for ${installation.account.login}, auto-joined ${workspacesToJoin.size} workspaces`);
+            }
+        }
+    }
+}
+/**
+ * Handle installation_repositories events forwarded by Nango
+ */
+async function handleInstallationRepositoriesForward(body, connectionId) {
+    const { action, installation, repositories_added, repositories_removed, sender } = body;
+    if (!installation || !sender)
+        return;
+    const installationId = String(installation.id);
+    console.log(`[nango-webhook] Repositories ${action} for ${installation.account.login}`);
+    // Find installation in database
+    const dbInstallation = await db.githubInstallations.findByInstallationId(installationId);
+    if (!dbInstallation) {
+        console.error(`[nango-webhook] Installation ${installationId} not found in database`);
+        return;
+    }
+    // Find user who triggered this
+    const user = await db.users.findByGithubId(String(sender.id));
+    if (!user) {
+        console.error(`[nango-webhook] User ${sender.login} not found in database`);
+        return;
+    }
+    if (action === 'added' && repositories_added) {
+        const workspacesToJoin = new Set();
+        for (const repo of repositories_added) {
+            const syncedRepo = await db.repositories.upsert({
+                userId: user.id,
+                githubFullName: repo.full_name,
+                githubId: repo.id,
+                isPrivate: repo.private,
+                installationId: dbInstallation.id,
+                nangoConnectionId: connectionId,
+                syncStatus: 'synced',
+                lastSyncedAt: new Date(),
+            });
+            // Check if repo is part of an existing workspace
+            // Look for ANY user's record of this repo that has a workspaceId
+            if (syncedRepo.workspaceId) {
+                workspacesToJoin.add(syncedRepo.workspaceId);
+            }
+            else {
+                // Check if other users have this repo linked to a workspace
+                const allRepoRecords = await db.repositories.findByGithubFullName(repo.full_name);
+                for (const otherRecord of allRepoRecords) {
+                    if (otherRecord.workspaceId && otherRecord.userId !== user.id) {
+                        workspacesToJoin.add(otherRecord.workspaceId);
+                    }
+                }
+            }
+        }
+        // Auto-join user to workspaces for repos they have access to
+        for (const workspaceId of workspacesToJoin) {
+            const existingMembership = await db.workspaceMembers.findMembership(workspaceId, user.id);
+            if (!existingMembership) {
+                const workspace = await db.workspaces.findById(workspaceId);
+                if (workspace) {
+                    console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
+                    await db.workspaceMembers.addMember({
+                        workspaceId,
+                        userId: user.id,
+                        role: 'member',
+                        invitedBy: workspace.userId,
+                    });
+                    await db.workspaceMembers.acceptInvite(workspaceId, user.id);
+                }
+            }
+        }
+        console.log(`[nango-webhook] Added ${repositories_added.length} repositories, auto-joined ${workspacesToJoin.size} workspaces`);
+    }
+    if (action === 'removed' && repositories_removed) {
+        for (const repo of repositories_removed) {
+            const repos = await db.repositories.findByUserId(user.id);
+            const existingRepo = repos.find(r => r.githubFullName === repo.full_name);
+            if (existingRepo) {
+                await db.repositories.updateSyncStatus(existingRepo.id, 'access_removed');
+            }
+        }
+        console.log(`[nango-webhook] Removed access to ${repositories_removed.length} repositories`);
+    }
 }
 /**
  * Handle GitHub App OAuth webhook (repo access)
@@ -339,9 +584,11 @@ async function handleRepoAuthWebhook(connectionId, endUser) {
         }
         // Fetch repos the user has access to
         const { repositories: repos } = await nangoService.listGithubAppRepos(connectionId);
+        // Track workspaces to auto-join
+        const workspacesToJoin = new Set();
         // Sync repos to database
         for (const repo of repos) {
-            await db.repositories.upsert({
+            const syncedRepo = await db.repositories.upsert({
                 userId: user.id,
                 githubFullName: repo.full_name,
                 githubId: repo.id,
@@ -352,10 +599,44 @@ async function handleRepoAuthWebhook(connectionId, endUser) {
                 syncStatus: 'synced',
                 lastSyncedAt: new Date(),
             });
+            // Check if this repo is part of an existing workspace
+            // Look for ANY user's record of this repo that has a workspaceId
+            if (syncedRepo.workspaceId) {
+                workspacesToJoin.add(syncedRepo.workspaceId);
+            }
+            else {
+                // Check if other users have this repo linked to a workspace
+                const allRepoRecords = await db.repositories.findByGithubFullName(repo.full_name);
+                for (const otherRecord of allRepoRecords) {
+                    if (otherRecord.workspaceId && otherRecord.userId !== user.id) {
+                        workspacesToJoin.add(otherRecord.workspaceId);
+                    }
+                }
+            }
+        }
+        // Auto-join user to workspaces for repos they have access to
+        for (const workspaceId of workspacesToJoin) {
+            // Check if already a member
+            const existingMembership = await db.workspaceMembers.findMembership(workspaceId, user.id);
+            if (!existingMembership) {
+                // Get workspace owner to use as invitedBy
+                const workspace = await db.workspaces.findById(workspaceId);
+                if (workspace) {
+                    console.log(`[nango-webhook] Auto-adding ${user.githubUsername} to workspace ${workspace.name}`);
+                    await db.workspaceMembers.addMember({
+                        workspaceId,
+                        userId: user.id,
+                        role: 'member',
+                        invitedBy: workspace.userId, // Workspace owner invited them
+                    });
+                    // Auto-accept since they have GitHub repo access
+                    await db.workspaceMembers.acceptInvite(workspaceId, user.id);
+                }
+            }
         }
         // Clear any pending installation request
         await db.users.clearPendingInstallationRequest(user.id);
-        console.log(`[nango-webhook] Synced ${repos.length} repos for ${user.githubUsername} (installation: ${githubInstallationId || 'unknown'})`);
+        console.log(`[nango-webhook] Synced ${repos.length} repos for ${user.githubUsername} (installation: ${githubInstallationId || 'unknown'}), auto-joined ${workspacesToJoin.size} workspaces`);
         // Note: We intentionally do NOT auto-provision workspaces here.
         // Users should go through the onboarding flow at /app to:
         // 1. Name their workspace

package/dist/cloud/api/onboarding.js CHANGED Viewed

@@ -13,7 +13,6 @@ import { Router } from 'express';
 import * as crypto from 'crypto';
 import { requireAuth } from './auth.js';
 import { db } from '../db/index.js';
-import { vault } from '../vault/index.js';
 // Import for local use
 import { CLI_AUTH_CONFIG, runCLIAuthViaPTY, stripAnsiCodes, matchesSuccessPattern, findMatchingPrompt, validateProviderConfig, validateAllProviderConfigs, getSupportedProviders, } from './cli-pty-runner.js';
 // Re-export from shared module for backward compatibility
@@ -56,9 +55,12 @@ onboardingRouter.post('/cli/:provider/start', async (req, res) => {
     console.log('[onboarding] Route handler entered! provider:', req.params.provider);
     const { provider } = req.params;
     const userId = req.session.userId;
-    const { workspaceId, useDeviceFlow } = req.body; // Optional: specific workspace, device flow option
-    console.log('[onboarding] userId:', userId, 'workspaceId:', workspaceId, 'useDeviceFlow:', useDeviceFlow);
+    const { workspaceId, useDeviceFlow: requestedDeviceFlow } = req.body; // Optional: specific workspace, device flow option
+    // Device flow is only used if explicitly requested by the client
+    // Standard flow: user runs `codex-auth` CLI locally to capture OAuth callback and forward to cloud
     const config = CLI_AUTH_CONFIG[provider];
+    const useDeviceFlow = requestedDeviceFlow ?? false;
+    console.log('[onboarding] userId:', userId, 'workspaceId:', workspaceId, 'useDeviceFlow:', useDeviceFlow);
     if (!config) {
         return res.status(400).json({
             error: 'Provider not supported for CLI auth',
@@ -153,6 +155,7 @@ onboardingRouter.post('/cli/:provider/start', async (req, res) => {
             status: session.status,
             authUrl: session.authUrl,
             workspaceId: workspace.id,
+            useDeviceFlow, // Tell dashboard whether device flow is being used (no CLI helper needed)
             message: session.authUrl ? 'Open the auth URL to complete login' : 'Auth session starting, poll for status',
         });
     }
@@ -185,6 +188,8 @@ onboardingRouter.get('/cli/:provider/status/:sessionId', async (req, res) => {
                 session.status = workspaceStatus.status || session.status;
                 session.authUrl = workspaceStatus.authUrl || session.authUrl;
                 session.error = workspaceStatus.error;
+                session.errorHint = workspaceStatus.errorHint;
+                session.recoverable = workspaceStatus.recoverable;
             }
         }
         catch (err) {
@@ -195,6 +200,8 @@ onboardingRouter.get('/cli/:provider/status/:sessionId', async (req, res) => {
         status: session.status,
         authUrl: session.authUrl,
         error: session.error,
+        errorHint: session.errorHint,
+        recoverable: session.recoverable,
     });
 });
 /**
@@ -220,7 +227,7 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req, res) =>
     try {
         let accessToken = token || session.token;
         let refreshToken = session.refreshToken;
-        let tokenExpiresAt = session.tokenExpiresAt;
+        let _tokenExpiresAt = session.tokenExpiresAt;
         // If using workspace delegation, forward complete request first
         if (session.workspaceUrl && session.workspaceSessionId) {
             // Forward authCode to workspace if provided (for Codex-style redirects)
@@ -241,25 +248,52 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req, res) =>
                 }
                 session.status = 'success';
             }
-            // Fetch credentials from workspace
+            // Fetch credentials from workspace with retry
+            // Credentials may not be immediately available after OAuth completes
             if (!accessToken) {
-                try {
-                    const credsResponse = await fetch(`${session.workspaceUrl}/auth/cli/${provider}/creds/${session.workspaceSessionId}`);
-                    if (credsResponse.ok) {
-                        const creds = await credsResponse.json();
-                        accessToken = creds.token;
-                        refreshToken = creds.refreshToken;
-                        if (creds.expiresAt) {
-                            tokenExpiresAt = new Date(creds.expiresAt);
+                const MAX_CREDS_RETRIES = 5;
+                const CREDS_RETRY_DELAY = 1000; // 1 second between retries
+                for (let attempt = 1; attempt <= MAX_CREDS_RETRIES; attempt++) {
+                    try {
+                        console.log(`[onboarding] Fetching credentials from workspace (attempt ${attempt}/${MAX_CREDS_RETRIES})`);
+                        const credsResponse = await fetch(`${session.workspaceUrl}/auth/cli/${provider}/creds/${session.workspaceSessionId}`);
+                        if (credsResponse.ok) {
+                            const creds = await credsResponse.json();
+                            accessToken = creds.token;
+                            refreshToken = creds.refreshToken;
+                            if (creds.tokenExpiresAt) {
+                                _tokenExpiresAt = new Date(creds.tokenExpiresAt);
+                            }
+                            console.log('[onboarding] Fetched credentials from workspace:', {
+                                hasToken: !!accessToken,
+                                hasRefreshToken: !!refreshToken,
+                                attempt,
+                            });
+                            break; // Success, exit retry loop
+                        }
+                        // Check if it's an error state (not just "not ready yet")
+                        const errorBody = await credsResponse.json().catch(() => ({}));
+                        if (errorBody.status === 'error') {
+                            // Auth failed, don't retry
+                            console.error('[onboarding] Auth failed in workspace:', errorBody);
+                            return res.status(400).json({
+                                error: errorBody.error || 'Authentication failed',
+                                errorHint: errorBody.errorHint,
+                                recoverable: errorBody.recoverable,
+                            });
+                        }
+                        // If not ready yet and we have more retries, wait and try again
+                        if (attempt < MAX_CREDS_RETRIES) {
+                            console.log(`[onboarding] Credentials not ready yet, retrying in ${CREDS_RETRY_DELAY}ms...`);
+                            await new Promise(resolve => setTimeout(resolve, CREDS_RETRY_DELAY));
+                        }
+                    }
+                    catch (err) {
+                        console.error(`[onboarding] Failed to get credentials from workspace (attempt ${attempt}):`, err);
+                        if (attempt < MAX_CREDS_RETRIES) {
+                            await new Promise(resolve => setTimeout(resolve, CREDS_RETRY_DELAY));
                         }
-                        console.log('[onboarding] Fetched credentials from workspace:', {
-                            hasToken: !!accessToken,
-                            hasRefreshToken: !!refreshToken,
-                        });
                     }
-                }
-                catch (err) {
-                    console.error('[onboarding] Failed to get credentials from workspace:', err);
                 }
             }
         }
@@ -268,13 +302,11 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req, res) =>
                 error: 'No token found. Please complete authentication or paste your token.',
             });
         }
-        // Store in vault with refresh token and expiry
-        await vault.storeCredential({
+        // Mark provider as connected (tokens are not stored centrally - CLI tools
+        // authenticate directly on workspace instances)
+        await db.credentials.upsert({
             userId,
             provider,
-            accessToken,
-            refreshToken,
-            tokenExpiresAt,
             scopes: getProviderScopes(provider),
         });
         // Clean up session
@@ -297,8 +329,8 @@ onboardingRouter.post('/cli/:provider/complete/:sessionId', async (req, res) =>
 onboardingRouter.post('/cli/:provider/code/:sessionId', async (req, res) => {
     const { provider, sessionId } = req.params;
     const userId = req.session.userId;
-    const { code } = req.body;
-    console.log('[onboarding] Auth code submission request:', { provider, sessionId, codeLength: code?.length });
+    const { code, state } = req.body; // state is optional, used for Codex OAuth
+    console.log('[onboarding] Auth code submission request:', { provider, sessionId, codeLength: code?.length, hasState: !!state });
     if (!code || typeof code !== 'string') {
         return res.status(400).json({ error: 'Auth code is required' });
     }
@@ -324,7 +356,7 @@ onboardingRouter.post('/cli/:provider/code/:sessionId', async (req, res) => {
             const codeResponse = await fetch(targetUrl, {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ code }),
+                body: JSON.stringify({ code, state }), // Forward state for Codex CSRF validation
             });
             console.log('[onboarding] Workspace response:', { status: codeResponse.status });
             if (codeResponse.ok) {
@@ -381,6 +413,37 @@ onboardingRouter.post('/cli/:provider/cancel/:sessionId', async (req, res) => {
     }
     res.json({ success: true });
 });
+/**
+ * POST /api/onboarding/mark-connected/:provider
+ * Mark a provider as connected without storing a token.
+ * Used by terminal-based setup where the CLI stores credentials locally.
+ */
+onboardingRouter.post('/mark-connected/:provider', async (req, res) => {
+    const { provider } = req.params;
+    const userId = req.session.userId;
+    // Validate provider
+    const validProviders = ['anthropic', 'openai', 'google', 'github'];
+    if (!validProviders.includes(provider)) {
+        return res.status(400).json({ error: 'Invalid provider' });
+    }
+    try {
+        // Mark provider as connected (tokens are stored by CLI on workspace)
+        await db.credentials.upsert({
+            userId,
+            provider,
+            scopes: getProviderScopes(provider),
+        });
+        console.log(`[onboarding] Marked ${provider} as connected for user ${userId}`);
+        res.json({
+            success: true,
+            message: `${provider} connected successfully`,
+        });
+    }
+    catch (error) {
+        console.error(`Error marking ${provider} as connected:`, error);
+        res.status(500).json({ error: 'Failed to mark provider as connected' });
+    }
+});
 /**
  * POST /api/onboarding/token/:provider
  * Directly store a token (for manual paste flow)
@@ -398,22 +461,23 @@ onboardingRouter.post('/token/:provider', async (req, res) => {
         if (!isValid) {
             return res.status(400).json({ error: 'Invalid token' });
         }
-        // Store in vault
-        await vault.storeCredential({
+        // Mark provider as connected (tokens are not stored centrally - CLI tools
+        // authenticate directly on workspace instances)
+        await db.credentials.upsert({
             userId,
             provider,
-            accessToken: token,
             scopes: getProviderScopes(provider),
             providerAccountEmail: email,
         });
         res.json({
             success: true,
             message: `${provider} connected successfully`,
+            note: 'Token validated. Configure this on your workspace for usage.',
         });
     }
     catch (error) {
-        console.error(`Error storing token for ${provider}:`, error);
-        res.status(500).json({ error: 'Failed to store token' });
+        console.error(`Error storing provider connection for ${provider}:`, error);
+        res.status(500).json({ error: 'Failed to store provider connection' });
     }
 });
 /**