npm - ruflo - Versions diffs - 3.10.36 → 3.10.38 - Mend

ruflo 3.10.36 → 3.10.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (498) hide show

package/README.md +416 -416
package/bin/ruflo.js +77 -77
package/package.json +113 -113
package/src/chat-ui/Dockerfile +25 -25
package/src/chat-ui/patch-mcp-url-safety.sh +28 -28
package/src/config/config.example.json +76 -76
package/src/mcp-bridge/Dockerfile +45 -45
package/src/mcp-bridge/index.js +1692 -1692
package/src/mcp-bridge/mcp-stdio-kernel.js +159 -159
package/src/mcp-bridge/package.json +17 -17
package/src/mcp-bridge/test-harness.js +470 -470
package/src/nginx/Dockerfile +10 -10
package/src/nginx/nginx.conf +67 -67
package/src/nginx/static/favicon-dark.svg +4 -4
package/src/nginx/static/favicon.svg +4 -4
package/src/nginx/static/icon.svg +5 -5
package/src/nginx/static/logo.svg +9 -9
package/src/nginx/static/manifest.json +22 -22
package/src/nginx/static/welcome.js +184 -184
package/src/ruvocal/.claude/skills/add-model-descriptions/SKILL.md +73 -73
package/src/ruvocal/.devcontainer/Dockerfile +9 -9
package/src/ruvocal/.devcontainer/devcontainer.json +36 -36
package/src/ruvocal/.dockerignore +16 -16
package/src/ruvocal/.eslintignore +13 -13
package/src/ruvocal/.eslintrc.cjs +45 -45
package/src/ruvocal/.gcloudignore +18 -18
package/src/ruvocal/.github/ISSUE_TEMPLATE/bug-report--chat-ui-.md +43 -43
package/src/ruvocal/.github/ISSUE_TEMPLATE/config-support.md +9 -9
package/src/ruvocal/.github/ISSUE_TEMPLATE/feature-request--chat-ui-.md +17 -17
package/src/ruvocal/.github/ISSUE_TEMPLATE/huggingchat.md +11 -11
package/src/ruvocal/.github/release.yml +16 -16
package/src/ruvocal/.github/workflows/build-docs.yml +18 -18
package/src/ruvocal/.github/workflows/build-image.yml +142 -142
package/src/ruvocal/.github/workflows/build-pr-docs.yml +20 -20
package/src/ruvocal/.github/workflows/deploy-dev.yml +63 -63
package/src/ruvocal/.github/workflows/deploy-prod.yml +78 -78
package/src/ruvocal/.github/workflows/lint-and-test.yml +84 -84
package/src/ruvocal/.github/workflows/slugify.yaml +72 -72
package/src/ruvocal/.github/workflows/trufflehog.yml +17 -17
package/src/ruvocal/.github/workflows/upload-pr-documentation.yml +16 -16
package/src/ruvocal/.husky/lint-stage-config.js +4 -4
package/src/ruvocal/.husky/pre-commit +2 -2
package/src/ruvocal/.prettierignore +14 -14
package/src/ruvocal/.prettierrc +7 -7
package/src/ruvocal/CLAUDE.md +126 -126
package/src/ruvocal/Dockerfile +96 -96
package/src/ruvocal/LICENSE +202 -202
package/src/ruvocal/PRIVACY.md +41 -41
package/src/ruvocal/README.md +164 -164
package/src/ruvocal/chart/Chart.yaml +5 -5
package/src/ruvocal/chart/env/dev.yaml +260 -260
package/src/ruvocal/chart/env/prod.yaml +273 -273
package/src/ruvocal/chart/templates/_helpers.tpl +22 -22
package/src/ruvocal/chart/templates/config.yaml +10 -10
package/src/ruvocal/chart/templates/deployment.yaml +81 -81
package/src/ruvocal/chart/templates/hpa.yaml +45 -45
package/src/ruvocal/chart/templates/infisical.yaml +24 -24
package/src/ruvocal/chart/templates/ingress-internal.yaml +32 -32
package/src/ruvocal/chart/templates/ingress.yaml +32 -32
package/src/ruvocal/chart/templates/network-policy.yaml +36 -36
package/src/ruvocal/chart/templates/service-account.yaml +13 -13
package/src/ruvocal/chart/templates/service-monitor.yaml +17 -17
package/src/ruvocal/chart/templates/service.yaml +21 -21
package/src/ruvocal/chart/values.yaml +73 -73
package/src/ruvocal/cloudbuild.yaml +68 -68
package/src/ruvocal/config/branding.env.example +19 -19
package/src/ruvocal/docker-compose.yml +21 -21
package/src/ruvocal/docs/adr/ADR-029-HUGGINGFACE-CHAT-UI-CLOUD-RUN.md +1236 -1236
package/src/ruvocal/docs/adr/ADR-033-RUVECTOR-RUFLO-MCP-INTEGRATION.md +111 -111
package/src/ruvocal/docs/adr/ADR-034-OPTIONAL-MCP-BACKENDS.md +117 -117
package/src/ruvocal/docs/adr/ADR-035-MCP-TOOL-GROUPS.md +186 -186
package/src/ruvocal/docs/adr/ADR-037-AUTOPILOT-CHAT-MODE.md +1500 -1500
package/src/ruvocal/docs/adr/ADR-038-RUVOCAL-FORK.md +286 -286
package/src/ruvocal/docs/source/_toctree.yml +30 -30
package/src/ruvocal/docs/source/configuration/common-issues.md +38 -38
package/src/ruvocal/docs/source/configuration/llm-router.md +105 -105
package/src/ruvocal/docs/source/configuration/mcp-tools.md +84 -84
package/src/ruvocal/docs/source/configuration/metrics.md +9 -9
package/src/ruvocal/docs/source/configuration/open-id.md +57 -57
package/src/ruvocal/docs/source/configuration/overview.md +89 -89
package/src/ruvocal/docs/source/configuration/theming.md +20 -20
package/src/ruvocal/docs/source/developing/architecture.md +48 -48
package/src/ruvocal/docs/source/index.md +53 -53
package/src/ruvocal/docs/source/installation/docker.md +43 -43
package/src/ruvocal/docs/source/installation/helm.md +43 -43
package/src/ruvocal/docs/source/installation/local.md +62 -62
package/src/ruvocal/entrypoint.sh +18 -18
package/src/ruvocal/mcp-bridge/Dockerfile +45 -45
package/src/ruvocal/mcp-bridge/cloudbuild.yaml +49 -49
package/src/ruvocal/mcp-bridge/index.js +1902 -1902
package/src/ruvocal/mcp-bridge/mcp-stdio-kernel.js +159 -159
package/src/ruvocal/mcp-bridge/package-lock.json +762 -762
package/src/ruvocal/mcp-bridge/package.json +17 -17
package/src/ruvocal/mcp-bridge/test-harness.js +470 -470
package/src/ruvocal/package-lock.json +11741 -11741
package/src/ruvocal/package.json +121 -121
package/src/ruvocal/postcss.config.js +6 -6
package/src/ruvocal/rvf.manifest.json +204 -204
package/src/ruvocal/scripts/config.ts +64 -64
package/src/ruvocal/scripts/generate-welcome.mjs +181 -181
package/src/ruvocal/scripts/populate.ts +288 -288
package/src/ruvocal/scripts/samples.txt +194 -194
package/src/ruvocal/scripts/setups/vitest-setup-server.ts +44 -44
package/src/ruvocal/scripts/updateLocalEnv.ts +48 -48
package/src/ruvocal/src/ambient.d.ts +7 -7
package/src/ruvocal/src/app.d.ts +29 -29
package/src/ruvocal/src/app.html +53 -53
package/src/ruvocal/src/hooks.server.ts +32 -32
package/src/ruvocal/src/hooks.ts +6 -6
package/src/ruvocal/src/lib/APIClient.ts +148 -148
package/src/ruvocal/src/lib/actions/clickOutside.ts +18 -18
package/src/ruvocal/src/lib/actions/snapScrollToBottom.ts +346 -346
package/src/ruvocal/src/lib/buildPrompt.ts +33 -33
package/src/ruvocal/src/lib/components/AnnouncementBanner.svelte +20 -20
package/src/ruvocal/src/lib/components/BackgroundGenerationPoller.svelte +168 -168
package/src/ruvocal/src/lib/components/CodeBlock.svelte +73 -73
package/src/ruvocal/src/lib/components/CopyToClipBoardBtn.svelte +92 -92
package/src/ruvocal/src/lib/components/DeleteConversationModal.svelte +75 -75
package/src/ruvocal/src/lib/components/EditConversationModal.svelte +100 -100
package/src/ruvocal/src/lib/components/ExpandNavigation.svelte +22 -22
package/src/ruvocal/src/lib/components/FoundationBackground.svelte +242 -242
package/src/ruvocal/src/lib/components/HoverTooltip.svelte +44 -44
package/src/ruvocal/src/lib/components/HtmlPreviewModal.svelte +143 -143
package/src/ruvocal/src/lib/components/InfiniteScroll.svelte +50 -50
package/src/ruvocal/src/lib/components/MobileNav.svelte +300 -300
package/src/ruvocal/src/lib/components/Modal.svelte +115 -115
package/src/ruvocal/src/lib/components/ModelCardMetadata.svelte +71 -71
package/src/ruvocal/src/lib/components/NavConversationItem.svelte +151 -151
package/src/ruvocal/src/lib/components/NavMenu.svelte +313 -313
package/src/ruvocal/src/lib/components/Pagination.svelte +97 -97
package/src/ruvocal/src/lib/components/PaginationArrow.svelte +27 -27
package/src/ruvocal/src/lib/components/Portal.svelte +24 -24
package/src/ruvocal/src/lib/components/RetryBtn.svelte +18 -18
package/src/ruvocal/src/lib/components/RuFloUniverse.svelte +185 -185
package/src/ruvocal/src/lib/components/RufloHelpModal.svelte +411 -411
package/src/ruvocal/src/lib/components/ScrollToBottomBtn.svelte +47 -47
package/src/ruvocal/src/lib/components/ScrollToPreviousBtn.svelte +77 -77
package/src/ruvocal/src/lib/components/ShareConversationModal.svelte +182 -182
package/src/ruvocal/src/lib/components/StopGeneratingBtn.svelte +69 -69
package/src/ruvocal/src/lib/components/SubscribeModal.svelte +87 -87
package/src/ruvocal/src/lib/components/Switch.svelte +36 -36
package/src/ruvocal/src/lib/components/SystemPromptModal.svelte +44 -44
package/src/ruvocal/src/lib/components/Toast.svelte +27 -27
package/src/ruvocal/src/lib/components/Tooltip.svelte +30 -30
package/src/ruvocal/src/lib/components/WelcomeModal.svelte +46 -46
package/src/ruvocal/src/lib/components/chat/Alternatives.svelte +77 -77
package/src/ruvocal/src/lib/components/chat/BlockWrapper.svelte +72 -72
package/src/ruvocal/src/lib/components/chat/ChatInput.svelte +490 -490
package/src/ruvocal/src/lib/components/chat/ChatIntroduction.svelte +123 -123
package/src/ruvocal/src/lib/components/chat/ChatMessage.svelte +548 -548
package/src/ruvocal/src/lib/components/chat/ChatWindow.svelte +1057 -1057
package/src/ruvocal/src/lib/components/chat/FileDropzone.svelte +92 -92
package/src/ruvocal/src/lib/components/chat/ImageLightbox.svelte +66 -66
package/src/ruvocal/src/lib/components/chat/MarkdownBlock.svelte +23 -23
package/src/ruvocal/src/lib/components/chat/MarkdownRenderer.svelte +69 -69
package/src/ruvocal/src/lib/components/chat/MarkdownRenderer.svelte.test.ts +58 -58
package/src/ruvocal/src/lib/components/chat/MessageAvatar.svelte +103 -103
package/src/ruvocal/src/lib/components/chat/ModelSwitch.svelte +64 -64
package/src/ruvocal/src/lib/components/chat/OpenReasoningResults.svelte +81 -81
package/src/ruvocal/src/lib/components/chat/TaskGroup.svelte +88 -88
package/src/ruvocal/src/lib/components/chat/ToolUpdate.svelte +273 -273
package/src/ruvocal/src/lib/components/chat/UploadedFile.svelte +253 -253
package/src/ruvocal/src/lib/components/chat/UrlFetchModal.svelte +203 -203
package/src/ruvocal/src/lib/components/chat/VoiceRecorder.svelte +214 -214
package/src/ruvocal/src/lib/components/icons/IconBurger.svelte +20 -20
package/src/ruvocal/src/lib/components/icons/IconCheap.svelte +20 -20
package/src/ruvocal/src/lib/components/icons/IconChevron.svelte +24 -24
package/src/ruvocal/src/lib/components/icons/IconDazzled.svelte +40 -40
package/src/ruvocal/src/lib/components/icons/IconFast.svelte +20 -20
package/src/ruvocal/src/lib/components/icons/IconLoading.svelte +22 -22
package/src/ruvocal/src/lib/components/icons/IconMCP.svelte +28 -28
package/src/ruvocal/src/lib/components/icons/IconMoon.svelte +21 -21
package/src/ruvocal/src/lib/components/icons/IconNew.svelte +20 -20
package/src/ruvocal/src/lib/components/icons/IconOmni.svelte +90 -90
package/src/ruvocal/src/lib/components/icons/IconPaperclip.svelte +24 -24
package/src/ruvocal/src/lib/components/icons/IconPro.svelte +37 -37
package/src/ruvocal/src/lib/components/icons/IconShare.svelte +21 -21
package/src/ruvocal/src/lib/components/icons/IconSun.svelte +93 -93
package/src/ruvocal/src/lib/components/icons/Logo.svelte +68 -68
package/src/ruvocal/src/lib/components/icons/LogoHuggingFaceBorderless.svelte +54 -54
package/src/ruvocal/src/lib/components/mcp/AddServerForm.svelte +250 -250
package/src/ruvocal/src/lib/components/mcp/MCPServerManager.svelte +185 -185
package/src/ruvocal/src/lib/components/mcp/ServerCard.svelte +203 -203
package/src/ruvocal/src/lib/components/players/AudioPlayer.svelte +82 -82
package/src/ruvocal/src/lib/components/voice/AudioWaveform.svelte +96 -96
package/src/ruvocal/src/lib/components/wasm/GalleryPanel.svelte +357 -357
package/src/ruvocal/src/lib/constants/mcpExamples.ts +114 -114
package/src/ruvocal/src/lib/constants/mime.ts +11 -11
package/src/ruvocal/src/lib/constants/pagination.ts +1 -1
package/src/ruvocal/src/lib/constants/publicSepToken.ts +1 -1
package/src/ruvocal/src/lib/constants/routerExamples.ts +133 -133
package/src/ruvocal/src/lib/constants/rvagentPresets.ts +206 -206
package/src/ruvocal/src/lib/createShareLink.ts +27 -27
package/src/ruvocal/src/lib/jobs/refresh-conversation-stats.ts +297 -297
package/src/ruvocal/src/lib/migrations/lock.ts +56 -56
package/src/ruvocal/src/lib/migrations/migrations.spec.ts +74 -74
package/src/ruvocal/src/lib/migrations/migrations.ts +109 -109
package/src/ruvocal/src/lib/migrations/routines/01-update-search-assistants.ts +50 -50
package/src/ruvocal/src/lib/migrations/routines/02-update-assistants-models.ts +48 -48
package/src/ruvocal/src/lib/migrations/routines/04-update-message-updates.ts +151 -151
package/src/ruvocal/src/lib/migrations/routines/05-update-message-files.ts +56 -56
package/src/ruvocal/src/lib/migrations/routines/06-trim-message-updates.ts +56 -56
package/src/ruvocal/src/lib/migrations/routines/08-update-featured-to-review.ts +32 -32
package/src/ruvocal/src/lib/migrations/routines/09-delete-empty-conversations.spec.ts +214 -214
package/src/ruvocal/src/lib/migrations/routines/09-delete-empty-conversations.ts +88 -88
package/src/ruvocal/src/lib/migrations/routines/10-update-reports-assistantid.ts +29 -29
package/src/ruvocal/src/lib/migrations/routines/index.ts +15 -15
package/src/ruvocal/src/lib/server/__tests__/conversation-stop-generating.spec.ts +103 -103
package/src/ruvocal/src/lib/server/abortRegistry.ts +57 -57
package/src/ruvocal/src/lib/server/abortedGenerations.ts +43 -43
package/src/ruvocal/src/lib/server/adminToken.ts +62 -62
package/src/ruvocal/src/lib/server/api/__tests__/conversations-id.spec.ts +296 -296
package/src/ruvocal/src/lib/server/api/__tests__/conversations-message.spec.ts +216 -216
package/src/ruvocal/src/lib/server/api/__tests__/conversations.spec.ts +235 -235
package/src/ruvocal/src/lib/server/api/__tests__/misc.spec.ts +72 -72
package/src/ruvocal/src/lib/server/api/__tests__/testHelpers.ts +86 -86
package/src/ruvocal/src/lib/server/api/__tests__/user-reports.spec.ts +78 -78
package/src/ruvocal/src/lib/server/api/__tests__/user.spec.ts +239 -239
package/src/ruvocal/src/lib/server/api/types.ts +37 -37
package/src/ruvocal/src/lib/server/api/utils/requireAuth.ts +22 -22
package/src/ruvocal/src/lib/server/api/utils/resolveConversation.ts +69 -69
package/src/ruvocal/src/lib/server/api/utils/resolveModel.ts +27 -27
package/src/ruvocal/src/lib/server/api/utils/superjsonResponse.ts +15 -15
package/src/ruvocal/src/lib/server/apiToken.ts +11 -11
package/src/ruvocal/src/lib/server/auth.ts +554 -554
package/src/ruvocal/src/lib/server/config.ts +187 -187
package/src/ruvocal/src/lib/server/conversation.ts +83 -83
package/src/ruvocal/src/lib/server/database/__tests__/rvf.spec.ts +709 -709
package/src/ruvocal/src/lib/server/database/postgres.ts +700 -700
package/src/ruvocal/src/lib/server/database/rvf.ts +1078 -1078
package/src/ruvocal/src/lib/server/database.ts +145 -145
package/src/ruvocal/src/lib/server/endpoints/document.ts +68 -68
package/src/ruvocal/src/lib/server/endpoints/endpoints.ts +43 -43
package/src/ruvocal/src/lib/server/endpoints/images.ts +211 -211
package/src/ruvocal/src/lib/server/endpoints/openai/endpointOai.ts +266 -266
package/src/ruvocal/src/lib/server/endpoints/openai/openAIChatToTextGenerationStream.ts +212 -212
package/src/ruvocal/src/lib/server/endpoints/openai/openAICompletionToTextGenerationStream.ts +32 -32
package/src/ruvocal/src/lib/server/endpoints/preprocessMessages.ts +61 -61
package/src/ruvocal/src/lib/server/exitHandler.ts +59 -59
package/src/ruvocal/src/lib/server/files/downloadFile.ts +34 -34
package/src/ruvocal/src/lib/server/files/uploadFile.ts +29 -29
package/src/ruvocal/src/lib/server/findRepoRoot.ts +13 -13
package/src/ruvocal/src/lib/server/generateFromDefaultEndpoint.ts +46 -46
package/src/ruvocal/src/lib/server/hooks/error.ts +37 -37
package/src/ruvocal/src/lib/server/hooks/fetch.ts +22 -22
package/src/ruvocal/src/lib/server/hooks/handle.ts +250 -250
package/src/ruvocal/src/lib/server/hooks/init.ts +51 -51
package/src/ruvocal/src/lib/server/isURLLocal.spec.ts +31 -31
package/src/ruvocal/src/lib/server/isURLLocal.ts +74 -74
package/src/ruvocal/src/lib/server/logger.ts +42 -42
package/src/ruvocal/src/lib/server/mcp/clientPool.spec.ts +175 -175
package/src/ruvocal/src/lib/server/mcp/hf.ts +32 -32
package/src/ruvocal/src/lib/server/mcp/httpClient.ts +122 -122
package/src/ruvocal/src/lib/server/mcp/registry.ts +76 -76
package/src/ruvocal/src/lib/server/mcp/tools.ts +196 -196
package/src/ruvocal/src/lib/server/metrics.ts +255 -255
package/src/ruvocal/src/lib/server/models.ts +518 -518
package/src/ruvocal/src/lib/server/requestContext.ts +55 -55
package/src/ruvocal/src/lib/server/router/arch.ts +230 -230
package/src/ruvocal/src/lib/server/router/endpoint.ts +316 -316
package/src/ruvocal/src/lib/server/router/multimodal.ts +28 -28
package/src/ruvocal/src/lib/server/router/policy.ts +49 -49
package/src/ruvocal/src/lib/server/router/toolsRoute.ts +51 -51
package/src/ruvocal/src/lib/server/router/types.ts +21 -21
package/src/ruvocal/src/lib/server/sendSlack.ts +23 -23
package/src/ruvocal/src/lib/server/textGeneration/generate.ts +258 -258
package/src/ruvocal/src/lib/server/textGeneration/index.ts +96 -96
package/src/ruvocal/src/lib/server/textGeneration/mcp/fileRefs.ts +155 -155
package/src/ruvocal/src/lib/server/textGeneration/mcp/routerResolution.ts +108 -108
package/src/ruvocal/src/lib/server/textGeneration/mcp/runMcpFlow.ts +831 -831
package/src/ruvocal/src/lib/server/textGeneration/mcp/toolInvocation.ts +349 -349
package/src/ruvocal/src/lib/server/textGeneration/mcp/wasmTools.test.ts +633 -633
package/src/ruvocal/src/lib/server/textGeneration/reasoning.ts +23 -23
package/src/ruvocal/src/lib/server/textGeneration/title.ts +83 -83
package/src/ruvocal/src/lib/server/textGeneration/types.ts +28 -28
package/src/ruvocal/src/lib/server/textGeneration/utils/prepareFiles.ts +88 -88
package/src/ruvocal/src/lib/server/textGeneration/utils/routing.ts +21 -21
package/src/ruvocal/src/lib/server/textGeneration/utils/toolPrompt.ts +49 -49
package/src/ruvocal/src/lib/server/urlSafety.ts +77 -77
package/src/ruvocal/src/lib/server/usageLimits.ts +30 -30
package/src/ruvocal/src/lib/stores/autopilotStore.svelte.ts +175 -175
package/src/ruvocal/src/lib/stores/backgroundGenerations.svelte.ts +32 -32
package/src/ruvocal/src/lib/stores/backgroundGenerations.ts +1 -1
package/src/ruvocal/src/lib/stores/errors.ts +9 -9
package/src/ruvocal/src/lib/stores/isAborted.ts +3 -3
package/src/ruvocal/src/lib/stores/isPro.ts +4 -4
package/src/ruvocal/src/lib/stores/loading.ts +3 -3
package/src/ruvocal/src/lib/stores/mcpServers.ts +534 -534
package/src/ruvocal/src/lib/stores/pendingChatInput.ts +3 -3
package/src/ruvocal/src/lib/stores/pendingMessage.ts +9 -9
package/src/ruvocal/src/lib/stores/settings.ts +182 -182
package/src/ruvocal/src/lib/stores/shareModal.ts +13 -13
package/src/ruvocal/src/lib/stores/titleUpdate.ts +8 -8
package/src/ruvocal/src/lib/stores/wasmMcp.ts +472 -472
package/src/ruvocal/src/lib/switchTheme.ts +124 -124
package/src/ruvocal/src/lib/types/AbortedGeneration.ts +8 -8
package/src/ruvocal/src/lib/types/Assistant.ts +31 -31
package/src/ruvocal/src/lib/types/AssistantStats.ts +11 -11
package/src/ruvocal/src/lib/types/ConfigKey.ts +4 -4
package/src/ruvocal/src/lib/types/ConvSidebar.ts +9 -9
package/src/ruvocal/src/lib/types/Conversation.ts +27 -27
package/src/ruvocal/src/lib/types/ConversationStats.ts +13 -13
package/src/ruvocal/src/lib/types/Message.ts +41 -41
package/src/ruvocal/src/lib/types/MessageEvent.ts +10 -10
package/src/ruvocal/src/lib/types/MessageUpdate.ts +139 -139
package/src/ruvocal/src/lib/types/MigrationResult.ts +7 -7
package/src/ruvocal/src/lib/types/Model.ts +23 -23
package/src/ruvocal/src/lib/types/Report.ts +12 -12
package/src/ruvocal/src/lib/types/Review.ts +6 -6
package/src/ruvocal/src/lib/types/Semaphore.ts +19 -19
package/src/ruvocal/src/lib/types/Session.ts +22 -22
package/src/ruvocal/src/lib/types/Settings.ts +93 -93
package/src/ruvocal/src/lib/types/SharedConversation.ts +9 -9
package/src/ruvocal/src/lib/types/Template.ts +6 -6
package/src/ruvocal/src/lib/types/Timestamps.ts +4 -4
package/src/ruvocal/src/lib/types/TokenCache.ts +6 -6
package/src/ruvocal/src/lib/types/Tool.ts +77 -77
package/src/ruvocal/src/lib/types/UrlDependency.ts +5 -5
package/src/ruvocal/src/lib/types/User.ts +14 -14
package/src/ruvocal/src/lib/utils/PublicConfig.svelte.ts +75 -75
package/src/ruvocal/src/lib/utils/auth.ts +17 -17
package/src/ruvocal/src/lib/utils/chunk.ts +33 -33
package/src/ruvocal/src/lib/utils/cookiesAreEnabled.ts +13 -13
package/src/ruvocal/src/lib/utils/debounce.ts +17 -17
package/src/ruvocal/src/lib/utils/deepestChild.ts +6 -6
package/src/ruvocal/src/lib/utils/favicon.ts +21 -21
package/src/ruvocal/src/lib/utils/fetchJSON.ts +23 -23
package/src/ruvocal/src/lib/utils/file2base64.ts +14 -14
package/src/ruvocal/src/lib/utils/formatUserCount.ts +37 -37
package/src/ruvocal/src/lib/utils/generationState.spec.ts +75 -75
package/src/ruvocal/src/lib/utils/generationState.ts +26 -26
package/src/ruvocal/src/lib/utils/getHref.ts +41 -41
package/src/ruvocal/src/lib/utils/getReturnFromGenerator.ts +7 -7
package/src/ruvocal/src/lib/utils/haptics.ts +64 -64
package/src/ruvocal/src/lib/utils/hashConv.ts +12 -12
package/src/ruvocal/src/lib/utils/hf.ts +17 -17
package/src/ruvocal/src/lib/utils/isDesktop.ts +7 -7
package/src/ruvocal/src/lib/utils/isUrl.ts +8 -8
package/src/ruvocal/src/lib/utils/isVirtualKeyboard.ts +16 -16
package/src/ruvocal/src/lib/utils/loadAttachmentsFromUrls.ts +115 -115
package/src/ruvocal/src/lib/utils/marked.spec.ts +96 -96
package/src/ruvocal/src/lib/utils/marked.ts +531 -531
package/src/ruvocal/src/lib/utils/mcpValidation.ts +147 -147
package/src/ruvocal/src/lib/utils/mergeAsyncGenerators.ts +38 -38
package/src/ruvocal/src/lib/utils/messageUpdates.spec.ts +262 -262
package/src/ruvocal/src/lib/utils/messageUpdates.ts +324 -324
package/src/ruvocal/src/lib/utils/mime.ts +56 -56
package/src/ruvocal/src/lib/utils/models.ts +14 -14
package/src/ruvocal/src/lib/utils/parseBlocks.ts +120 -120
package/src/ruvocal/src/lib/utils/parseIncompleteMarkdown.ts +644 -644
package/src/ruvocal/src/lib/utils/parseStringToList.ts +10 -10
package/src/ruvocal/src/lib/utils/randomUuid.ts +14 -14
package/src/ruvocal/src/lib/utils/searchTokens.ts +33 -33
package/src/ruvocal/src/lib/utils/sha256.ts +7 -7
package/src/ruvocal/src/lib/utils/stringifyError.ts +12 -12
package/src/ruvocal/src/lib/utils/sum.ts +3 -3
package/src/ruvocal/src/lib/utils/template.spec.ts +59 -59
package/src/ruvocal/src/lib/utils/template.ts +53 -53
package/src/ruvocal/src/lib/utils/timeout.ts +9 -9
package/src/ruvocal/src/lib/utils/toolProgress.spec.ts +46 -46
package/src/ruvocal/src/lib/utils/toolProgress.ts +11 -11
package/src/ruvocal/src/lib/utils/tree/addChildren.spec.ts +102 -102
package/src/ruvocal/src/lib/utils/tree/addChildren.ts +48 -48
package/src/ruvocal/src/lib/utils/tree/addSibling.spec.ts +81 -81
package/src/ruvocal/src/lib/utils/tree/addSibling.ts +41 -41
package/src/ruvocal/src/lib/utils/tree/buildSubtree.spec.ts +110 -110
package/src/ruvocal/src/lib/utils/tree/buildSubtree.ts +24 -24
package/src/ruvocal/src/lib/utils/tree/convertLegacyConversation.spec.ts +31 -31
package/src/ruvocal/src/lib/utils/tree/convertLegacyConversation.ts +36 -36
package/src/ruvocal/src/lib/utils/tree/isMessageId.spec.ts +15 -15
package/src/ruvocal/src/lib/utils/tree/isMessageId.ts +5 -5
package/src/ruvocal/src/lib/utils/tree/tree.d.ts +14 -14
package/src/ruvocal/src/lib/utils/tree/treeHelpers.spec.ts +167 -167
package/src/ruvocal/src/lib/utils/updates.ts +39 -39
package/src/ruvocal/src/lib/utils/urlParams.ts +13 -13
package/src/ruvocal/src/lib/wasm/idb.ts +438 -438
package/src/ruvocal/src/lib/wasm/index.ts +1213 -1213
package/src/ruvocal/src/lib/wasm/tests/wasm-capabilities.test.ts +565 -565
package/src/ruvocal/src/lib/wasm/wasm.worker.ts +332 -332
package/src/ruvocal/src/lib/wasm/workerClient.ts +166 -166
package/src/ruvocal/src/lib/workers/autopilotWorker.ts +221 -221
package/src/ruvocal/src/lib/workers/detailFetchWorker.ts +100 -100
package/src/ruvocal/src/lib/workers/markdownWorker.ts +61 -61
package/src/ruvocal/src/routes/+error.svelte +20 -20
package/src/ruvocal/src/routes/+layout.svelte +324 -324
package/src/ruvocal/src/routes/+layout.ts +91 -91
package/src/ruvocal/src/routes/+page.svelte +168 -168
package/src/ruvocal/src/routes/.well-known/oauth-cimd/+server.ts +37 -37
package/src/ruvocal/src/routes/__debug/openai/+server.ts +21 -21
package/src/ruvocal/src/routes/admin/export/+server.ts +159 -159
package/src/ruvocal/src/routes/admin/stats/compute/+server.ts +16 -16
package/src/ruvocal/src/routes/api/conversation/[id]/+server.ts +40 -40
package/src/ruvocal/src/routes/api/conversation/[id]/message/[messageId]/+server.ts +42 -42
package/src/ruvocal/src/routes/api/conversations/+server.ts +48 -48
package/src/ruvocal/src/routes/api/fetch-url/+server.ts +147 -147
package/src/ruvocal/src/routes/api/mcp/health/+server.ts +292 -292
package/src/ruvocal/src/routes/api/mcp/servers/+server.ts +32 -32
package/src/ruvocal/src/routes/api/models/+server.ts +25 -25
package/src/ruvocal/src/routes/api/transcribe/+server.ts +104 -104
package/src/ruvocal/src/routes/api/user/+server.ts +15 -15
package/src/ruvocal/src/routes/api/user/validate-token/+server.ts +20 -20
package/src/ruvocal/src/routes/api/v2/conversations/+server.ts +48 -48
package/src/ruvocal/src/routes/api/v2/conversations/[id]/+server.ts +94 -94
package/src/ruvocal/src/routes/api/v2/conversations/[id]/message/[messageId]/+server.ts +43 -43
package/src/ruvocal/src/routes/api/v2/conversations/import-share/+server.ts +23 -23
package/src/ruvocal/src/routes/api/v2/debug/config/+server.ts +16 -16
package/src/ruvocal/src/routes/api/v2/debug/refresh/+server.ts +30 -30
package/src/ruvocal/src/routes/api/v2/export/+server.ts +196 -196
package/src/ruvocal/src/routes/api/v2/feature-flags/+server.ts +14 -14
package/src/ruvocal/src/routes/api/v2/models/+server.ts +38 -38
package/src/ruvocal/src/routes/api/v2/models/[namespace]/+server.ts +8 -8
package/src/ruvocal/src/routes/api/v2/models/[namespace]/[model]/+server.ts +8 -8
package/src/ruvocal/src/routes/api/v2/models/[namespace]/[model]/subscribe/+server.ts +28 -28
package/src/ruvocal/src/routes/api/v2/models/[namespace]/subscribe/+server.ts +28 -28
package/src/ruvocal/src/routes/api/v2/models/old/+server.ts +7 -7
package/src/ruvocal/src/routes/api/v2/models/refresh/+server.ts +33 -33
package/src/ruvocal/src/routes/api/v2/public-config/+server.ts +7 -7
package/src/ruvocal/src/routes/api/v2/user/+server.ts +17 -17
package/src/ruvocal/src/routes/api/v2/user/billing-orgs/+server.ts +73 -73
package/src/ruvocal/src/routes/api/v2/user/reports/+server.ts +17 -17
package/src/ruvocal/src/routes/api/v2/user/settings/+server.ts +110 -110
package/src/ruvocal/src/routes/conversation/+server.ts +115 -115
package/src/ruvocal/src/routes/conversation/[id]/+page.svelte +586 -586
package/src/ruvocal/src/routes/conversation/[id]/+page.ts +60 -60
package/src/ruvocal/src/routes/conversation/[id]/+server.ts +740 -740
package/src/ruvocal/src/routes/conversation/[id]/message/[messageId]/prompt/+server.ts +66 -66
package/src/ruvocal/src/routes/conversation/[id]/share/+server.ts +69 -69
package/src/ruvocal/src/routes/conversation/[id]/stop-generating/+server.ts +35 -35
package/src/ruvocal/src/routes/healthcheck/+server.ts +3 -3
package/src/ruvocal/src/routes/login/+server.ts +5 -5
package/src/ruvocal/src/routes/login/callback/+server.ts +103 -103
package/src/ruvocal/src/routes/login/callback/updateUser.spec.ts +157 -157
package/src/ruvocal/src/routes/login/callback/updateUser.ts +215 -215
package/src/ruvocal/src/routes/logout/+server.ts +18 -18
package/src/ruvocal/src/routes/metrics/+server.ts +18 -18
package/src/ruvocal/src/routes/models/+page.svelte +233 -233
package/src/ruvocal/src/routes/models/[...model]/+page.svelte +161 -161
package/src/ruvocal/src/routes/models/[...model]/+page.ts +14 -14
package/src/ruvocal/src/routes/models/[...model]/thumbnail.png/+server.ts +64 -64
package/src/ruvocal/src/routes/models/[...model]/thumbnail.png/ModelThumbnail.svelte +28 -28
package/src/ruvocal/src/routes/privacy/+page.svelte +11 -11
package/src/ruvocal/src/routes/r/[id]/+page.ts +34 -34
package/src/ruvocal/src/routes/settings/(nav)/+layout.svelte +282 -282
package/src/ruvocal/src/routes/settings/(nav)/+layout.ts +1 -1
package/src/ruvocal/src/routes/settings/(nav)/+server.ts +59 -59
package/src/ruvocal/src/routes/settings/(nav)/[...model]/+page.svelte +464 -464
package/src/ruvocal/src/routes/settings/(nav)/[...model]/+page.ts +14 -14
package/src/ruvocal/src/routes/settings/(nav)/application/+page.svelte +362 -362
package/src/ruvocal/src/routes/settings/+layout.svelte +40 -40
package/src/ruvocal/src/styles/highlight-js.css +195 -195
package/src/ruvocal/src/styles/main.css +144 -144
package/src/ruvocal/static/chatui/favicon-dark.svg +3 -3
package/src/ruvocal/static/chatui/favicon-dev.svg +3 -3
package/src/ruvocal/static/chatui/favicon.svg +3 -3
package/src/ruvocal/static/chatui/icon.svg +3 -3
package/src/ruvocal/static/chatui/logo.svg +7 -7
package/src/ruvocal/static/chatui/manifest.json +54 -54
package/src/ruvocal/static/chatui/welcome.js +184 -184
package/src/ruvocal/static/huggingchat/favicon-dark.svg +4 -4
package/src/ruvocal/static/huggingchat/favicon-dev.svg +4 -4
package/src/ruvocal/static/huggingchat/favicon.svg +4 -4
package/src/ruvocal/static/huggingchat/fulltext-logo.svg +1 -1
package/src/ruvocal/static/huggingchat/icon.svg +4 -4
package/src/ruvocal/static/huggingchat/logo.svg +4 -4
package/src/ruvocal/static/huggingchat/manifest.json +54 -54
package/src/ruvocal/static/huggingchat/routes.chat.json +226 -226
package/src/ruvocal/static/robots.txt +10 -10
package/src/ruvocal/static/wasm/rvagent_wasm.js +1539 -1539
package/src/ruvocal/stub/@reflink/reflink/package.json +5 -5
package/src/ruvocal/svelte.config.js +53 -53
package/src/ruvocal/tailwind.config.cjs +30 -30
package/src/ruvocal/tsconfig.json +19 -19
package/src/ruvocal/vite.config.ts +87 -87
package/src/scripts/deploy.sh +116 -116
package/src/scripts/generate-config.js +245 -245
package/src/scripts/generate-welcome.js +187 -187
package/src/scripts/package-rvf.sh +116 -116
package/src/ruvocal/.claude-flow/daemon-state.json +0 -135
package/src/ruvocal/.claude-flow/data/pending-insights.jsonl +0 -0
package/src/ruvocal/.claude-flow/data/ranked-context.json +0 -5
package/src/ruvocal/.claude-flow/logs/daemon.log +0 -31
package/src/ruvocal/.claude-flow/logs/headless/audit_1777949411822_juxau0_prompt.log +0 -989
package/src/ruvocal/.claude-flow/logs/headless/audit_1777949411822_juxau0_result.log +0 -67
package/src/ruvocal/.claude-flow/logs/headless/audit_1777950042278_jvj5xq_prompt.log +0 -989
package/src/ruvocal/.claude-flow/logs/headless/audit_1777950042278_jvj5xq_result.log +0 -93
package/src/ruvocal/.claude-flow/logs/headless/optimize_1777949531823_yt5yc2_prompt.log +0 -1498
package/src/ruvocal/.claude-flow/logs/headless/optimize_1777949531823_yt5yc2_result.log +0 -93
package/src/ruvocal/.claude-flow/logs/headless/testgaps_1777949771821_elw1j4_prompt.log +0 -1498
package/src/ruvocal/.claude-flow/logs/headless/testgaps_1777949771821_elw1j4_result.log +0 -100
package/src/ruvocal/.claude-flow/metrics/codebase-map.json +0 -11
package/src/ruvocal/.claude-flow/metrics/consolidation.json +0 -6
package/src/ruvocal/.claude-flow/neural/stats.json +0 -6
package/src/ruvocal/.claude-flow/sessions/current.json +0 -13
package/src/ruvocal/.swarm/attestation.db +0 -0
package/src/ruvocal/.swarm/hnsw.index +0 -0
package/src/ruvocal/.swarm/hnsw.metadata.json +0 -1
package/src/ruvocal/.swarm/memory.db +0 -0
package/src/ruvocal/.swarm/schema.sql +0 -305

package/src/ruvocal/src/lib/server/auth.ts CHANGED Viewed

@@ -1,554 +1,554 @@
-import {
-	Issuer,
-	type BaseClient,
-	type UserinfoResponse,
-	type TokenSet,
-	custom,
-	generators,
-} from "openid-client";
-import type { RequestEvent } from "@sveltejs/kit";
-import { addHours, addWeeks, differenceInMinutes, subMinutes } from "date-fns";
-import { config } from "$lib/server/config";
-import { sha256 } from "$lib/utils/sha256";
-import { z } from "zod";
-import { dev } from "$app/environment";
-import { redirect, type Cookies } from "@sveltejs/kit";
-import { collections } from "$lib/server/database";
-import JSON5 from "json5";
-import { logger } from "$lib/server/logger";
-import { ObjectId } from "mongodb";
-import { adminTokenManager } from "./adminToken";
-import type { User } from "$lib/types/User";
-import type { Session } from "$lib/types/Session";
-import { base } from "$app/paths";
-import { acquireLock, isDBLocked, releaseLock } from "$lib/migrations/lock";
-import { Semaphores } from "$lib/types/Semaphore";
-export interface OIDCSettings {
-	redirectURI: string;
-}
-export interface OIDCUserInfo {
-	token: TokenSet;
-	userData: UserinfoResponse;
-}
-const stringWithDefault = (value: string) =>
-	z
-		.string()
-		.default(value)
-		.transform((el) => (el ? el : value));
-export const OIDConfig = z
-	.object({
-		CLIENT_ID: stringWithDefault(config.OPENID_CLIENT_ID),
-		CLIENT_SECRET: stringWithDefault(config.OPENID_CLIENT_SECRET),
-		PROVIDER_URL: stringWithDefault(config.OPENID_PROVIDER_URL),
-		SCOPES: stringWithDefault(config.OPENID_SCOPES),
-		NAME_CLAIM: stringWithDefault(config.OPENID_NAME_CLAIM).refine(
-			(el) => !["preferred_username", "email", "picture", "sub"].includes(el),
-			{ message: "nameClaim cannot be one of the restricted keys." }
-		),
-		TOLERANCE: stringWithDefault(config.OPENID_TOLERANCE),
-		RESOURCE: stringWithDefault(config.OPENID_RESOURCE),
-		ID_TOKEN_SIGNED_RESPONSE_ALG: z.string().optional(),
-	})
-	.parse(JSON5.parse(config.OPENID_CONFIG || "{}"));
-export const loginEnabled = !!OIDConfig.CLIENT_ID;
-const sameSite = z
-	.enum(["lax", "none", "strict"])
-	.default(dev || config.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none")
-	.parse(config.COOKIE_SAMESITE === "" ? undefined : config.COOKIE_SAMESITE);
-const secure = z
-	.boolean()
-	.default(!(dev || config.ALLOW_INSECURE_COOKIES === "true"))
-	.parse(config.COOKIE_SECURE === "" ? undefined : config.COOKIE_SECURE === "true");
-function sanitizeReturnPath(path: string | undefined | null): string | undefined {
-	if (!path) {
-		return undefined;
-	}
-	if (path.startsWith("//")) {
-		return undefined;
-	}
-	if (!path.startsWith("/")) {
-		return undefined;
-	}
-	return path;
-}
-export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
-	cookies.set(config.COOKIE_NAME, sessionId, {
-		path: "/",
-		// So that it works inside the space's iframe
-		sameSite,
-		secure,
-		httpOnly: true,
-		expires: addWeeks(new Date(), 2),
-	});
-}
-export async function findUser(
-	sessionId: string,
-	coupledCookieHash: string | undefined,
-	url: URL
-): Promise<{
-	user: User | null;
-	invalidateSession: boolean;
-	oauth?: Session["oauth"];
-}> {
-	const session = await collections.sessions.findOne({ sessionId });
-	if (!session) {
-		return { user: null, invalidateSession: false };
-	}
-	if (coupledCookieHash && session.coupledCookieHash !== coupledCookieHash) {
-		return { user: null, invalidateSession: true };
-	}
-	// Check if OAuth token needs refresh
-	if (session.oauth?.token && session.oauth.refreshToken) {
-		// If token expires in less than 5 minutes, refresh it
-		if (differenceInMinutes(session.oauth.token.expiresAt, new Date()) < 5) {
-			const lockKey = `${Semaphores.OAUTH_TOKEN_REFRESH}:${sessionId}`;
-			// Acquire lock for token refresh
-			const lockId = await acquireLock(lockKey);
-			if (lockId) {
-				try {
-					// Attempt to refresh the token
-					const newTokenSet = await refreshOAuthToken(
-						{ redirectURI: `${config.PUBLIC_ORIGIN}${base}/login/callback` },
-						session.oauth.refreshToken,
-						url
-					);
-					if (!newTokenSet || !newTokenSet.access_token) {
-						// Token refresh failed, invalidate session
-						return { user: null, invalidateSession: true };
-					}
-					// Update session with new token information
-					const updatedOAuth = tokenSetToSessionOauth(newTokenSet);
-					if (!updatedOAuth) {
-						// Token refresh failed, invalidate session
-						return { user: null, invalidateSession: true };
-					}
-					await collections.sessions.updateOne(
-						{ sessionId },
-						{
-							$set: {
-								oauth: updatedOAuth,
-								updatedAt: new Date(),
-							},
-						}
-					);
-					session.oauth = updatedOAuth;
-				} catch (err) {
-					logger.error(err, "Error during token refresh:");
-					return { user: null, invalidateSession: true };
-				} finally {
-					await releaseLock(lockKey, lockId);
-				}
-			} else if (new Date() > session.oauth.token.expiresAt) {
-				// If the token has expired, we need to wait for the token refresh to complete
-				let attempts = 0;
-				do {
-					await new Promise((resolve) => setTimeout(resolve, 200));
-					attempts++;
-					if (attempts > 20) {
-						return { user: null, invalidateSession: true };
-					}
-				} while (await isDBLocked(lockKey));
-				const updatedSession = await collections.sessions.findOne({ sessionId });
-				if (!updatedSession || updatedSession.oauth?.token === session.oauth.token) {
-					return { user: null, invalidateSession: true };
-				}
-				session.oauth = updatedSession.oauth;
-			}
-		}
-	}
-	return {
-		user: await collections.users.findOne({ _id: session.userId }),
-		invalidateSession: false,
-		oauth: session.oauth,
-	};
-}
-export const authCondition = (locals: App.Locals) => {
-	if (!locals.user && !locals.sessionId) {
-		throw new Error("User or sessionId is required");
-	}
-	return locals.user
-		? { userId: locals.user._id }
-		: { sessionId: locals.sessionId, userId: { $exists: false } };
-};
-export function tokenSetToSessionOauth(tokenSet: TokenSet): Session["oauth"] {
-	if (!tokenSet.access_token) {
-		return undefined;
-	}
-	return {
-		token: {
-			value: tokenSet.access_token,
-			expiresAt: tokenSet.expires_at
-				? subMinutes(new Date(tokenSet.expires_at * 1000), 1)
-				: addWeeks(new Date(), 2),
-		},
-		refreshToken: tokenSet.refresh_token || undefined,
-	};
-}
-/**
- * Generates a CSRF token using the user sessionId. Note that we don't need a secret because sessionId is enough.
- */
-export async function generateCsrfToken(
-	sessionId: string,
-	redirectUrl: string,
-	next?: string
-): Promise<string> {
-	const sanitizedNext = sanitizeReturnPath(next);
-	const data = {
-		expiration: addHours(new Date(), 1).getTime(),
-		redirectUrl,
-		...(sanitizedNext ? { next: sanitizedNext } : {}),
-	} as {
-		expiration: number;
-		redirectUrl: string;
-		next?: string;
-	};
-	return Buffer.from(
-		JSON.stringify({
-			data,
-			signature: await sha256(JSON.stringify(data) + "##" + sessionId),
-		})
-	).toString("base64");
-}
-let lastIssuer: Issuer<BaseClient> | null = null;
-let lastIssuerFetchedAt: Date | null = null;
-async function getOIDCClient(settings: OIDCSettings, url: URL): Promise<BaseClient> {
-	if (
-		lastIssuer &&
-		lastIssuerFetchedAt &&
-		differenceInMinutes(new Date(), lastIssuerFetchedAt) >= 10
-	) {
-		lastIssuer = null;
-		lastIssuerFetchedAt = null;
-	}
-	if (!lastIssuer) {
-		lastIssuer = await Issuer.discover(OIDConfig.PROVIDER_URL);
-		lastIssuerFetchedAt = new Date();
-	}
-	const issuer = lastIssuer;
-	const client_config: ConstructorParameters<typeof issuer.Client>[0] = {
-		client_id: OIDConfig.CLIENT_ID,
-		client_secret: OIDConfig.CLIENT_SECRET,
-		redirect_uris: [settings.redirectURI],
-		response_types: ["code"],
-		[custom.clock_tolerance]: OIDConfig.TOLERANCE || undefined,
-		id_token_signed_response_alg: OIDConfig.ID_TOKEN_SIGNED_RESPONSE_ALG || undefined,
-	};
-	if (OIDConfig.CLIENT_ID === "__CIMD__") {
-		// See https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/
-		client_config.client_id = new URL(
-			`${base}/.well-known/oauth-cimd`,
-			config.PUBLIC_ORIGIN || url.origin
-		).toString();
-	}
-	const alg_supported = issuer.metadata["id_token_signing_alg_values_supported"];
-	if (Array.isArray(alg_supported)) {
-		client_config.id_token_signed_response_alg ??= alg_supported[0];
-	}
-	return new issuer.Client(client_config);
-}
-export async function getOIDCAuthorizationUrl(
-	settings: OIDCSettings,
-	params: { sessionId: string; next?: string; url: URL; cookies: Cookies }
-): Promise<string> {
-	const client = await getOIDCClient(settings, params.url);
-	const csrfToken = await generateCsrfToken(
-		params.sessionId,
-		settings.redirectURI,
-		sanitizeReturnPath(params.next)
-	);
-	const codeVerifier = generators.codeVerifier();
-	const codeChallenge = generators.codeChallenge(codeVerifier);
-	params.cookies.set("hfChat-codeVerifier", codeVerifier, {
-		path: "/",
-		sameSite,
-		secure,
-		httpOnly: true,
-		expires: addHours(new Date(), 1),
-	});
-	return client.authorizationUrl({
-		code_challenge_method: "S256",
-		code_challenge: codeChallenge,
-		scope: OIDConfig.SCOPES,
-		state: csrfToken,
-		resource: OIDConfig.RESOURCE || undefined,
-	});
-}
-export async function getOIDCUserData(
-	settings: OIDCSettings,
-	code: string,
-	codeVerifier: string,
-	iss: string | undefined,
-	url: URL
-): Promise<OIDCUserInfo> {
-	const client = await getOIDCClient(settings, url);
-	const token = await client.callback(
-		settings.redirectURI,
-		{
-			code,
-			iss,
-		},
-		{ code_verifier: codeVerifier }
-	);
-	const userData = await client.userinfo(token);
-	return { token, userData };
-}
-/**
- * Refreshes an OAuth token using the refresh token
- */
-export async function refreshOAuthToken(
-	settings: OIDCSettings,
-	refreshToken: string,
-	url: URL
-): Promise<TokenSet | null> {
-	const client = await getOIDCClient(settings, url);
-	const tokenSet = await client.refresh(refreshToken);
-	return tokenSet;
-}
-export async function validateAndParseCsrfToken(
-	token: string,
-	sessionId: string
-): Promise<{
-	/** This is the redirect url that was passed to the OIDC provider */
-	redirectUrl: string;
-	/** Relative path (within this app) to return to after login */
-	next?: string;
-} | null> {
-	try {
-		const { data, signature } = z
-			.object({
-				data: z.object({
-					expiration: z.number().int(),
-					redirectUrl: z.string().url(),
-					next: z.string().optional(),
-				}),
-				signature: z.string().length(64),
-			})
-			.parse(JSON.parse(token));
-		const reconstructSign = await sha256(JSON.stringify(data) + "##" + sessionId);
-		if (data.expiration > Date.now() && signature === reconstructSign) {
-			return { redirectUrl: data.redirectUrl, next: sanitizeReturnPath(data.next) };
-		}
-	} catch (e) {
-		logger.error(e, "Error validating and parsing CSRF token");
-	}
-	return null;
-}
-type CookieRecord = Cookies;
-type HeaderRecord = Headers;
-export async function getCoupledCookieHash(cookie: CookieRecord): Promise<string | undefined> {
-	if (!config.COUPLE_SESSION_WITH_COOKIE_NAME) {
-		return undefined;
-	}
-	const cookieValue = cookie.get(config.COUPLE_SESSION_WITH_COOKIE_NAME);
-	if (!cookieValue) {
-		return "no-cookie";
-	}
-	return await sha256(cookieValue);
-}
-export async function authenticateRequest(
-	headers: HeaderRecord,
-	cookie: CookieRecord,
-	url: URL,
-	isApi?: boolean
-): Promise<App.Locals & { secretSessionId: string }> {
-	const token = cookie.get(config.COOKIE_NAME);
-	let email = null;
-	if (config.TRUSTED_EMAIL_HEADER) {
-		email = headers.get(config.TRUSTED_EMAIL_HEADER);
-	}
-	let secretSessionId: string | null = null;
-	let sessionId: string | null = null;
-	if (email) {
-		secretSessionId = sessionId = await sha256(email);
-		return {
-			user: {
-				_id: new ObjectId(sessionId.slice(0, 24)),
-				name: email,
-				email,
-				createdAt: new Date(),
-				updatedAt: new Date(),
-				hfUserId: email,
-				avatarUrl: "",
-			},
-			sessionId,
-			secretSessionId,
-			isAdmin: adminTokenManager.isAdmin(sessionId),
-		};
-	}
-	if (token) {
-		secretSessionId = token;
-		sessionId = await sha256(token);
-		const result = await findUser(sessionId, await getCoupledCookieHash(cookie), url);
-		if (result.invalidateSession) {
-			secretSessionId = crypto.randomUUID();
-			sessionId = await sha256(secretSessionId);
-			if (await collections.sessions.findOne({ sessionId })) {
-				throw new Error("Session ID collision");
-			}
-		}
-		return {
-			user: result.user ?? undefined,
-			token: result.oauth?.token?.value,
-			sessionId,
-			secretSessionId,
-			isAdmin: result.user?.isAdmin || adminTokenManager.isAdmin(sessionId),
-		};
-	}
-	if (isApi) {
-		const authorization = headers.get("Authorization");
-		if (authorization?.startsWith("Bearer ")) {
-			const token = authorization.slice(7);
-			const hash = await sha256(token);
-			sessionId = secretSessionId = hash;
-			const cacheHit = await collections.tokenCaches.findOne({ tokenHash: hash });
-			if (cacheHit) {
-				const user = await collections.users.findOne({ hfUserId: cacheHit.userId });
-				if (!user) {
-					throw new Error("User not found");
-				}
-				return {
-					user,
-					sessionId,
-					token,
-					secretSessionId,
-					isAdmin: user.isAdmin || adminTokenManager.isAdmin(sessionId),
-				};
-			}
-			const response = await fetch("https://huggingface.co/api/whoami-v2", {
-				headers: { Authorization: `Bearer ${token}` },
-			});
-			if (!response.ok) {
-				throw new Error("Unauthorized");
-			}
-			const data = await response.json();
-			const user = await collections.users.findOne({ hfUserId: data.id });
-			if (!user) {
-				throw new Error("User not found");
-			}
-			await collections.tokenCaches.insertOne({
-				tokenHash: hash,
-				userId: data.id,
-				createdAt: new Date(),
-				updatedAt: new Date(),
-			});
-			return {
-				user,
-				sessionId,
-				secretSessionId,
-				token,
-				isAdmin: user.isAdmin || adminTokenManager.isAdmin(sessionId),
-			};
-		}
-	}
-	// Generate new session if none exists
-	secretSessionId = crypto.randomUUID();
-	sessionId = await sha256(secretSessionId);
-	if (await collections.sessions.findOne({ sessionId })) {
-		throw new Error("Session ID collision");
-	}
-	return { user: undefined, sessionId, secretSessionId, isAdmin: false };
-}
-export async function triggerOauthFlow({ url, locals, cookies }: RequestEvent): Promise<Response> {
-	// const referer = request.headers.get("referer");
-	// let redirectURI = `${(referer ? new URL(referer) : url).origin}${base}/login/callback`;
-	let redirectURI = `${url.origin}${base}/login/callback`;
-	// TODO: Handle errors if provider is not responding
-	if (url.searchParams.has("callback")) {
-		const callback = url.searchParams.get("callback") || redirectURI;
-		if (config.ALTERNATIVE_REDIRECT_URLS.includes(callback)) {
-			redirectURI = callback;
-		}
-	}
-	// Preserve a safe in-app return path after login.
-	// Priority: explicit ?next=... (must be an absolute path), else the current path (when auto-login kicks in).
-	let next: string | undefined = undefined;
-	const nextParam = sanitizeReturnPath(url.searchParams.get("next"));
-	if (nextParam) {
-		// Only accept absolute in-app paths to prevent open redirects
-		next = nextParam;
-	} else if (!url.pathname.startsWith(`${base}/login`)) {
-		// For automatic login on protected pages, return to the page the user was on
-		next = sanitizeReturnPath(`${url.pathname}${url.search}`) ?? `${base}/`;
-	} else {
-		next = sanitizeReturnPath(`${base}/`) ?? "/";
-	}
-	const authorizationUrl = await getOIDCAuthorizationUrl(
-		{ redirectURI },
-		{ sessionId: locals.sessionId, next, url, cookies }
-	);
-	throw redirect(302, authorizationUrl);
-}
+import {
+	Issuer,
+	type BaseClient,
+	type UserinfoResponse,
+	type TokenSet,
+	custom,
+	generators,
+} from "openid-client";
+import type { RequestEvent } from "@sveltejs/kit";
+import { addHours, addWeeks, differenceInMinutes, subMinutes } from "date-fns";
+import { config } from "$lib/server/config";
+import { sha256 } from "$lib/utils/sha256";
+import { z } from "zod";
+import { dev } from "$app/environment";
+import { redirect, type Cookies } from "@sveltejs/kit";
+import { collections } from "$lib/server/database";
+import JSON5 from "json5";
+import { logger } from "$lib/server/logger";
+import { ObjectId } from "mongodb";
+import { adminTokenManager } from "./adminToken";
+import type { User } from "$lib/types/User";
+import type { Session } from "$lib/types/Session";
+import { base } from "$app/paths";
+import { acquireLock, isDBLocked, releaseLock } from "$lib/migrations/lock";
+import { Semaphores } from "$lib/types/Semaphore";
+export interface OIDCSettings {
+	redirectURI: string;
+}
+export interface OIDCUserInfo {
+	token: TokenSet;
+	userData: UserinfoResponse;
+}
+const stringWithDefault = (value: string) =>
+	z
+		.string()
+		.default(value)
+		.transform((el) => (el ? el : value));
+export const OIDConfig = z
+	.object({
+		CLIENT_ID: stringWithDefault(config.OPENID_CLIENT_ID),
+		CLIENT_SECRET: stringWithDefault(config.OPENID_CLIENT_SECRET),
+		PROVIDER_URL: stringWithDefault(config.OPENID_PROVIDER_URL),
+		SCOPES: stringWithDefault(config.OPENID_SCOPES),
+		NAME_CLAIM: stringWithDefault(config.OPENID_NAME_CLAIM).refine(
+			(el) => !["preferred_username", "email", "picture", "sub"].includes(el),
+			{ message: "nameClaim cannot be one of the restricted keys." }
+		),
+		TOLERANCE: stringWithDefault(config.OPENID_TOLERANCE),
+		RESOURCE: stringWithDefault(config.OPENID_RESOURCE),
+		ID_TOKEN_SIGNED_RESPONSE_ALG: z.string().optional(),
+	})
+	.parse(JSON5.parse(config.OPENID_CONFIG || "{}"));
+export const loginEnabled = !!OIDConfig.CLIENT_ID;
+const sameSite = z
+	.enum(["lax", "none", "strict"])
+	.default(dev || config.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none")
+	.parse(config.COOKIE_SAMESITE === "" ? undefined : config.COOKIE_SAMESITE);
+const secure = z
+	.boolean()
+	.default(!(dev || config.ALLOW_INSECURE_COOKIES === "true"))
+	.parse(config.COOKIE_SECURE === "" ? undefined : config.COOKIE_SECURE === "true");
+function sanitizeReturnPath(path: string | undefined | null): string | undefined {
+	if (!path) {
+		return undefined;
+	}
+	if (path.startsWith("//")) {
+		return undefined;
+	}
+	if (!path.startsWith("/")) {
+		return undefined;
+	}
+	return path;
+}
+export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
+	cookies.set(config.COOKIE_NAME, sessionId, {
+		path: "/",
+		// So that it works inside the space's iframe
+		sameSite,
+		secure,
+		httpOnly: true,
+		expires: addWeeks(new Date(), 2),
+	});
+}
+export async function findUser(
+	sessionId: string,
+	coupledCookieHash: string | undefined,
+	url: URL
+): Promise<{
+	user: User | null;
+	invalidateSession: boolean;
+	oauth?: Session["oauth"];
+}> {
+	const session = await collections.sessions.findOne({ sessionId });
+	if (!session) {
+		return { user: null, invalidateSession: false };
+	}
+	if (coupledCookieHash && session.coupledCookieHash !== coupledCookieHash) {
+		return { user: null, invalidateSession: true };
+	}
+	// Check if OAuth token needs refresh
+	if (session.oauth?.token && session.oauth.refreshToken) {
+		// If token expires in less than 5 minutes, refresh it
+		if (differenceInMinutes(session.oauth.token.expiresAt, new Date()) < 5) {
+			const lockKey = `${Semaphores.OAUTH_TOKEN_REFRESH}:${sessionId}`;
+			// Acquire lock for token refresh
+			const lockId = await acquireLock(lockKey);
+			if (lockId) {
+				try {
+					// Attempt to refresh the token
+					const newTokenSet = await refreshOAuthToken(
+						{ redirectURI: `${config.PUBLIC_ORIGIN}${base}/login/callback` },
+						session.oauth.refreshToken,
+						url
+					);
+					if (!newTokenSet || !newTokenSet.access_token) {
+						// Token refresh failed, invalidate session
+						return { user: null, invalidateSession: true };
+					}
+					// Update session with new token information
+					const updatedOAuth = tokenSetToSessionOauth(newTokenSet);
+					if (!updatedOAuth) {
+						// Token refresh failed, invalidate session
+						return { user: null, invalidateSession: true };
+					}
+					await collections.sessions.updateOne(
+						{ sessionId },
+						{
+							$set: {
+								oauth: updatedOAuth,
+								updatedAt: new Date(),
+							},
+						}
+					);
+					session.oauth = updatedOAuth;
+				} catch (err) {
+					logger.error(err, "Error during token refresh:");
+					return { user: null, invalidateSession: true };
+				} finally {
+					await releaseLock(lockKey, lockId);
+				}
+			} else if (new Date() > session.oauth.token.expiresAt) {
+				// If the token has expired, we need to wait for the token refresh to complete
+				let attempts = 0;
+				do {
+					await new Promise((resolve) => setTimeout(resolve, 200));
+					attempts++;
+					if (attempts > 20) {
+						return { user: null, invalidateSession: true };
+					}
+				} while (await isDBLocked(lockKey));
+				const updatedSession = await collections.sessions.findOne({ sessionId });
+				if (!updatedSession || updatedSession.oauth?.token === session.oauth.token) {
+					return { user: null, invalidateSession: true };
+				}
+				session.oauth = updatedSession.oauth;
+			}
+		}
+	}
+	return {
+		user: await collections.users.findOne({ _id: session.userId }),
+		invalidateSession: false,
+		oauth: session.oauth,
+	};
+}
+export const authCondition = (locals: App.Locals) => {
+	if (!locals.user && !locals.sessionId) {
+		throw new Error("User or sessionId is required");
+	}
+	return locals.user
+		? { userId: locals.user._id }
+		: { sessionId: locals.sessionId, userId: { $exists: false } };
+};
+export function tokenSetToSessionOauth(tokenSet: TokenSet): Session["oauth"] {
+	if (!tokenSet.access_token) {
+		return undefined;
+	}
+	return {
+		token: {
+			value: tokenSet.access_token,
+			expiresAt: tokenSet.expires_at
+				? subMinutes(new Date(tokenSet.expires_at * 1000), 1)
+				: addWeeks(new Date(), 2),
+		},
+		refreshToken: tokenSet.refresh_token || undefined,
+	};
+}
+/**
+ * Generates a CSRF token using the user sessionId. Note that we don't need a secret because sessionId is enough.
+ */
+export async function generateCsrfToken(
+	sessionId: string,
+	redirectUrl: string,
+	next?: string
+): Promise<string> {
+	const sanitizedNext = sanitizeReturnPath(next);
+	const data = {
+		expiration: addHours(new Date(), 1).getTime(),
+		redirectUrl,
+		...(sanitizedNext ? { next: sanitizedNext } : {}),
+	} as {
+		expiration: number;
+		redirectUrl: string;
+		next?: string;
+	};
+	return Buffer.from(
+		JSON.stringify({
+			data,
+			signature: await sha256(JSON.stringify(data) + "##" + sessionId),
+		})
+	).toString("base64");
+}
+let lastIssuer: Issuer<BaseClient> | null = null;
+let lastIssuerFetchedAt: Date | null = null;
+async function getOIDCClient(settings: OIDCSettings, url: URL): Promise<BaseClient> {
+	if (
+		lastIssuer &&
+		lastIssuerFetchedAt &&
+		differenceInMinutes(new Date(), lastIssuerFetchedAt) >= 10
+	) {
+		lastIssuer = null;
+		lastIssuerFetchedAt = null;
+	}
+	if (!lastIssuer) {
+		lastIssuer = await Issuer.discover(OIDConfig.PROVIDER_URL);
+		lastIssuerFetchedAt = new Date();
+	}
+	const issuer = lastIssuer;
+	const client_config: ConstructorParameters<typeof issuer.Client>[0] = {
+		client_id: OIDConfig.CLIENT_ID,
+		client_secret: OIDConfig.CLIENT_SECRET,
+		redirect_uris: [settings.redirectURI],
+		response_types: ["code"],
+		[custom.clock_tolerance]: OIDConfig.TOLERANCE || undefined,
+		id_token_signed_response_alg: OIDConfig.ID_TOKEN_SIGNED_RESPONSE_ALG || undefined,
+	};
+	if (OIDConfig.CLIENT_ID === "__CIMD__") {
+		// See https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/
+		client_config.client_id = new URL(
+			`${base}/.well-known/oauth-cimd`,
+			config.PUBLIC_ORIGIN || url.origin
+		).toString();
+	}
+	const alg_supported = issuer.metadata["id_token_signing_alg_values_supported"];
+	if (Array.isArray(alg_supported)) {
+		client_config.id_token_signed_response_alg ??= alg_supported[0];
+	}
+	return new issuer.Client(client_config);
+}
+export async function getOIDCAuthorizationUrl(
+	settings: OIDCSettings,
+	params: { sessionId: string; next?: string; url: URL; cookies: Cookies }
+): Promise<string> {
+	const client = await getOIDCClient(settings, params.url);
+	const csrfToken = await generateCsrfToken(
+		params.sessionId,
+		settings.redirectURI,
+		sanitizeReturnPath(params.next)
+	);
+	const codeVerifier = generators.codeVerifier();
+	const codeChallenge = generators.codeChallenge(codeVerifier);
+	params.cookies.set("hfChat-codeVerifier", codeVerifier, {
+		path: "/",
+		sameSite,
+		secure,
+		httpOnly: true,
+		expires: addHours(new Date(), 1),
+	});
+	return client.authorizationUrl({
+		code_challenge_method: "S256",
+		code_challenge: codeChallenge,
+		scope: OIDConfig.SCOPES,
+		state: csrfToken,
+		resource: OIDConfig.RESOURCE || undefined,
+	});
+}
+export async function getOIDCUserData(
+	settings: OIDCSettings,
+	code: string,
+	codeVerifier: string,
+	iss: string | undefined,
+	url: URL
+): Promise<OIDCUserInfo> {
+	const client = await getOIDCClient(settings, url);
+	const token = await client.callback(
+		settings.redirectURI,
+		{
+			code,
+			iss,
+		},
+		{ code_verifier: codeVerifier }
+	);
+	const userData = await client.userinfo(token);
+	return { token, userData };
+}
+/**
+ * Refreshes an OAuth token using the refresh token
+ */
+export async function refreshOAuthToken(
+	settings: OIDCSettings,
+	refreshToken: string,
+	url: URL
+): Promise<TokenSet | null> {
+	const client = await getOIDCClient(settings, url);
+	const tokenSet = await client.refresh(refreshToken);
+	return tokenSet;
+}
+export async function validateAndParseCsrfToken(
+	token: string,
+	sessionId: string
+): Promise<{
+	/** This is the redirect url that was passed to the OIDC provider */
+	redirectUrl: string;
+	/** Relative path (within this app) to return to after login */
+	next?: string;
+} | null> {
+	try {
+		const { data, signature } = z
+			.object({
+				data: z.object({
+					expiration: z.number().int(),
+					redirectUrl: z.string().url(),
+					next: z.string().optional(),
+				}),
+				signature: z.string().length(64),
+			})
+			.parse(JSON.parse(token));
+		const reconstructSign = await sha256(JSON.stringify(data) + "##" + sessionId);
+		if (data.expiration > Date.now() && signature === reconstructSign) {
+			return { redirectUrl: data.redirectUrl, next: sanitizeReturnPath(data.next) };
+		}
+	} catch (e) {
+		logger.error(e, "Error validating and parsing CSRF token");
+	}
+	return null;
+}
+type CookieRecord = Cookies;
+type HeaderRecord = Headers;
+export async function getCoupledCookieHash(cookie: CookieRecord): Promise<string | undefined> {
+	if (!config.COUPLE_SESSION_WITH_COOKIE_NAME) {
+		return undefined;
+	}
+	const cookieValue = cookie.get(config.COUPLE_SESSION_WITH_COOKIE_NAME);
+	if (!cookieValue) {
+		return "no-cookie";
+	}
+	return await sha256(cookieValue);
+}
+export async function authenticateRequest(
+	headers: HeaderRecord,
+	cookie: CookieRecord,
+	url: URL,
+	isApi?: boolean
+): Promise<App.Locals & { secretSessionId: string }> {
+	const token = cookie.get(config.COOKIE_NAME);
+	let email = null;
+	if (config.TRUSTED_EMAIL_HEADER) {
+		email = headers.get(config.TRUSTED_EMAIL_HEADER);
+	}
+	let secretSessionId: string | null = null;
+	let sessionId: string | null = null;
+	if (email) {
+		secretSessionId = sessionId = await sha256(email);
+		return {
+			user: {
+				_id: new ObjectId(sessionId.slice(0, 24)),
+				name: email,
+				email,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+				hfUserId: email,
+				avatarUrl: "",
+			},
+			sessionId,
+			secretSessionId,
+			isAdmin: adminTokenManager.isAdmin(sessionId),
+		};
+	}
+	if (token) {
+		secretSessionId = token;
+		sessionId = await sha256(token);
+		const result = await findUser(sessionId, await getCoupledCookieHash(cookie), url);
+		if (result.invalidateSession) {
+			secretSessionId = crypto.randomUUID();
+			sessionId = await sha256(secretSessionId);
+			if (await collections.sessions.findOne({ sessionId })) {
+				throw new Error("Session ID collision");
+			}
+		}
+		return {
+			user: result.user ?? undefined,
+			token: result.oauth?.token?.value,
+			sessionId,
+			secretSessionId,
+			isAdmin: result.user?.isAdmin || adminTokenManager.isAdmin(sessionId),
+		};
+	}
+	if (isApi) {
+		const authorization = headers.get("Authorization");
+		if (authorization?.startsWith("Bearer ")) {
+			const token = authorization.slice(7);
+			const hash = await sha256(token);
+			sessionId = secretSessionId = hash;
+			const cacheHit = await collections.tokenCaches.findOne({ tokenHash: hash });
+			if (cacheHit) {
+				const user = await collections.users.findOne({ hfUserId: cacheHit.userId });
+				if (!user) {
+					throw new Error("User not found");
+				}
+				return {
+					user,
+					sessionId,
+					token,
+					secretSessionId,
+					isAdmin: user.isAdmin || adminTokenManager.isAdmin(sessionId),
+				};
+			}
+			const response = await fetch("https://huggingface.co/api/whoami-v2", {
+				headers: { Authorization: `Bearer ${token}` },
+			});
+			if (!response.ok) {
+				throw new Error("Unauthorized");
+			}
+			const data = await response.json();
+			const user = await collections.users.findOne({ hfUserId: data.id });
+			if (!user) {
+				throw new Error("User not found");
+			}
+			await collections.tokenCaches.insertOne({
+				tokenHash: hash,
+				userId: data.id,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			});
+			return {
+				user,
+				sessionId,
+				secretSessionId,
+				token,
+				isAdmin: user.isAdmin || adminTokenManager.isAdmin(sessionId),
+			};
+		}
+	}
+	// Generate new session if none exists
+	secretSessionId = crypto.randomUUID();
+	sessionId = await sha256(secretSessionId);
+	if (await collections.sessions.findOne({ sessionId })) {
+		throw new Error("Session ID collision");
+	}
+	return { user: undefined, sessionId, secretSessionId, isAdmin: false };
+}
+export async function triggerOauthFlow({ url, locals, cookies }: RequestEvent): Promise<Response> {
+	// const referer = request.headers.get("referer");
+	// let redirectURI = `${(referer ? new URL(referer) : url).origin}${base}/login/callback`;
+	let redirectURI = `${url.origin}${base}/login/callback`;
+	// TODO: Handle errors if provider is not responding
+	if (url.searchParams.has("callback")) {
+		const callback = url.searchParams.get("callback") || redirectURI;
+		if (config.ALTERNATIVE_REDIRECT_URLS.includes(callback)) {
+			redirectURI = callback;
+		}
+	}
+	// Preserve a safe in-app return path after login.
+	// Priority: explicit ?next=... (must be an absolute path), else the current path (when auto-login kicks in).
+	let next: string | undefined = undefined;
+	const nextParam = sanitizeReturnPath(url.searchParams.get("next"));
+	if (nextParam) {
+		// Only accept absolute in-app paths to prevent open redirects
+		next = nextParam;
+	} else if (!url.pathname.startsWith(`${base}/login`)) {
+		// For automatic login on protected pages, return to the page the user was on
+		next = sanitizeReturnPath(`${url.pathname}${url.search}`) ?? `${base}/`;
+	} else {
+		next = sanitizeReturnPath(`${base}/`) ?? "/";
+	}
+	const authorizationUrl = await getOIDCAuthorizationUrl(
+		{ redirectURI },
+		{ sessionId: locals.sessionId, next, url, cookies }
+	);
+	throw redirect(302, authorizationUrl);
+}