feat: subscribe to managed auth state via SSE instead of polling

[dcruzeneil2]

Summary

Replaces the 2s polling loop in useManagedAuthSession with a subscription to the existing /auth/connections/{id}/events SSE endpoint.

Resolves KERNEL-1268. Also fixes the form flash-back race condition described in KERNEL-1256.

Changes

Work in progress — PR opened as a scaffold for incremental development.

Test plan

• Local dev: start a managed auth flow, confirm DevTools shows a single text/event-stream connection instead of recurring GET /auth/connections/{id} polls
• Submit credentials and confirm the UI does not flash back to the form before transitioning to submitting / next step
• Kill the network tab mid-flow and confirm the stream reconnects
• Reach a terminal state (success / failure / expired) and confirm the stream closes cleanly and onSuccess / onError fire exactly once

🤖 Generated with Claude Code

---

Note

Medium Risk
Replaces the session state update mechanism with a custom SSE stream parser plus reconnect logic, which can affect auth flow progression and error/terminal handling if the stream parsing or reconnection behavior is off.

Overview
Managed auth session updates now use server-sent events instead of 2s polling. useManagedAuthSession replaces its interval-based refresh loop with a subscription to /auth/connections/{id}/events, adds exponential backoff reconnection (isReconnecting), and ensures terminal states stop the stream and fire onSuccess/onError only once.

Adds a fetch-based SSE implementation (streamManagedAuthEvents) that can send Authorization headers, parses managed_auth_state/error events, and introduces ManagedAuthStateEventData plus new optional response fields (flow_type, post_login_url, live_view_url, hosted_url).

^{Reviewed by Cursor Bugbot for commit 87d13ae. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

Any PR that changes the kernel API. Monitor changes to API endpoints (packages/api/cmd/api/) and Temporal workflows (packages/api/lib/temporal) in the kernel repo

Reason: PR modifies client-side auth UI logic (useManagedAuthSession hook), not kernel API endpoints or Temporal workflows.

To monitor this PR anyway, reply with @firetiger monitor this.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
managed-auth-react-demo	Ready	Preview, Comment	May 18, 2026 6:23pm

[masnwilliams]

nice cleanup — moving off polling is a real win, and the terminal-state guarding via terminalRef is well-threaded across connectStream / scheduleReconnect / resyncAndConnect / onClose. notes grouped by severity.

correctness

• mergeStateEvent drops four event fields — useManagedAuthSession.ts:49-71 never reads flow_type, post_login_url, live_view_url, or hosted_url. The server emits all of them (kernel/kernel cmd/api/api/managed_auth.go:1731,1775,1779+) and they're declared on ManagedAuthStateEventData (types.ts:63, 73-75), but they never reach consumers. Either remove from the event type or extend ManagedAuthResponse and merge them through.
• err.status accessed via untyped cast — useManagedAuthSession.ts:222-223. retrieveManagedAuth throws ManagedAuthApiError; use instanceof for type safety and to match the onError branch on line 241.

robustness

• Reconnect loop has no upper bound — useManagedAuthSession.ts:181-192. If the backend is down, this reconnects forever at the 15s cap with no signal to the user. The UI stays on discovering / awaiting_input etc. while the stream silently flaps. Consider a max-attempts → error transition, or expose a reconnecting flag from the hook.
• onClose only fires on natural stream end — lib/api.ts:263. On non-OK response (203), missing body (210), fatal error (255), or unexpected reader exception (264), only onError fires; onClose never runs. Worth documenting on ManagedAuthStreamHandlers, or always calling onClose after terminal onError.
• CRLF SSE frames silently dropped — lib/api.ts:219 accepts \r\n\r\n as a separator, but lib/api.ts:233 splits by \n only. CRLF input leaves a trailing \r on each line, so eventType becomes "managed_auth_state\r" and the comparison on line 238 fails. Server uses \n today (verified), so this is latent — but the parser advertises CRLF support it doesn't deliver. Either strip trailing \r per line, or only accept \n\n as separator.

minor / nits

• lib/api.ts:255 — hard-coded 500 status on stream-error frames. Other non-HTTP error paths in this file use 0 (lines 210, 268); 0 is more consistent.
• lib/api.ts:242-244 — malformed managed_auth_state JSON is silently swallowed. The fatal-error branch (252) surfaces parse failures via fatal=true; consider surfacing the state-event parse error as a non-fatal onError so consumers know a payload dropped.
• useManagedAuthSession.ts:154-155 — if (!base) return; is unreachable in the current flow (init always sets stateRef before connectStream). Drop or convert to an assertion.

[dcruzeneil2]

regarding your reviews, have incorporated everything except points 2 and 3 of Nit category:

Nit 2: JSON should not be malformed since we are using marshal to construct the JSON. onError does a connection re-sync which seems not worth the situation. A more nuanced fix might be adding a onWarning path which does not re-sync the connection, but that can be added in a later PR.

Nit 3: yes, technically true for now, but retaining the defense check in case code refactors over time. Harmless defense as of now.

[masnwilliams]

thanks for the quick turnaround — nearly everything addressed :bufo-blob-clap:

addressed:

• ✅ mergeStateEvent field drop — flow_type/post_login_url/live_view_url/hosted_url added to ManagedAuthResponse and merged through with ev.<field> ?? base.<field> ?? null (65c8bc1)
• ✅ untyped err.status cast → instanceof ManagedAuthApiError (65c8bc1)
• ✅ reconnect now exposes isReconnecting on the hook return so consumers can render a state (65c8bc1 + 2ad9589)
• ✅ onClose semantics documented on ManagedAuthStreamHandlers (65c8bc1)
• ✅ stream-error 500 → 0, consistent with other non-HTTP error paths (65c8bc1)
• ✅ bonus: multi-line data: lines now concatenated per SSE spec (65c8bc1)
• ✅ bonus: generationRef guards against stale resyncs from prior sessionIds (0b9a8ff)

still open (both nits, non-blocking):

• lib/api.ts:245 — malformed managed_auth_state JSON silently swallowed; consider surfacing as a non-fatal onError so consumers know a payload dropped
• useManagedAuthSession.ts:169 — if (!base) return; is unreachable in the current flow; drop or convert to an assertion

[masnwilliams]

ack on the two nits — both reasonable as-is. nice work :bufo-blob-clap:

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 87d13ae. Configure here.}

[cursor]

Stale closure chain in reconnection self-reference

Medium Severity

resyncAndConnect calls connectStream(t) using the closure reference from the render when the outer connectStream was created. Since connectStream depends on options (a new object every render), fireSuccessOnce, and fireErrorOnce, the reconnection path perpetually reuses the stale versions of these from the original stream setup. Unlike the old polling code — where stopPolling/startPolling on each submit cycle picked up the latest pollOnce with fresh callbacks — the SSE stream's handlers are never refreshed, so onSuccess/onError changes are permanently ignored for terminal states reached via the stream or its reconnections.

Additional Locations (1)

• packages/managed-auth-react/src/session/useManagedAuthSession.ts#L158-L291

 

^{Reviewed by Cursor Bugbot for commit 87d13ae. Configure here.}

[dcruzeneil2]

theoretical edge case