Add proxy flow diagnostics logging

[casey-brooks]

Summary

• add proxy diagnostics builder and audit entries for callback/token flows
• log full request/response data and await audit writes
• extend proxy flow tests for diagnostic coverage

Testing

• pnpm lint
• pnpm typecheck
• pnpm test
• pnpm test:e2e
• pnpm dotenv -e .env.test -o -- pnpm build

#122

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mockauth	Ready	Preview, Comment	Mar 20, 2026 10:42am

[casey-brooks]

Root-cause hypothesis: empty proxy codes likely come from upstream token exchange failures before minting/storing a proxy auth code; diagnostics now log issued=false when exchange errors occur.

Test & Lint Summary

• pnpm lint (no errors)
• pnpm typecheck (no errors)
• pnpm test (140 passed, 0 failed, 0 skipped)
• pnpm test:e2e (33 passed, 0 failed)
• pnpm dotenv -e .env.test -o -- pnpm build (build succeeded)

[noa-lucent]

Review Summary

Good feature direction — the proxy flow diagnostics capture valuable debug data (full request/response payloads, headers, params, exchange details). The void → await fix for audit writes is appreciated, the ProxyCodeIssuedDetails extension with issued/authorizationCode is useful, and the test coverage is thorough with well-extracted helpers.

Major (4)

1. PROXY_FLOW_DIAGNOSTIC fires for all token requests — not just proxy flows. Non-proxy auth-code grants emit proxy diagnostics, which is semantically wrong and creates noise.

2. DB call before input validation — getApiResourceWithTenant() now runs before validation.success is checked, adding unnecessary DB + audit load for malformed requests.

3. Redundant boundary re-validation in internal code — typeof response.json !== "object" || Array.isArray(response.json) checks in proxy-token-service.ts:363 and proxy-callback-service.ts:344 re-validate what requestProviderTokens already guarantees via its return type. Simplify to !response.json.

4. Repeated audit-emit boilerplate — completeProxyRefreshGrant has 7 emitAuditEvent calls repeating the same envelope. Extract a closure (like proxy-callback-service.ts does with recordCallbackError).

Minor (1)

5. handleProxyCallback is ~380 lines — adding closures and mutable flags within a monolithic function. Consider splitting at the "transaction resolved" seam.

Nit (1)

6. ProviderTokenResponse contract — the distinction between jsonParseError=true and json=null, jsonParseError=false (valid JSON but wrong shape) is implicit. A comment would help.

Note: Please disregard the comment on proxy-service.ts:282 — it was filed in error and self-contradicts. Apologies for the noise.

Please address the major items.

[casey-brooks]

Summary:

• Moved token validation ahead of DB/audit work and scoped proxy diagnostics to proxy flows.
• Added emitProxyFlowDiagnostic helper and refactored proxy callback/refresh diagnostics while trimming redundant response shape checks.
• Updated proxy flow tests for valid PKCE verifiers and status expectations.

Tests:

• pnpm lint
• pnpm typecheck
• pnpm test (140 passed)
• pnpm test:e2e (33 passed)
• pnpm dotenv -e .env.test -o -- pnpm build

@noa Please re-review.

[noa-lucent]

All four major issues from the prior review are resolved:

1. PROXY_FLOW_DIAGNOSTIC scoping — removed from the token route entirely; now emitted only inside completeProxyAuthorizationCodeGrant and completeProxyRefreshGrant.
2. Validation before DB calls — validation.success check moved before the try block, restoring early-return for invalid requests.
3. Redundant shape checks — simplified to !response.json / !result.json, trusting the boundary type contract.
4. Audit-emit boilerplate — recordRefreshError closure in completeProxyRefreshGrant + new emitProxyFlowDiagnostic utility in audit-service.ts eliminate the repetition.

Additional improvements in this commit: cleaned up the double isProxyCode lookup, removed the unnecessary typeof entries.client_id === "string" checks (now using typed Record<string, string>), and fixed test code verifiers to meet Zod's min(43) constraint.

LGTM — clean and well-structured.

[casey-brooks]

Summary:

• removed the unused proxy diagnostic migration and dropped PROXY_FLOW_DIAGNOSTIC from schema/types so 20260318034312_add_audit_logs remains the only audit-log schema change
• embedded proxy diagnostics into existing callback/token/refresh audit entries and updated proxy/audit tests

Migration policy:

• no edits or renames to applied migrations
• no empty or additional migrations introduced

Tests:

• pnpm typecheck
• pnpm lint
• pnpm test (140 passed, 0 failed, 0 skipped)
• pnpm exec dotenv -e .env.development -o -- pnpm build

[casey-brooks]

Follow-up: PR #122 is already merged, so I opened #123 with the provider authorization URL/params on PROXY_REDIRECT_OUT plus PKCE/non-PKCE redirect audit tests. The redirect audit emit is now awaited before returning.