Guava Docs

General

Frontend Development Guide - Guava Docs
← All Docs

Frontend Development Guide

This guide covers frontend development patterns and conventions for the Guava frontend.

Structure
```
frontend/ ├── app/ │ ├── routes/ # Route components (file-based routing) │ │ ├── home.tsx # / (index route) │ │ ├── auth.login.tsx # /auth/login │ │ ├── residents.tsx # /residents │ │ ├── rotations.tsx # /rotations │ │ ├── rotations.new.tsx # /rotations/new │ │ ├── rotations.$id.tsx # /rotations/:id │ │ ├── call-schedules.tsx # /call-schedules │ │ ├── call-schedules.$id.tsx # /call-schedules/:id │ │ ├── settings.program.tsx # /settings/program │ │ └── p.$token.tsx # /p/:token (public preference entry) │ ├── routes.ts # Route configuration (CRITICAL!) │ ├── gen/ # Generated protobuf types (from backend) │ ├── components/ # UI components │ │ └── ui/ # shadcn/ui components (owned by you) │ ├── lib/ # Shared utilities │ │ ├── connect-client.ts # Connect RPC client setup │ │ ├── auth-context.tsx # Auth state management │ │ ├── query-provider.tsx # React Query setup │ │ └── utils.ts # Utility functions (cn helper) │ ├── root.tsx # Root layout component │ └── app.css # Global styles (Tailwind + shadcn theme)
```
React Router v7 Configuration

CRITICAL: React Router v7 uses explicit route configuration in frontend/app/routes.ts. File names like auth.login.tsx do NOT automatically create routes. You MUST manually register all routes.

When adding a new route: 1. Create the route file in frontend/app/routes/ (e.g., auth.login.tsx) 2. IMMEDIATELY add it to frontend/app/routes.ts: typescript export default [ index("routes/home.tsx"), // / (root) route("auth/login", "routes/auth.login.tsx"), // /auth/login // ... other routes ] satisfies RouteConfig; 3. Run make dev-up to rebuild with the new route

Common mistake: Creating a route file but forgetting to register it in routes.ts results in 404 errors.

Development Commands
```
cd frontend pnpm install # Install dependencies pnpm run dev # Start dev server (usually on :5173 or :5174) pnpm run build # Build for production pnpm run typecheck # Run TypeScript type checking pnpm run lint # Run Biome linting pnpm run lint:fix # Auto-fix linting issues pnpm run format # Format code with Biome pnpm run format:check # Check code formatting
```
UI Components (shadcn/ui)

The frontend uses shadcn/ui - a collection of reusable components built on Radix UI.

Adding New Components:
```
cd frontend pnpm dlx shadcn@latest add [component-name] # e.g., button, input, dialog, tabs
```
Key Features: - Components live in app/components/ui/, you own the code - Built on Radix UI with accessibility support - Tailwind CSS for styling - Documentation: https://ui.shadcn.com/docs

Code Quality & Type Safety

Biome handles linting and formatting (replaces ESLint + Prettier).

Code Style: - Double quotes, semicolons required - 2-space indentation, 100 char line width

Type Safety Requirements: - NO type casting/assertions - Type assertions (as Type) are prohibited except: - as const for literal type narrowing - Context default values in React (e.g., {} as ContextType) - Use type guards and validation - Validate data at runtime instead of asserting - Form data extraction - Use getRequiredFormField() or getOptionalFormField() from ~/lib/form-utils - Strict TypeScript - noUncheckedIndexedAccess and all strict flags enabled - No explicit any - Biome enforces noExplicitAny: "error" - No non-null assertions - Biome enforces noNonNullAssertion: "error"

Type Guard Pattern:
```
// Single source of truth - array defines the type const VALID_THEMES = ["dark", "light", "system"] as const; type Theme = (typeof VALID_THEMES)[number];  function isValidTheme(value: string): value is Theme {  return VALID_THEMES.some((t) => t === value); }  function toTheme(value: string, fallback: Theme = "system"): Theme {  return VALID_THEMES.find((t) => t === value) ?? fallback; }
```
Authentication

The frontend uses HTTP-only cookie authentication:
1. User logs in via /auth/login → backend sets session_token HTTP-only cookie
2. Frontend automatically includes cookies via credentials: "include"
3. Backend validates session from cookie on each request
Key Files: - frontend/app/lib/auth-context.tsx - Manages auth state via getCurrentUser() RPC - frontend/app/lib/connect-client.ts - Provides transport with automatic cookie handling - frontend/app/lib/protected-route.tsx - Wrapper component to protect routes

Making Authenticated API Calls:
```
import { createClient } from "@connectrpc/connect"; import { UserService } from "~/gen/user/v1/user_pb"; import { transport } from "~/lib/connect-client";  function MyComponent() {  const client = createClient(UserService, transport);  // Cookies automatically included }
```
Protecting Routes:
```
import { ProtectedRoute } from "~/lib/protected-route";  export default function MyPage() {  return (  <ProtectedRoute>  <MyPageContent />  </ProtectedRoute>  ); }
```
Data Loading Pattern

Use direct useQuery with a null guard. No loaders, no loading spinners.

Standard Pattern
```
import { useQuery } from "@connectrpc/connect-query"; import { listSites } from "~/gen/site/v1/site-SiteService_connectquery";  function SitesContent() {  const { data } = useQuery(listSites);   if (!data) return null;   // data is guaranteed to exist after this point  const sites = data.sites;  return <SitesList sites={sites} />; }
```
Multiple Queries
```
function ScheduleContent({ id }: { id: string }) {  const { data: scheduleData } = useQuery(getSchedule, { id });  const { data: blocksData } = useQuery(listBlocks, { scheduleId: id });   if (!scheduleData || !blocksData) return null;   // Both guaranteed to exist }
```
Rules
1. No clientLoader exports - Loaders add complexity without benefit
2. No isPending / isLoading checks - Backend is fast, spinners feel slower
3. Guard with if (!data) return null - Shows nothing until data arrives
4. After the guard, data is guaranteed - No optional chaining needed
What Happens at Runtime
- AppLayout (sidebar, header) renders immediately
- Content area is empty for 100-200ms while data fetches
- Data arrives, content appears
- On revisit: cached data shows instantly (stale-while-revalidate)
Program-Scoped Queries

Many endpoints require a programId parameter. To prevent requests from firing with empty programId before the context is initialized, use the program-scoped query hooks from ~/lib/program-queries.ts.

Available hooks: - useProgramResidents() - Fetches residents in the current program - useProgramRotationSchedules() - Fetches rotation schedules in the current program - useProgramAcademicYears() - Fetches academic years in the current program - useProgramCallSchedules() - Fetches call schedules in the current program

How they work: 1. Each hook checks both !isLoading and !!currentProgramId before enabling the query 2. Queries NEVER fire with an empty programId 3. Components render immediately (no blocking spinner) while queries wait for programId

Usage:
```
import { useProgramResidents } from "~/lib/program-queries";  function ResidentsContent() {  const { data } = useProgramResidents();   if (!data) return null;   return <ResidentsList residents={data.residents} />; }
```
CRITICAL: Do NOT call program-scoped endpoints directly:
```
// DON'T DO THIS - risks empty programId const { data } = useQuery(listResidents, { programId: someProgramId ?? "" });  // DO THIS - uses the safe wrapper hook const { data } = useProgramResidents();
```
For other program-scoped endpoints, follow the pattern in program-queries.ts:
```
export function useProgramNewFeature() {  const { currentProgramId, isLoading } = useProgram();  const enabled = !isLoading && !!currentProgramId;  return useConnectQuery(listNewFeature, { programId: currentProgramId ?? "" }, { enabled }); }
```
Data Fetching in Dialogs

Convention: Dialogs receive reference data as props from their parent. They do not fetch it themselves.

Dialog components (modals, drawers, etc.) should not call useQuery or useProgramX() hooks to fetch reference data like rotations, sites, tags, or residents. Instead, the parent component that renders the dialog should fetch shared data and pass it down as props.

Why: - Makes data dependencies explicit — you can see from the outside what a dialog needs - Eliminates duplicate fetching logic when sibling dialogs share the same data - Makes components easier to test in isolation - TanStack Query deduplicates at the network level, but the code-level duplication still obscures intent

Correct:
```
// Parent fetches and passes data function SchedulePage() {  const { data: sitesData } = useProgramSites();  const sites = sitesData?.sites ?? [];   return (  <CreateShiftDialog sites={sites} callScheduleId={id} />  ); }  // Dialog receives data as props interface CreateShiftDialogProps {  sites: Site[];  callScheduleId: string; }  function CreateShiftDialog({ sites, callScheduleId }: CreateShiftDialogProps) {  // Use sites directly — no fetching here }
```
Incorrect:
```
// Dialog fetches its own reference data function CreateShiftDialog({ callScheduleId }: { callScheduleId: string }) {  const { data: sitesData } = useProgramSites(); // DON'T — hoist to parent  const sites = sitesData?.sites ?? []; }
```
Exceptions — dialogs may fetch data internally when: - The query is specific to that dialog and no sibling shares it (e.g., listResidentTagCombinations in a single dialog) - The query depends on dialog-internal state (e.g., a search query typed by the user) - Mutations — dialogs always own their own useConnectMutation calls

Mutation Patterns & Cache Invalidation

All mutation → query invalidation relationships are defined in frontend/app/lib/query-relationships.ts: - Single source of truth for which queries need invalidation after each mutation - Automatic invalidation via MutationCache.onSuccess in query-provider.tsx

Adding a new mutation: 1. Import the mutation from the connect-query generated file 2. Import any query schemas it affects 3. Add an entry to mutationEffects:
```
[createFoo.name]: [listFoos, getFoo],
```
Component mutations:
```
// DO THIS: Simple useMutation with no onSuccess invalidation const createMutation = useMutation(createFoo);  // onSuccess is only for UI state changes const createMutation = useMutation(createFoo, {  onSuccess: () => {  setIsDialogOpen(false);  form.reset();  }, });
```
NEVER manually invalidate in components - the central schema handles it.

Important Files
- frontend/app/routes.ts - Route configuration (MUST be updated when adding routes)
- frontend/app/root.tsx - Root layout with providers
- frontend/app/lib/connect-client.ts - RPC client configuration
- frontend/app/lib/auth-context.tsx - Authentication state management
- frontend/app/lib/query-provider.tsx - TanStack Query with MutationCache auto-invalidation
- frontend/app/lib/query-relationships.ts - Central mutation → query schema
- frontend/app/lib/form-utils.ts - Type-safe form data extraction
- frontend/app/components/ui/ - shadcn/ui components
- frontend/biome.json - Biome linter and formatter configuration
- frontend/tsconfig.json - TypeScript configuration
- frontend/app/gen/ - Generated TypeScript types from protobuf

Local SSO Testing with Keycloak - Guava Docs

Local SSO Testing with Keycloak

This guide explains how to test OIDC and SAML authentication locally using Keycloak.

Prerequisites

Docker installed and running

Quick Start

# 1. Seed SSO test data make seed-sso  # 2. Start dev environment with SSO + Keycloak make dev-sso

make dev-sso starts the database, Keycloak (via Docker Compose sso profile), and the backend with SSO environment variables — all in one command.

Test Credentials

Email	Password	Auth Method
`alice@oidc-test.local`	`password123`	OIDC
`bob@saml-test.local`	`password123`	SAML

Testing OIDC Flow

Go to http://localhost:5173/auth/login
Enter alice@oidc-test.local
Click “Continue”
You’ll be redirected to Keycloak
Log in with password123
You’ll be redirected back to the app, logged in

Testing SAML Flow

Go to http://localhost:5173/auth/login
Enter bob@saml-test.local
Click “Continue”
You’ll be redirected to Keycloak
Log in with password123
You’ll be redirected back to the app, logged in

Keycloak Admin Console

URL: http://localhost:8180
Username: admin
Password: admin

Use this to: - View/edit test users - Check client configurations - Debug SSO issues

Troubleshooting

“OIDC SSO handler registered” not in logs

Ensure you started with make dev-sso (not make dev-up).

“SAML SSO handler registered” not in logs

Ensure SP_CERT and SP_KEY are set and the cert files exist:

ls docker/keycloak/sp-*.pem cat docker/keycloak/sp-cert.pem | head -1 # Should show BEGIN CERTIFICATE

Keycloak not starting

Check Docker logs:

make keycloak-logs

“institution not found” error

Ensure SSO data is seeded:

make seed-sso

Redirect loop or callback errors

Check Keycloak is running: curl http://localhost:8180/health/ready
Check redirect URIs match in Keycloak admin console
Check SSO_ROOT_URL is http://localhost:8080

Makefile Commands

Command	Description
`make dev-sso`	Start backend with SSO + Keycloak
`make keycloak-logs`	Tail Keycloak logs
`make seed-sso`	Seed SSO test data
`make dev-down`	Stop everything (server, DB, Keycloak)

plans

RFC: Sidebar Navigation Restructure - Guava Docs
← All Docs

RFC: Sidebar Navigation Restructure

Date: 2026-03-26 Status: Open for feedback

Problem

The sidebar navigation has 14 items across 3 sections, and it’s not clear what belongs in “Settings” versus the main nav. The Settings section has 7 items that mix program-wide configuration with entity-specific configuration:

Current sidebar:
```
Main Nav ├── Home ├── Residents ├── Didactics ├── Rotations └── Jeopardy Call ├── Schedules └── Fairness Settings (7 items!) ├── Program ├── Academic Years ├── Sites ├── Call Types ← call-specific, not program-wide ├── Call Constraints ← call-specific, not program-wide ├── Users └── Jeopardy ← jeopardy-specific, not program-wide
```
The core confusion: “Call Types” and “Call Constraints” are call-specific config but live in Settings. “Jeopardy” appears in both the main nav and Settings. “Users” is actively managed but sits next to rarely-changed items like “Sites.”

Guiding Principle

The restructure is based on scope — distinguishing between:
- Program-wide configuration — facts about the program that rarely change (academic years, sites, program name/timezone). These are broad and affect everything.
- Entity-specific management — config tied to specific domains (call types, jeopardy settings). These should live near the entities they configure.
Option A: Colocate Config With Its Domain

Move entity-specific configuration into each domain’s collapsible section. Settings shrinks to only program-wide items.
```
Main Nav ├── Home ├── Residents ├── Didactics ├── Rotations └── Jeopardy ├── Schedule └── Settings Call ├── Schedules ├── Fairness ├── Types └── Constraints ──────────────── Settings (program-wide only) ├── Program ├── Academic Years ├── Sites └── Users
```
Pros: - Config lives right next to the thing it configures — intuitive - Settings section becomes small and clearly scoped - Scales well as new domains are added (each domain owns its own config) - Follows the “scope” principle cleanly

Cons: - Some domain sections get longer (Call goes from 2 → 4 items) - May need visual distinction between “use” and “configure” sub-items within a section - “Users” in Settings is debatable — it’s actively managed, not really a “program fact”

Option B: Colocate Config + Promote Users

Same as Option A, but also promotes “Users” out of Settings to a top-level nav item. Settings becomes purely “program facts” — things you set up once.
```
Main Nav ├── Home ├── Residents ├── Didactics ├── Rotations ├── Jeopardy │ ├── Schedule │ └── Settings ├── Users │ ├── Call │ ├── Schedules │ ├── Fairness │ ├── Types │ └── Constraints ──────────────── Program Config ├── General ├── Academic Years └── Sites
```
Pros: - Settings/Program Config is very small (3 items) and clearly scoped to “program facts” - “Users” gets the prominence it deserves as an actively-managed feature - Renamed to “Program Config” makes the scope immediately obvious - Cleanest separation of concerns

Cons: - One more top-level item (Users) - Renaming “Settings” to “Program Config” is a change users need to learn

Questions for the Team
1. Which option do you prefer — A or B? Or a mix?
2. Does “Users” feel like a “program fact” or an actively-managed feature?
3. Should we rename “Settings” to “Program Config” to clarify its scope?
4. Any items that feel like they’re in the wrong place in either proposal?
Please share your thoughts — we’ll finalize the design based on feedback.

superpowers/specs

File Uploads Design - Guava Docs
← All Docs

File Uploads Design

Overview

Add file upload/download support to Guava so that faculty can attach documents (PDFs, Word docs) to entities like didactic sessions, and residents can download them. Eventually residents will also upload files for different use cases.

Files are stored in Cloudflare R2 (S3-compatible, zero egress fees) and served via presigned URLs with short expiry (~15 minutes). The Go backend never proxies file data — it only manages metadata and generates presigned URLs.

Storage

Cloudflare R2 bucket, accessed via the AWS SDK for Go v2 (S3-compatible API).
- R2 key format: programs/{program_id}/{uuid}/{original_filename}
- Namespaced by program to prevent cross-program access at the storage level
- UUID prevents collisions; original filename preserved for clean download URLs
- Zero egress fees — ideal for a self-hosted setup where downloads are frequent
Configuration via environment variables:

Variable Purpose

R2_ACCOUNT_ID Cloudflare account ID

R2_ACCESS_KEY_ID R2 API token key ID

R2_ACCESS_KEY_SECRET R2 API token secret

R2_BUCKET_NAME Bucket name (e.g., guava-files)

Database Schema

files table

Tracks file metadata. Actual bytes live in R2.
```
CREATE TABLE files (  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),  program_id BIGINT NOT NULL REFERENCES programs(id),  uploaded_by BIGINT NOT NULL REFERENCES users(id),  filename TEXT NOT NULL,  content_type TEXT NOT NULL,  size_bytes BIGINT NOT NULL,  r2_key TEXT NOT NULL UNIQUE,  confirmed BOOLEAN NOT NULL DEFAULT false,  created_at TIMESTAMPTZ NOT NULL DEFAULT now() );
```
- confirmed tracks whether the upload to R2 actually completed. Unconfirmed rows are cleaned up periodically.
Association tables

Join tables link files to domain entities. Starting with didactic sessions:
```
CREATE TABLE didactic_session_files (  didactic_session_id BIGINT NOT NULL REFERENCES didactic_sessions(id) ON DELETE CASCADE,  file_id UUID NOT NULL REFERENCES files(id) ON DELETE CASCADE,  PRIMARY KEY (didactic_session_id, file_id) );
```
To attach files to new entity types in the future, add more join tables (e.g., resident_files). The files table stays unchanged.

Upload Flow
1. Client calls CreateUploadURL RPC with filename, content type, size, and the target entity (e.g., didactic session ID).
2. Backend validates auth and permission on the target entity. Generates a UUID, constructs the R2 key, inserts an unconfirmed files row, and generates a presigned PUT URL with constraints:
  - Content-Type must match the declared type
  - Content-Length must not exceed 50MB
  - URL expires in 15 minutes
3. Backend returns the presigned URL and file ID.
4. Client uploads the file directly to R2 via HTTP PUT to the presigned URL.
5. Client calls ConfirmUpload RPC with the file ID.
6. Backend verifies:
  - The caller is the same user who requested the upload
  - The object actually exists in R2 (HEAD request)
  - Size and content type match expectations
7. Backend sets confirmed = true and creates the join table entry (e.g., didactic_session_files row).
Handling upload failures

If the upload to R2 succeeds but the confirm call fails (e.g., user loses internet):
- The files row remains with confirmed = false
- An orphaned object sits in R2
- Cleanup: A background goroutine runs periodically (e.g., every hour) and deletes unconfirmed file records older than 24 hours, along with their R2 objects
Download Flow
1. Client calls GetDownloadURL RPC with the file ID.
2. Backend validates auth — checks the user has access to the entity the file is attached to.
3. Backend generates a presigned GET URL (15 min expiry) and returns it.
4. Client downloads directly from R2 via the presigned URL.
Delete Flow
1. Client calls DeleteFile RPC with the file ID.
2. Backend validates auth and permission.
3. Backend deletes the R2 object, then deletes the files row (cascades to join tables).
Backend Architecture

Feature structure
```
internal/features/file/ ├── service.go # RPC handlers ├── service_test.go # Tests ├── queries.sql # sqlc queries ├── models.go # Type converters └── r2.go # R2 storage client wrapper
```
Storage client interface

Thin wrapper around AWS SDK, makes testing straightforward:
```
type StorageClient interface {  GeneratePresignedPutURL(ctx context.Context, key, contentType string, maxSize int64) (string, error)  GeneratePresignedGetURL(ctx context.Context, key string) (string, error)  HeadObject(ctx context.Context, key string) (*ObjectInfo, error)  DeleteObject(ctx context.Context, key string) error }
```
Production implementation uses the AWS SDK for Go v2 with R2 endpoint configuration. Tests use a mock implementation.

Service constructor

Follows existing pool pattern, plus the storage dependency:
```
type Service struct {  pool *pgxpool.Pool  storage StorageClient }  func NewService(pool *pgxpool.Pool, storage StorageClient) *Service {  return &Service{pool: pool, storage: storage} }
```
Registration

In cmd/server/main.go:
```
storageClient := file.NewR2Client(r2Config) fileService := file.NewService(pool, storageClient) mux.Handle(filev1connect.NewFileServiceHandler(fileService))
```
Proto definition

New proto/file/v1/file.proto:
- CreateUploadURL(CreateUploadURLRequest) returns (CreateUploadURLResponse) — returns presigned PUT URL + file ID
- ConfirmUpload(ConfirmUploadRequest) returns (ConfirmUploadResponse) — verifies and confirms upload
- GetDownloadURL(GetDownloadURLRequest) returns (GetDownloadURLResponse) — returns presigned GET URL
- DeleteFile(DeleteFileRequest) returns (DeleteFileResponse) — deletes file from R2 + DB
- ListFiles(ListFilesRequest) returns (ListFilesResponse) — list files for an entity
RPC details

CreateUploadURLRequest: - filename (string) — original filename - content_type (string) — MIME type - size_bytes (int64) — file size for validation - Entity reference (oneof): didactic_session_id (int64), extensible to other entities

CreateUploadURLResponse: - upload_url (string) — presigned PUT URL - file_id (string) — UUID of the created file record

ConfirmUploadRequest: - file_id (string) — UUID returned from CreateUploadURL

GetDownloadURLRequest: - file_id (string)

GetDownloadURLResponse: - download_url (string) — presigned GET URL - filename (string) — original filename (for UI display) - content_type (string) - size_bytes (int64)

ListFilesRequest: - Entity reference (oneof): didactic_session_id (int64)

ListFilesResponse: - files (repeated File) — file metadata list

File message: - id, filename, content_type, size_bytes, created_at, uploaded_by_name

Frontend Integration

Upload hook

A useFileUpload custom hook:
1. Call createUploadURL mutation via Connect-Web to get presigned URL + file ID
2. PUT the file directly to R2 using fetch (or XMLHttpRequest for progress tracking)
3. Call confirmUpload mutation with the file ID
4. Invalidate the entity’s file list query
Download

Call getDownloadURL → open the presigned URL in a new tab or trigger browser download.

UI components

A reusable FileAttachments component that: - Takes an entity type + ID as props - Displays list of attached files (name, size, upload date) - Handles upload (file picker + drag-and-drop) - Handles download (presigned URL redirect) - Handles delete (with confirmation)

Start by integrating into the didactic session detail page. Reuse for other entities as needed.

Cache invalidation

Add file list queries to frontend/app/lib/query-relationships.ts so that upload/confirm/delete mutations properly invalidate the file list.

Access Control

Files inherit access from their associated entity: - If a user can view the didactic session, they can view and download its files - Upload/delete permissions follow the same rules as modifying the parent entity - The uploaded_by field on files enables “only the uploader can delete” rules if needed later

Presigned URLs provide short-lived (15 min) access without requiring authentication on the R2 side. The auth check happens in the backend when generating the URL.

Testing

Follows existing two-layer approach:
- Query tests: Test sqlc queries with real PostgreSQL via testutil.TestDB(t)
- Service tests: Test RPC handlers with real DB + mock StorageClient
- All tests parallel with t.Parallel() and isolated databases
Dependencies

New Go dependency: - github.com/aws/aws-sdk-go-v2 (+ S3 and presign sub-packages) — R2 is S3-compatible

No new frontend dependencies needed — fetch handles the presigned URL upload.

Variable	Purpose
`R2_ACCOUNT_ID`	Cloudflare account ID
`R2_ACCESS_KEY_ID`	R2 API token key ID
`R2_ACCESS_KEY_SECRET`	R2 API token secret
`R2_BUCKET_NAME`	Bucket name (e.g., `guava-files`)

Guava Docs

General

Frontend Development Guide

Structure

React Router v7 Configuration

Development Commands

UI Components (shadcn/ui)

Code Quality & Type Safety

Authentication

Data Loading Pattern

Standard Pattern

Multiple Queries

Rules

What Happens at Runtime

Program-Scoped Queries

Data Fetching in Dialogs

Mutation Patterns & Cache Invalidation

Important Files

Local SSO Testing with Keycloak

Prerequisites

Quick Start

Test Credentials

Testing OIDC Flow

Testing SAML Flow

Keycloak Admin Console

Troubleshooting

“OIDC SSO handler registered” not in logs

“SAML SSO handler registered” not in logs

Keycloak not starting

“institution not found” error

Redirect loop or callback errors

Makefile Commands

plans

RFC: Sidebar Navigation Restructure

Problem

Guiding Principle

Option A: Colocate Config With Its Domain

Option B: Colocate Config + Promote Users

Questions for the Team

superpowers/specs

File Uploads Design

Overview

Storage

Database Schema

files table

Association tables

Upload Flow

Handling upload failures

Download Flow

Delete Flow

Backend Architecture

Feature structure

Storage client interface

Service constructor

Registration

Proto definition

RPC details

Frontend Integration

Upload hook

Download

UI components

Cache invalidation

Access Control

Testing

Dependencies

`files` table