feat(web): port provider stack (Auth, Organization, Feature Flags) from platform repo

[ashleeradka]

Prompt / plan

Port the foundational Auth, Organization, and Feature Flag providers from vellum-assistant-platform to the assistant repo. These are cross-domain shared utilities required by every domain (Chat, Settings, Library, Onboarding) — without them, every parallel domain migration session would independently stub useAuth(), useAppFeatureFlags(), and useOrganization(), creating inconsistency and merge conflicts.

Platform files frozen in migration table: PR #7198.

What's included

Module	Files	What it does
Auth	lib/auth/allauth-client.ts, lib/auth/csrf.ts, lib/auth/auth-provider.tsx	Allauth session adapter, CSRF token management, AuthProvider context (session probe on mount, re-validate on focus/visibility, cross-tab logout via BroadcastChannel)
Organization	lib/organization/organization-state.ts, lib/organization/organization-provider.tsx	Module-level org ID state (useSyncExternalStore-compatible), OrganizationProvider context (fetches orgs via React Query, resolves active org, syncs to request interceptor)
Feature Flags	lib/feature-flags/feature-flag-provider.tsx	Typed AppFeatureFlagProvider + useAppFeatureFlags() context with all current flags
API Interceptors	lib/api-interceptors.ts	Side-effect module that installs Vellum-Organization-Id header and X-CSRFToken on mutating requests for both auth and platform HeyAPI clients
AppProviders	lib/providers/app-providers.tsx	Composes Auth → Organization → scope-keyed QueryClient so switching users/orgs yields a fresh React Query cache

Changes from platform source

• Removed: Native platform detection, biometric auth, push token registration, Sentry user context, onboarding sync — none of these apply to the SPA
• Simplified: No SSR guards (typeof window, typeof document) — SPA always has DOM
• Fixed: ProviderSignupContext.account typed correctly against generated ProviderAccount (platform had drift)
• Upgraded: tsconfig lib from ES2022 → ES2023 for Array.findLast support in CSRF cookie parsing
• Cleaned up: Removed dead query-client.ts (replaced by scope-keyed provider in AppProviders)

Alternatives not taken

• Stub providers per domain: Would duplicate auth/org logic in every parallel session and create merge conflicts. Provider stack as a shared foundation avoids this.
• Port feature flags as part of Chat domain: Feature flags are used across ~20 consumers in Chat, Settings, Library, and assistant components. Making them a Chat-specific concern would couple unrelated domains.
• Keep single QueryClient: Platform scopes the QueryClient by (user, org) to prevent data leakage across account switches. Preserving this in the SPA via key prop remounting.

Test plan

• bunx tsc --noEmit passes (zero type errors)
• bun run lint passes (zero lint errors)
• CI checks (lint, typecheck, tests)
• No runtime testing needed — providers are consumed by domain components not yet ported. The dev server will exercise them once Chat or Settings land.

Link to Devin session: https://app.devin.ai/sessions/536ceadb023a4059908b0609b9833bc1
Requested by: @ashleeradka

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a927cc91e4

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Add generation before importing gitignored HeyAPI clients

These imports make a fresh checkout depend on apps/web/src/generated/**, but that directory is gitignored (apps/web/.gitignore) and there are no tracked generated files (git ls-files apps/web/src/generated/** returns 0). I also checked the web PR workflow: after install it runs only lint, bun run typecheck, and build, with no bun run openapi-ts step, so CI and local bun run typecheck/bun run build will fail with missing @/generated/... modules unless the clients are generated as part of install/build/CI or committed despite the ignore.

Useful? React with 👍 / 👎.

[devin-ai-integration]

Fixed in 8a79627a4b — added bun run openapi-ts codegen step to pr-web.yaml before lint/typecheck/build. The OpenAPI specs are committed at apps/web/openapi-schemas/, so CI can regenerate the clients from them.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

[vex-assistant-bot]

✦ APPROVE

Value: Every parallel domain migration session (Chat, Settings, Library) now has a shared, production-grade auth/org/feature-flag foundation to import from instead of independently stubbing useAuth() — eliminating the merge conflicts and drift that stub-per-domain would have caused.

What this does: Ports AuthProvider, OrganizationProvider, FeatureFlagProvider, the HeyAPI request interceptors (Vellum-Organization-Id + X-CSRFToken), and a scope-keyed AppProviders composition from vellum-assistant-platform → apps/web/src/lib/. Removes the dead query-client.ts. Adds a bun run openapi-ts codegen step to pr-web.yaml (CI was missing it; generated files are gitignored). Upgrades tsconfig.json to ES2023 for Array.findLast support in CSRF cookie parsing.

---

Codex P1 — resolved ✅
Codex flagged (on stale commit a927cc91) that @/generated/ imports would fail CI because the directory is gitignored and no codegen step existed. Devin fixed this in 8a79627a by adding bun run openapi-ts before lint/typecheck/build in pr-web.yaml. The OpenAPI specs are committed at apps/web/openapi-schemas/, so CI can always regenerate. Verified: pr-web.yaml diff adds the step at the correct position (post-install, pre-lint). ✅

---

Architecture observations:

organization-state.ts — module-level state with useSyncExternalStore-compatible subscription. Correct pattern per KB: external stores (module-level) use useSyncExternalStore to avoid tearing, not useEffect. subscribeToActiveOrganizationIdForRequests returns a stable unsubscribe function and moves subscribe/getSnapshot to module scope. ✅

app-providers.tsx — the two-layer QueryClient design is thoughtful: AuthScopedQueryClientProvider (keyed by user identity) wraps OrganizationProvider so org-list queries survive org switches; ScopeKeyedQueryClientProvider (keyed by user+org) wraps domain queries so the domain cache flushes on org switch. Data leakage across account switches is prevented. ✅

api-interceptors.ts — interceptors install at the HeyAPI client level, before globalThis.fetch is called. Capacitor/iOS safe: this is header injection, not SSE consumer wiring, so CapacitorHttp's fetch interception doesn't affect it. ✅

BroadcastChannel auth sync — correctly guarded with if (typeof BroadcastChannel === "undefined") return; and the cleanup closes the channel. ✅

---

Non-blocking observations:

1. refreshOrganizations dep on full organizationsQuery object — useCallback(async () => { await organizationsQuery.refetch(); }, [organizationsQuery]) uses the whole query object as a dep. React Query's useQuery returns a new object reference on every render (even when data hasn't changed), so refreshOrganizations is recreated on every render. Since it's in the useMemo deps for the context value, useOrganization() consumers re-render on every parent render cycle. Perf non-issue today (few consumers), but worth fixing before more components subscribe. Fix: destructure refetch first and dep on [refetch], which React Query guarantees is stable:

   const { refetch: refetchOrgs } = organizationsQuery;
   const refreshOrganizations = useCallback(async () => {
     await refetchOrgs();
   }, [refetchOrgs]);

2. initSession missing cancelled guard — KB requires a cancelled flag in async useEffect callbacks (PR #6726 evidence). AuthProvider is root-level and won't unmount in practice, so this is harmless today. Leaving a note for if the hook shape ever changes.

3. refreshSession() in focus/visibility handlers unguarded — onFocus and onVisibilityChange call refreshSession() but don't .catch() the returned promise. If getSession() throws on a network failure, this becomes an unhandled rejection that Sentry would capture as noise. Trivial fix: refreshSession().catch(err => console.warn("Session refresh failed", err)).

---

Merge gate:

• ✅ Vex approves at 8a79627a
• ⏳ Devin reviewed at HEAD (COMMENTED — needs to post explicit "No Issues Found" or APPROVE for merge criteria)
• ⏳ CI — confirm bun run openapi-ts step passes in the new workflow

Vellum Constitution — Yours: every domain migration session now shares a single, correct auth identity — no more per-session stubs that quietly diverge.

[devin-ai-integration]

All 3 non-blocking observations fixed in 97d633a:

1. refreshOrganizations stability — Destructured refetch from organizationsQuery and dep on [refetchOrganizations] instead of the full query object. React Query guarantees refetch is stable.

2. initSession cancelled guard — Added let cancelled = false with cleanup return. State updates are now gated on !cancelled.

3. refreshSession unhandled rejection — Wrapped focus/visibility handlers with .catch() → console.warn so network failures don't produce unhandled rejection noise.