remove auth feature flags

[omar-inkeep]

main change in this PR is removing the auth flags, which will force everyone to use better-auth and spicedb. This involved updating tests, quickstart (create agents template), local dev (setup-dev), cypress tests, etc.

I also made changes in this PR to address UX feedback from the Project-level access release. Mainly UX changes.

I am exposing the ability for org admins to add users (only if google login has been setup). And we will show any pending users too.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
agents-api	Ready	Preview, Comment	Jan 29, 2026 0:30am
agents-manage-ui	Ready	Preview, Comment	Jan 29, 2026 0:30am

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
agents-docs	Skipped		Jan 29, 2026 0:30am

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9c449ab

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[claude]

Claude finished @omar-inkeep's task —— View job

---

PR Review: Remove Auth Feature Flags

I've conducted a comprehensive review of this significant architectural change that removes auth feature flags and forces migration to better-auth and SpiceDB. Here's my analysis:

🔒 Security and Authentication Architecture

✅ Strengths:

• Consolidation on Battle-tested Solutions: Moving to better-auth + SpiceDB eliminates auth complexity and provides a more robust foundation
• Proper Authorization Patterns: SpiceDB integration with hierarchical permissions (org admin inherits project access) is well-architected
• Clean Test Environment Handling: Test environment properly bypasses auth without exposing production vulnerabilities

⚠️ Areas for Consideration:

1. Missing Changeset - High Priority

   • This is a breaking change that forces users to migrate auth systems
   • Must add a changeset describing the migration impact on users
   • Consider this at least a minor version bump given the scope

2. Database Initialization Timing (packages/agents-core/src/auth/init.ts:34)

   • The init script runs setup operations that could race with server startup
   • Consider adding database readiness checks before user creation
   • The script exits on failure but could provide clearer recovery guidance

3. Error Handling in Auth Flows

   • Some error paths in invite-member-dialog.tsx:100-121 have generic fallbacks
   • Could benefit from more specific error messages for better UX

🧪 Testing and Quality Assurance

✅ Strengths:

• Test environment properly bypasses auth without security risks
• Updated test utilities handle both manage and run route authentication correctly
• SpiceDB permission tests cover edge cases well

⚠️ Areas for Consideration:

4. Test Coverage Gaps
   • The removed initialization.ts had complex auth state management - verify migration paths are tested
   • Consider adding integration tests for the full auth initialization flow
   • Docker compose changes should be validated with integration tests

📱 User Experience Changes

✅ Strengths:

• New invite member dialog provides good UX with batch invitation results
• Proper role management with clear descriptions
• Pending invitation display improves transparency

⚠️ Areas for Consideration:

5. Google Login Dependency (invite-member-dialog.tsx:77)

   • Org admin invite functionality is gated behind Google login setup
   • Should document this requirement clearly for users
   • Consider graceful degradation when Google auth isn't configured

6. Hardcoded Role Options (members-table.tsx:36-47)

   • Role options are hardcoded in UI component
   • Consider centralizing role definitions to avoid duplication with backend

🏗️ Architecture and Breaking Changes

⚠️ Critical Considerations:

7. Breaking Change Impact - Urgent

   • This forces all users to migrate from feature-flagged auth to better-auth
   • Missing migration documentation for existing users
   • Should provide clear upgrade path and rollback instructions

8. Environment Variable Changes

   • Removed several auth-related environment variables
   • Updated .env.example but existing deployments may break
   • Consider providing a migration script or clear documentation

9. Docker Compose Architecture

   • Adds SpiceDB as a required dependency
   • Existing Docker deployments will need SpiceDB configuration
   • Could impact local development setup

🔧 Implementation Quality

✅ Strengths:

• Clean removal of conditional auth logic simplifies codebase
• Proper separation between test and production auth paths
• Good use of TypeScript types for auth client integration

⚠️ Areas for Consideration:

10. Project Access Middleware Simplification (middleware/projectAccess.ts:22-28)

    • Test environment bypass is clean but ensure it's properly documented
    • The isTestEnvironment check should be consistent across all middleware

11. Async Error Handling

    • Several async operations lack proper error boundaries
    • Consider implementing circuit breaker patterns for external auth services

📋 Recommendations

Immediate Actions:

1. Add changeset describing the breaking change and migration requirements
2. Create migration documentation for existing users
3. Add integration tests for the full auth initialization flow
4. Document Google login requirements for invite functionality

Future Improvements:

1. Consider adding database migration scripts for smooth upgrades
2. Centralize role definitions to avoid UI/backend duplication
3. Add monitoring/alerting for auth service health
4. Consider implementing progressive rollout capabilities

📊 Overall Assessment

This is a well-architected migration that significantly simplifies the auth system while improving security. The code quality is good and the architectural decisions are sound. However, this is a major breaking change that requires careful rollout planning and user communication.

Recommendation: Approve after addressing the changeset requirement and migration documentation. The security and architectural improvements justify the breaking change, but users need clear guidance for migration.

---

Note: This review focused on the most impactful aspects. The codebase demonstrates good engineering practices overall, and the migration to better-auth + SpiceDB is a positive architectural decision.