oauth: persist client state, simplify IPC, and refactor

connected-accounts UI

This refactor simplifies OAuth storage/IPC and updates the Electron UI
to use the new client-facing contract. OAuth state is now persisted per
provider with tokens, optional clientId, and an error string. A new oauth:getState
IPC returns only client-facing state (connected + error), and the UI renders
error/reconnect flow based on that.

  Core changes
  - Replace OAuth config with providers { tokens, clientId?, error? }
    and add zod-based migration from legacy token maps.
  - Persist Google clientId after successful OAuth and keep error state
    in repo.
  - Surface provider errors from refresh/credential failures in Google +
    Fireflies.
  - Add oauth:getState in IPC, returning client-facing config; remove
    old status wiring in the UI.

  UI changes
  - Switch renderer status checks to oauth:getState and derive connected/error
    from config.
  - Add alert dialog for account issues and update copy to “Connected
    accounts”.
  - Provide “View connected accounts” CTA that opens the Connectors popover.
  - Add shadcn alert-dialog component and Radix dependency.

  Notes
  - Adds @radix-ui/react-alert-dialog and shadcn wrapper.
  - pnpm-lock updated accordingly.

Author: ramnique

apps/x/apps/main/src/ipc.ts

@@ -5,8 +5,6 @@ import os from 'node:os';
 import {
   connectProvider,
   disconnectProvider,
-  isConnected,
-  getConnectedProviders,
   listProviders,
 } from './oauth-handler.js';
 import { watcher as watcherCore, workspace } from '@x/core';
@@ -24,6 +22,7 @@ import container from '@x/core/dist/di/container.js';
 import { listOnboardingModels } from '@x/core/dist/models/models-dev.js';
 import { testModelConnection } from '@x/core/dist/models/models.js';
 import type { IModelConfigRepo } from '@x/core/dist/models/repo.js';
+import type { IOAuthRepo } from '@x/core/dist/auth/repo.js';
 import { IGranolaConfigRepo } from '@x/core/dist/knowledge/granola/repo.js';
 import { triggerSync as triggerGranolaSync } from '@x/core/dist/knowledge/granola/sync.js';
 import { isOnboardingComplete, markOnboardingComplete } from '@x/core/dist/config/note_creation_config.js';
@@ -364,19 +363,18 @@ export function setupIpcHandlers() {
       return { success: true };
     },
     'oauth:connect': async (_event, args) => {
-      return await connectProvider(args.provider, args.clientId);
+      return await connectProvider(args.provider, args.clientId?.trim());
     },
     'oauth:disconnect': async (_event, args) => {
       return await disconnectProvider(args.provider);
     },
-    'oauth:is-connected': async (_event, args) => {
-      return await isConnected(args.provider);
-    },
     'oauth:list-providers': async () => {
       return listProviders();
     },
-    'oauth:get-connected-providers': async () => {
-      return await getConnectedProviders();
+    'oauth:getState': async () => {
+      const repo = container.resolve<IOAuthRepo>('oauthRepo');
+      const config = await repo.getClientFacingConfig();
+      return { config };
     },
     'granola:getConfig': async () => {
       const repo = container.resolve<IGranolaConfigRepo>('granolaConfigRepo');

apps/x/apps/main/src/oauth-handler.ts

@@ -4,12 +4,6 @@ import { createAuthServer } from './auth-server.js';
 import * as oauthClient from '@x/core/dist/auth/oauth-client.js';
 import type { Configuration } from '@x/core/dist/auth/oauth-client.js';
 import { getProviderConfig, getAvailableProviders } from '@x/core/dist/auth/providers.js';
-import {
-  clearProviderClientIdOverride,
-  getProviderClientIdOverride,
-  hasProviderClientIdOverride,
-  setProviderClientIdOverride,
-} from '@x/core/dist/auth/provider-client-id.js';
 import container from '@x/core/dist/di/container.js';
 import { IOAuthRepo } from '@x/core/dist/auth/repo.js';
 import { IClientRegistrationRepo } from '@x/core/dist/auth/client-repo.js';
@@ -80,24 +74,28 @@ function getClientRegistrationRepo(): IClientRegistrationRepo {
 /**
  * Get or create OAuth configuration for a provider
  */
-async function getProviderConfiguration(provider: string): Promise<Configuration> {
+async function getProviderConfiguration(provider: string, clientIdOverride?: string): Promise<Configuration> {
   const config = getProviderConfig(provider);
-  const resolveClientId = (): string => {
-    const override = getProviderClientIdOverride(provider);
-    if (override) {
-      return override;
-    }
+  const resolveClientId = async (): Promise<string> => {
     if (config.client.mode === 'static' && config.client.clientId) {
       return config.client.clientId;
     }
+    if (clientIdOverride) {
+      return clientIdOverride;
+    }
+    const oauthRepo = getOAuthRepo();
+    const clientId = await oauthRepo.getClientId(provider);
+    if (clientId) {
+      return clientId;
+    }
     throw new Error(`${provider} client ID not configured. Please provide a client ID.`);
   };
 
   if (config.discovery.mode === 'issuer') {
     if (config.client.mode === 'static') {
       // Discover endpoints, use static client ID
       console.log(`[OAuth] ${provider}: Discovery from issuer with static client ID`);
-      const clientId = resolveClientId();
+      const clientId = await resolveClientId();
       return await oauthClient.discoverConfiguration(
         config.discovery.issuer,
         clientId
@@ -137,7 +135,7 @@ async function getProviderConfiguration(provider: string): Promise<Configuration
     }
 
     console.log(`[OAuth] ${provider}: Using static endpoints (no discovery)`);
-    const clientId = resolveClientId();
+    const clientId = await resolveClientId();
     return oauthClient.createStaticConfiguration(
       config.discovery.authorizationEndpoint,
       config.discovery.tokenEndpoint,
@@ -161,15 +159,13 @@ export async function connectProvider(provider: string, clientId?: string): Prom
     const providerConfig = getProviderConfig(provider);
 
     if (provider === 'google') {
-      const trimmedClientId = clientId?.trim();
-      if (!trimmedClientId) {
+      if (!clientId) {
         return { success: false, error: 'Google client ID is required to connect.' };
       }
-      setProviderClientIdOverride(provider, trimmedClientId);
     }
 
     // Get or create OAuth configuration
-    const config = await getProviderConfiguration(provider);
+    const config = await getProviderConfiguration(provider, clientId);
 
     // Generate PKCE codes
     const { verifier: codeVerifier, challenge: codeChallenge } = await oauthClient.generatePKCE();
@@ -217,6 +213,10 @@ export async function connectProvider(provider: string, clientId?: string): Prom
         // Save tokens
         console.log(`[OAuth] Token exchange successful for ${provider}`);
         await oauthRepo.saveTokens(provider, tokens);
+        if (provider === 'google' && clientId) {
+          await oauthRepo.setClientId(provider, clientId);
+        }
+        await oauthRepo.clearError(provider);
 
         // Trigger immediate sync for relevant providers
         if (provider === 'google') {
@@ -282,33 +282,13 @@ export async function disconnectProvider(provider: string): Promise<{ success: b
   try {
     const oauthRepo = getOAuthRepo();
     await oauthRepo.clearTokens(provider);
-    if (provider === 'google') {
-      clearProviderClientIdOverride(provider);
-    }
     return { success: true };
   } catch (error) {
     console.error('OAuth disconnect failed:', error);
     return { success: false };
   }
 }
 
-/**
- * Check if a provider is connected
- */
-export async function isConnected(provider: string): Promise<{ isConnected: boolean }> {
-  try {
-    const oauthRepo = getOAuthRepo();
-    if (provider === 'google' && !hasProviderClientIdOverride(provider)) {
-      return { isConnected: false };
-    }
-    const connected = await oauthRepo.isConnected(provider);
-    return { isConnected: connected };
-  } catch (error) {
-    console.error('OAuth connection check failed:', error);
-    return { isConnected: false };
-  }
-}
-
 /**
  * Get access token for a provider (internal use only)
  * Refreshes token if expired
@@ -326,6 +306,7 @@ export async function getAccessToken(provider: string): Promise<string | null> {
     if (oauthClient.isTokenExpired(tokens)) {
       if (!tokens.refresh_token) {
         // No refresh token, need to reconnect
+        await oauthRepo.setError(provider, 'Missing refresh token. Please reconnect.');
         return null;
       }
 
@@ -338,6 +319,8 @@ export async function getAccessToken(provider: string): Promise<string | null> {
         tokens = await oauthClient.refreshTokens(config, tokens.refresh_token, existingScopes);
         await oauthRepo.saveTokens(provider, tokens);
       } catch (error) {
+        const message = error instanceof Error ? error.message : 'Token refresh failed';
+        await oauthRepo.setError(provider, message);
         console.error('Token refresh failed:', error);
         return null;
       }
@@ -350,23 +333,6 @@ export async function getAccessToken(provider: string): Promise<string | null> {
   }
 }
 
-/**
- * Get list of connected providers
- */
-export async function getConnectedProviders(): Promise<{ providers: string[] }> {
-  try {
-    const oauthRepo = getOAuthRepo();
-    const providers = await oauthRepo.getConnectedProviders();
-    const filteredProviders = providers.filter((provider) =>
-      provider === 'google' ? hasProviderClientIdOverride(provider) : true
-    );
-    return { providers: filteredProviders };
-  } catch (error) {
-    console.error('Get connected providers failed:', error);
-    return { providers: [] };
-  }
-}
-
 /**
  * Get list of available providers
  */

apps/x/apps/renderer/package.json

@@ -43,6 +43,7 @@
     "motion": "^12.23.26",
     "nanoid": "^5.1.6",
     "posthog-js": "^1.332.0",
+    "radix-ui": "^1.4.3",
     "react": "^19.2.0",
     "react-dom": "^19.2.0",
     "sonner": "^2.0.7",