PRG-02: Auth & URL bundle (from #328 #336 #337 #335 #329)

[nap-liu]

This regrouped PR combines the original changes from:\n- #328 fix-unbound-user-login\n- #336 unified-url-resolution\n- #337 generic-oauth2-sso\n- #335 agent-prompt-base-url\n- #329 redis-token-cache\n\nScope: authentication flow, URL normalization, and auth cache behavior.

[wisdomqin]

Thanks for regrouping these changes. The areas covered here are important, but this PR is too broad to review or merge safely as-is, especially because it touches authentication, tenant/domain routing, SSO callbacks, migrations, and token caching at the same time. GitHub also currently reports this PR as not mergeable.

Please split this into smaller focused PRs before we continue review. Suggested split:

1. Tenant domain fields and Alembic migrations only
2. Domain/base URL resolution behavior only
3. Generic OAuth2 SSO support only
4. Redis-backed token cache only
5. Frontend configuration UI/i18n updates only, paired with the backend PR they depend on

A few concrete blockers I noticed:

1. The Alembic chain appears to branch from d9cbd43b62e5, which is not the current migration head path. Please rebase and attach any new migrations to the current correct head to avoid creating multiple Alembic heads.

2. The new /tenants/resolve-by-domain logic appears to compare Tenant.sso_domain directly against a hostname. Existing sso_domain values are stored as full URLs such as https://acme.example.com, so this can break existing custom-domain resolution.

3. The new domain fallback behavior can return a tenant by slug or default tenant even when the incoming domain was not explicitly configured. That is risky for tenant isolation and should be reviewed separately with clear routing rules and tests.

4. The login change that allows tenant_id=None users through a dedicated tenant login flow needs a separate review. The intended unbound-user setup flow is valid, but we need to ensure it cannot bypass the selected tenant or allow accidental self-creation under the wrong context.

5. The generic OAuth2 provider is a substantial feature by itself. It should be reviewed separately with tests for authorization URL generation, callback handling, field mapping, userinfo failure fallback, and tenant-scoped provider lookup.

6. The token-cache changes affect Teams, Feishu, WeCom, and DingTalk org sync. That is operationally sensitive and should be a separate PR with explicit Redis-unavailable fallback behavior and cache-key isolation checks.

Could you rebase this branch, split it into focused PRs, and start with the lowest-risk piece first? That will make it much easier for us to review and merge safely.

[nap-liu]

Thanks for the review. The changes in this bundle already exist as focused, independent PRs. I've verified all five now merge cleanly against the current upstream/main, both individually and in sequence:

• refactor: migrate in-memory token caches to Redis with memory fallback #329 — Redis token cache
• fix: allow unbound users (tenant_id=None) to pass tenant-scoped login #328 — unbound user login
• feat: inject platform base_url into agent system prompt and webhook URLs #335 — platform base_url injection
• feat: add generic OAuth2 SSO login with configurable field mapping #337 — generic OAuth2 SSO
• feat: unified URL resolution with 5-level fallback chain and multi-tenant subdomain support #336 — URL resolution (just rebased onto latest main; now MERGEABLE, Alembic dual-head fixed)

Could we shift review back to the individual PRs? I'll drive each one separately per your suggested split. Happy to keep this bundle open for reference or close it if you'd rather consolidate review threads.