[dev] [Marfuen] mariano/smart-suggestions (#1742)

* fix(api): improve env loading and JWKS retry handling

- Load .env manually before NestJS bootstrap
- Add automatic JWKS retry on key mismatch
- Remove redundant ConfigModule envFilePath

* fix(auth): add automatic token refresh on 401 errors

- Auto-refresh token and retry request on 401
- Add race condition protection and cooldown
- Fix useTask hook to wait for orgId from URL params

* feat(automation): add AI-generated suggestions for new automations

- Generate task-specific suggestions using GPT-4o-mini
- Load suggestions asynchronously for faster page load
- Add loading state for automation page

* feat(automation): improve suggestion prompts and error handling

- Ensure suggestions match exact task topic
- Exclude screenshots, require API integrations only
- Add fallback for broken vendor logo images

* feat(automation): add skeleton loaders for suggestion cards

- Show animated skeleton cards while AI suggestions are loading
- Match card structure and layout for smooth transition
- Load suggestions asynchronously without blocking page render

* chore(deps): update @trycompai/db to version 1.3.17 and add dotenv

* refactor(automation): remove reduced limits on vendor queries for clarity

* feat(automation): improve suggestion UI and add vendor diversity

- add flushSync for immediate UI updates after suggestions load
- change placeholder to generic text
- add vendor diversity requirement to AI prompts to avoid duplicate vendors

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>

Author: github-actions[bot]

apps/api/package.json

@@ -4,22 +4,23 @@
   "version": "0.0.1",
   "author": "",
   "dependencies": {
-    "@prisma/client": "^6.13.0",
-    "prisma": "^6.13.0",
     "@aws-sdk/client-s3": "^3.859.0",
     "@aws-sdk/s3-request-presigner": "^3.859.0",
     "@nestjs/common": "^11.0.1",
     "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^11.0.1",
     "@nestjs/platform-express": "^11.1.5",
     "@nestjs/swagger": "^11.2.0",
+    "@prisma/client": "^6.13.0",
     "@trycompai/db": "^1.3.17",
     "archiver": "^7.0.1",
     "axios": "^1.12.2",
     "better-auth": "^1.3.27",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.2",
+    "dotenv": "^17.2.3",
     "jose": "^6.0.12",
+    "prisma": "^6.13.0",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
     "swagger-ui-express": "^5.0.1",

apps/api/src/app.module.ts

@@ -9,6 +9,7 @@ import { PeopleModule } from './people/people.module';
 import { DevicesModule } from './devices/devices.module';
 import { DeviceAgentModule } from './device-agent/device-agent.module';
 import { awsConfig } from './config/aws.config';
+import { betterAuthConfig } from './config/better-auth.config';
 import { HealthModule } from './health/health.module';
 import { OrganizationModule } from './organization/organization.module';
 import { PoliciesModule } from './policies/policies.module';
@@ -23,7 +24,8 @@ import { TaskTemplateModule } from './framework-editor/task-template/task-templa
   imports: [
     ConfigModule.forRoot({
       isGlobal: true,
-      load: [awsConfig],
+      // .env file is loaded manually in main.ts before NestJS starts
+      load: [awsConfig, betterAuthConfig],
       validationOptions: {
         allowUnknown: true,
         abortEarly: true,

apps/api/src/auth/hybrid-auth.guard.ts

@@ -4,14 +4,32 @@ import {
   Injectable,
   UnauthorizedException,
 } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
 import { db } from '@trycompai/db';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
 import { ApiKeyService } from './api-key.service';
+import type { BetterAuthConfig } from '../config/better-auth.config';
 import { AuthenticatedRequest } from './types';
 
 @Injectable()
 export class HybridAuthGuard implements CanActivate {
-  constructor(private readonly apiKeyService: ApiKeyService) {}
+  private readonly betterAuthUrl: string;
+
+  constructor(
+    private readonly apiKeyService: ApiKeyService,
+    private readonly configService: ConfigService,
+  ) {
+    const betterAuthConfig =
+      this.configService.get<BetterAuthConfig>('betterAuth');
+    this.betterAuthUrl =
+      betterAuthConfig?.url || process.env.BETTER_AUTH_URL || '';
+
+    if (!this.betterAuthUrl) {
+      console.warn(
+        '[HybridAuthGuard] BETTER_AUTH_URL not configured. JWT authentication will fail.',
+      );
+    }
+  }
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
@@ -61,20 +79,71 @@ export class HybridAuthGuard implements CanActivate {
     authHeader: string,
   ): Promise<boolean> {
     try {
+      // Validate BETTER_AUTH_URL is configured
+      if (!this.betterAuthUrl) {
+        console.error(
+          '[HybridAuthGuard] BETTER_AUTH_URL environment variable is not set',
+        );
+        throw new UnauthorizedException(
+          'Authentication configuration error: BETTER_AUTH_URL not configured',
+        );
+      }
+
       // Extract token from "Bearer <token>"
       const token = authHeader.substring(7);
 
-      // Create JWKS for token verification using Better Auth endpoint
-      const JWKS = createRemoteJWKSet(
-        new URL(`${process.env.BETTER_AUTH_URL}/api/auth/jwks`),
-      );
+      const jwksUrl = `${this.betterAuthUrl}/api/auth/jwks`;
 
-      // Verify JWT token
-      const { payload } = await jwtVerify(token, JWKS, {
-        issuer: process.env.BETTER_AUTH_URL,
-        audience: process.env.BETTER_AUTH_URL,
+      // Create JWKS for token verification using Better Auth endpoint
+      // Use shorter cache time to handle key rotation better
+      const JWKS = createRemoteJWKSet(new URL(jwksUrl), {
+        cacheMaxAge: 60000, // 1 minute cache (default is 5 minutes)
+        cooldownDuration: 10000, // 10 seconds cooldown before refetching
       });
 
+      // Verify JWT token with automatic retry on key mismatch
+      let payload;
+      try {
+        payload = (
+          await jwtVerify(token, JWKS, {
+            issuer: this.betterAuthUrl,
+            audience: this.betterAuthUrl,
+          })
+        ).payload;
+      } catch (verifyError: any) {
+        // If we get a key mismatch error, retry with a fresh JWKS fetch
+        if (
+          verifyError.code === 'ERR_JWKS_NO_MATCHING_KEY' ||
+          verifyError.message?.includes('no applicable key found') ||
+          verifyError.message?.includes('JWKSNoMatchingKey')
+        ) {
+          console.log(
+            '[HybridAuthGuard] Key mismatch detected, fetching fresh JWKS and retrying...',
+          );
+
+          // Create a fresh JWKS instance with no cache to force immediate fetch
+          const freshJWKS = createRemoteJWKSet(new URL(jwksUrl), {
+            cacheMaxAge: 0, // No cache - force fresh fetch
+            cooldownDuration: 0, // No cooldown - allow immediate retry
+          });
+
+          // Retry verification with fresh keys
+          payload = (
+            await jwtVerify(token, freshJWKS, {
+              issuer: this.betterAuthUrl,
+              audience: this.betterAuthUrl,
+            })
+          ).payload;
+
+          console.log(
+            '[HybridAuthGuard] Successfully verified token with fresh JWKS',
+          );
+        } else {
+          // Re-throw if it's not a key mismatch error
+          throw verifyError;
+        }
+      }
+
       // Extract user information from JWT payload (user data is directly in payload for Better Auth JWT)
       const userId = payload.id as string;
       const userEmail = payload.email as string;
@@ -112,6 +181,41 @@ export class HybridAuthGuard implements CanActivate {
       return true;
     } catch (error) {
       console.error('JWT verification failed:', error);
+
+      // Provide more helpful error messages
+      if (error instanceof Error) {
+        // Connection errors
+        if (
+          error.message.includes('ECONNREFUSED') ||
+          error.message.includes('fetch failed')
+        ) {
+          console.error(
+            `[HybridAuthGuard] Cannot connect to Better Auth JWKS endpoint at ${this.betterAuthUrl}/api/auth/jwks`,
+          );
+          console.error(
+            '[HybridAuthGuard] Make sure BETTER_AUTH_URL is set correctly and the Better Auth server is running',
+          );
+          throw new UnauthorizedException(
+            `Cannot connect to authentication service. Please check BETTER_AUTH_URL configuration.`,
+          );
+        }
+
+        // Key mismatch errors should have been handled by retry logic above
+        // If we still get one here, it means the retry also failed (token truly invalid)
+        if (
+          (error as any).code === 'ERR_JWKS_NO_MATCHING_KEY' ||
+          error.message.includes('no applicable key found') ||
+          error.message.includes('JWKSNoMatchingKey')
+        ) {
+          console.error(
+            '[HybridAuthGuard] Token key not found even after fetching fresh JWKS. Token may be from a different environment or truly invalid.',
+          );
+          throw new UnauthorizedException(
+            'Authentication token is invalid. Please log out and log back in to refresh your session.',
+          );
+        }
+      }
+
       throw new UnauthorizedException('Invalid or expired JWT token');
     }
   }

apps/api/src/config/better-auth.config.ts

@@ -0,0 +1,34 @@
+import { registerAs } from '@nestjs/config';
+import { z } from 'zod';
+
+const betterAuthConfigSchema = z.object({
+  url: z.string().url('BETTER_AUTH_URL must be a valid URL'),
+});
+
+export type BetterAuthConfig = z.infer<typeof betterAuthConfigSchema>;
+
+export const betterAuthConfig = registerAs(
+  'betterAuth',
+  (): BetterAuthConfig => {
+    const url = process.env.BETTER_AUTH_URL;
+
+    if (!url) {
+      throw new Error('BETTER_AUTH_URL environment variable is required');
+    }
+
+    const config = { url };
+
+    // Validate configuration at startup
+    const result = betterAuthConfigSchema.safeParse(config);
+
+    if (!result.success) {
+      throw new Error(
+        `Better Auth configuration validation failed: ${result.error.issues
+          .map((e) => `${e.path.join('.')}: ${e.message}`)
+          .join(', ')}`,
+      );
+    }
+
+    return result.data;
+  },
+);

apps/api/src/main.ts

@@ -4,9 +4,24 @@ import { NestFactory } from '@nestjs/core';
 import type { OpenAPIObject } from '@nestjs/swagger';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 import * as express from 'express';
+import { config } from 'dotenv';
+import path from 'path';
 import { AppModule } from './app.module';
 import { existsSync, mkdirSync, writeFileSync } from 'fs';
-import path from 'path';
+
+// Load .env file from apps/api directory before anything else
+// This ensures .env values override any shell environment variables
+// __dirname in compiled code is dist/src, so go up two levels to apps/api
+const envPath = path.join(__dirname, '..', '..', '.env');
+if (existsSync(envPath)) {
+  config({ path: envPath, override: true });
+} else {
+  // Fallback: try current working directory (when run from apps/api)
+  const cwdEnvPath = path.join(process.cwd(), '.env');
+  if (existsSync(cwdEnvPath)) {
+    config({ path: cwdEnvPath, override: true });
+  }
+}
 
 async function bootstrap(): Promise<void> {
   const app: INestApplication = await NestFactory.create(AppModule);

apps/app/package.json

@@ -4,7 +4,7 @@
   "dependencies": {
     "@ai-sdk/anthropic": "^2.0.0",
     "@ai-sdk/groq": "^2.0.0",
-    "@ai-sdk/openai": "^2.0.0",
+    "@ai-sdk/openai": "^2.0.65",
     "@ai-sdk/provider": "^2.0.0",
     "@ai-sdk/react": "^2.0.60",
     "@ai-sdk/rsc": "^1.0.0",

apps/app/src/app/(app)/[orgId]/tasks/[taskId]/automation/[automationId]/actions/generate-suggestions.ts

@@ -0,0 +1,100 @@
+'use server';
+
+import { openai } from '@ai-sdk/openai';
+import { db } from '@db';
+import { generateObject } from 'ai';
+import { performance } from 'perf_hooks';
+import { z } from 'zod';
+import {
+  AUTOMATION_SUGGESTIONS_SYSTEM_PROMPT,
+  getAutomationSuggestionsPrompt,
+} from './prompts/automation-suggestions';
+
+const SuggestionsSchema = z.object({
+  suggestions: z.array(
+    z.object({
+      title: z.string(),
+      prompt: z.string(),
+      vendorName: z.string().optional(),
+      vendorWebsite: z.string().optional(),
+    }),
+  ),
+});
+
+export async function generateAutomationSuggestions(
+  taskDescription: string,
+  organizationId: string,
+): Promise<{ title: string; prompt: string; vendorName?: string; vendorWebsite?: string }[]> {
+  const startTime = performance.now();
+  console.log('[generateAutomationSuggestions] Starting suggestion generation...');
+
+  // Get vendors from the Vendor table
+  const vendorsStartTime = performance.now();
+  const vendors = await db.vendor.findMany({
+    where: {
+      organizationId,
+    },
+    select: {
+      name: true,
+      website: true,
+      description: true,
+    },
+  });
+  const vendorsTime = performance.now() - vendorsStartTime;
+  console.log(
+    `[generateAutomationSuggestions] Fetched ${vendors.length} vendors in ${vendorsTime.toFixed(2)}ms`,
+  );
+
+  // Get vendors from context table as well
+  const contextStartTime = performance.now();
+  const contextEntries = await db.context.findMany({
+    where: {
+      organizationId,
+    },
+    select: {
+      question: true,
+      answer: true,
+    },
+  });
+  const contextTime = performance.now() - contextStartTime;
+  console.log(
+    `[generateAutomationSuggestions] Fetched ${contextEntries.length} context entries in ${contextTime.toFixed(2)}ms`,
+  );
+
+  const vendorList =
+    vendors.length > 0
+      ? vendors.map((v) => `${v.name}${v.website ? ` (${v.website})` : ''}`).join(', ')
+      : 'No vendors configured yet';
+
+  const contextInfo =
+    contextEntries.length > 0
+      ? contextEntries.map((c) => `Q: ${c.question}\nA: ${c.answer}`).join('\n\n')
+      : 'No additional context available';
+
+  const promptLength = getAutomationSuggestionsPrompt(
+    taskDescription,
+    vendorList,
+    contextInfo,
+  ).length;
+  console.log(`[generateAutomationSuggestions] Prompt length: ${promptLength} characters`);
+
+  // Generate AI suggestions
+  const aiStartTime = performance.now();
+  const { object, usage } = await generateObject({
+    model: openai('gpt-4.1-mini'), // Testing gpt-5-nano for suggestions
+    schema: SuggestionsSchema,
+    system: AUTOMATION_SUGGESTIONS_SYSTEM_PROMPT,
+    prompt: getAutomationSuggestionsPrompt(taskDescription, vendorList, contextInfo),
+  });
+  const aiTime = performance.now() - aiStartTime;
+  console.log(
+    `[generateAutomationSuggestions] AI generation completed in ${aiTime.toFixed(2)}ms (total tokens: ${usage?.totalTokens || 'unknown'})`,
+  );
+
+  const totalTime = performance.now() - startTime;
+  console.log(
+    `[generateAutomationSuggestions] Total time: ${totalTime.toFixed(2)}ms (vendors: ${vendorsTime.toFixed(2)}ms, context: ${contextTime.toFixed(2)}ms, AI: ${aiTime.toFixed(2)}ms)`,
+  );
+
+  return object.suggestions;
+}