(llm-first): context budget, validation, and eval harness, orchestration general-prompt

client/src/auth/keycloak.ts

@@ -1,96 +1,43 @@
-import Keycloak, { KeycloakTokenParsed } from 'keycloak-js';
+import Keycloak from 'keycloak-js';
 import { env } from '../config/env';
 
-interface RealmAccessTokenParsed extends KeycloakTokenParsed {
-  realm_access?: {
-    roles: string[];
-  };
-}
-
 const keycloak = new Keycloak({
   url: env.keycloakUrl,
   realm: env.keycloakRealm,
   clientId: env.keycloakClientId,
 });
 
-let keycloakInitPromise: Promise<void> | null = null;
-let refreshInFlight: Promise<void> | null = null;
+let initPromise: Promise<boolean> | null = null;
+let refreshPromise: Promise<string | null> | null = null;
+
+export async function initKeycloak(): Promise<boolean> {
+  if (!initPromise) {
+    initPromise = keycloak.init({
+      onLoad: 'login-required',
+      pkceMethod: 'S256',
+      checkLoginIframe: false,
+    });
+  }
+
+  return initPromise;
+}
+
+export async function getAccessToken(): Promise<string | null> {
+  await initKeycloak();
+  if (!keycloak.authenticated) return null;
+
+  if (!refreshPromise) {
+    refreshPromise = keycloak
+      .updateToken(30)
+      .then(() => keycloak.token ?? null)
+      .finally(() => {
+        refreshPromise = null;
+      });
+  }
+
+  return refreshPromise;
+}
 
 export function getKeycloak() {
   return keycloak;
 }
-
-export async function initKeycloak() {
-  if (!keycloakInitPromise) {
-    keycloakInitPromise = keycloak
-      .init({
-        onLoad: 'login-required',
-        pkceMethod: 'S256',
-        checkLoginIframe: false,
-      })
-      .then((authenticated) => {
-        if (!authenticated) {
-          return keycloak.login({ redirectUri: window.location.href });
-        }
-      });
-  }
-
-  await keycloakInitPromise;
-}
-
-async function refreshAccessToken(minValiditySeconds = 30) {
-  if (!refreshInFlight) {
-    refreshInFlight = keycloak
-      .updateToken(minValiditySeconds)
-      .then(() => undefined)
-      .finally(() => {
-        refreshInFlight = null;
-      });
-  }
-
-  await refreshInFlight;
-}
-
-export async function getValidAccessToken(minValiditySeconds = 30): Promise<string> {
-  await initKeycloak();
-
-  if (!keycloak.authenticated) {
-    await keycloak.login({ redirectUri: window.location.href });
-    throw new Error('User is not authenticated');
-  }
-
-  await refreshAccessToken(minValiditySeconds);
-
-  if (!keycloak.token) {
-    throw new Error('Missing access token');
-  }
-
-  return keycloak.token;
-}
-
-export async function forceReauthentication() {
-  keycloak.clearToken();
-  await keycloak.login({ redirectUri: window.location.href });
-}
-
-export async function logoutFromKeycloak() {
-  await keycloak.logout({ redirectUri: window.location.origin });
-}
-
-export function getRealmRoles(): string[] {
-  const parsed = keycloak.tokenParsed as RealmAccessTokenParsed | undefined;
-  const roles = parsed?.realm_access?.roles;
-  return Array.isArray(roles) ? roles : [];
-}
-
-export function getIdentity() {
-  const parsed = keycloak.tokenParsed as RealmAccessTokenParsed | undefined;
-  const id = parsed?.sub ?? 'unknown';
-  const fullName =
-    parsed?.name ??
-    parsed?.preferred_username ??
-    parsed?.email ??
-    'Unknown User';
-
-  return { id, fullName };
-}