fix: auth, middleware, workflows and docs improvements

Consolidate post-PR#6 changes:
- docs: simplify README and fix marketplace e2e
- chore(auth): surface exact NextAuth client error
- test(auth): update login form assertions to match new errors
- fix(middleware): allow api access from app's own origin
- style(middleware): run prettier to fix ci format check
- fix(middleware): handle malformed NEXT_PUBLIC_APP_URL env var
- fix(auth): fallback to local workspace when Supabase query fails
- fix(workflows): bypass Supabase for local-workspace mode

Author: adriannoes

README.md

@@ -1,4 +1,4 @@
-# AgentKit
+# AI Agent Builder for ASAP Protocol
 
 Platform for building, configuring, and running AI agents with tool execution, workflows, and integrations.
 
@@ -7,6 +7,7 @@ Platform for building, configuring, and running AI agents with tool execution, w
 - **Agents & runs** — Manage agents and view execution history
 - **Workflow builder** — Visual editor for workflow orchestration (React Flow)
 - **Connectors** — Central registry for data and tool connections (OAuth, APIs, MCP)
+- **Cross-platform integration** — Navigation and auth hand-off with ASAP Protocol
 - **MCP** — Model Context Protocol server and tool management
 - **Marketplace** — Discover and install integrations
 - **Templates** — Reusable workflow and agent templates
@@ -22,31 +23,8 @@ Platform for building, configuring, and running AI agents with tool execution, w
 - **Data:** SWR, Recharts
 - **Workflow canvas:** React Flow (`@xyflow/react`)
 
-## Getting started
+### Cross-platform integration with ASAP Protocol
 
-1. Install dependencies: `npm install`
-2. Copy environment variables (see below) and configure a `.env` file.
-3. Run development server: `npm run dev`
-
-Required env vars for Supabase (auth and database):
-
-- `NEXT_PUBLIC_SUPABASE_URL`
-- `NEXT_PUBLIC_SUPABASE_ANON_KEY`
+This app is integrated with ASAP Protocol to provide a unified marketplace and navigation experience.
 
 Use the `/setup` route after starting the app to validate the connection and run migrations if needed.
-
-## Scripts
-
-| Script                   | Description                                        |
-| ------------------------ | -------------------------------------------------- |
-| `npm run dev`            | Development server (port 3000)                     |
-| `npm run build`          | Production build                                   |
-| `npm run start`          | Production server                                  |
-| `npm run lint`           | ESLint                                             |
-| `npm run test`           | Unit tests (Vitest, watch)                         |
-| `npm run test:run`       | Unit tests (single run)                            |
-| `npm run test:e2e`       | E2E tests (Playwright, starts dev on port 3099)    |
-| `npm run test:e2e:ui`    | E2E tests with Playwright UI                       |
-| `npm run test:e2e:reuse` | E2E tests reusing existing dev server on port 3000 |
-
-**E2E notes:** Stop any running `npm run dev` before `npm run test:e2e`, or use `npm run test:e2e:reuse` when dev is already running.

e2e/marketplace.spec.ts

@@ -10,7 +10,9 @@ test.describe("ASAP Agent Registry", () => {
   })
 
   test("shows registry description", async ({ page }) => {
-    await expect(page.getByText(/Discover agents registered on the ASAP Protocol/i)).toBeVisible()
+    await expect(
+      page.getByText(/Discover agents registered on the ASAP Protocol/i).first(),
+    ).toBeVisible()
   })
 
   test("has search input", async ({ page }) => {

src/components/auth/login-form.tsx

@@ -31,13 +31,13 @@ export function LoginForm({ fromAsap }: LoginFormProps) {
     try {
       const result = await signIn("github", { callbackUrl: "/", redirect: false })
       if (result && !result.ok) {
-        toast.error("Failed to sign in with GitHub")
+        toast.error("Failed to sign in: " + result.error)
         setIsLoading(false)
       } else if (result?.url) {
         window.location.href = result.url
       }
-    } catch {
-      toast.error("Failed to sign in with GitHub")
+    } catch (err: any) {
+      toast.error("Failed to sign in catch: " + (err?.message || "Unknown error"))
       setIsLoading(false)
     }
   }

src/lib/db/workflows.ts

@@ -10,7 +10,7 @@ if (process.env.NODE_ENV !== "production") globalForWorkflows.memoryWorkflows =
 
 export async function getWorkflows(workspaceId: string): Promise<Workflow[]> {
   const supabase = await getSupabaseServerClient()
-  if (!supabase) return Array.from(memoryWorkflows.values())
+  if (!supabase || workspaceId === "local-workspace") return Array.from(memoryWorkflows.values())
   const { data, error } = await supabase
     .from("workflows")
     .select("*")
@@ -35,7 +35,7 @@ export async function createWorkflow(
   workflow: Omit<Workflow, "id" | "version" | "createdAt" | "updatedAt">,
 ): Promise<Workflow> {
   const supabase = await getSupabaseServerClient()
-  if (!supabase) {
+  if (!supabase || workspaceId === "local-workspace") {
     const newWorkflow: Workflow = {
       id: crypto.randomUUID(),
       workspaceId,

src/lib/db/workspaces.ts

@@ -16,7 +16,9 @@ export async function getCurrentWorkspace() {
     .limit(1)
     .single()
 
-  if (error) return null
+  if (error || !data?.workspaces) {
+    return { id: "local-workspace", name: "Local Workspace" } as any
+  }
   return data.workspaces as any
 }
 
@@ -33,7 +35,9 @@ export async function getUserWorkspaces() {
     .select("workspace_id, role, workspaces(*)")
     .eq("user_id", user.id)
 
-  if (error) return []
+  if (error || !data?.length) {
+    return [{ id: "local-workspace", name: "Local Workspace", role: "admin" }] as any
+  }
   return data.map((item) => ({ ...item.workspaces, role: item.role }))
 }
 

src/middleware.ts

@@ -20,8 +20,12 @@ const ratelimit =
     : null
 
 export async function middleware(request: NextRequest) {
-  const allowedOrigin =
-    process.env.NEXT_PUBLIC_ASAP_PROTOCOL_URL || "https://asap-protocol.vercel.app"
+  const allowedOriginAsap = process.env.NEXT_PUBLIC_ASAP_PROTOCOL_URL?.startsWith("http")
+    ? process.env.NEXT_PUBLIC_ASAP_PROTOCOL_URL
+    : "https://asap-protocol.vercel.app"
+  const allowedOriginSelf = process.env.NEXT_PUBLIC_APP_URL?.startsWith("http")
+    ? process.env.NEXT_PUBLIC_APP_URL
+    : "https://open-agentic-flow.vercel.app"
   const requestOrigin = request.headers.get("origin")
 
   // For /api routes, reject non-allowlisted cross-origin requests
@@ -46,15 +50,16 @@ export async function middleware(request: NextRequest) {
 
     if (
       requestOrigin &&
-      !requestOrigin.startsWith(allowedOrigin) &&
+      !requestOrigin.startsWith(allowedOriginAsap) &&
+      !requestOrigin.startsWith(allowedOriginSelf) &&
       !requestOrigin.startsWith("http://localhost")
     ) {
       return new NextResponse("Forbidden", { status: 403 })
     }
 
     if (request.method === "OPTIONS") {
       const preflightHeaders = {
-        "Access-Control-Allow-Origin": requestOrigin || allowedOrigin,
+        "Access-Control-Allow-Origin": requestOrigin || allowedOriginSelf,
         "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
         "Access-Control-Allow-Headers": "Content-Type, Authorization",
       }
@@ -63,7 +68,7 @@ export async function middleware(request: NextRequest) {
 
     // Pass the request along with CORS headers attached to the response
     const response = NextResponse.next()
-    response.headers.set("Access-Control-Allow-Origin", requestOrigin || allowedOrigin)
+    response.headers.set("Access-Control-Allow-Origin", requestOrigin || allowedOriginSelf)
     response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
     response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization")
     return response

tests/components/login-form.test.tsx

@@ -76,7 +76,7 @@ describe("LoginForm", () => {
     await user.click(screen.getByRole("button", { name: /sign in with github/i }))
 
     await waitFor(() => {
-      expect(toast.error).toHaveBeenCalledWith("Failed to sign in with GitHub")
+      expect(toast.error).toHaveBeenCalledWith("Failed to sign in catch: Auth failed")
     })
   })
 
@@ -95,7 +95,7 @@ describe("LoginForm", () => {
     await user.click(screen.getByRole("button", { name: /sign in with github/i }))
 
     await waitFor(() => {
-      expect(toast.error).toHaveBeenCalledWith("Failed to sign in with GitHub")
+      expect(toast.error).toHaveBeenCalledWith("Failed to sign in: OAuthError")
     })
   })
 })