Merge branch 'temporalio:main' into add-ca-cert-support-in-auth

Author: lgutter

.claude/skills/auth-testing/SKILL.md

@@ -0,0 +1,162 @@
+---
+name: auth-testing
+description: Test OAuth2 token refresh and session expiry locally. Use when working on auth, tokens, SSO, OIDC, or session management features.
+---
+
+# Auth Testing Skill
+
+Test OAuth2 authentication flows locally using the built-in OIDC server.
+
+## Quick Start
+
+```bash
+pnpm dev:with-auth
+```
+
+This starts:
+
+- **Vite dev server**: http://localhost:3000
+- **UI Server** (Go): http://localhost:8081
+- **OIDC Server**: http://localhost:8889
+- **Temporal Server**: http://localhost:7233
+
+## Configuration Files
+
+| File                                             | Purpose                                                 |
+| ------------------------------------------------ | ------------------------------------------------------- |
+| `server/config/with-auth.yaml`                   | UI server auth settings (maxSessionDuration, providers) |
+| `utilities/oidc-server/support/configuration.ts` | OIDC server TTLs (token expiry, session duration)       |
+
+## Testing Scenarios
+
+### 1. Token Refresh
+
+Test that tokens refresh automatically before expiry.
+
+**Config**: AccessToken TTL (60s) < maxSessionDuration (2m)
+
+**Steps**:
+
+1. Login at http://localhost:3000
+2. Open browser DevTools > Network tab
+3. Wait ~60 seconds
+4. Observe `/auth/refresh` request that renews tokens
+
+### 2. Session Expiry
+
+Test that sessions expire and force re-login.
+
+**Config**: maxSessionDuration = Session TTL (both 2m)
+
+**Steps**:
+
+1. Login at http://localhost:3000
+2. Wait 2 minutes
+3. Make any API request (navigate, refresh)
+4. Should redirect to OIDC login page
+
+### 3. Unlimited Session
+
+Test long-lived sessions with only token refresh.
+
+**Config changes**:
+
+```yaml
+# server/config/with-auth.yaml
+auth:
+  maxSessionDuration: 0 # Disable session limit
+```
+
+```typescript
+// utilities/oidc-server/support/configuration.ts
+ttl: {
+  Session: 60 * 60 * 24,  // 1 day
+}
+```
+
+## Max Session Duration
+
+The `maxSessionDuration` config enforces a hard limit on how long a user can stay logged in, independent of token expiry.
+
+### How it works
+
+1. **On login**: Server sets `session_start` cookie with current timestamp
+2. **On each request**: Server validates session age against `maxSessionDuration`
+3. **On expiry**: Server returns 401, UI redirects to SSO login
+
+### Config location
+
+```yaml
+# server/config/with-auth.yaml
+auth:
+  enabled: true
+  maxSessionDuration: 2m # Duration string (e.g., 30m, 1h, 24h)
+  # Set to 0 or omit to disable
+```
+
+### Difference from token expiry
+
+| Mechanism          | Controls                 | Behavior on expiry                 |
+| ------------------ | ------------------------ | ---------------------------------- |
+| Token TTL          | How often tokens refresh | Silent refresh via `/auth/refresh` |
+| maxSessionDuration | Total session lifetime   | Full re-authentication required    |
+
+### Use cases
+
+- **Security compliance**: Force re-auth every N hours regardless of activity
+- **Testing**: Set short duration (2m) to quickly test session expiry flow
+- **Production**: Set longer duration (8h, 24h) based on security requirements
+
+## Key Relationships
+
+```
+AccessToken TTL < maxSessionDuration  → Enables token refresh
+Session TTL = maxSessionDuration      → Forces re-auth at OIDC on expiry
+RefreshToken TTL > Session TTL        → Allows refresh within session
+```
+
+## Current Default Values
+
+| Setting              | Value | Location         |
+| -------------------- | ----- | ---------------- |
+| Access Token TTL     | 60s   | OIDC config      |
+| ID Token TTL         | 60s   | OIDC config      |
+| Refresh Token TTL    | 1 day | OIDC config      |
+| OIDC Session TTL     | 2m    | OIDC config      |
+| Max Session Duration | 2m    | UI server config |
+
+## Debugging
+
+### View auth logs
+
+The Go server logs token validation:
+
+```
+[Auth] Setting refresh token cookie (length: X)
+[JWT Validation] Token valid, expires at X (time remaining: X)
+```
+
+### Check cookies
+
+In browser DevTools > Application > Cookies:
+
+- `user0`, `user1`... - Base64 encoded user data (short-lived)
+- `refresh` - HttpOnly refresh token (long-lived)
+- `session_start` - Session start timestamp (HttpOnly)
+
+### Test endpoints
+
+```bash
+# Get OIDC discovery
+curl http://localhost:8889/.well-known/openid-configuration
+
+# Manual token refresh (requires valid refresh cookie)
+curl -X GET http://localhost:8081/auth/refresh --cookie "refresh=<token>"
+```
+
+## Related Files
+
+- `server/server/route/auth.go` - Auth routes and callbacks
+- `server/server/auth/auth.go` - Token validation and session management
+- `server/server/config/config.go` - Auth config struct
+- `src/lib/utilities/auth-refresh.ts` - Client-side refresh logic

.claude/skills/install-local-ui-in-cloud.md

@@ -0,0 +1,210 @@
+# Install Local UI Package in Cloud UI
+
+**Trigger phrases:** "install local ui in cloud", "build ui for cloud", "test ui changes in cloud", "local ui package"
+
+## Purpose
+
+This skill replicates the GitHub Actions "Generate temporalio/ui PR" workflow locally when GitHub Actions is unavailable or for faster iteration. It builds the UI package from the current branch and installs it in a local cloud-ui repository.
+
+## Prerequisites Check
+
+Before proceeding, verify the user has cloud-ui available:
+
+1. Ask: "Do you have the cloud-ui repository cloned locally?"
+2. If YES: Ask for the path, then instruct: "Please run `/add-dir <path-to-cloud-ui>` so I can access both repositories"
+3. If NO: Explain they need to clone it first, then add it with `/add-dir`
+
+**CRITICAL:** Do not proceed until cloud-ui is added to the context with `/add-dir`.
+
+## Workflow Steps
+
+### Step 1: Build the UI Package
+
+In the **ui** repository (current repo):
+
+```bash
+# Ensure dependencies are installed
+pnpm install
+
+# Sync SvelteKit (required before packaging)
+pnpm svelte-kit sync
+
+# Build the library package (NOT pnpm build!)
+pnpm package
+
+# Create the tarball
+pnpm pack
+```
+
+**CRITICAL:** You must run `pnpm package` (not `pnpm build`).
+
+- `pnpm package` = builds the library for distribution (creates optimized dist/)
+- `pnpm build` = builds the dev/docs server (wrong for this use case)
+
+**Expected output:** A `.tgz` file in the ui root directory (e.g., `temporalio-ui-2.45.2.tgz`, ~1.0MB)
+
+### Step 2: Install in Cloud UI
+
+In the **cloud-ui** repository (must be added with `/add-dir`):
+
+```bash
+# Navigate to cloud-ui directory
+cd <path-to-cloud-ui>
+
+# Install the local UI package
+pnpm install <path-to-ui-repo>/temporalio-ui-<version>.tgz
+```
+
+**What this does:**
+
+- Updates `cloud-ui/package.json` dependencies to point `@temporalio/ui` to the local tarball
+- Installs the built UI package from your branch
+- Allows testing UI changes in the cloud environment
+
+### Step 2.5: Update pnpm.overrides (CRITICAL!)
+
+**IMPORTANT:** cloud-ui uses `pnpm.overrides` which takes precedence over dependencies. You MUST update this:
+
+1. **Find the overrides section** in `cloud-ui/package.json` (typically near the end):
+
+   ```json
+   "overrides": {
+     "@temporalio/ui": "file:./packs/temporalio-ui-XXXXXXXX.tgz",
+     "devalue": "5.6.2"
+   }
+   ```
+
+2. **Update the override** to point to your local tarball:
+
+   ```json
+   "overrides": {
+     "@temporalio/ui": "file:<absolute-path-to-ui-repo>/temporalio-ui-<version>.tgz",
+     "devalue": "5.6.2"
+   }
+   ```
+
+3. **Run pnpm install** again to apply the override:
+   ```bash
+   pnpm install
+   ```
+
+**Why this matters:** Without updating the override, pnpm will ignore your dependency change and continue using the old pack referenced in overrides.
+
+### Step 3: Start Cloud UI Dev Server
+
+```bash
+# In cloud-ui directory
+pnpm dev
+
+# Or for production build
+pnpm build
+```
+
+Now you can test the UI changes in the cloud environment at `http://localhost:5173` (or configured port).
+
+## Verification
+
+After installation, verify:
+
+1. Check `cloud-ui/package.json` dependencies show the local path:
+
+   ```json
+   "@temporalio/ui": "file:/absolute/path/to/ui/temporalio-ui-2.45.2.tgz"
+   ```
+
+2. Check `cloud-ui/package.json` overrides also point to the local path:
+
+   ```json
+   "overrides": {
+     "@temporalio/ui": "file:/absolute/path/to/ui/temporalio-ui-2.45.2.tgz"
+   }
+   ```
+
+3. Check `cloud-ui/node_modules/@temporalio/ui/package.json` version matches
+
+4. Start dev server and verify UI changes appear
+
+## Cleanup
+
+To revert to the published package:
+
+```bash
+# In cloud-ui directory
+pnpm install @temporalio/ui@latest
+```
+
+## Troubleshooting
+
+**"Cannot find module":**
+
+- Ensure you ran `pnpm pack` in the ui repo first
+- Verify the tarball path is correct
+
+**"Changes not appearing":**
+
+- Clear cloud-ui's dev server cache and restart
+- Check that `pnpm pack` built the latest changes
+- Verify `node_modules/@temporalio/ui` contains your changes
+
+**"Workspace dependency issues":**
+
+- Ensure both repos use compatible pnpm/node versions
+- Try `pnpm install --force` in cloud-ui
+
+## Example Full Workflow
+
+```bash
+# In ui repo - build the package
+cd ~/code/ui
+git checkout my-feature-branch
+pnpm install
+pnpm svelte-kit sync
+pnpm package  # Build the library (NOT pnpm build!)
+pnpm pack     # Creates temporalio-ui-2.45.2.tgz (~1.0MB)
+
+# In cloud-ui repo - install local package
+cd ~/code/cloud-ui
+pnpm install ~/code/ui/temporalio-ui-2.45.2.tgz
+
+# CRITICAL: Update the pnpm.overrides in package.json
+# Edit package.json and change the overrides section:
+# "@temporalio/ui": "file:/Users/ross/code/ui/temporalio-ui-2.45.2.tgz"
+
+# Apply the override
+pnpm install
+
+# Start dev server
+pnpm dev
+# Visit http://localhost:3000 to test (cloud-ui uses port 3000, not 5173)
+```
+
+## When to Use This Skill
+
+- GitHub Actions is degraded/unavailable
+- Faster iteration than waiting for CI
+- Testing UI changes in cloud environment locally
+- Debugging integration issues between ui and cloud-ui
+
+## What This Replaces
+
+This replicates the `Generate temporalio/ui PR` GitHub Actions workflow which:
+
+1. Checks out the UI branch
+2. Builds the package
+3. Creates a cloud-ui PR with the updated package reference
+
+The local version gives immediate feedback without waiting for CI.
+
+## ⚠️ CRITICAL: Do NOT Commit cloud-ui Changes
+
+**IMPORTANT:** The changes made to `cloud-ui/package.json` and `cloud-ui/pnpm-lock.yaml` are for **local testing only**.
+
+**DO NOT:**
+
+- ❌ Commit changes in cloud-ui
+- ❌ Push changes in cloud-ui
+- ❌ Create PRs with these changes
+
+**Only commit and push changes in the UI repo!**
+
+The GitHub Actions workflow will create the proper cloud-ui PR automatically when it's available.