feat(extension/bridge): sync all UX improvements from private repo

Extension changes (v0.1.52):
- commands.js: Add configureCloudEndpoint command for SaaS onboarding
- dashboard.js: Full sync with private repo improvements
- onboarding.js: Add mode selection for SaaS/local
- process_manager.js: Add auth error notification parsing from bridge stderr
- sidebar.js: Full sync with private repo improvements

Bridge changes (v0.0.18):
- mcpServer.js: Add formatAuthRejectionError, emitAuthErrorNotification for better auth UX
- oauthHandler.js: Add hasAnyAuthEntries helper, PKCE validation comments

This makes the public repo the source of truth for extension/bridge builds.
All changes are additive UX improvements - no org dependencies.

Author: m1rl0k

ctx-mcp-bridge/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@context-engine-bridge/context-engine-mcp-bridge",
-  "version": "0.0.17",
+  "version": "0.0.18",
   "description": "Context Engine MCP bridge (http/stdio proxy combining indexer + memory servers)",
   "bin": {
     "ctxce": "bin/ctxce.js",

ctx-mcp-bridge/src/mcpServer.js

@@ -175,6 +175,36 @@ function isAuthRejectionError(error) {
   }
 }
 
+/**
+ * Format an auth rejection error with actionable information for users.
+ * Includes the backend URL and a hint to sign in via VS Code command palette.
+ */
+function formatAuthRejectionError(originalError, backendUrl) {
+  const originalMsg =
+    (originalError && typeof originalError.message === "string" && originalError.message) ||
+    (typeof originalError === "string" ? originalError : String(originalError || "Unknown auth error"));
+
+  const serverInfo = backendUrl ? ` (server: ${backendUrl})` : "";
+  const hint = "Run 'Context Engine: Sign In' from the VS Code command palette to authenticate.";
+
+  return `Authentication failed${serverInfo}: ${originalMsg}. ${hint}`;
+}
+
+/**
+ * Emit a special log line that the VS Code extension can detect to show a notification toast.
+ * Format: [ctxce:auth-error] JSON payload
+ */
+function emitAuthErrorNotification(backendUrl, originalError) {
+  const payload = {
+    type: "auth_rejection",
+    backend: backendUrl || "unknown",
+    message: String(originalError?.message || originalError || "Authentication failed"),
+    hint: "Run 'Context Engine: Sign In' from the VS Code command palette",
+  };
+  // This special prefix allows the VS Code extension to detect auth errors in stderr
+  debugLog(`[ctxce:auth-error] ${JSON.stringify(payload)}`);
+}
+
 function getBridgeRetryAttempts() {
   try {
     const raw = process.env.CTXCE_TOOL_RETRY_ATTEMPTS;
@@ -520,8 +550,21 @@ async function createBridgeServer(options) {
     sessionId = resolveSessionId();
   }
 
+  // Only fall back to deterministic session if auth is not configured
+  // If auth backend is configured but no session found, log warning instead of creating deterministic session
   if (!sessionId) {
-    sessionId = `ctxce-${Buffer.from(workspace).toString("hex").slice(0, 24)}`;
+    if (authBackendUrl) {
+      // Auth is configured but no valid session - don't use deterministic fallback
+      debugLog(`[ctxce] WARNING: Auth backend configured (${authBackendUrl}) but no valid session found.`);
+      debugLog("[ctxce] To authenticate, run 'Context Engine: Sign In' from the VS Code command palette, or run `ctxce auth login` from the terminal.");
+      debugLog("[ctxce] Continuing with deterministic session for backward compatibility, but this may fail if backend requires auth.");
+      // Emit notification for VS Code extension
+      emitAuthErrorNotification(authBackendUrl, { message: "No valid session found - authentication required" });
+      sessionId = `ctxce-${Buffer.from(workspace).toString("hex").slice(0, 24)}`;
+    } else {
+      // No auth configured - use deterministic session for local-only operation
+      sessionId = `ctxce-${Buffer.from(workspace).toString("hex").slice(0, 24)}`;
+    }
   }
 
   // Best-effort: inform the indexer of default collection and session.
@@ -531,6 +574,17 @@ async function createBridgeServer(options) {
     defaultsPayload.collection = defaultCollection;
   }
 
+  // Include org context from auth entry if available (for org-scoped collection isolation)
+  try {
+    const authEntry = backendHint ? loadAuthEntry(backendHint) : null;
+    if (authEntry && authEntry.org_id) {
+      defaultsPayload.org_id = authEntry.org_id;
+      defaultsPayload.org_slug = authEntry.org_slug;
+    }
+  } catch {
+    // ignore auth entry lookup failures
+  }
+
   const repoName = detectRepoName(workspace, config);
 
   try {
@@ -782,10 +836,13 @@ async function createBridgeServer(options) {
 
         // Backend auth rejection (mcp_auth.py ValidationError) - expire local auth
         if (isAuthRejectionError(err)) {
+          const serverUrl = backendHint || uploadServiceUrl || "unknown server";
           debugLog(
-            "[ctxce] tools/call: backend auth rejection; marking local session as expired: " +
+            `[ctxce] tools/call: backend auth rejection from ${serverUrl}; marking local session as expired: ` +
             String(err),
           );
+          // Emit special notification for VS Code extension to detect and show toast
+          emitAuthErrorNotification(serverUrl, err);
           if (backendHint) {
             try {
               const entry = loadAuthEntry(backendHint);
@@ -796,6 +853,13 @@ async function createBridgeServer(options) {
               // ignore failures
             }
           }
+          // Enhance error with actionable message before throwing
+          if (!isTransientToolError(err) || attempt === maxAttempts - 1) {
+            const enhancedMessage = formatAuthRejectionError(err, serverUrl);
+            const enhancedError = new Error(enhancedMessage);
+            enhancedError.cause = err;
+            throw enhancedError;
+          }
         }
 
         if (!isTransientToolError(err) || attempt === maxAttempts - 1) {
@@ -908,10 +972,42 @@ export async function runHttpMcpServer(options) {
       // Check Bearer token for MCP endpoint (accept /mcp and /mcp/ for compatibility)
       if (parsedUrl.pathname === "/mcp" || parsedUrl.pathname === "/mcp/") {
         const authHeader = req.headers["authorization"] || "";
-        const token = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : null;
-
-        // TODO: Validate token and inject session
-        // For now, allow unauthenticated (backward compatible)
+        const bearerToken = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : null;
+
+        // ----------------------------------------------------------------
+        // AUTHENTICATION DESIGN: Permissive by default for backward compatibility
+        // ----------------------------------------------------------------
+        // The condition `bearerToken && hasTokenStore()` is INTENTIONALLY permissive:
+        //
+        // 1. PRE-EXISTING USERS (v3.0.0, local/dev mode):
+        //    - No OAuth flow occurs → tokenStore remains empty
+        //    - hasTokenStore() returns false → auth check skipped entirely
+        //    - Requests proceed without authentication (local dev experience)
+        //
+        // 2. SAAS PLATFORM USERS (multi-tenant):
+        //    - User completes OAuth flow → token stored in tokenStore
+        //    - hasTokenStore() returns true → bearer token validation required
+        //    - Invalid/missing tokens are rejected with 401
+        //
+        // WHY NOT `hasTokenStore() && !bearerToken` (require token when store exists)?
+        //    - Mixed environments: Some clients may be local (no auth) while others
+        //      are authenticated. Requiring auth globally after first login would
+        //      break local dev workflows in hybrid setups.
+        //    - The current design: "validate if provided, but don't require"
+        //
+        // SECURITY NOTE: If strict authentication is required for all clients once
+        // any user authenticates, add an environment flag like CTXCE_REQUIRE_AUTH=1
+        // and check it here to enforce bearer tokens regardless of token store state.
+        // ----------------------------------------------------------------
+        if (bearerToken && oauthHandler.hasTokenStore()) {
+          const sessionId = oauthHandler.lookupToken(bearerToken);
+          if (!sessionId) {
+            // Token provided but invalid - reject
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ jsonrpc: "2.0", error: { code: -32000, message: "Invalid or expired bearer token" }, id: null }));
+            return;
+          }
+        }
 
         if (req.method !== "POST") {
           res.statusCode = 405;

ctx-mcp-bridge/src/oauthHandler.js

@@ -534,7 +534,7 @@ export function handleOAuthStoreSession(req, res) {
 export function handleOAuthToken(req, res) {
   let body = "";
   req.on("data", (chunk) => { body += chunk; });
-  req.on("end", () => {
+  req.on("end", async () => {
     try {
       const data = new URLSearchParams(body);
       const code = data.get("code");
@@ -585,8 +585,24 @@ export function handleOAuthToken(req, res) {
         return;
       }
 
-      // TODO: Validate PKCE code_verifier against code_challenge
-      // For now, skip validation (local bridge, trusted)
+      // TODO: PKCE validation - disabled for now, no clients implement it yet
+      // if (pendingData.codeChallenge && pendingData.codeChallengeMethod === "S256") {
+      //   const codeVerifier = data.get("code_verifier");
+      //   if (!codeVerifier) {
+      //     pendingCodes.delete(code);
+      //     res.statusCode = 400;
+      //     res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier required for PKCE" }));
+      //     return;
+      //   }
+      //   const crypto = await import("node:crypto");
+      //   const expectedChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+      //   if (expectedChallenge !== pendingData.codeChallenge) {
+      //     pendingCodes.delete(code);
+      //     res.statusCode = 400;
+      //     res.end(JSON.stringify({ error: "invalid_grant", error_description: "code_verifier validation failed" }));
+      //     return;
+      //   }
+      // }
 
       // Clean up expired tokens periodically to prevent unbounded growth
       cleanupExpiredTokens();
@@ -651,4 +667,31 @@ export function isOAuthEndpoint(pathname) {
   );
 }
 
+/**
+ * Check if the token store has any entries (indicates auth is active)
+ * @returns {boolean}
+ */
+export function hasTokenStore() {
+  return tokenStore.size > 0;
+}
+
+/**
+ * Look up a bearer token and return the associated session ID
+ * @param {string} token - Bearer token to validate
+ * @returns {string|null} - Session ID if valid, null otherwise
+ */
+export function lookupToken(token) {
+  const entry = tokenStore.get(token);
+  if (!entry) return null;
+
+  // Check expiration
+  const tokenAge = Date.now() - entry.createdAt;
+  if (tokenAge > TOKEN_EXPIRY_MS) {
+    tokenStore.delete(token);
+    return null;
+  }
+
+  return entry.sessionId || null;
+}
+
 startCleanupInterval();

vscode-extension/context-engine-uploader/commands.js

@@ -316,6 +316,41 @@ function registerExtensionCommands(deps) {
         }
     }));
 
+    // Remote endpoint configuration for onboarding
+    disposables.push(vscode.commands.registerCommand('contextEngineUploader.configureCloudEndpoint', async () => {
+        try {
+            const endpoint = await vscode.window.showInputBox({
+                prompt: 'Enter your Context Engine server URL (your own server or SaaS)',
+                placeHolder: 'https://your-server.example.com or https://ce.context-engine.ai',
+                value: '',
+                ignoreFocusOut: true,
+                validateInput: (value) => {
+                    if (!value.trim()) {
+                        return 'Endpoint URL is required';
+                    }
+                    try {
+                        const url = new URL(value);
+                        if (!url.protocol.startsWith('http')) {
+                            return 'URL must use http:// or https://';
+                        }
+                        return null;
+                    } catch (_) {
+                        return 'Please enter a valid URL (e.g., https://your-server.example.com)';
+                    }
+                }
+            });
+            if (!endpoint) {
+                // User cancelled - reset to mode selection
+                await vscode.workspace.getConfiguration('contextEngineUploader').update('onboardingMode', '', vscode.ConfigurationTarget.Global);
+                return;
+            }
+            await vscode.workspace.getConfiguration('contextEngineUploader').update('endpoint', endpoint.trim(), vscode.ConfigurationTarget.Global);
+            vscode.window.showInformationMessage(`Endpoint set to ${endpoint}. You can now configure your workspace.`);
+        } catch (error) {
+            handleCatch(error, 'Endpoint configuration failed');
+        }
+    }));
+
     return disposables;
 }