Grace CLI Authentication with Personal Access Tokens and Device Code Login (with Maximum Token Lifetime) (#40)

* feat: add authz types and initialize beads tracking

* chore: remove src beads directory

* feat: add shared authorization evaluation

* feat: add access control and repo permission actors

* feat: add test auth and permission evaluator

* feat: add access API parameters and routes

* feat: add access SDK

* feat: add access CLI commands

* feat: enforce authz on repo and storage endpoints

* test: add authz unit and integration coverage

* fix: authz serialization and test setup

* fix: remove obsolete ISystemClock usage

* docs: update bd usage in AGENTS

* fix: retry access control persistence on transient storage errors

* feat: add auth config and claim mapping

* chore: close auth config task

* feat: add auth login endpoints

* chore: close auth login task

* feat: wire microsoft oidc and jwt auth

* chore: close auth scheme task

* feat: add cli device code auth and sdk token support

* test: cover auth endpoints and cli auth configuration

* docs: add microsoft auth setup guide

* fix: force OIDC code flow for Microsoft auth

* fix: set OIDC response type literal to avoid missing constant

* fix: accept tenant-specific issuer for Microsoft auth

* fix: use IssuerValidator delegate for Microsoft auth

* fix: skip Microsoft userinfo call without Graph scope

* feat: request Graph scope and enable userinfo claims

* fix: ensure scope sent during OIDC code redemption

* fix: avoid mixing Graph and API scopes in OIDC

* feat: return raw auth claims from /auth/me

* Add REPO_INDEX.md

* Add PAT auth flow and improve Aspire auth wiring

---------

Co-authored-by: Scott Arbeit <scottarbeit@github.com>

Author: ScottArbeit

src/.beads/.gitignore .beads/.gitignoresrc/.beads/.gitignore renamed to .beads/.gitignore

@@ -10,6 +10,10 @@ daemon.lock
 daemon.log
 daemon.pid
 bd.sock
+sync-state.json
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
 
 # Legacy database files
 db.sqlite
@@ -25,5 +29,6 @@ beads.right.meta.json
 
 # Keep JSONL exports and config (source of truth for git)
 !issues.jsonl
+!interactions.jsonl
 !metadata.json
 !config.json

src/.beads/README.md .beads/README.mdsrc/.beads/README.md renamed to .beads/README.md

@@ -0,0 +1,3 @@
+
+# Use bd merge for beads JSONL files
+.beads/issues.jsonl merge=beads

src/.beads/config.yaml .beads/config.yamlsrc/.beads/config.yaml renamed to .beads/config.yaml

@@ -0,0 +1,41 @@
+# Agent Instructions
+
+This project uses **bd** (beads) for issue tracking. The repo is initialized at the root `.beads`, so run `bd` from the repo root.
+
+## Quick Reference
+
+```bash
+bd ready --json                 # Find available work (ready issues)
+bd list --parent <epic-id>      # List child tasks for an epic (use this; there is no "bd tasks")
+bd show <id>                    # View issue details
+bd update <id> --status in_progress  # Claim work
+bd close <id>                   # Complete work
+bd sync                         # Sync with git (when using JSONL sync)
+bd --help                       # Command reference (recommended)
+```
+
+## Landing the Plane (Session Completion)
+
+**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
+
+**MANDATORY WORKFLOW:**
+
+1. **File issues for remaining work** - Create issues for anything that needs follow-up
+2. **Run quality gates** (if code changed) - Tests, linters, builds
+3. **Update issue status** - Close finished work, update in-progress items
+4. **PUSH TO REMOTE** - This is MANDATORY:
+   ```bash
+   git pull --rebase
+   bd sync
+   git push
+   git status  # MUST show "up to date with origin"
+   ```
+5. **Clean up** - Clear stashes, prune remote branches
+6. **Verify** - All changes committed AND pushed
+7. **Hand off** - Provide context for next session
+
+**CRITICAL RULES:**
+- Work is NOT complete until `git push` succeeds
+- NEVER stop before pushing - that leaves work stranded locally
+- NEVER say "ready to push when you are" - YOU must push
+- If push fails, resolve and retry until it succeeds

src/.beads/issues.jsonl .beads/interactions.jsonlsrc/.beads/issues.jsonl renamed to .beads/interactions.jsonl

@@ -0,0 +1,88 @@
+# REPO_INDEX.md (Grace jump table)
+
+This file is a machine-oriented index to help tools and humans quickly find the right code.
+
+---
+
+## Suggested search strategy for AllGrace.txt
+
+1. Refer to AllGrace_Index.md for exact starting and ending line numbers for each file.
+2. Use the entry points list below to decide where to navigate to.
+3. Jump to the exact starting line of the file, and search within the starting and ending line numbers.
+
+## Top entry points (open these first)
+
+### Grace Server (HTTP + DI + Orleans wiring)
+
+- `src/Grace.Server/Startup.Server.fs`
+  HTTP routes/endpoints and server composition entry points.
+- `src/Grace.Server/Program.Server.fs`
+  Host startup (Kestrel/Orleans host build/run).
+
+### Orleans grains (domain behavior)
+
+- `src/Grace.Actors/**/*.fs`
+  Grain/actor implementations. Look for `*Actor.fs` as primary behavior files.
+
+### Domain types, events, DTOs
+
+- `src/Grace.Types/**/*.fs`
+  Discriminated unions, events, DTOs, identifiers, serialization shapes.
+
+### Local orchestration (emulators/containers)
+
+- `src/Grace.Aspire.AppHost/Program.Aspire.AppHost.cs`
+  Local dev topology: Cosmos emulator, Azurite, Service Bus emulator, Redis, and Grace.Server.
+
+### Integration tests
+
+- `src/Grace.Server.Tests/General.Server.Tests.fs`
+  Test harness bootstrapping and shared test state.
+- `src/Grace.Server.Tests/Owner.Server.Tests.fs`
+  Owner API tests.
+- `src/Grace.Server.Tests/Repository.Server.Tests.fs`
+  Repository API tests.
+
+---
+
+## Cross-cutting �where is X implemented?�
+
+### JSON serialization settings
+
+- Search: `JsonSerializerOptions`
+- Likely in: `src/Grace.Shared/**` or `src/Grace.Server/**`
+
+### Service Bus publishing
+
+- Search: `publishGraceEvent`, `ServiceBusMessage`, `GraceEvent`
+- Likely in:
+  - `src/Grace.Actors/**` (where events are emitted)
+  - `src/Grace.Server/**` (wiring/config)
+  - `src/Grace.Shared/**` (helpers)
+
+### Cosmos DB / persistence wiring
+
+- Search: `AddCosmosGrainStorage`, `CosmosClient`, `UseAzureStorageClustering`
+- Likely in: `src/Grace.Server/Startup.Server.fs`
+
+### Azure Blob grain storage
+
+- Search: `AddAzureBlobGrainStorage`, `BlobServiceClient`
+- Likely in: `src/Grace.Server/Startup.Server.fs`
+
+### CLI commands
+
+- Search: `grace owner create`, `Command`, `System.CommandLine`
+- Likely in: `src/Grace.CLI/**`
+
+---
+
+## Local development �source of truth�
+
+- Aspire AppHost defines the runnable local environment. If there is a discrepancy between older docs/tests and AppHost, prefer AppHost.
+
+---
+
+## Obsolete / legacy systems
+
+- Dapr is not used anymore. Any Dapr references in tests or tooling are legacy and should be removed or ignored.

.beads/issues.jsonl

@@ -0,0 +1,80 @@
+# Authentication (Microsoft MSA + Entra)
+
+Grace currently supports Microsoft identity for both web and CLI clients. This uses:
+- A **web app registration** for the Grace Server (confidential client).
+- A **public client app registration** for Grace CLI (device code flow).
+
+GitHub and Google sign-in are planned but not yet implemented. The `/auth/login` page will list those providers once configured.
+
+## App Registrations (Azure Portal)
+
+### 1) Grace Server (Web app, confidential client)
+1. Create a new **App registration** (Accounts: "Accounts in any organizational directory and personal Microsoft accounts").
+2. Add a **Web** redirect URI for your server:
+   - Local dev: `https://localhost:5001/signin-oidc` (or your local HTTPS port).
+   - Deployed: `https://<your-domain>/signin-oidc`.
+3. Create a **Client secret** (Certificates & secrets).
+4. **Expose an API**:
+   - Application ID URI: `api://<server-client-id>` (or your preferred URI).
+   - Add scope: `access`.
+
+This produces:
+- Server **Client ID**
+- Server **Client Secret**
+- API scope: `api://<server-client-id>/access` (default used by Grace)
+
+### 2) Grace CLI (Public client)
+1. Create a new **App registration** (same account type as above).
+2. Add a **Mobile and desktop** redirect URI:
+   - `http://localhost` (device code flow does not rely on redirect, but this is commonly used).
+3. **API permissions**:
+   - Add delegated permission for the server API scope: `access`.
+   - Grant admin consent if required by your tenant.
+
+This produces:
+- CLI **Client ID**
+
+## Environment Variables
+
+### Grace Server
+Required:
+- `grace__auth__microsoft__client_id` = Server Client ID
+- `grace__auth__microsoft__client_secret` = Server Client Secret
+
+Optional:
+- `grace__auth__microsoft__tenant_id` = Tenant ID (default: `common`)
+- `grace__auth__microsoft__authority` = Authority override (default: `https://login.microsoftonline.com/{tenant_id}`)
+- `grace__auth__microsoft__api_scope` = API scope override (default: `api://{client_id}/access`)
+- `grace__auth__microsoft__cli_client_id` = CLI Client ID (optional but recommended to keep in the same config)
+
+### Grace CLI
+Required:
+- `grace__auth__microsoft__cli_client_id` = CLI Client ID
+- `grace__auth__microsoft__api_scope` = API scope (ex: `api://<server-client-id>/access`)
+
+Optional:
+- `grace__auth__microsoft__tenant_id` = Tenant ID (default: `common`)
+- `grace__auth__microsoft__authority` = Authority override
+
+## Using the Web Login
+
+- Browse to `https://<server>/auth/login`
+- Choose **Microsoft**
+- A cookie session is established after successful login.
+
+## Using the CLI (Device Code)
+
+Common commands:
+- `grace auth login` (device code sign-in)
+- `grace auth status`
+- `grace auth whoami`
+- `grace auth logout`
+
+Tokens are cached using MSAL in:
+- `~/.grace/grace_msal_cache.bin`
+
+Grace CLI attaches the Bearer token automatically for SDK calls once authenticated.
+
+## Future Providers (GitHub, Google)
+
+GitHub and Google providers are not wired yet. When added, they will appear in `/auth/login` with additional environment variables and app registration steps.