updated auth and ci/cd pipeline

Author: mstrivens

.env.example

@@ -9,5 +9,11 @@ STACKONE_MCP_URL=https://api.stackone.com/mcp
 STACKONE_API_KEY=your_stackone_api_key_here
 STACKONE_ACCOUNT_ID=your_pylon_account_id_here
 
+# Google OAuth Configuration
+GOOGLE_CLIENT_ID=your_google_client_id_here
+GOOGLE_CLIENT_SECRET=your_google_client_secret_here
+AUTH_REDIRECT_URI=http://localhost:3000/auth/callback
+COOKIE_SECRET=your_random_secret_at_least_32_chars_here
+
 # Server Configuration
 PORT=3000

bun.lock

@@ -0,0 +1,130 @@
+# Google OAuth Gating for Dashboard
+
+## Summary
+
+Replace basic auth with Google OAuth, restricting access to @stackone.com email domain only. Uses Arctic OAuth library for edge-compatible implementation on Cloudflare Workers.
+
+## Requirements
+
+- Google OAuth as sole authentication method
+- Only @stackone.com emails allowed
+- 24-hour session duration
+- Remove existing basic auth
+
+## Architecture
+
+```
+┌─────────────┐     ┌─────────────────┐     ┌─────────────┐
+│   Browser   │────▶│ Cloudflare Worker│────▶│ Google OAuth│
+│             │◀────│   (Hono + Arctic)│◀────│   Server    │
+└─────────────┘     └─────────────────┘     └─────────────┘
+                            │
+                    ┌───────┴───────┐
+                    │ Signed Cookie │
+                    │   (Session)   │
+                    └───────────────┘
+```
+
+**Components:**
+- **Arctic** - handles OAuth 2.0 flow with Google
+- **Hono middleware** - protects routes, redirects unauthenticated users
+- **Signed cookie** - stores session (email + expiry), signed with secret key
+- **No database sessions** - stateless auth via cookie signature verification
+
+**New files:**
+- `src/auth/google.ts` - Arctic Google provider setup
+- `src/auth/session.ts` - Cookie session management
+- `src/auth/middleware.ts` - Auth middleware for route protection
+- `src/auth/routes.ts` - `/auth/login`, `/auth/callback`, `/auth/logout`
+
+## Authentication Flow
+
+**Login (`/auth/login`):**
+1. Generate random `state` parameter (CSRF protection)
+2. Store `state` in short-lived cookie (5 min)
+3. Redirect to Google OAuth consent screen
+
+**Callback (`/auth/callback`):**
+1. Validate `state` matches cookie (prevents CSRF)
+2. Exchange authorization code for tokens via Arctic
+3. Fetch user info from Google (email, name)
+4. Reject if email domain ≠ @stackone.com
+5. Create signed session cookie (24h expiry)
+6. Redirect to dashboard (`/`)
+
+**Logout (`/auth/logout`):**
+1. Clear session cookie
+2. Redirect to `/auth/login`
+
+**Unauthenticated access:**
+- Any protected route → redirect to `/auth/login`
+- After login → redirect back to originally requested URL
+
+## Session Management
+
+**Session cookie structure:**
+```typescript
+{
+  email: "user@stackone.com",
+  name: "User Name",
+  exp: 1711324800  // Unix timestamp (24h from login)
+}
+```
+
+**Cookie configuration:**
+- **Name:** `session`
+- **Signed:** Yes, using `COOKIE_SECRET` env var (HMAC-SHA256)
+- **HttpOnly:** Yes (not accessible via JavaScript)
+- **Secure:** Yes (HTTPS only in production)
+- **SameSite:** Lax (allows redirects from Google)
+- **Max-Age:** 86400 (24 hours)
+
+## Route Protection
+
+**Protected routes (require auth):**
+- `/` - Dashboard
+- `/api/*` - All API endpoints (except webhook)
+
+**Public routes (no auth):**
+- `/auth/login` - Login page/redirect
+- `/auth/callback` - OAuth callback
+- `/auth/logout` - Logout
+- `/health` - Health check
+- `/api/pylon/webhook` - Pylon webhook (has its own HMAC verification)
+
+## Error Handling
+
+**OAuth errors (callback failures):**
+- Invalid state → redirect to `/auth/login?error=invalid_state`
+- Google denies access → redirect to `/auth/login?error=access_denied`
+- Token exchange fails → redirect to `/auth/login?error=token_error`
+
+**Domain rejection:**
+- Non-@stackone.com email → redirect to `/auth/login?error=unauthorized_domain`
+
+**Error messages:**
+| Error | Message |
+|-------|---------|
+| `unauthorized_domain` | "Access restricted to @stackone.com accounts" |
+| `access_denied` | "Google sign-in was cancelled" |
+| `invalid_state` | "Session expired. Please try again." |
+| `token_error` | "Authentication failed. Please try again." |
+
+## Environment Configuration
+
+**New environment variables:**
+
+| Variable | Description |
+|----------|-------------|
+| `GOOGLE_CLIENT_ID` | OAuth client ID from Google Cloud Console |
+| `GOOGLE_CLIENT_SECRET` | OAuth client secret |
+| `COOKIE_SECRET` | Random string for signing cookies (32+ chars) |
+| `AUTH_REDIRECT_URI` | OAuth callback URL |
+
+**Removed:**
+- `DASHBOARD_PASSWORD` - no longer needed
+
+**Google Cloud Console setup required:**
+1. Create OAuth 2.0 credentials (Web application)
+2. Add authorized redirect URI: `{domain}/auth/callback`
+3. Enable Google People API (for user info)

docs/superpowers/specs/2026-03-25-google-oauth-gating-design.md

@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.78.0",
+    "arctic": "^3.7.0",
     "hono": "^4.12.7",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"

package.json

@@ -0,0 +1,40 @@
+import { Google } from 'arctic';
+
+export type AuthEnv = {
+  GOOGLE_CLIENT_ID: string;
+  GOOGLE_CLIENT_SECRET: string;
+  AUTH_REDIRECT_URI: string;
+  COOKIE_SECRET: string;
+};
+
+let googleClient: Google | null = null;
+let authEnv: AuthEnv | null = null;
+
+export function setAuthEnv(env: AuthEnv): void {
+  authEnv = env;
+  googleClient = new Google(
+    env.GOOGLE_CLIENT_ID,
+    env.GOOGLE_CLIENT_SECRET,
+    env.AUTH_REDIRECT_URI
+  );
+}
+
+export function getGoogleClient(): Google {
+  if (!googleClient) {
+    throw new Error('Google OAuth client not initialized. Call setAuthEnv first.');
+  }
+  return googleClient;
+}
+
+export function getAuthEnv(): AuthEnv {
+  if (!authEnv) {
+    throw new Error('Auth env not initialized. Call setAuthEnv first.');
+  }
+  return authEnv;
+}
+
+export function isAuthConfigured(): boolean {
+  return authEnv !== null;
+}
+
+export const ALLOWED_DOMAIN = 'stackone.com';

src/auth/google.ts

@@ -0,0 +1,43 @@
+import type { Context, Next } from 'hono';
+import { getSession, type SessionData } from './session';
+import { isAuthConfigured } from './google';
+
+declare module 'hono' {
+  interface ContextVariableMap {
+    user: SessionData;
+  }
+}
+
+export async function authMiddleware(c: Context, next: Next): Promise<Response | void> {
+  // Check if auth is configured
+  if (!isAuthConfigured()) {
+    return c.html(`
+      <!DOCTYPE html>
+      <html>
+      <head><title>Auth Not Configured</title></head>
+      <body style="font-family: sans-serif; padding: 40px; background: #0f172a; color: #e2e8f0;">
+        <h1>Authentication Not Configured</h1>
+        <p>Google OAuth is not configured. Please set the following secrets:</p>
+        <ul>
+          <li>GOOGLE_CLIENT_ID</li>
+          <li>GOOGLE_CLIENT_SECRET</li>
+          <li>AUTH_REDIRECT_URI</li>
+          <li>COOKIE_SECRET</li>
+        </ul>
+        <p>Run: <code>npx wrangler secret put SECRET_NAME</code> for each.</p>
+      </body>
+      </html>
+    `, 500);
+  }
+
+  const session = await getSession(c);
+
+  if (!session) {
+    const currentUrl = new URL(c.req.url);
+    const redirectParam = encodeURIComponent(currentUrl.pathname + currentUrl.search);
+    return c.redirect(`/auth/login?redirect=${redirectParam}`);
+  }
+
+  c.set('user', session);
+  await next();
+}