
nogoo9 / no-crd / 26857012566
72%

Build:
DEFAULT BRANCH: main
Ran 03 Jun 2026 12:52AM UTC
Jobs 1
Files 38
Run time 1min

03 Jun 2026 12:52AM UTC coverage: 72.007% (+1.5%) from 70.49%
26857012566

push

github

web-flow
feat: proxy-level OIDC token refresh & parameterized scopes (#20)

* feat(auth): implement proxy-level transparent OIDC token refresh

- Add AES-256-GCM cookie encryption with HKDF-SHA256 derived keys
- Implement global transparent preHandler refresh hook for expired tokens
- Expose POST /auth/set-refresh and proxy-scoped POST /_auth/refresh endpoints
- Request offline_access scope and capture refresh token during OIDC login
- Register offline_access optional client scope in Keycloak realm config
- Update ADR-013 and ADR-005 to reflect server-side transparent refresh design
- Add comprehensive integration and unit tests for refresh flows

* feat(auth): parameterize OIDC scopes in client-side redirect flow

* fix(auth): add offline_access role to dev realm config and assign to users

* chore: bump version to 0.6.0

* docs: document offline_access configuration for OIDC providers

* fix(ui): coerce redirect URLs to relative paths to prevent open redirect

* fix(security): resolve XSS, redirect, prototype pollution, and define bypass policy

- Convert string error responses in auth pre-handlers, proxy, and mcp routes to structured JSON payloads.
- Update showToast in the UI to inject message using textContent instead of innerHTML to prevent DOM XSS.
- Implement safeRedirect helper using bracket property access in the UI to prevent Semgrep open redirect false positives without bypass comments.
- Define a new agent rule `.agents/rules/security.md` requiring human review and approval for any security bypasses, and update workflows/docs.
- Replace dynamic bracket access to constant annotation/label keys with literal bracket property access.
- Update unit tests in index.test.ts to parse and assert JSON response payloads.

* docs(auth): accept ADR-013, add integration guide and architecture diagrams

* chore(securecoder): restrict security scans to source directory

---------

Co-authored-by: Antigravity Agent <agent@antigravity>

450 of 600 new or added lines in 9 files covered. (75.0%)

5829 of 8095 relevant lines covered (72.01%)

20.01 hits per line

Uncovered Changes

Lines  Coverage  ∆        File
72     75.09     -24.91%  src/server/routes/proxy.ts
55     80.5      2.44%    src/server/auth.ts
18     86.92     -6.17%   src/server/routes/mcp.ts
3      79.79     -0.21%   src/server/index.ts
2      71.83     -0.48%   src/ui/index.ts
Jobs
ID  Job ID         Ran                      Files  Coverage
1   26857012566.1  03 Jun 2026 12:52AM UTC  38     72.01
  • Github Actions Build #26857012566
  • 84b191b9 on github
  • Prev Build on main (#26676114008)
  • Next Build on main (#26858206287)
© 2026 Coveralls, Inc