This repository was archived by the owner on Feb 26, 2026. It is now read-only.

include email in JWT token plus some other fixes #274

Merged
alexeykazakov merged 1 commit into codeready-toolchain:master from MatousJobanek:fix-generating-jwt-token
Feb 18, 2026

@MatousJobanek MatousJobanek commented Feb 18, 2026

The JWT token needs to have the email claim defined because it's being enforced by oauth2-proxy.
Also, when trying to run the Makefile target locally, it failed with some weird Python dependency error, so this PR contains vibe-coded fixes for that as well.

Assisted-by: Cursor

Summary by CodeRabbit

  • New Features
    • Email parameter now supported in JWT token generation (defaults to tarsy-bot@example.com if not specified).
  • Documentation
    • Updated help text for token generation commands to include EMAIL parameter usage and examples.

coderabbitai bot commented Feb 18, 2026

Walkthrough

These changes add email claim support to JWT token generation. Both Makefile targets (generate-api-token and generate-api-token-exp) and the Python script are updated to accept an optional EMAIL parameter with defaults applied when not provided. The Makefile targets now explicitly include PyJWT[crypto] dependencies in their invocations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Makefile token targets: backend/Makefile | Updated generate-api-token and generate-api-token-exp targets to accept EMAIL parameter (defaults to tarsy-bot@example.com). Added --no-project --with "PyJWT[crypto]" flags to Python invocations. Updated help text and usage examples to reflect new email support. Extended conditional logic to include EMAIL in parameter checking. |
| Python token generation: backend/generate_token.py | Added email parameter to JWT generation function with default value. Updated CLI argument parsing to accept optional email argument. JWT payload now includes email claim. Enhanced output messaging to display generated email. Added broader exception handling for token generation errors. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title mentions 'email in JWT token' which is the main change, but vaguely refers to 'plus some other fixes' without clarifying what those fixes are. | Clarify the title to specify what the 'other fixes' are, such as 'include email in JWT token and fix PyJWT dependency handling' for better clarity. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
backend/Makefile (1)

296-300: LGTM — uv run --no-project --with "PyJWT[crypto]" is valid and correctly fixes the local dependency error.

--no-project is a documented uv flag used exactly when a script doesn't depend on the project; it tells uv to skip project discovery and run the script in isolation. The --with "PyJWT[crypto]" addition correctly pulls in the cryptography back-end required for RS256 signing.

The empty-string placeholders ("" "" "") for private_key_path, subject, and issuer are a workable but fragile coupling to the current positional-arg implementation of generate_token.py. If the Python script is ever refactored to use argparse, these placeholders will need updating.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@backend/Makefile` around lines 296 - 300, The make target generate-api-token
uses fragile positional empty-string placeholders when invoking
generate_token.py; update the Makefile target (generate-api-token) to pass
explicit named CLI flags or environment variables instead of "" "" "" so the
invocation is robust if generate_token.py switches to argparse—either (A) change
the command to provide --private-key-path, --subject, and --issuer flags (pull
values from make variables or defaults) or (B) set well-named environment
variables read by generate_token.py; reference the target name
generate-api-token, the script generate_token.py, and the EMAIL/UV make
variables when implementing the change.
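
The named-flag invocation suggested in the review above, sketched as an added example that is not code from this PR or the project. The flag names `--email` and `--exp-days`, the placeholder defaults and the `missing_claims` pre-flight check are assumptions, and a standard-library HS256 signer stands in for the RS256 signing done through PyJWT[crypto] so that the block runs without dependencies.

```python
import argparse, base64, hashlib, hmac, json, time

DEFAULT_EMAIL = "tarsy-bot@example.com"  # default named in the PR summary

def parse_args(argv):
    """Named flags: an omitted value needs no "" placeholder to hold its slot."""
    p = argparse.ArgumentParser(description="token generator sketch (example)")
    # First three flag names follow the review suggestion; defaults are placeholders.
    p.add_argument("--private-key-path", default="PLACEHOLDER_key.pem")  # not read here
    p.add_argument("--subject", default="placeholder-subject")
    p.add_argument("--issuer", default="placeholder-issuer")
    p.add_argument("--email", default=DEFAULT_EMAIL)       # assumed flag name
    p.add_argument("--exp-days", type=int, default=None)   # assumed flag name
    return p.parse_args(argv)

def build_claims(args, now=None):
    """Build the payload; 'exp' is only set when an expiry was requested."""
    now = int(time.time()) if now is None else now
    claims = {"sub": args.subject, "iss": args.issuer,
              "email": args.email, "iat": now}
    if args.exp_days is not None:
        claims["exp"] = now + args.exp_days * 86400
    return claims

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encode_hs256(claims, secret):
    """Stand-in signer (HS256, stdlib only); the PR's script signs RS256 via PyJWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def missing_claims(token, required=("sub", "iss", "email")):
    """Pre-flight check: decode the payload (no signature check), list absent or empty claims."""
    body = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return [c for c in required if not payload.get(c)]

if __name__ == "__main__":
    # Constructed sample invocation and secret, for illustration only.
    args = parse_args(["--email", "constructed-user@example.com", "--exp-days", "7"])
    token = encode_hs256(build_claims(args), b"constructed-demo-secret")
    print(token, missing_claims(token))
```

Running `missing_claims` on a freshly generated token before using it shows a dropped or empty `email` claim at generation time.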

codecov bot commented Feb 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.71%. Comparing base (57f4ed4) to head (3be34a2).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #274      +/-   ##
==========================================
- Coverage   83.79%   83.71%   -0.09%     
==========================================
  Files         143      143              
  Lines       13543    13543              
==========================================
- Hits        11349    11338      -11     
- Misses       2194     2205      +11     

@alexeykazakov alexeykazakov merged commit 0c52ae1 into codeready-toolchain:master Feb 18, 2026
4 of 5 checks passed