fix(auth): surface fatal Copilot rejection on device-code sign-in; add cancel + busy feedback #114
Merged
…d cancel + busy feedback

A device-code sign-in for an account with no usable Copilot (license revoked, TOS unaccepted, 401/403) routed through markAuthFatalAndSignOut — which wipes the token and sets the fatal-error state — but runPoller then swallowed the error and unconditionally latched signed-in, papering a "signed in" UI over a wiped session and burying the reason the user needs to act on.

Return on CopilotAuthFatalError to preserve the error state, and re-check the abort flag before the signed-in transition so a signOut() that fires during the Copilot-mint await can no longer be overwritten. Two regression tests cover both paths.

Shell UX, same flow:
- Device-code pending state had no way out before the code expired; add a Cancel affordance that aborts the server-side poller via /sign-out (a no-op on the not-yet-minted token) and returns to the sign-in screen.
- startAuth now shows the ambient busy bar while the request is in flight, matching signOut/useGhAccount.
- Dev baseUrl defaulted to :4141 while the documented fast-iteration workflow + sidecar use :4142; default to :4142, VITE_API_BASE override.
This was referenced Jun 11, 2026
What
Release-triage bundle for the device-code sign-in flow, from a three-way gap audit (state architecture / UX / slice-3 readiness) ahead of the next release.
Backend blocker
A device-code sign-in for an account with no usable Copilot (license revoked, TOS unaccepted, 401/403) routes through markAuthFatalAndSignOut — which wipes the token + on-disk record and sets the fatal-error state with its remediation URL — but runPoller then swallowed the error and unconditionally latched signed-in, papering a "signed in" UI over a wiped session and burying the reason the user needs to act on.
- CopilotAuthFatalError in the setupCopilotToken catch so the error state is preserved.
- signed-in transition, so a signOut() that fires during the Copilot-mint await can't be overwritten.
Shell UX (same flow)
- /sign-out (a no-op on the not-yet-minted token); no reboot.
- startAuth now shows the ambient busy bar while the request is in flight, matching signOut/useGhAccount.
- baseUrl defaulted to :4141 while the documented fast-iteration workflow + sidecar use :4142; default to :4142, VITE_API_BASE override.
Triage note
The three audits converged that the full Phase-3 transition reducer is not required for release — #110 (guard timers) + #106 (reboot-on-signout) already closed the real hang/leak risks. This PR fixes the one remaining reachable correctness gap surgically. The Phase-3 reducer (and the cancel→/sign-out semantic consolidation) stays deferred.
Testing
- bun test — 825 pass / 0 fail (+2 new)
- bun run check:fast — clean (typecheck root + shell, eslint, design tokens)
- /simplify (4-agent pass) — converged on ship-as-is, no code changes
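The two guards described under "Backend blocker", as an added TypeScript sketch that is not the project's code: it reuses the identifiers named in the PR (runPoller, markAuthFatalAndSignOut, CopilotAuthFatalError, signOut) but every body is an assumed minimal model. AuthSession, snapshot, mint, hardened and the two scenario functions are hypothetical names introduced here.

```typescript
// Added illustration, not the project's code: identifiers come from the PR
// text, every body is an assumed minimal model of the behaviour it describes.
type AuthState = "pending" | "signed-in" | "signed-out" | "fatal-error";
class CopilotAuthFatalError extends Error {
  constructor(message: string) {
    super(message);
    Object.setPrototypeOf(this, CopilotAuthFatalError.prototype); // instanceof on old targets
  }
}
class AuthSession {
  state: AuthState = "pending";
  token: string | null = "constructed-device-token"; // constructed sample value
  aborted = false;
  signOut(): void { this.aborted = true; this.token = null; this.state = "signed-out"; }
  markAuthFatalAndSignOut(): void { this.token = null; this.state = "fatal-error"; }
  snapshot(): string { return `${this.state}:${this.token ? "token" : "no-token"}`; }
}
// `mint` stands in for setupCopilotToken; `hardened` toggles the two guards.
async function runPoller(s: AuthSession, mint: () => Promise<void>, hardened: boolean): Promise<void> {
  try {
    await mint();
  } catch (err) {
    // Guard 1: a fatal rejection already set the error state; do not latch over it.
    if (hardened && err instanceof CopilotAuthFatalError) return;
    // Other errors fall through (assumption: a non-fatal mint failure does not block sign-in).
  }
  // Guard 2: signOut() may have run while mint() was awaited.
  if (hardened && s.aborted) return;
  s.state = "signed-in";
}
async function fatalRejection(hardened: boolean): Promise<string> {
  const s = new AuthSession();
  await runPoller(s, async () => {
    s.markAuthFatalAndSignOut(); // the mint path wipes the token before throwing
    throw new CopilotAuthFatalError("403: no usable Copilot (constructed)");
  }, hardened);
  return s.snapshot();
}
async function signOutDuringMint(hardened: boolean): Promise<string> {
  const s = new AuthSession();
  let release: () => void = () => {};
  const gate = new Promise<void>((resolve) => { release = resolve; });
  const done = runPoller(s, () => gate, hardened);
  s.signOut(); // user cancels while the mint is still in flight
  release();
  await done;
  return s.snapshot();
}
```

With `hardened` set to false both scenarios end in `signed-in:no-token`, the "signed in" state over a wiped session that the description calls out; with it set to true they end in `fatal-error:no-token` and `signed-out:no-token`.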