Skip to content

Fix navbar auth display and add self-serve org rename#288

Merged
bokelley merged 2 commits into
mainfrom
bokelley/fix-navbar-auth-logo
Dec 12, 2025
Merged

Fix navbar auth display and add self-serve org rename#288
bokelley merged 2 commits into
mainfrom
bokelley/fix-navbar-auth-logo

Conversation

@bokelley

Copy link
Copy Markdown
Contributor

Summary

  • Fixed navbar showing login/signup when user is actually logged in
  • Added automatic session token refresh to fix 60-second idle timeout issue
  • Implemented self-serve organization renaming for owners/admins
  • Unified branding to always show AAO logo across all sites

Test plan

  • ✅ All tests pass (schema, examples, unit, typecheck)
  • ✅ Authenticated users now see account dropdown (not login buttons)
  • ✅ Sessions persist beyond access token expiration
  • ✅ Organization owners/admins can rename their org from dashboard
  • ✅ Edit button only visible to authorized users

🤖 Generated with Claude Code

bokelley and others added 2 commits December 11, 2025 22:42
- Fixed navbar showing login/signup when user is logged in by removing
  isBetaSite condition from auth check
- Always show AAO logo across all sites (removed AdCP branding)
- Updated "Managed by" text to "Managed by AgenticAdvertising.org"
- Added session token auto-refresh to fix 60-second idle timeout
- Implemented PUT /api/organizations/:orgId endpoint for renaming
- Added UI for self-serve organization rename (owners/admins only)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@bokelley bokelley merged commit f5fc679 into main Dec 12, 2025
5 checks passed
bokelley added a commit that referenced this pull request Apr 25, 2026
Applies feedback from prompt-engineer, security, ad-tech-protocol-expert,
and docs-expert reviews on the original Escalation #288 fix.

Knowledge rule (server/src/addie/rules/knowledge.md):
- Replace "do NOT say X" negation primer with positive "common conflation"
  framing; lift the conflation block to the top of the section so retrieval
  hits it first.
- Update AdCP-protocol-auth characterization to match docs/building/
  integration/authentication.mdx — Bearer (3.0 baseline; read-only in 3.1+),
  RFC 9421 (recommended in 3.0, required for mutating ops in 3.1+), or mTLS.
  Previous "bearer + optional signing" was stale.
- Note that OAuth ALSO appears between agents (sales agents publishing their
  own AS for operator-account flows) — AAO is one OAuth deployment among
  many, not "the" OAuth surface for AdCP.
- Add bridging line: a buyer that signed into AAO via OAuth still uses a
  separate seller-issued bearer when calling that seller's AdCP endpoints.
- Spell out facts that were missing and would misroute integrators:
  no client_credentials grant (use a WorkOS org API key for S2S, not
  /token); no RFC 8707 audience binding enforced (so one JWT covers /mcp
  and /api); no advertised revocation_endpoint; PKCE mandatory regardless
  of token_endpoint_auth_method.
- Soften "no manual onboarding required" — /register is rate-limited.
- Cite both repo-relative path and public URL anchor for the registry
  reference.
- Reciprocal cross-link: append a sentence to "Audit Surfaces in AdCP"
  pointing back to the new section.

Docs (docs/building/integration/authentication.mdx):
- Close the gap docs-expert flagged: this page is the canonical "AdCP
  authentication" landing point but was silent on AAO platform auth. Add
  a short "Authenticating to AAO Platform Services" section after
  "Obtaining Credentials" with the well-known URLs, the no-client_credentials
  caveat, and a link to /docs/registry#authentication.

Docs (docs/registry/index.mdx):
- Add "or logging in to AAO" so search_docs queries like "AAO login" /
  "sign in" route to the Authentication section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bokelley added a commit that referenced this pull request Apr 26, 2026
* fix(addie): teach Addie that AAO runs an OAuth 2.1 + OIDC authorization server

Escalation #288 (Emma Mulitz / Scope3) — Addie was telling users that AAO
doesn't support OAuth and that bearer tokens are the only mechanism. AAO's
authorization server has been live at
https://agenticadvertising.org/.well-known/oauth-authorization-server with
RFC 8414 metadata, RFC 9728 protected-resource metadata for /api and /mcp,
RFC 7591 dynamic client registration, and PKCE-protected authorization code
flow. Addie's rules had no OAuth section, so she fabricated.

Adds a Knowledge section that:

- explicitly states AAO supports OAuth 2.1 + OIDC and the well-known URLs,
- separates AAO platform auth (OAuth/JWT for /mcp and /api) from AdCP
  protocol-level bearer + optional HTTP Message Signatures between agents,
- points Addie at docs/registry/index.mdx and search_docs for specifics.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(addie): tighten AAO OAuth rule + close doc gap (expert review pass)

Applies feedback from prompt-engineer, security, ad-tech-protocol-expert,
and docs-expert reviews on the original Escalation #288 fix.

Knowledge rule (server/src/addie/rules/knowledge.md):
- Replace "do NOT say X" negation primer with positive "common conflation"
  framing; lift the conflation block to the top of the section so retrieval
  hits it first.
- Update AdCP-protocol-auth characterization to match docs/building/
  integration/authentication.mdx — Bearer (3.0 baseline; read-only in 3.1+),
  RFC 9421 (recommended in 3.0, required for mutating ops in 3.1+), or mTLS.
  Previous "bearer + optional signing" was stale.
- Note that OAuth ALSO appears between agents (sales agents publishing their
  own AS for operator-account flows) — AAO is one OAuth deployment among
  many, not "the" OAuth surface for AdCP.
- Add bridging line: a buyer that signed into AAO via OAuth still uses a
  separate seller-issued bearer when calling that seller's AdCP endpoints.
- Spell out facts that were missing and would misroute integrators:
  no client_credentials grant (use a WorkOS org API key for S2S, not
  /token); no RFC 8707 audience binding enforced (so one JWT covers /mcp
  and /api); no advertised revocation_endpoint; PKCE mandatory regardless
  of token_endpoint_auth_method.
- Soften "no manual onboarding required" — /register is rate-limited.
- Cite both repo-relative path and public URL anchor for the registry
  reference.
- Reciprocal cross-link: append a sentence to "Audit Surfaces in AdCP"
  pointing back to the new section.

Docs (docs/building/integration/authentication.mdx):
- Close the gap docs-expert flagged: this page is the canonical "AdCP
  authentication" landing point but was silent on AAO platform auth. Add
  a short "Authenticating to AAO Platform Services" section after
  "Obtaining Credentials" with the well-known URLs, the no-client_credentials
  caveat, and a link to /docs/registry#authentication.

Docs (docs/registry/index.mdx):
- Add "or logging in to AAO" so search_docs queries like "AAO login" /
  "sign in" route to the Authentication section.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(addie): tighten AAO OAuth rule + harden seller-AS trust (review pass 2)

Applies second-pass feedback from prompt-engineer, security, ad-tech-protocol-
expert, and docs-expert reviews on commit b621c14.

Knowledge rule (server/src/addie/rules/knowledge.md):
- Split the conflation block into three bullets: (1) AAO platform auth,
  (2) AdCP protocol auth between agents with the bridging "AAO JWT is not
  an AdCP credential" line elevated, (3) "Other auth surfaces" covering
  sales-agent operator-account OAuth and the TMP/webhook signing profiles.
  Item 2 was overloaded; the bridging fact was buried mid-paragraph.
- Add the operator-OAuth wire signal so Addie knows when to expect it:
  `get_adcp_capabilities.require_operator_auth: true` or a 401 carrying
  `WWW-Authenticate: Bearer resource_metadata=…` (RFC 9728).
- Add seller-AS issuer-pinning guidance — discovered `authorization_servers`
  must be pinned via adagents.json / out-of-band onboarding, not blindly
  trusted from the resource itself. Closes the credential-routing risk
  the security pass flagged.
- Use specific signing terms for TMP and webhooks (Ed25519 envelope,
  HMAC-SHA256 per push_notification_config) so search_docs queries route.
- Drop the unverifiable "~20/hr" rate-limit number on /register; the
  observed limit is at the edge, not application-level.
- Drop the revocation_endpoint absence bullet (Addie won't recall it and
  stating absences invites fabrication).
- Trim the audience-binding bullet to one positive sentence ("the same
  user JWT is accepted on /mcp and /api"); merge with the reach bullet.

Docs (docs/building/integration/authentication.mdx):
- Add "All AAO endpoints are HTTPS-only" sentence.
- Add a Warning callout: when following a sales agent's RFC 9728 PRM for
  operator-account OAuth, pin the discovered AS issuer against
  adagents.json. Same threat the rule above guards against.

Docs (docs/registry/index.mdx):
- Drop "or logging in to AAO" duplication; "signing in" already carries
  the search query and the doubled phrase read as keyword stuffing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(docs): backfill v3-envelope-integrity rows in universal conformance tables

The v3-envelope-integrity universal storyboard merged in #3045 without
the matching rows in the two doc index tables that the build-time
parity lint enforces. Any PR merging with main has been failing the
TypeScript Build job at build:compliance with:

  Universal-storyboard doc parity drift:
    - docs/building/conformance.mdx: missing rows for `v3_envelope_integrity`
    - docs/building/compliance-catalog.mdx: missing rows for `v3-envelope-integrity`

Adds one row to each table next to schema-validation (the related
category) — snake_case YAML id form in conformance.mdx, kebab-case
filename slug in compliance-catalog.mdx, matching the conventions the
parity lint expects per scripts/lint-universal-storyboard-doc-parity.cjs.

Verified locally with `npm run build:compliance` — clean build, 20 universal
storyboards detected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant