/* global React, Button, Icon, LoadingSpinner, Pill, StatusDot, EmptyState, Drawer, PlanLimitMeter, ConfirmDialog, Select, useApiResource, apiFetch, fetchOAuthProviders, startOAuthConnect, startOAuthReauthorize, formatDateTime, formatRelative, useToast, StatusBadge, useAuth, requirePaidAction, canUseTenantAction, tenantActionDisabledReason, getPlanLimitState */ const { useEffect: useEffectMcp, useMemo: useMemoMcp, useRef: useRefMcp, useState: useStateMcp } = React; const TOOL_MONITOR_FLIP_MOVER_DURATION_MS = 950; const TOOL_MONITOR_FLIP_SIBLING_DURATION_MS = 760; const TOOL_MONITOR_FLIP_HOLD_DURATION_MS = 1120; const CLI_STATUS_LABELS = { pending: 'Queued', provisioning: 'Provisioning', discovering: 'Discovering', auth_required: 'Auth required', needs_review: 'Ready', ready: 'Ready', failed: 'Failed', archived: 'Archived', }; const SUCCESS_CONNECTION_STATUSES = new Set(['success', 'ok', 'completed']); const DISCOVERY_TERMINAL_STATUSES = new Set(['completed', 'failed', 'canceled']); function cliStatusLabel(status) { return CLI_STATUS_LABELS[status] || status || 'Unknown'; } function cliStatusTone(status) { if (status === 'ready' || status === 'needs_review') return 'ok'; if (status === 'failed' || status === 'archived') return 'bad'; if (status === 'pending' || status === 'provisioning' || status === 'discovering' || status === 'auth_required') return 'warn'; return 'neutral'; } function formatCliRiskLabel(risk) { if (risk === 'read') return 'Read-only'; if (risk === 'mutating') return 'Side-effecting'; return 'Risk unknown'; } function cliRiskBadgeClass(risk) { if (risk === 'read') return 'badge-success'; if (risk === 'mutating') return 'badge-fail'; return 'badge-neutral'; } function renderCliHelpDetails(help, fallbackExcerpt = '', { suppressSummary = false } = {}) { if (!help || typeof help !== 'object') { const legacy = String(fallbackExcerpt || '').trim(); return legacy ? 
{legacy.slice(0, 420)}
: null; } const args = Array.isArray(help.arguments) ? help.arguments : []; const options = Array.isArray(help.options) ? help.options : []; const showSummary = !suppressSummary && Boolean(help.summary); if (!help.usage && !showSummary && args.length === 0 && options.length === 0) { const legacy = String(fallbackExcerpt || '').trim(); return legacy ? 
{legacy.slice(0, 420)}
: null; } return (
{help.usage &&
{help.usage}
} {showSummary &&
{help.summary}
} {args.length > 0 && (
Arguments
{args.map((arg) => (
{arg.name} {arg.description && {arg.description}}
))}
)} {options.length > 0 && (
Options
{options.map((option) => { const flag = option.valueName ? `${option.flag} <${option.valueName}>` : option.flag; return (
{flag} {option.description && {option.description}}
); })}
)}
); } function isConnectionSuccessStatus(status) { return SUCCESS_CONNECTION_STATUSES.has(status); } function hostedRuntimeDiagnostic(detail) { const text = String(detail || '').trim(); const match = text.match(/Sandbox stderr(?: \(tail\))?:\s*([\s\S]+)/i); const diagnostic = String(match?.[1] || '').replace(/\s+/g, ' ').trim(); if (!diagnostic) return ''; return diagnostic.length > 240 ? `${diagnostic.slice(0, 240)}...` : diagnostic; } function targetUserErrorMessage(errorCode, targetKind = 'mcp', context = 'runtime', detail = '') { const code = String(errorCode || '').toLowerCase(); const diagnostic = hostedRuntimeDiagnostic(detail); if (context === 'provisioning') { if (/package_lifecycle_scripts_blocked|lifecycle scripts?|preinstall|postinstall/.test(code)) return 'This package needs install lifecycle scripts, which are disabled in hosted setup. Choose a package that installs without lifecycle scripts or provide a prebuilt CLI package.'; if (/package_not_found|npm e404|404 not found/.test(code)) return 'The npm package or pinned version could not be found. Check the package name and exact version.'; if (/package_integrity_mismatch|eintegrity|integrity checksum/.test(code)) return 'The npm package failed integrity verification. Retry after confirming the package version in the registry.'; if (/package_network_timeout|etimedout|econnreset|enotfound|network timeout/.test(code)) return 'The package install could not reach the npm registry before timing out. Retry provisioning.'; if (/package_install_failed|npm err|install failed/.test(code)) return 'npm install failed for this package. Check that the package can install with lifecycle scripts disabled.'; } if (targetKind === 'cli') { if (/auth|401|403|unauthorized|forbidden/.test(code)) return 'Authentication failed. Check the configured secret and environment variable.'; if (/timeout|timed_out/.test(code)) return 'The CLI did not respond before the timeout.'; if (/artifact_not_ready/.test(code)) return 'The CLI package is still installing. Command discovery will run after setup finishes.'; if (/package_bin_not_found|node_modules\/\.bin/.test(code)) return 'The package does not expose the configured command bin. Check the bin name published by the npm package.'; if (/not_found|enoent|command/.test(code)) return 'The configured CLI command could not be found in the hosted runtime.'; return 'We could not finish setting up this CLI. Check the package, version, command name, and whether it can run with --help.'; } if (/package_bin_not_found|node_modules\/\.bin/.test(code)) return 'The package does not expose the configured command bin. Check the bin name published by the npm package.'; if (/package_crashed_at_startup/.test(code)) { return diagnostic ? `The hosted package exited before tools could be discovered. Runtime stderr: ${diagnostic}` : 'The hosted package exited before tools could be discovered. The package installed, but its MCP process closed during startup; retry provisioning or check its startup requirements.'; } if (/auth|401|403|unauthorized|forbidden/.test(code)) return "Authentication failed. Check this server's auth profile."; if (/timeout|timed_out/.test(code)) return 'The MCP server did not respond before the timeout.'; if (/network|connection|closed|econn|unreachable/.test(code)) return 'We could not reach this MCP server. Check the URL and server availability.'; return "We could not complete the connection test. Check this target's configuration and try again."; } const CLI_PENDING_STATUSES = new Set(['pending', 'provisioning', 'discovering']); const EXACT_SEMVER_RE = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-[0-9A-Za-z.-]+)?$/; // Pinned to four phases that match the backend provisioning state machine. // The timeline CSS in styles.css (`.cli-setup-timeline-track` insets, // `.cli-setup-timeline-nodes` grid columns) hardcodes 4 — keep these in sync // if the phase set ever changes. const CLI_SETUP_STEPS = [ { status: 'pending', label: 'Queued' }, { status: 'provisioning', label: 'Installing package' }, { status: 'discovering', label: 'Discovering commands' }, { status: 'ready', label: 'Commands ready' }, ]; function isExactSemver(value) { return EXACT_SEMVER_RE.test(value); } // Translate the provisioning run row into one of the four UI step statuses. // The server row's `provisioning_status` already exposes the phase when // available; this is the fallback when only the run row is fetched. function mapProvisioningRunToStatus(runStatus, phase) { if (runStatus === 'failed' || runStatus === 'canceled') return 'failed'; if (phase === 'discovering') return 'discovering'; if (runStatus === 'completed') return 'discovering'; if (phase === 'provisioning' || phase === 'installing') return 'provisioning'; if (runStatus === 'running') return 'provisioning'; return 'pending'; } function cliSetupCopy(status, setupKind = 'cli', errorCode = null) { const isCliSetup = setupKind === 'cli'; if (status === 'auth_required') { return { title: isCliSetup ? 'Authentication required' : 'Connect OAuth to finish setup', body: isCliSetup ? 'Setup paused because this CLI needs authentication before commands can be discovered.' : 'Setup paused until OAuth is connected. Open the target to finish authorization, then provisioning can continue.', tone: 'warn', }; } if (status === 'failed') { return { title: 'Setup failed', body: errorCode ? targetUserErrorMessage(errorCode, isCliSetup ? 'cli' : 'mcp', 'provisioning') : isCliSetup ? 'We could not finish setting up this CLI. Check the package, version, command name, and whether it can run with --help.' : 'We could not finish setting up this MCP server. Check the package, version, command name, and whether it exposes MCP tools.', tone: 'bad', }; } if (status === 'ready' || status === 'needs_review') { return { title: isCliSetup ? 'CLI ready' : 'MCP server ready', body: isCliSetup ? 'Setup finished and commands are ready to use.' : 'Setup finished and tools are ready to use.', tone: 'ok', }; } if (status === 'discovering') { return { title: isCliSetup ? 'Discovering commands' : 'Discovering tools', body: isCliSetup ? 'The package installed. We are reading the CLI help output and building the command catalog.' : 'The package installed. We are reading the MCP tool list and building the tool catalog.', tone: 'warn', }; } if (status === 'provisioning') { return { title: 'Installing package', body: 'We are installing the pinned npm package in a hosted runtime.', tone: 'warn', }; } return { title: 'Setup queued', body: isCliSetup ? 'Provisioning has started. You can keep this open while we prepare the CLI.' : 'Provisioning has started. You can keep this open while we prepare the MCP server.', tone: 'warn', }; } const HOSTED_MCP_SOURCE_REMOTE = 'remote_url'; const HOSTED_MCP_SOURCE_NPM = 'npm_package'; const HOSTED_OAUTH_ENV_BY_PROVIDER = { allowance: 'ALLOWANCE_ACCESS_TOKEN', linear: 'LINEAR_ACCESS_TOKEN', }; const HOSTED_ENV_VAR_RE = /^[A-Z_][A-Z0-9_]*$/; const RESERVED_HOSTED_ENV_VARS = new Set([ 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN', 'PATH', 'HOME', 'SHELL', 'NODE_OPTIONS', ]); const HOSTED_AUTH_ENV_DEFAULTS = new Set([ 'ACME_API_KEY', 'ACME_ACCESS_TOKEN', ...Object.values(HOSTED_OAUTH_ENV_BY_PROVIDER), ]); function hostedOauthEnvVar(providerSlug) { return HOSTED_OAUTH_ENV_BY_PROVIDER[String(providerSlug || '').toLowerCase()] || 'ACME_ACCESS_TOKEN'; } function validateHostedEnvVar(value) { const envVar = String(value || '').trim(); if (!envVar) return 'Environment variable is required for hosted MCP authentication'; if (!HOSTED_ENV_VAR_RE.test(envVar)) return 'Environment variable must use uppercase letters, numbers, and underscores'; if (RESERVED_HOSTED_ENV_VARS.has(envVar)) return 'That environment variable name is reserved'; return ''; } function defaultAuthProfileForServer(server, authProfiles) { if (!server) return null; if (server.default_auth_profile) return server.default_auth_profile; const profiles = Array.isArray(server.auth_profiles) ? server.auth_profiles : authProfiles; if (!Array.isArray(profiles)) return null; return profiles.find((profile) => profile?.is_default) || null; } const OAUTH_POPUP_NAME_PREFIX = 'armature-mcp-oauth-'; const OAUTH_POPUP_FEATURES = 'width=920,height=760'; const OAUTH_POPUP_POLL_MS = 500; const OAUTH_BROADCAST_CHANNEL = 'armature:mcp-oauth'; const MCP_OAUTH_SAME_TAB_FLOW_STORAGE_KEY = 'armature:mcp-oauth-same-tab-flow'; function generateOauthFlowId() { // crypto.randomUUID is supported wherever BroadcastChannel is, but fall // back to a Math.random-based id so we never throw if the dashboard ever // ends up running in a context that doesn't expose it. try { if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') { return crypto.randomUUID(); } } catch (_error) {} return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`; } function payloadToOutcome(data) { if (!data) return null; if (data.type === 'armature:mcp-oauth-connected') { return { outcome: 'connected', profileId: data.profileId || null }; } if (data.type === 'armature:mcp-oauth-failed') { return { outcome: 'failed', code: data.code || 'oauth_error', message: data.message || 'OAuth authorization failed.', }; } if (data.type === 'armature:mcp-oauth-pending') { return { outcome: 'pending', reason: data.reason || 'oauth_pending', profileId: data.profileId || null, }; } return null; } // Open the OAuth authorize URL in a named popup, focus it, and resolve once // the popup either posts a result back (via the bootstrap shim in // Armature.html that runs when our /?oauth=... callback page loads) or is // closed by the user. Keeping the popup separate from the original tab is // what lets the user resume the rest of the connect wizard (probe, tool // monitor selection) once the provider is done. // // Returns one of: // { outcome: 'connected', profileId } // { outcome: 'failed', code, message } // { outcome: 'pending', reason, profileId } // { outcome: 'closed' } // user closed popup before we got a result // { outcome: 'navigated' } // popup blocked, current tab navigated instead // // `options.onPopupOpened(popup)` lets the caller hold the popup reference // (e.g. to wire a "Cancel" button in the parent UI to popup.close()). async function openOAuthPopup(authorizationUrl, options) { const onPopupOpened = options && options.onPopupOpened; // Each call gets a unique flow id so concurrent OAuth flows (e.g. user // starts a connect popup, then triggers a reconnect from the slideover // before finishing the first one) don't cross-resolve each other's // promises. Two discriminators are needed: // - `event.source === popup` for the postMessage path. // - `data.flowId === flowId` for the BroadcastChannel path, since BC // events have no `source` we can compare against. // // The flow id ALWAYS comes from the server when available (`startResult. // clientFlowId`, plumbed through `options.flowId`). The server stitches // it back into the popup's `/?oauth=...` redirect URL (via the OAuth // state row id) so the shim can read it from `URLSearchParams` even when // the OAuth provider ships `Cross-Origin-Opener-Policy: same-origin` — // COOP triggers a browsing-context-group switch that wipes // `window.name`, which would otherwise be the only place the shim could // recover the flow id. Notion is the canonical example. // We still echo flowId into `window.name` as a best-effort fallback for // providers that don't ship COOP and the legacy pre-server-echo path. const flowId = (options && options.flowId) || generateOauthFlowId(); const popupName = `${OAUTH_POPUP_NAME_PREFIX}${flowId}`; // Security trade-off: we deliberately omit `noopener` here so we can keep // the `Window` reference (needed to detect popup blockers via `null`, // call `popup.focus()`, poll `popup.closed`, and route the postMessage // result via `event.source`). The cost is that pages loaded inside the // popup — including the OAuth provider's own pages — can read // `window.opener`. The provider can't read our DOM (cross-origin), and // since Chrome 88 / equivalent, cross-origin opener navigation // (`window.opener.location = ...`) is also blocked, so the practical // attack surface is limited to providers we already trust to host an // authorization endpoint. The postMessage handshake is locked down with // `event.source === popup` and `event.origin === window.location.origin` // checks below; the BroadcastChannel handshake is implicitly same-origin. const popup = window.open(authorizationUrl, popupName, OAUTH_POPUP_FEATURES); if (!popup) { try { window.sessionStorage?.setItem(MCP_OAUTH_SAME_TAB_FLOW_STORAGE_KEY, flowId); } catch (_error) {} window.location.href = authorizationUrl; return { outcome: 'navigated' }; } try { popup.focus(); } catch (_error) {} if (typeof onPopupOpened === 'function') { try { onPopupOpened(popup); } catch (_error) {} } return new Promise((resolve) => { let resolved = false; let pollerId = 0; // BroadcastChannel is the primary completion signal. It works // regardless of whether window.opener survives — many providers ship // Cross-Origin-Opener-Policy: same-origin on their login pages, which // severs the opener relationship permanently even after the popup // navigates back to our origin. postMessage-via-opener silently drops // in that case, but BroadcastChannel keeps working since both contexts // are on our origin. let channel = null; try { if (typeof BroadcastChannel !== 'undefined') channel = new BroadcastChannel(OAUTH_BROADCAST_CHANNEL); } catch (_error) {} function settle(result) { if (resolved) return; resolved = true; window.removeEventListener('message', onMessage); if (channel) { try { channel.removeEventListener('message', onChannelMessage); } catch (_error) {} try { channel.close(); } catch (_error) {} channel = null; } if (pollerId) { try { window.clearInterval(pollerId); } catch (_error) {} pollerId = 0; } try { if (!popup.closed) popup.close(); } catch (_error) {} try { window.focus(); } catch (_error) {} resolve(result); } function onMessage(event) { if (event.source !== popup) return; if (event.origin !== window.location.origin) return; const result = payloadToOutcome(event.data); if (result) settle(result); } function onChannelMessage(event) { const data = event && event.data; if (!data) return; // Strict per-flow filter: the BroadcastChannel is global to the // origin, so messages from a sibling popup must be ignored. The shim // always echoes back the flow id encoded in window.name, so the // absence of `flowId` is itself disqualifying. if (data.flowId !== flowId) return; const result = payloadToOutcome(data); if (result) settle(result); } window.addEventListener('message', onMessage); if (channel) { try { channel.addEventListener('message', onChannelMessage); } catch (_error) {} } pollerId = window.setInterval(() => { if (!popup.closed) return; settle({ outcome: 'closed' }); }, OAUTH_POPUP_POLL_MS); }); } // ----- Loopback paste-back OAuth flow ---------------------------------- // Some MCP authorization servers (Vercel) restrict redirect URIs to loopback // (`http://127.0.0.1:*` only). The /start API registers a loopback DCR client // and signals `redirectUriMode === 'loopback'`. Since the user's browser // can't reach that loopback after the AS redirect, we open the authorize URL // in a popup and ask the user to paste the resulting URL back here — we // can't auto-extract it because the popup is on a cross-origin "site can't // be reached" page. The pasted URL goes to // /api/auth-profiles/oauth/paste-callback on the server, which extracts // code+state and runs the same token-exchange path as the regular GET // callback. // // The modal is two-phase so the user reads the instructions BEFORE the // popup opens (otherwise they'd be looking at the consent screen by the // time the directions render and might miss the "copy the address bar" // step). Phase 1 is "ready" — instructions + Open sign-in button. Phase 2 // is "awaiting_paste" — popup is open, paste textarea is focused, and the // user can re-open sign-in if they forgot to copy the URL the first time. // // This is implemented as a module-scoped imperative controller (registered // by ``) so any descendant component can call // `presentLoopbackOAuthFlow(url)` without threading props through the tree. let activeLoopbackOAuthController = null; const LOOPBACK_POPUP_NAME = 'armature-mcp-oauth-loopback'; const LOOPBACK_POPUP_FEATURES = 'width=920,height=760'; const LOOPBACK_POPUP_POLL_MS = 500; const LOOPBACK_PASTE_PREFIX = 'http://127.0.0.1:'; function setLoopbackOAuthController(controller) { activeLoopbackOAuthController = controller; } function presentLoopbackOAuthFlow(authorizationUrl) { if (!activeLoopbackOAuthController) { return Promise.resolve({ outcome: 'failed', code: 'loopback_modal_unmounted', message: 'OAuth paste-back UI is not mounted; refresh the page and try again.', }); } return activeLoopbackOAuthController.present(authorizationUrl); } // Single entry point used by the connect / reconnect / hosted-OAuth flows. // Branches on `redirectUriMode` from /start so callers don't have to. The // loopback flow does NOT auto-open a window: the modal opens first so the // user can read the instructions, and the popup is opened by the user's // own click inside the modal. That click also serves as the user-gesture // the popup blocker requires. async function runMcpOAuthFlow(startResult, options) { if (startResult?.redirectUriMode === 'loopback' && startResult.authorizationUrl) { return presentLoopbackOAuthFlow(startResult.authorizationUrl); } // Forward the server-issued `clientFlowId` so the BroadcastChannel // listener can match the result that flows back via the popup-shim path // even when the OAuth provider's COOP wipes `window.name` mid-flow. return openOAuthPopup(startResult.authorizationUrl, { ...(options || {}), flowId: startResult?.clientFlowId || (options && options.flowId) || null, }); } function LoopbackOAuthModalRoot() { const [pending, setPending] = useStateMcp(null); const [phase, setPhase] = useStateMcp('ready'); // 'ready' | 'awaiting_paste' const [pastedUrl, setPastedUrl] = useStateMcp(''); const [submitting, setSubmitting] = useStateMcp(false); const [errorMessage, setErrorMessage] = useStateMcp(''); const [popupClosedHint, setPopupClosedHint] = useStateMcp(false); const [clipboardError, setClipboardError] = useStateMcp(''); const textareaRef = useRefMcp(null); const popupRef = useRefMcp(null); const popupPollRef = useRefMcp(0); function clearPopupPoller() { if (popupPollRef.current) { try { window.clearInterval(popupPollRef.current); } catch (_error) {} popupPollRef.current = 0; } } function watchPopup(popup) { clearPopupPoller(); popupRef.current = popup; setPopupClosedHint(false); if (!popup) return; popupPollRef.current = window.setInterval(() => { if (!popup.closed) return; clearPopupPoller(); popupRef.current = null; setPopupClosedHint(true); }, LOOPBACK_POPUP_POLL_MS); } useEffectMcp(() => { setLoopbackOAuthController({ present: (authorizationUrl) => new Promise((resolve) => { // Resolve any in-flight prior present() before overwriting it so the // caller's awaited promise doesn't orphan. Concurrent presentations // are rare in practice (the connect/reconnect buttons are disabled // while an OAuth flow is running) but possible across separate // descendants (e.g. TargetSourcesPage + an open McpServerDetail). setPending((prev) => { if (prev?.resolve) { try { prev.resolve({ outcome: 'superseded' }); } catch (_error) { // Ignored: previous caller already cleaned up. } } return { authorizationUrl, resolve }; }); setPhase('ready'); setPastedUrl(''); setErrorMessage(''); setClipboardError(''); setSubmitting(false); setPopupClosedHint(false); clearPopupPoller(); popupRef.current = null; }), }); return () => { setLoopbackOAuthController(null); clearPopupPoller(); }; }, []); useEffectMcp(() => { if (phase === 'awaiting_paste' && textareaRef.current) { try { textareaRef.current.focus(); } catch (_error) {} } }, [phase]); useEscapeToClose({ enabled: Boolean(pending), disabled: submitting, onClose: () => finalize({ outcome: 'closed' }), }); if (!pending) return null; function finalize(outcome) { const resolve = pending.resolve; clearPopupPoller(); try { popupRef.current?.close?.(); } catch (_error) {} popupRef.current = null; setPending(null); setPhase('ready'); setPastedUrl(''); setErrorMessage(''); setClipboardError(''); setSubmitting(false); setPopupClosedHint(false); resolve(outcome); } function openSignInPopup() { setClipboardError(''); setErrorMessage(''); setPopupClosedHint(false); let popup = null; try { // Use a sized popup (not _blank) so it sits next to the modal and the // user can see the modal's "paste below" instructions while reading // the address bar in the popup. The popup blocker only allows // window.open from a synchronous user gesture, which the click on // this button satisfies. popup = window.open(pending.authorizationUrl, LOOPBACK_POPUP_NAME, LOOPBACK_POPUP_FEATURES); } catch (_error) { popup = null; } if (!popup) { // Popup blocker swallowed it. Fall back to a new tab so the user can // still complete the flow; they'll need to alt-tab back to paste. try { window.open(pending.authorizationUrl, '_blank', 'noopener'); } catch (_error) {} } else { try { popup.focus(); } catch (_error) {} watchPopup(popup); } setPhase('awaiting_paste'); } async function pasteFromClipboard() { setClipboardError(''); setErrorMessage(''); if (!navigator?.clipboard?.readText) { setClipboardError("Your browser doesn't expose clipboard access. Paste manually with Cmd/Ctrl+V."); return; } try { const text = await navigator.clipboard.readText(); const trimmed = String(text || '').trim(); if (!trimmed) { setClipboardError('Clipboard is empty.'); return; } setPastedUrl(trimmed); if (!trimmed.startsWith(LOOPBACK_PASTE_PREFIX)) { setClipboardError(`That doesn't look like the loopback URL. It should start with ${LOOPBACK_PASTE_PREFIX}`); } } catch (error) { setClipboardError(error?.message || 'Could not read from clipboard. Paste manually with Cmd/Ctrl+V.'); } } async function handleSubmit(event) { event?.preventDefault?.(); const trimmed = pastedUrl.trim(); if (!trimmed) { setErrorMessage('Paste the URL from the popup\'s address bar first.'); return; } setSubmitting(true); setErrorMessage(''); setClipboardError(''); try { const result = await apiFetch('/api/auth-profiles/oauth/paste-callback', { method: 'POST', body: JSON.stringify({ pastedUrl: trimmed }), }); finalize({ outcome: 'connected', profileId: result.profileId || null, hostedDiscoveryDeferred: result.hostedDiscoveryDeferred || null, }); } catch (error) { setErrorMessage(error?.message || 'Could not complete OAuth.'); setSubmitting(false); } } const isReadyPhase = phase === 'ready'; const pasteLooksValid = pastedUrl.trim().startsWith(LOOPBACK_PASTE_PREFIX); const subtitle = isReadyPhase ? "This provider only accepts a localhost callback, so we can't auto-detect when sign-in finishes. Read the steps below before opening the popup." : 'Approve the permissions in the popup, copy the address-bar URL, then paste it below.'; const modal = (
{ if (event.target === event.currentTarget && !submitting) finalize({ outcome: 'closed' }); }}>
{isReadyPhase ? 'Manual sign-in required' : 'Paste the redirect URL'}
{subtitle}
  1. Click "Open sign-in"
    A small window will pop up with the provider's sign-in page.
  2. Approve the permissions
    Sign in and grant access in the popup.
  3. Copy the URL from the popup
    After you approve, the popup will show "This site can't be reached"{' '} — that's expected. Copy the full URL from the popup's address bar{' '} (it starts with {LOOPBACK_PASTE_PREFIX}).
  4. Paste it below
    {isReadyPhase ? 'The text box below activates after you open sign-in.' : 'Paste it here to finish connecting.'}