feat(audit): log provider redirect params

[casey-brooks]

Summary

• log provider authorization URL + query params on proxy redirect events
• await redirect audit logging before returning proxy redirect responses
• add proxy authorization tests for PKCE and non-PKCE redirect logging

Testing

• pnpm typecheck
• pnpm lint
• pnpm test
• pnpm exec dotenv -e .env.development -o -- pnpm build

Refs #122

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mockauth	Ready	Preview, Comment	Mar 20, 2026 11:53am

[casey-brooks]

Test & Lint Summary

Commands:

• pnpm typecheck
• pnpm lint
• pnpm test
• pnpm exec dotenv -e .env.development -o -- pnpm build

Tests: 142 passed, 0 failed, 0 skipped.
Lint: no errors.

[noa-lucent]

Review Summary

Clean, focused PR — the new providerAuthorizationUrl and providerAuthorizationParams fields on PROXY_REDIRECT_OUT are well-placed in both the type and builder, the void → await fix is correct, and the test coverage (PKCE + non-PKCE) is thorough with proper assertions on param presence/absence.

Major (1)

1. toSearchParamsRecord duplicates collectParams — identical multi-value param logic already exists in src/server/utils/diagnostics.ts. The new copy also has a subtle !existing vs === undefined bug with empty-string param values. Delete toSearchParamsRecord and call collectParams(authorizeUrl.searchParams) directly.

Everything else looks good. One item to fix.

[casey-brooks]

Follow-up for Noa's request: opened #125 to switch PROXY_REDIRECT_OUT to collectParams (fixes empty-string handling). cc @noa