feat(oauth): white-label headless OAuth — URL-less auth-recovery [WIP]#402
Draft
angel-manuel wants to merge 1 commit into
Draft
feat(oauth): white-label headless OAuth — URL-less auth-recovery [WIP]#402angel-manuel wants to merge 1 commit into
angel-manuel wants to merge 1 commit into
Conversation
… axes Recovered WIP for URL-less auth-recovery for white-label / BYOC orgs. - migration 084: orgs.headless flag (per-org capability) - migration 085: drop connections.integration_managed (split conflated axes) - DB layer changes for org headless flag + drop integration_managed field - platform_connections import derivation changes Incomplete — sqlx cache not yet regenerated, error envelopes + auth-recovery branches still pending. Committed to preserve work before continuing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context (WIP — draft to preserve work)
White-label / BYOC orgs (e.g. Overfolder) run the OAuth dance against their own client and vault tokens via
POST /v1/connections/import. The problem is auth-recovery: when an action hits a connection needing re-auth (reauth_required,needs_authentication,missing_scopes), Overslash mints a gated/connect-authorizeURL requiring an Overslash dashboard session. A white-label org's end users never have one → white-label violation.Approach
Delete
integration_managedand split the two conflated axes:byoc_credential_idself-refreshes; no stored boolean.headlesscapability. Headless org → auth-recovery returns URL-less typed envelopes (no gate), mints no flow row. Non-headless → unchanged gated flow.byoc_credential_id(400 otherwise).Status
🚧 Incomplete WIP committed to avoid losing recovered work.
Done so far:
084_orgs_headless(per-orgheadlessflag)085_drop_connection_integration_managedintegration_managed, add org headless get/setplatform_connectionsimport derivation changesRemaining:
make sqlx-prepare)error.rs): URL-less variants withheadlessdiscriminatoractions/auth.rs): suppress URL mint for headless orgsheadlessflag (routes/orgs.rs)tests/headless_oauth.rs)Cross-repo follow-up
overfolderconsumes the envelope — coordinated PR needed to swapintegration_managed→headlessand drop the deadconnection.refresh_requiredhandler.🤖 Generated with Claude Code