Feat/client library token

[AlexAxthelm]

Updates client library to parse an environment variable as a bearer token to pass on and authenticate against api.

Updates Calls in the "friends" services (EL, LLM, seed) to use new auth method.

Tested locally with AUTH_DISABLED=false using my bearer token, and the one stored in LastPass for LLM.

[github-actions]

CD summary 8cacb5a

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:77699fee49d989d46a04c3d2b409c671863aea7b04d134031ae09b0f9bb8a321	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-08T15:18:00Z	2026-05-08T15:17:46Z	3b454d8	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:77699fee49d989d46a04c3d2b409c671863aea7b04d134031ae09b0f9bb8a321
2026-05-08T15:18:00Z	2026-05-08T15:17:46Z	3b454d8	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:1dda853cf074969dfe07ed1ee83ee5e541c482a2b4be58879cfe47e7069e4f5c
2026-05-08T15:18:07Z	2026-05-08T15:17:46Z	3b454d8	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:ee28b5277853f5947479b1f61dd0ed9aaed80222dbe0f582387ccfcd89f402fe
2026-05-08T15:18:00Z	2026-05-08T15:17:46Z	3b454d8	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:8b80c5ec4f6120303db335edb94a1177054b6bf709792c6d7e52205bcb6ba2bc

[Copilot]

Pull request overview

Adds an env-driven bearer token auth mode to stitch-client and updates downstream consumers (seed, entity-linkage, stitch-llm) to use it, while also extending the API’s auth user provisioning to tolerate missing name/email claims.

Changes:

• Introduce STITCH_CLIENT_BEARER_TOKEN + env_bearer_token_headers_provider() and export via stitch.client.
• Switch downstream services to env-bearer-token auth, add startup validation, and add /health/details endpoints that probe /auth/me.
• Update API user provisioning logic and user schema/entities to allow nullable name/email, including concurrency-oriented IntegrityError handling.

Reviewed changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
packages/stitch-client/tests/test_async_client.py	Adds tests for env bearer token header provider and request auth header behavior.
packages/stitch-client/src/stitch/client/auth.py	New env-backed bearer token headers provider + env var constant.
packages/stitch-client/src/stitch/client/async_client.py	Adds get_auth_me() endpoint wrapper.
packages/stitch-client/src/stitch/client/init.py	Re-exports env bearer token auth utilities.
packages/stitch-client/README.md	Documents env-bearer-token usage for the client library.
env.example	Adds downstream token env vars and updates example auth/Azure OpenAI settings.
docker-compose.local.yml	Wires per-service tokens into STITCH_CLIENT_BEARER_TOKEN for local compose.
deployments/stitch-llm/tests/test_oil_gas_fields_api.py	Adjusts tests to bypass new downstream auth startup validation.
deployments/stitch-llm/tests/test_health_api.py	New tests for /health/details behavior and downstream probe handling.
deployments/stitch-llm/tests/test_client.py	Updates client tests for env-token validation and async cleanup.
deployments/stitch-llm/src/stitch/llm/settings.py	Removes machine-token config in favor of env-bearer-token mode.
deployments/stitch-llm/src/stitch/llm/routers/health.py	Adds /health/details endpoint with readiness + downstream auth probe.
deployments/stitch-llm/src/stitch/llm/main.py	Adds lifespan startup validation flags + timestamps.
deployments/stitch-llm/src/stitch/llm/client.py	Switches downstream auth to env bearer token; adds startup validation + get_auth_me().
deployments/stitch-llm/README.md	Updates README wording to reflect bearer auth for downstream API access.
deployments/seed/tests/test_main.py	Updates seed tests to set env token and assert headers_provider wiring.
deployments/seed/src/stitch/seed/main.py	Uses env bearer token provider and validates token at startup.
deployments/seed/README.md	Documents downstream auth via STITCH_CLIENT_BEARER_TOKEN.
deployments/entity-linkage/tests/test_start.py	Updates tests for new downstream auth mode and client construction changes.
deployments/entity-linkage/tests/test_start_api.py	Updates API tests and adds health details probe coverage.
deployments/entity-linkage/tests/test_client.py	Updates client tests to use env token mode and validate startup requirements.
deployments/entity-linkage/src/stitch/entity_linkage/routers/start.py	Renames response field and removes transparent relay client usage.
deployments/entity-linkage/src/stitch/entity_linkage/routers/health.py	Adds /health/details endpoint with downstream auth probe.
deployments/entity-linkage/src/stitch/entity_linkage/main.py	Adds lifespan startup validation flags + timestamps.
deployments/entity-linkage/src/stitch/entity_linkage/entities.py	Updates auth context docstring to reflect inbound identity vs downstream relay.
deployments/entity-linkage/src/stitch/entity_linkage/client.py	Switches downstream auth to env bearer token; adds startup validation + get_auth_me().
deployments/entity-linkage/src/stitch/entity_linkage/auth.py	Adjusts docs to indicate future explicit relay/OBO modes.
deployments/entity-linkage/README.md	Documents downstream auth via STITCH_CLIENT_BEARER_TOKEN.
deployments/api/tests/test_auth_integration.py	Expands coverage for null claims, rollback durability, and IntegrityError handling.
deployments/api/src/stitch/api/entities.py	Makes user name/email nullable in API entities.
deployments/api/src/stitch/api/db/model/user.py	Makes DB columns nullable for user name/email.
deployments/api/src/stitch/api/auth.py	Refactors get_current_user to use a dedicated session and improved IntegrityError recovery.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

CD summary 7cd217f

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:f89b1d8147237c70fc0cb8f2af331b913a95e1c65faad9b9b534b7b4cf26451a	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T08:59:00Z	2026-05-11T08:58:44Z	edc2ef9	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:f89b1d8147237c70fc0cb8f2af331b913a95e1c65faad9b9b534b7b4cf26451a
2026-05-11T08:59:04Z	2026-05-11T08:58:44Z	edc2ef9	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:3c32148e850ad42834414f585bf4d262d393af6d44fb12d89fd3f24f01972054
2026-05-11T08:59:03Z	2026-05-11T08:58:44Z	edc2ef9	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:9bd24b90f3b4194c53760c967a9331fb993b9df0b487a601e0adaa69bc18f6b6
2026-05-11T08:58:56Z	2026-05-11T08:58:44Z	edc2ef9	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:2b8690da3d9ccfa8ee8e43f32e8aa608917ffa2937809b37436072380132bd7c

[github-actions]

CD summary 736fb18

Deployments (2)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:4e843447856a323c6938f5be709037340b68e22f72ee74d760e351753e222b60	pr_85

Images (3)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T09:06:19Z	2026-05-11T09:06:04Z	1c8ab28	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:4e843447856a323c6938f5be709037340b68e22f72ee74d760e351753e222b60
2026-05-11T09:06:21Z	2026-05-11T09:06:04Z	1c8ab28	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:b4bad2c51c0ba32a7c879199ffdcd4a3fce71f29c40cbaad9caa4bc63e7d6b9e
2026-05-11T09:06:22Z	2026-05-11T09:06:04Z	1c8ab28	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:628ea528b6be95d21fd16338ae85bde7a4c4cd8ea5c100d608888a9f62be5ed5

[github-actions]

CD summary da1e74a

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:1cfae615d0a59b2fe0ac432850497c8ea6be075af97c7095d0248422f1118de3	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T09:10:44Z	2026-05-11T09:10:27Z	06a0f27	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:1cfae615d0a59b2fe0ac432850497c8ea6be075af97c7095d0248422f1118de3
2026-05-11T09:10:48Z	2026-05-11T09:10:27Z	06a0f27	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:cbd82c5539ef2a74e86d260bde80c125b1b561a68a834d95f261f5e6c82d3e48
2026-05-11T09:10:42Z	2026-05-11T09:10:27Z	06a0f27	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:7456b17dc41d18bdba0340b63379dcac1f7d35aa405fe4008337a127fe245989
2026-05-11T09:10:48Z	2026-05-11T09:10:27Z	06a0f27	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:b7d1a835ea0ea7c8840dd441e6daad41fbdf86846b4f6f9d6c1a1ecfefe0cf55

[Copilot]

Pull request overview

Copilot reviewed 32 out of 32 changed files in this pull request and generated 4 comments.

[github-actions]

CD summary d7f3941

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:57a671ed129812c68d4ed8bae277456e52ae0af13fac16bf24a52cd9681ba1e6	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T11:27:58Z	2026-05-11T11:27:48Z	a014d5d	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:57a671ed129812c68d4ed8bae277456e52ae0af13fac16bf24a52cd9681ba1e6
2026-05-11T11:28:04Z	2026-05-11T11:27:48Z	a014d5d	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:e84ae69e360834d8c6c47392ceef0e1207680bc970ff4a28bc5bb933caf6de0d
2026-05-11T11:28:03Z	2026-05-11T11:27:48Z	a014d5d	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:4a01b7dec215c7cd1649f267f1f624c6b39e0206e73d0e5d41356a67485d6d1e
2026-05-11T11:28:04Z	2026-05-11T11:27:48Z	a014d5d	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:b08ea298f74e064c04dced3ea68fc629d9dd0464772095f908e0a5b3a8cf9ba9

[github-actions]

CD summary 5e9712a

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:fe127bae9f60a732681a8b15429165b4adf80c797c22a92c8f85e136e9911f09	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T11:43:27Z	2026-05-11T11:43:08Z	1c12a0b	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:fe127bae9f60a732681a8b15429165b4adf80c797c22a92c8f85e136e9911f09
2026-05-11T11:43:27Z	2026-05-11T11:43:08Z	1c12a0b	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:635bb850b3d88b55a07580b2eef88ac823d84ab658db9bc2be67b9127b142d30
2026-05-11T11:43:19Z	2026-05-11T11:43:08Z	1c12a0b	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:8eabc46b92ddd5e3230efc7d0efad7e1fa8b07ad3aaa134acfc3f10b9ff8f098
2026-05-11T11:43:22Z	2026-05-11T11:43:08Z	1c12a0b	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:a5ca80e3f5f80d6df8f84ed74fb657daece1c6e893575c19e7b343ca965c9ea2

[github-actions]

CD summary 5e9712a

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (2)

job	image	postgres_db	api_url	auth_mode
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:6eb020259106479ca42fe512635aa3daec3b8440de6877e263459b6200a15be7	pr_85
seed	ghcr.io/rmi/stitch-seed:pr85@sha256:a9131de29944dab57ce8eb0f8b3fe7b5e13ad51988367e8ad3b3af904ce770cf		https://pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io/api/v1	dev placeholder bearer token

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T11:50:03Z	2026-05-11T11:49:50Z	682805b	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:6eb020259106479ca42fe512635aa3daec3b8440de6877e263459b6200a15be7
2026-05-11T11:50:03Z	2026-05-11T11:49:50Z	682805b	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:d8b00b2ed8d6ab83a79947f862827854193e973bc58802d7e07ebf3beae78461
2026-05-11T11:50:07Z	2026-05-11T11:49:50Z	682805b	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:a9131de29944dab57ce8eb0f8b3fe7b5e13ad51988367e8ad3b3af904ce770cf
2026-05-11T11:50:00Z	2026-05-11T11:49:50Z	682805b	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:0b0f81b9123ae5c2f36ec9c8ecede16dcb457184ea053ecb7a4e9e6a4d212167

[github-actions]

CD summary c0dff40

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:99ba4103d2c24aca2211da3e708a2e79f64ab28ac488b9076fdde18d411d2777	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T11:59:46Z	2026-05-11T11:59:34Z	9c30be5	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:99ba4103d2c24aca2211da3e708a2e79f64ab28ac488b9076fdde18d411d2777
2026-05-11T11:59:44Z	2026-05-11T11:59:34Z	9c30be5	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:0565154c1bd92c96ebbd6515199ad309ff71eb4f475c0c1f5bfbf5e6afd23a9b
2026-05-11T11:59:45Z	2026-05-11T11:59:34Z	9c30be5	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:9e444e5cbb1132e9ef147f018002b5003476ed99c4b16143318a6e3d1e988389
2026-05-11T11:59:45Z	2026-05-11T11:59:34Z	9c30be5	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:6fe121b13951706f36c08f0fa2c7580ac8db3a609c37dc33222149e9f49bd98c

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (1)

env.example:23

• AUTH_DISABLED is defined twice in this template (earlier under "# API" and again here under "# API Auth"). Duplicate keys in a .env file are ambiguous (last one wins in many loaders). Consider removing one definition and consolidating the comments so there’s a single source of truth.

# API Auth
AUTH_DISABLED=true
# AUTH_ISSUER="https://<domain>.<region>.auth0.com/"
# AUTH_AUDIENCE="https://<audienc>"
# AUTH_JWKS_URI="https:/<domain>.<region>.auth0.com/.well-known/jwks.json"

[github-actions]

CD summary 6a5d398

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:6e5986023af0514071ba8aaceac5e10c261f8b9737a262c9f29a368b2008a134	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T12:16:19Z	2026-05-11T12:16:01Z	1727ab5	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:6e5986023af0514071ba8aaceac5e10c261f8b9737a262c9f29a368b2008a134
2026-05-11T12:16:15Z	2026-05-11T12:16:01Z	1727ab5	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:5decb3a34d417353918aab318e3d07b694bd40cd0c17f42429e4bc5d0d9ebf24
2026-05-11T12:16:19Z	2026-05-11T12:16:01Z	1727ab5	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:15dd5c252692f47065dd2736a9a217c4697b94aa2d7812ac58123086e6fd9672
2026-05-11T12:16:16Z	2026-05-11T12:16:01Z	1727ab5	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:954519f94fe60b9c5d0befe56b95a8a1c49e387c54a7f4dbcd65058a79bcf91e

[AlexAxthelm]

@mbarlow12 Copilot caught this as a potential race condition in claim parsing

[mbarlow12]

Trying to follow what it's saying, but I'm not seeing the issue.

returns the row without applying the same name/email backfill logic used in the non-error path.

That's what _apply_claim_backfill is doing.

Also, IIUC the "race" would be triggered by simultaneous login attempts? Pretty curious about how likely a

concurrent first-login race

actually is. My hunch is to keep an eye on it, but I'm doubtful we'll ever see it.

[AlexAxthelm]

@mbarlow12 I restored the EmailStr validation (over str)

[mbarlow12]

Should be ok here. I now recall that if email is missing, we fall back to grabbing preferred_username off the auth payload which might not be an email. I don't think it's a problem until it's a problem.

[github-actions]

CD summary 25041c7

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:7798f0b516304c91dfae6c16c4ea351af07cc259e0e15f286a82ec3e1f8cb7dd	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-11T15:38:28Z	2026-05-11T15:38:10Z	3b6110c	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:7798f0b516304c91dfae6c16c4ea351af07cc259e0e15f286a82ec3e1f8cb7dd
2026-05-11T15:38:33Z	2026-05-11T15:38:10Z	3b6110c	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:855873255f41c183e820a2b8e300c436a8591ce3bdbaa8b5e61e630506600cdc
2026-05-11T15:38:26Z	2026-05-11T15:38:10Z	3b6110c	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:179afeb4924da11668a43dec0b48d0ea1d9f0f2dd5c8836dcc560787d739de4a
2026-05-11T15:38:27Z	2026-05-11T15:38:10Z	3b6110c	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:0d66d04d55b8e119e3c6e06c417da9a51a9ba7e99ab28ae451f5e36f5913d7a2

[mbarlow12]

LGTM.
Commented on the race condition. Honestly think we should push forward and see what happens.

[mbarlow12]

Should be ok here. I now recall that if email is missing, we fall back to grabbing preferred_username off the auth payload which might not be an email. I don't think it's a problem until it's a problem.

[mbarlow12]

Trying to follow what it's saying, but I'm not seeing the issue.

returns the row without applying the same name/email backfill logic used in the non-error path.

That's what _apply_claim_backfill is doing.

Also, IIUC the "race" would be triggered by simultaneous login attempts? Pretty curious about how likely a

concurrent first-login race

actually is. My hunch is to keep an eye on it, but I'm doubtful we'll ever see it.

[github-actions]

CD summary 1959b62

Frontend: https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net

Deployments (4)

service	url	fqdn
api	open	pr85-api.purplegrass-c07d0a94.westus2.azurecontainerapps.io
entity-linkage	open	pr85-entity-linkage.purplegrass-c07d0a94.westus2.azurecontainerapps.io
frontend	https://witty-mushroom-017a3dc1e-85.westus2.1.azurestaticapps.net
stitch-llm	open	pr85-stitch-llm.purplegrass-c07d0a94.westus2.azurecontainerapps.io

Database (1)

db_name	postgres_host	postgres_port	postgres_db
pr_85	stitch-dev.postgres.database.azure.com	5432	pr_85

Jobs (1)

job	image	postgres_db
db-init	ghcr.io/rmi/stitch-api:pr85@sha256:7aad77fd3af3a00f578842268b070183726dd84563560a52618b51c3663d6b25	pr_85

Images (4)

build_time	commit_time	git_sha	image	image_digest
2026-05-12T08:53:11Z	2026-05-12T08:52:59Z	2330e6c	ghcr.io/rmi/stitch-api:pr85	ghcr.io/rmi/stitch-api:pr85@sha256:7aad77fd3af3a00f578842268b070183726dd84563560a52618b51c3663d6b25
2026-05-12T08:53:17Z	2026-05-12T08:52:59Z	2330e6c	ghcr.io/rmi/stitch-entity-linkage:pr85	ghcr.io/rmi/stitch-entity-linkage:pr85@sha256:ae6f657531eae9e339772f6f05975a1365d0153fc9611a8461c1250e3f04c222
2026-05-12T08:53:13Z	2026-05-12T08:52:59Z	2330e6c	ghcr.io/rmi/stitch-seed:pr85	ghcr.io/rmi/stitch-seed:pr85@sha256:3e9bc767a300bc99303e7fecd95bc7816e446fac21090c5d4ab81c5f48688a77
2026-05-12T08:53:12Z	2026-05-12T08:52:59Z	2330e6c	ghcr.io/rmi/stitch-stitch-llm:pr85	ghcr.io/rmi/stitch-stitch-llm:pr85@sha256:677fca5d5b941e96aee07de8b43f7c806ab05da9ad96cf9c537e051defe1687d

[AlexAxthelm]

Cleaned up that logic for the race condition. let the robots talk me out of common sense. throwing an error is much nicer here.