vercel · fg-nava · Oct 9, 2025 · Oct 10, 2025 · Oct 10, 2025 · Oct 10, 2025
diff --git a/.env.example b/.env.example
@@ -1,19 +1,84 @@
 # Generate a random secret: https://generate-secret.vercel.app/32 or `openssl rand -base64 32`
 AUTH_SECRET=****
 
-# The following keys below are automatically created and
-# added to your environment when you deploy on vercel
+# Google OAuth (for Google sign-in)
+GOOGLE_CLIENT_ID=****
+GOOGLE_CLIENT_SECRET=****
 
-# Get your xAI API Key here for chat and image models: https://console.x.ai/
+# xAI API Key for chat and image models: https://console.x.ai/
 XAI_API_KEY=****
 
-# Instructions to create a Vercel Blob Store here: https://vercel.com/docs/storage/vercel-blob
-BLOB_READ_WRITE_TOKEN=****
+# PostgreSQL database - used by both client and Mastra
+# Client: Chat history, votes, documents, user data
+# Mastra: Agent memory, workflows, traces, participants data
+# For local development with Docker postgres container:
+DATABASE_URL="postgresql://postgres:postgres@localhost:5432/labs_asp_dev"
+# For Docker-to-Docker communication (used inside containers):
+# DATABASE_URL="postgresql://postgres:postgres@postgres:5432/labs_asp_dev"
 
-# Instructions to create a PostgreSQL database here: https://vercel.com/docs/storage/vercel-postgres/quickstart
-POSTGRES_URL=****
+# OpenAI API Key (primary AI provider)
+OPENAI_API_KEY=****
 
+# Alternative API keys (optional)
+ANTHROPIC_API_KEY=****
+GOOGLE_GENERATIVE_AI_API_KEY=****
+EXA_API_KEY=****
 
-# Instructions to create a Redis store here:
-# https://vercel.com/docs/redis
-REDIS_URL=****
+# Google Cloud Configuration
+GOOGLE_VERTEX_LOCATION=****
+GOOGLE_VERTEX_PROJECT=****
+GOOGLE_APPLICATION_CREDENTIALS=./vertex-ai-credentials.json
+GOOGLE_CLOUD_PROJECT=****
+
+# Google Cloud Storage for file uploads
+GCS_BUCKET_NAME=****
+
+# Mastra Backend API for web automation
+# MASTRA_SERVER_URL is used by the client to connect to the Mastra backend
+# For local development: http://localhost:4111
+# For Docker deployment: http://localhost:4111 (external port mapping)
+MASTRA_API_URL=****
+MASTRA_JWT_TOKEN=****
+MASTRA_SERVER_URL=http://localhost:4111
+
+# NEXT_PUBLIC_MASTRA_SERVER_URL is required for client-side requests to Mastra
+# This MUST be set at build time for Next.js to embed it in the client bundle
+# For local development: http://localhost:4111
+# For Docker deployment: http://localhost:4111 (external port mapping)
+NEXT_PUBLIC_MASTRA_SERVER_URL=http://localhost:4111
+
+# Upstash Redis for shared links
+# Create a Redis database at https://console.upstash.com/
+UPSTASH_REDIS_REST_URL=****
+UPSTASH_REDIS_REST_TOKEN=****
+
+# Microsoft login
+AUTH_MICROSOFT_ENTRA_ID_ID=***
+AUTH_MICROSOFT_ENTRA_ID_SECRET=***
+AUTH_MICROSOFT_ENTRA_ID_ISSUER=https://login.microsoftonline.com/common/v2.0
+
+# Cloudflare Verified Bots - Ed25519 private key in PEM format
+# Used to sign the /.well-known/http-message-signatures-directory response
+CLOUDFLARE_BOT_PRIVATE_KEY=****
+
+# Apricot API Information
+# Prod and sandbox require separate credentials (different client_id/secret for each)
+# The correct credentials are selected based on ENVIRONMENT variable
+APRICOT_API_BASE_URL=https://f5r-api.iws.sidekick.solutions/apricot
+APRICOT_ORG_ID_SANDBOX=****
+APRICOT_ORG_ID_PROD=****
+# For local dev, use sandbox credentials:
+APRICOT_CLIENT_ID=****
+APRICOT_CLIENT_SECRET=****
+
+# Feature flag for AI SDK agent vs Mastra
+USE_AI_SDK_AGENT=false
+NEXT_PUBLIC_USE_AI_SDK_AGENT=false
+# Kernel.sh API key for remote browser management (used when USE_AI_SDK_AGENT=true)
+KERNEL_API_KEY=****
+
+# Feature flag for guest login in preview environments
+# When true, enables a guest login form that bypasses OAuth
+# Only enabled for preview-pr-* deployments
+USE_GUEST_LOGIN=false
+NEXT_PUBLIC_USE_GUEST_LOGIN=false
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,37 @@
+version: 2
+updates:
+  # npm dependencies
+  - package-ecosystem: "npm"
+    directory: "/"
+    target-branch: "labs-asp"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    groups:
+      all-dependencies:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "chore(deps)"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    target-branch: "labs-asp"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "chore(ci)"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,29 @@
+## Checklist
+
+- [ ] Update PR Title to follow this pattern: `[INTENT]:[MESSAGE]`
+  > The title will become a one-line commit message in the git log, so be as concise and specific as possible -- refer to [How to Write a Git Commit Message](https://cbea.ms/git-commit/). Prepend [Conventional Commit](https://www.conventionalcommits.org/en/v1.0.0/#summary) intent (`fix:`, `feat:`, `chore:`, `ci:`, `docs:`, `style:`, `refactor:`, `perf:`, `test:`).
+
+## Ticket
+
+Resolves #{TICKET NUMBER or URL or description} or Adds {new capability or feature}
+
+## Changes
+
+> What was added, updated, or removed in this PR.
+> Prefer small PRs; try to limit to 300 lines of code changes
+> * https://blog.logrocket.com/using-stacked-pull-requests-in-github/
+> * https://opensource.com/article/18/6/anatomy-perfect-pull-request
+> * https://developers.google.com/blockly/guides/modify/contribute/write_a_good_pr
+
+## Testing
+
+> What was tested? How did you test it? Add unit tests for new functions, integration tests for API/database interactions, and E2E tests for critical user flows.
+> * https://martinfowler.com/articles/practical-test-pyramid.html
+> * https://blog.logrocket.com/javascript-testing-best-practices/
+> * https://www.testim.io/blog/typescript-unit-testing-101/
+
+## Context for reviewers
+
+> Background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.
+> Add comments to your code under the "Files Changed" tab to explain complex logic or code
+> * https://betterprogramming.pub/how-to-make-a-perfect-pull-request-3578fb4c112 
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@ node_modules
 
 # testing
 coverage
+artifacts/session_*
 
 # next.js
 .next/
@@ -41,3 +42,5 @@ yarn-error.log*
 /playwright-report/
 /blob-report/
 /playwright/*
+.mastra/
+vertex-ai-credentials.json
diff --git a/app/(auth)/api/auth/guest/route.ts b/app/(auth)/api/auth/guest/route.ts
@@ -5,7 +5,13 @@ import { NextResponse } from 'next/server';
 
 export async function GET(request: Request) {
   const { searchParams } = new URL(request.url);
-  const redirectUrl = searchParams.get('redirectUrl') || '/';
+  let redirectUrl = searchParams.get('redirectUrl') || '/';
+
+  // Fix localhost redirects to use the current host
+  if (redirectUrl.includes('localhost:3000')) {
+    const currentUrl = new URL(request.url);
+    redirectUrl = redirectUrl.replace('http://localhost:3000', `${currentUrl.protocol}//${currentUrl.host}`);
+  }
 
   const token = await getToken({
     req: request,

diff --git a/app/(auth)/auth.config.ts b/app/(auth)/auth.config.ts
@@ -4,6 +4,7 @@ export const authConfig = {
   pages: {
     signIn: '/login',
     newUser: '/',
+    error: '/login',
   },
   providers: [
     // added later in auth.ts since it requires bcrypt which is only compatible with Node.js

diff --git a/app/(auth)/auth.ts b/app/(auth)/auth.ts
@@ -1,12 +1,21 @@
 import { compare } from 'bcrypt-ts';
 import NextAuth, { type DefaultSession } from 'next-auth';
 import Credentials from 'next-auth/providers/credentials';
-import { createGuestUser, getUser } from '@/lib/db/queries';
+import Google from 'next-auth/providers/google';
+import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id";
+import { getUser, upsertOAuthUser, ensureUserExists } from '@/lib/db/queries';
 import { authConfig } from './auth.config';
 import { DUMMY_PASSWORD } from '@/lib/constants';
 import type { DefaultJWT } from 'next-auth/jwt';
 
-export type UserType = 'guest' | 'regular';
+// Feature flag for guest login in preview environments
+const useGuestLogin = process.env.USE_GUEST_LOGIN === 'true';
+
+// Fixed guest user for preview environments (using a valid UUID)
+const GUEST_USER_ID = '00000000-0000-0000-0000-000000000001';
+const GUEST_USER_EMAIL = 'guest@preview.local';
+
+export type UserType = 'regular';
 
 declare module 'next-auth' {
   interface Session extends DefaultSession {
@@ -37,9 +46,38 @@ export const {
   signOut,
 } = NextAuth({
   ...authConfig,
+  trustHost: true,
   providers: [
+    Google({
+      clientId: process.env.GOOGLE_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    }),
+    MicrosoftEntraID({
+      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
+      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
+      issuer: process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER,
+      authorization: {
+        params: {
+          scope: "openid profile email User.Read"
+        }
+      },
+      profile(profile) {
+        // Multi-tenant apps don't reliably return email claim, use preferred_username
+        return {
+          id: profile.sub,
+          name: profile.name,
+          email: profile.preferred_username || profile.email || profile.upn,
+          image: profile.picture,
+          type: 'regular' as const,
+        }
+      }
+    }),
     Credentials({
-      credentials: {},
+      name: 'credentials',
+      credentials: {
+        email: { label: 'Email', type: 'email' },
+        password: { label: 'Password', type: 'password' }
+      },
       async authorize({ email, password }: any) {
         const users = await getUser(email);
 
@@ -62,20 +100,52 @@ export const {
         return { ...user, type: 'regular' };
       },
     }),
+    // Guest provider for preview environments - auto-logs in without credentials
     Credentials({
       id: 'guest',
+      name: 'guest',
       credentials: {},
       async authorize() {
-        const [guestUser] = await createGuestUser();
-        return { ...guestUser, type: 'guest' };
+        if (!useGuestLogin) {
+          return null;
+        }
+
+        // Create or get the guest user
+        const guestUser = await ensureUserExists({
+          id: GUEST_USER_ID,
+          email: GUEST_USER_EMAIL,
+        });
+
+        return { ...guestUser, type: 'regular' as const };
       },
     }),
   ],
   callbacks: {
-    async jwt({ token, user }) {
+    async signIn({ user, account, profile }) {
+      // Handle OAuth sign-in with domain validation
+      if (account?.provider === 'google' || account?.provider === 'microsoft-entra-id') {
+        const email = user.email?.toLowerCase() || '';
+        const allowedDomains = ['@navapbc.com', '@rivco.org', '@navapbc.onmicrosoft.com', '@amplifi.org'];
+        const isAllowedDomain = allowedDomains.some(domain => email.endsWith(domain));
+
+        if (!isAllowedDomain) {
+          return false;
+        }
+
+        const dbUser = await upsertOAuthUser({
+          email: user.email!,
+          name: user.name,
+          image: user.image,
+        });
+        // Use the DB-generated user ID, not the OAuth provider's sub claim
+        user.id = dbUser.id;
+      }
+      return true;
+    },
+    async jwt({ token, user, account }) {
       if (user) {
         token.id = user.id as string;
-        token.type = user.type;
+        token.type = account?.provider === 'google' || account?.provider === 'microsoft-entra-id' ? 'regular' : user.type;
       }
 
       return token;