Skip to content

Integration: dev 0.15.3 PR stack#6

Open
pascalandr wants to merge 128 commits into
devfrom
dev-0.15.3
Open

Integration: dev 0.15.3 PR stack#6
pascalandr wants to merge 128 commits into
devfrom
dev-0.15.3

Conversation

@pascalandr

@pascalandr pascalandr commented Jun 9, 2026

Copy link
Copy Markdown

Purpose

Integration branch for the dev-0.15.3 PR stack, rebuilt from dev using the PR branches as the source of truth. This PR is intended for full-stack automated review, including Greptile, before moving fixes back into the source PR branches.

Included PR Sources

  • pr/den-api-windows-build
  • pr/managed-desktop-bootstrap
  • pr/static-provisioner-backend
  • pr/static-worker-attach-security
  • pr/entra-sso-auto-join
  • pr/docker-onprem-runbook
  • pr/credential-contract-managed-sync
  • pr/den-oauth-provider-flow
  • pr/desktop-import-oauth-den-providers

Scope

  • Windows-compatible Den API build and generated desktop app version alignment.
  • Managed desktop bootstrap, remote OpenWork workspace handoff, and packaged Electron bootstrap support.
  • Static worker provisioning, token mapping, static attach security, and on-prem Docker runbook updates.
  • Entra SSO auto-join support.
  • Managed LLM provider credential contract and sync to remote workers.
  • OpenCode OAuth provider credential handling, Den Web OAuth flow, and desktop import support.

Verification

Passed locally:

  • git diff --check
  • pnpm --filter @openwork-ee/den-db build
  • pnpm --dir ee/apps/den-api exec tsc -p tsconfig.json --noEmit
  • pnpm --filter @openwork/app typecheck
  • pnpm --filter openwork-server typecheck
  • pnpm --filter openwork-server test src/workspace-activate.e2e.test.ts src/managed-provider-sync.e2e.test.ts
  • pnpm --dir ee/apps/den-api exec bun test test/provisioner-static.test.ts
  • pnpm --dir ee/apps/den-api exec bun test test/managed-provider-sync.test.ts test/llm-provider-credentials.test.ts test/llm-providers-oauth.test.ts test/entra-sso.test.ts

Not run:

  • Docker build/run, because the local Docker Linux engine was unavailable in this environment.

Review Notes

This is an integration review PR, not the source of truth for follow-up fixes. Any issues found here should be fixed in the relevant source PR branch first, then re-integrated into dev-0.15.3.

pascalandr added 30 commits May 22, 2026 09:14
@pascalandr
fix(den-api): build on Windows
d57efd3
@pascalandr
feat(desktop): support managed bootstrap state
636c597
@pascalandr
feat(den): support static worker provisioner
bdcc37f
@pascalandr
feat(den): support Entra SSO auto-join
f7ebab2
@pascalandr
docs(docker): clean up on-prem runbooks
1304e7d
@pascalandr
fix(desktop): update bootstrap dependency lockfile
af01579
@pascalandr
test(den): keep provisioner tests isolated
a33f24f
@pascalandr
feat(den): secure static worker attach
9aef096
@pascalandr
test(den): cover static attach security
e1b5888
@pascalandr
fix(den): make demo seed script portable
928a08f
@pascalandr
feat(den): sync managed providers to workers
d28b45f
@pascalandr
fix(server): restore managed provider auth apply
f592203
@pascalandr
fix(den): harden provider sync verification
542a3dc
@pascalandr
feat(den): add provider credential contract base
2860334 
Add the LLM provider credential kind/opencode auth storage contract, migration, and passive credential redaction/flags needed by follow-up provider credential and worker sync PRs.
@pascalandr
fix(den): treat empty provider sync as applied
9776240
@pascalandr
feat(den): handle OAuth provider credentials
c7ae20f 
Add Den API create/update/read/import handling for API-key versus OpenCode OAuth provider credentials on top of the credential contract base.
@pascalandr
fix: type worker organization context
c53a9cf 
Include organization context variables in worker route typing so managed provider sync typechecks without changing runtime behavior.
@pascalandr
feat(den): add OpenAI OAuth provider flow
d91928e 
Add Den API OpenAI OAuth device-flow routes/tests and Den Web provider UI for OAuth-backed provider credentials on top of the credential handling stack.
@pascalandr
feat(den): add provider credential contract base
d4b14c4 
Add the LLM provider credential kind/opencode auth storage contract, migration, and passive credential redaction/flags needed by follow-up provider credential and worker sync PRs.
@pascalandr
feat(den): handle OAuth provider credentials
efdefad 
Add Den API create/update/read/import handling for API-key versus OpenCode OAuth provider credentials on top of the credential contract base.
@pascalandr
feat(app): import OAuth-backed Den providers
32b39e7 
Allow desktop cloud-provider import to consume OpenCode OAuth-backed organization providers from the Den credential import endpoint.
@pascalandr
fix(server): restore managed provider auth apply
bf09ed3
@pascalandr
fix: TASK-2026-05-26-017 sanitize managed provider model config
f7ce71c 
Translate Den catalog model metadata through an explicit OpenCode-compatible allowlist before writing managed provider runtime config. Preserve boolean experimental values while dropping incompatible catalog metadata covered by focused regression tests.
@pascalandr
fix: TASK-2026-05-26-020 filter managed OAuth models
2a26ba3 
Filter Den-managed provider-list responses to configured model IDs so OAuth providers keep native auth IDs without exposing the full OpenCode catalog. Adds focused regression coverage for OpenAI OAuth and NVIDIA API-key managed providers.
@pascalandr
fix: TASK-2026-05-26-021 handle live provider shapes
3690f38 
Apply only product code from the mixed integration commit for the managed provider sync PR branch, excluding workflow and evidence artifacts.
@pascalandr
feat(den): add OpenAI OAuth provider flow
976b68c 
Add Den API OpenAI OAuth device-flow routes/tests and Den Web provider UI for OAuth-backed provider credentials on top of the credential handling stack.
@pascalandr
fix: TASK-2026-05-26-014 sync managed providers to remote workers
e5fcafa 
Route Den-backed remote workspaces through the managed-provider sync endpoint for background sync and manual Cloud Provider import. Add focused client coverage for successful and sanitized failure paths.
@pascalandr
fix: TASK-2026-05-26-020 guard managed model picker
4dbe93f 
Apply the cloud managed model allowlist to session and compact model picker options, refresh provider-list queries after managed-provider sync, and add focused regression coverage for stale OpenAI catalog filtering.
@pascalandr
merge: TASK-2026-05-26-023 resolve PR 1939 with upstream dev
5f52352 
Merge upstream/dev into pr/credential-contract-managed-sync and resolve managed-provider sync route plus Den DB migration numbering conflicts.
@pascalandr
chore: resolve pr 1891 conflicts
7238bb5 
Merge upstream/dev into pr/managed-desktop-bootstrap and resolve managed desktop bootstrap conflicts.
pascalandr added 30 commits June 9, 2026 23:56
@pascalandr
fix: TASK-2026-06-09-002 guard LLM provider access lifecycle
0c00087 
Reject removed members during LLM provider access assignment, hide stale removed-member access rows, and add the missing Drizzle snapshot metadata for the OAuth provider migration.
@pascalandr
fix: TASK-2026-06-09-002 preserve cloud managed provider identity
b1e1350 
Use runtime provider IDs for OAuth/OpenWork managed providers, require applied-provider IDs for partial remote sync results, and constrain default model picker entries to managed allowlists.
@pascalandr
merge: TASK-2026-06-09-002 integrate docker remediation
764466c
@pascalandr
merge: TASK-2026-06-09-002 integrate Entra invitation remediation
acd97ec
@pascalandr
merge: TASK-2026-06-09-002 integrate managed credential sync remediation
fe09804
@pascalandr
merge: TASK-2026-06-09-002 integrate bootstrap security remediation
6d8d90e 
# Conflicts:
#	apps/server/src/server.ts
@pascalandr
merge: TASK-2026-06-09-002 integrate provider OAuth access remediation
5f96d31 
# Conflicts:
#	ee/apps/den-api/src/routes/org/llm-providers.ts
#	ee/apps/den-api/test/llm-providers-oauth.test.ts
@pascalandr
merge: TASK-2026-06-09-002 integrate desktop provider import remediation
624976c 
# Conflicts:
#	apps/app/src/react-app/shell/settings-route.tsx
@pascalandr
test: TASK-2026-06-09-002 cover browser page callbacks
5514598 
Add Electron browser native tool coverage that proves list, select, create, and close page tools use the tab-management callbacks wired by the bootstrap remediation.
@pascalandr
merge: TASK-2026-06-09-002 integrate browser callback test
6079aea
@pascalandr
test: TASK-2026-06-09-002 align provider sync proxy auth
4a245ad 
Update managed-provider sync proxy assertions to use the normal bearer token path so the tests remain valid after host tokens are limited to host-only routes.
@pascalandr
merge: TASK-2026-06-09-002 integrate provider sync proxy-auth tests
63fe351
@pascalandr
test: TASK-2026-06-09-002 typecheck browser callback test
f5bde5d 
Cast the MCP server test handle before invoking registered tools so the Electron typecheck covers the page callback regression without touching private fields directly.
@pascalandr
merge: TASK-2026-06-09-002 integrate browser callback typecheck fix
a7cb850
@pascalandr
fix: TASK-2026-06-09-002 type invitation member claim
a76df15 
Annotate invitation member lookup helpers as nullable so the placeholder-claim flow typechecks while preserving duplicate-member prevention.
@pascalandr
merge: TASK-2026-06-09-002 integrate invitation member type fix
9d6f5a6
@pascalandr
fix: TASK-2026-06-09-002 keep host token off workspace discovery
efcb923 
Move desktop workspace discovery to a tested helper that sends only bearer auth to /workspaces, keep host tokens for host-only routes, and add dedicated desktop fetch timeout regression coverage.
@pascalandr
test: TASK-2026-06-09-002 cover invitation token lifecycle
d802374 
Add mocked Den API invitation lifecycle tests for preview by invite token, accept by invite token, placeholder-member claim without duplicate active members, and retained team association.
@pascalandr
merge: TASK-2026-06-09-002 close desktop host-token discovery gap
fc4f9e5
@pascalandr
merge: TASK-2026-06-09-002 add invitation lifecycle evidence
d7825d4
@pascalandr
fix: TASK-2026-06-10-005 repair invitation member lifecycle
09a1e4b 
Run invitation placeholder claims through post member-change hooks, keep repeated removals idempotent with active-member guards, and fix nullable placeholder member typing surfaced by Den API typecheck.
@pascalandr
fix: TASK-2026-06-10-005 defer stale auth deletion
fc10acb 
Move stale managed-provider auth deletion after config commit so rollback never restores config that references already-deleted stale auth, with regression coverage for deletion failure.
@pascalandr
fix: TASK-2026-06-10-005 show invited provider members
2ffcceb 
Use invitation fallback data for pending LLM provider member access rows and keep invited placeholders visible in access listings.
@pascalandr
merge: TASK-2026-06-10-005 integrate PR1895 review fixes
b758d46
@pascalandr
merge: TASK-2026-06-10-005 integrate PR1939 review fixes
30d38b3
@pascalandr
merge: TASK-2026-06-10-005 integrate PR1940 review fixes
56b12be
@pascalandr
fix: TASK-2026-06-10-005 retry stale auth cleanup
79913b5 
Keep stale managed provider IDs in metadata until auth deletion succeeds so failed stale cleanup remains retryable without restoring config that references deleted auth.
@pascalandr
fix: TASK-2026-06-10-005 parse invited provider access
d9c2e07 
Allow Den web to parse pending invited LLM provider access rows with nullable user IDs and cover the serialized API parser contract.
@pascalandr
merge: TASK-2026-06-10-005 integrate PR1939 retry cleanup
b02e67e
@pascalandr
merge: TASK-2026-06-10-005 integrate PR1940 parser contract
403fd44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pascalandr @src-opn @release-bot @actions-user