src/App.tsx

import { Toaster } from "@/components/ui/toaster";
import { Toaster as Sonner } from "@/components/ui/sonner";
import { TooltipProvider } from "@/components/ui/tooltip";
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import { BrowserRouter, Routes, Route } from "react-router-dom";

// Layouts
import PublicLayout from "@/components/layouts/PublicLayout";
import ProtectedLayout from "@/components/layouts/ProtectedLayout";

// Public pages
import Index from "@/pages/Index";
import LoginPage from "@/pages/auth/LoginPage";
import RegisterPage from "@/pages/auth/RegisterPage";
import VerifyEmailPage from "@/pages/auth/VerifyEmailPage";
import ForgotPasswordPage from "@/pages/auth/ForgotPasswordPage";
import ResetPasswordPage from "@/pages/auth/ResetPasswordPage";
import InviteAcceptPage from "@/pages/auth/InviteAcceptPage";
import OIDCConsentPage from "@/pages/auth/OIDCConsentPage";
import OIDCErrorPage from "@/pages/auth/OIDCErrorPage";
import OAuthCallbackPage from "@/pages/auth/OAuthCallbackPage";
import ActivatePage from "@/pages/auth/ActivatePage";

// User pages
import ProfilePage from "@/pages/user/ProfilePage";
import SecurityPage from "@/pages/user/SecurityPage";
import LinkedAccountsPage from "@/pages/user/LinkedAccountsPage";
import ActivityPage from "@/pages/user/ActivityPage";
import SSHKeysPage from "@/pages/user/SSHKeysPage";

// Organization pages
import OrgOverviewPage from "@/pages/org/OrgOverviewPage";
import MembersPage from "@/pages/org/MembersPage";
import PoliciesPage from "@/pages/org/PoliciesPage";
import CompliancePage from "@/pages/org/CompliancePage";
import OrgAuditPage from "@/pages/org/OrgAuditPage";
import OIDCClientsPage from "@/pages/org/OIDCClientsPage";
import CAsPage from "@/pages/org/CAsPage";
import DepartmentsPage from "@/pages/org/DepartmentsPage";
import PrincipalsPage from "@/pages/org/PrincipalsPage";
import MyMembershipsPage from "@/pages/org/MyMembershipsPage";
import SystemAuditPage from "@/pages/admin/SystemAuditPage";
import AdminUsersPage from "@/pages/admin/AdminUsersPage";
import OAuthProvidersPage from "@/pages/admin/OAuthProvidersPage";
import OrgSetupPage from "@/pages/auth/OrgSetupPage";

import NotFound from "@/pages/NotFound";
import ApiDevTools from "@/components/dev/ApiDevTools";

const queryClient = new QueryClient({
  defaultOptions: {
    queries: {
      retry: (failureCount, error) => {
        // Don't retry on 403 authorization errors
        if (error && typeof error === 'object' && 'code' in error && error.code === 403) {
          return false;
        }
        // Default retry behavior for other errors (max 3 retries)
        return failureCount < 3;
      },
    },
  },
});

const App = () => (
  <QueryClientProvider client={queryClient}>
    <TooltipProvider>
      <Toaster />
      <Sonner />
      <BrowserRouter>
        <AppRoutes />
      </BrowserRouter>
    </TooltipProvider>
  </QueryClientProvider>
);

// Separate component so AuthProvider can use useNavigate
import { AuthProvider, useAuth } from "@/contexts/AuthContext";
import { Navigate } from "react-router-dom";

/** Redirects already-authenticated users away from guest-only pages (e.g. /login). */
function GuestRoute({ children }: { children: React.ReactNode }) {
  const { isAuthenticated, isOrgMember, isLoading } = useAuth();
  // Allow authenticated users through to /login when it's a CLI auth request —
  // LoginPage will immediately forward the existing token to the CLI callback.
  const params = new URLSearchParams(window.location.search);
  const isCli = params.has('cli_token') || params.has('cli_redirect');
  if (isLoading) return null; // wait for auth state to resolve
  if (isAuthenticated && !isCli) {
    // If the user hasn't set up an org yet, send them there first
    return <Navigate to={isOrgMember ? "/profile" : "/org-setup"} replace />;
  }
  return <>{children}</>;
}

/** Blocks access to /admin/* for non-admin users. */
function RequireAdmin({ children }: { children: React.ReactNode }) {
  const { isOrgAdmin, isLoading, isAuthenticated } = useAuth();
  if (isLoading) return null;
  if (!isAuthenticated) return <Navigate to="/login" replace />;
  if (!isOrgAdmin) return <Navigate to="/profile" replace />;
  return <>{children}</>;
}

/** Blocks access to /org/* for users who don't belong to any organisation. */
function RequireOrgMember({ children }: { children: React.ReactNode }) {
  const { isOrgMember, isLoading, isAuthenticated } = useAuth();
  if (isLoading) return null;
  if (!isAuthenticated) return <Navigate to="/login" replace />;
  if (!isOrgMember) return <Navigate to="/profile" replace />;
  return <>{children}</>;
}

/** 
 *  Used for /org-setup which lives inside PublicLayout */
function RequireAuth({ children }: { children: React.ReactNode }) {
  const { isAuthenticated, isLoading } = useAuth();
  if (isLoading) return null;
  if (!isAuthenticated) return <Navigate to="/login" replace />;
  return <>{children}</>;
}

function AppRoutes() {
  return (
    <AuthProvider>
      <Routes>
        {/* Index redirect */}
        <Route path="/" element={<Index />} />

        {/* Public routes */}
        <Route element={<PublicLayout />}>
          <Route path="/login" element={<GuestRoute><LoginPage /></GuestRoute>} />
          <Route path="/register" element={<RegisterPage />} />
          <Route path="/verify-email" element={<VerifyEmailPage />} />
          <Route path="/forgot-password" element={<ForgotPasswordPage />} />
          <Route path="/reset-password" element={<ResetPasswordPage />} />
          <Route path="/invite" element={<InviteAcceptPage />} />
          <Route path="/consent" element={<OIDCConsentPage />} />
          <Route path="/error" element={<OIDCErrorPage />} />
          <Route path="/oauth/callback" element={<OAuthCallbackPage />} />
          <Route path="/activate" element={<ActivatePage />} />
          {/* Org-setup uses the same full-screen centred layout as auth pages,
              but requires a valid session token (RequireAuth guard below). */}
          <Route path="/org-setup" element={<RequireAuth><OrgSetupPage /></RequireAuth>} />
        </Route>

        {/* Protected routes - handles auth and MFA enforcement */}
        <Route element={<ProtectedLayout />}>
          {/* User routes */}
          <Route path="/profile" element={<ProfilePage />} />
          <Route path="/security" element={<SecurityPage />} />
          <Route path="/linked-accounts" element={<LinkedAccountsPage />} />
          <Route path="/activity" element={<ActivityPage />} />
          <Route path="/ssh-keys" element={<SSHKeysPage />} />

          {/* Organization routes — org members: overview + own memberships only */}
          <Route path="/org" element={<RequireOrgMember><OrgOverviewPage /></RequireOrgMember>} />
          <Route path="/org/my-memberships" element={<RequireOrgMember><MyMembershipsPage /></RequireOrgMember>} />

          {/* Organization management routes — org admins/owners only */}
          <Route path="/org/members" element={<RequireAdmin><MembersPage /></RequireAdmin>} />
          <Route path="/org/departments" element={<RequireAdmin><DepartmentsPage /></RequireAdmin>} />
          <Route path="/org/principals" element={<RequireAdmin><PrincipalsPage /></RequireAdmin>} />
          <Route path="/org/policies" element={<RequireAdmin><PoliciesPage /></RequireAdmin>} />
          <Route path="/org/policies/compliance" element={<RequireAdmin><CompliancePage /></RequireAdmin>} />
          <Route path="/org/audit" element={<RequireAdmin><OrgAuditPage /></RequireAdmin>} />
          <Route path="/org/clients" element={<RequireAdmin><OIDCClientsPage /></RequireAdmin>} />
          <Route path="/org/cas" element={<RequireAdmin><CAsPage /></RequireAdmin>} />

          {/* Admin routes — org admin/owner only */}
          <Route path="/admin/audit" element={<RequireAdmin><SystemAuditPage /></RequireAdmin>} />
          <Route path="/admin/users" element={<RequireAdmin><AdminUsersPage /></RequireAdmin>} />
          <Route path="/admin/oauth" element={<RequireAdmin><OAuthProvidersPage /></RequireAdmin>} />
        </Route>

        {/* Catch-all */}
        <Route path="*" element={<NotFound />} />
      </Routes>

      {/* Dev tools - only shown in development */}
      <ApiDevTools />
    </AuthProvider>
  );
}

export default App;
template: new_style_vite_react_shadcn_ts 2025-01-01 00:00:00 +00:00			`import { Toaster } from "@/components/ui/toaster";`
			`import { Toaster as Sonner } from "@/components/ui/sonner";`
			`import { TooltipProvider } from "@/components/ui/tooltip";`
			`import { QueryClient, QueryClientProvider } from "@tanstack/react-query";`
			`import { BrowserRouter, Routes, Route } from "react-router-dom";`
Changes 2026-01-06 14:46:23 +00:00
			`// Layouts`
			`import PublicLayout from "@/components/layouts/PublicLayout";`
enabled policies 2026-01-16 17:31:25 +10:30			`import ProtectedLayout from "@/components/layouts/ProtectedLayout";`
Changes 2026-01-06 14:46:23 +00:00
			`// Public pages`
			`import Index from "@/pages/Index";`
			`import LoginPage from "@/pages/auth/LoginPage";`
			`import RegisterPage from "@/pages/auth/RegisterPage";`
			`import VerifyEmailPage from "@/pages/auth/VerifyEmailPage";`
			`import ForgotPasswordPage from "@/pages/auth/ForgotPasswordPage";`
			`import ResetPasswordPage from "@/pages/auth/ResetPasswordPage";`
			`import InviteAcceptPage from "@/pages/auth/InviteAcceptPage";`
			`import OIDCConsentPage from "@/pages/auth/OIDCConsentPage";`
			`import OIDCErrorPage from "@/pages/auth/OIDCErrorPage";`
can link google accounts! 2026-01-20 15:54:11 +10:30			`import OAuthCallbackPage from "@/pages/auth/OAuthCallbackPage";`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`import ActivatePage from "@/pages/auth/ActivatePage";`
Changes 2026-01-06 14:46:23 +00:00
			`// User pages`
			`import ProfilePage from "@/pages/user/ProfilePage";`
			`import SecurityPage from "@/pages/user/SecurityPage";`
			`import LinkedAccountsPage from "@/pages/user/LinkedAccountsPage";`
			`import ActivityPage from "@/pages/user/ActivityPage";`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`import SSHKeysPage from "@/pages/user/SSHKeysPage";`
Changes 2026-01-06 14:46:23 +00:00
			`// Organization pages`
			`import OrgOverviewPage from "@/pages/org/OrgOverviewPage";`
			`import MembersPage from "@/pages/org/MembersPage";`
			`import PoliciesPage from "@/pages/org/PoliciesPage";`
enabled policies 2026-01-16 17:31:25 +10:30			`import CompliancePage from "@/pages/org/CompliancePage";`
Changes 2026-01-06 14:46:23 +00:00			`import OrgAuditPage from "@/pages/org/OrgAuditPage";`
			`import OIDCClientsPage from "@/pages/org/OIDCClientsPage";`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`import CAsPage from "@/pages/org/CAsPage";`
Feat(Chore): Implemented Audit-Logs, Department, Principal. 2026-02-27 21:08:16 +05:45			`import DepartmentsPage from "@/pages/org/DepartmentsPage";`
			`import PrincipalsPage from "@/pages/org/PrincipalsPage";`
Feat: RBAC, Keys Extension, Invites 2026-03-01 16:50:19 +05:45			`import MyMembershipsPage from "@/pages/org/MyMembershipsPage";`
Feat(Chore): Implemented Audit-Logs, Department, Principal. 2026-02-27 21:08:16 +05:45			`import SystemAuditPage from "@/pages/admin/SystemAuditPage";`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`import AdminUsersPage from "@/pages/admin/AdminUsersPage";`
Feat: RBAC, Keys Extension, Invites 2026-03-01 16:50:19 +05:45			`import OAuthProvidersPage from "@/pages/admin/OAuthProvidersPage";`
Feat(Fix): User & Org Setup Initial (Invite + Create on own) & Chore: UI 2026-03-01 20:11:22 +05:45			`import OrgSetupPage from "@/pages/auth/OrgSetupPage";`
Changes 2026-01-06 14:46:23 +00:00
			`import NotFound from "@/pages/NotFound";`
Changes 2026-01-06 15:39:14 +00:00			`import ApiDevTools from "@/components/dev/ApiDevTools";`
template: new_style_vite_react_shadcn_ts 2025-01-01 00:00:00 +00:00
enabled policies 2026-01-16 17:31:25 +10:30			`const queryClient = new QueryClient({`
			`defaultOptions: {`
			`queries: {`
			`retry: (failureCount, error) => {`
			`// Don't retry on 403 authorization errors`
			`if (error && typeof error === 'object' && 'code' in error && error.code === 403) {`
			`return false;`
			`}`
			`// Default retry behavior for other errors (max 3 retries)`
			`return failureCount < 3;`
			`},`
			`},`
			`},`
			`});`
template: new_style_vite_react_shadcn_ts 2025-01-01 00:00:00 +00:00
			`const App = () => (`
			`<QueryClientProvider client={queryClient}>`
			`<TooltipProvider>`
			`<Toaster />`
			`<Sonner />`
			`<BrowserRouter>`
Changes 2026-01-06 15:33:03 +00:00			`<AppRoutes />`
template: new_style_vite_react_shadcn_ts 2025-01-01 00:00:00 +00:00			`</BrowserRouter>`
			`</TooltipProvider>`
			`</QueryClientProvider>`
			`);`

Changes 2026-01-06 15:33:03 +00:00			`// Separate component so AuthProvider can use useNavigate`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`import { AuthProvider, useAuth } from "@/contexts/AuthContext";`
			`import { Navigate } from "react-router-dom";`

			`/** Redirects already-authenticated users away from guest-only pages (e.g. /login). */`
			`function GuestRoute({ children }: { children: React.ReactNode }) {`
Feat(Fix): User & Org Setup Initial (Invite + Create on own) & Chore: UI 2026-03-01 20:11:22 +05:45			`const { isAuthenticated, isOrgMember, isLoading } = useAuth();`
Feat: RBAC, Keys Extension, Invites 2026-03-01 16:50:19 +05:45			`// Allow authenticated users through to /login when it's a CLI auth request —`
			`// LoginPage will immediately forward the existing token to the CLI callback.`
			`const params = new URLSearchParams(window.location.search);`
			`const isCli = params.has('cli_token') \|\| params.has('cli_redirect');`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`if (isLoading) return null; // wait for auth state to resolve`
Feat(Fix): User & Org Setup Initial (Invite + Create on own) & Chore: UI 2026-03-01 20:11:22 +05:45			`if (isAuthenticated && !isCli) {`
			`// If the user hasn't set up an org yet, send them there first`
			`return <Navigate to={isOrgMember ? "/profile" : "/org-setup"} replace />;`
			`}`
Feat: RBAC, Keys Extension, Invites 2026-03-01 16:50:19 +05:45			`return <>{children}</>;`
			`}`

			`/** Blocks access to /admin/* for non-admin users. */`
			`function RequireAdmin({ children }: { children: React.ReactNode }) {`
			`const { isOrgAdmin, isLoading, isAuthenticated } = useAuth();`
			`if (isLoading) return null;`
			`if (!isAuthenticated) return <Navigate to="/login" replace />;`
			`if (!isOrgAdmin) return <Navigate to="/profile" replace />;`
			`return <>{children}</>;`
			`}`

			`/** Blocks access to /org/* for users who don't belong to any organisation. */`
			`function RequireOrgMember({ children }: { children: React.ReactNode }) {`
			`const { isOrgMember, isLoading, isAuthenticated } = useAuth();`
			`if (isLoading) return null;`
			`if (!isAuthenticated) return <Navigate to="/login" replace />;`
			`if (!isOrgMember) return <Navigate to="/profile" replace />;`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`return <>{children}</>;`
			`}`
Changes 2026-01-06 15:33:03 +00:00
Feat(Fix): User & Org Setup Initial (Invite + Create on own) & Chore: UI 2026-03-01 20:11:22 +05:45			`/**`
			`* Used for /org-setup which lives inside PublicLayout */`
			`function RequireAuth({ children }: { children: React.ReactNode }) {`
			`const { isAuthenticated, isLoading } = useAuth();`
			`if (isLoading) return null;`
			`if (!isAuthenticated) return <Navigate to="/login" replace />;`
			`return <>{children}</>;`
			`}`

Changes 2026-01-06 15:33:03 +00:00			`function AppRoutes() {`
			`return (`
			`<AuthProvider>`
			`<Routes>`
			`{/* Index redirect */}`
			`<Route path="/" element={<Index />} />`

			`{/* Public routes */}`
			`<Route element={<PublicLayout />}>`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`<Route path="/login" element={<GuestRoute><LoginPage /></GuestRoute>} />`
Changes 2026-01-06 15:33:03 +00:00			`<Route path="/register" element={<RegisterPage />} />`
			`<Route path="/verify-email" element={<VerifyEmailPage />} />`
			`<Route path="/forgot-password" element={<ForgotPasswordPage />} />`
			`<Route path="/reset-password" element={<ResetPasswordPage />} />`
			`<Route path="/invite" element={<InviteAcceptPage />} />`
			`<Route path="/consent" element={<OIDCConsentPage />} />`
			`<Route path="/error" element={<OIDCErrorPage />} />`
can link google accounts! 2026-01-20 15:54:11 +10:30			`<Route path="/oauth/callback" element={<OAuthCallbackPage />} />`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`<Route path="/activate" element={<ActivatePage />} />`
Feat(Fix): User & Org Setup Initial (Invite + Create on own) & Chore: UI 2026-03-01 20:11:22 +05:45			`{/* Org-setup uses the same full-screen centred layout as auth pages,`
			`but requires a valid session token (RequireAuth guard below). */}`
			`<Route path="/org-setup" element={<RequireAuth><OrgSetupPage /></RequireAuth>} />`
Changes 2026-01-06 15:33:03 +00:00			`</Route>`

enabled policies 2026-01-16 17:31:25 +10:30			`{/* Protected routes - handles auth and MFA enforcement */}`
			`<Route element={<ProtectedLayout />}>`
Changes 2026-01-06 15:33:03 +00:00			`{/* User routes */}`
			`<Route path="/profile" element={<ProfilePage />} />`
			`<Route path="/security" element={<SecurityPage />} />`
			`<Route path="/linked-accounts" element={<LinkedAccountsPage />} />`
			`<Route path="/activity" element={<ActivityPage />} />`
Feat(Fix): SSH Keys-Expiry+Log; Department+Principal Link; CA Keys mgmt; 2026-02-28 23:35:32 +05:45			`<Route path="/ssh-keys" element={<SSHKeysPage />} />`
Changes 2026-01-06 15:33:03 +00:00
Feat: RBAC, Keys Extension, Invites 2026-03-01 16:50:19 +05:45			`{/* Organization routes — org members: overview + own memberships only */}`
			`<Route path="/org" element={<RequireOrgMember><OrgOverviewPage /></RequireOrgMember>} />`
			`<Route path="/org/my-memberships" element={<RequireOrgMember><MyMembershipsPage /></RequireOrgMember>} />`

			`{/* Organization management routes — org admins/owners only */}`
			`<Route path="/org/members" element={<RequireAdmin><MembersPage /></RequireAdmin>} />`
			`<Route path="/org/departments" element={<RequireAdmin><DepartmentsPage /></RequireAdmin>} />`
			`<Route path="/org/principals" element={<RequireAdmin><PrincipalsPage /></RequireAdmin>} />`
			`<Route path="/org/policies" element={<RequireAdmin><PoliciesPage /></RequireAdmin>} />`
			`<Route path="/org/policies/compliance" element={<RequireAdmin><CompliancePage /></RequireAdmin>} />`
			`<Route path="/org/audit" element={<RequireAdmin><OrgAuditPage /></RequireAdmin>} />`
			`<Route path="/org/clients" element={<RequireAdmin><OIDCClientsPage /></RequireAdmin>} />`
			`<Route path="/org/cas" element={<RequireAdmin><CAsPage /></RequireAdmin>} />`

			`{/* Admin routes — org admin/owner only */}`
			`<Route path="/admin/audit" element={<RequireAdmin><SystemAuditPage /></RequireAdmin>} />`
			`<Route path="/admin/users" element={<RequireAdmin><AdminUsersPage /></RequireAdmin>} />`
			`<Route path="/admin/oauth" element={<RequireAdmin><OAuthProvidersPage /></RequireAdmin>} />`
Changes 2026-01-06 15:33:03 +00:00			`</Route>`

			`{/* Catch-all */}`
			`<Route path="*" element={<NotFound />} />`
			`</Routes>`
Changes 2026-01-06 15:39:14 +00:00
			`{/* Dev tools - only shown in development */}`
			`<ApiDevTools />`
Changes 2026-01-06 15:33:03 +00:00			`</AuthProvider>`
			`);`
			`}`

template: new_style_vite_react_shadcn_ts 2025-01-01 00:00:00 +00:00			`export default App;`