poc(flutter): web stability, simulation tests & docs (#29)

[cemal-yilmaz-bt]

Closes #29

Summary

Follow-ups after the first merge slice of Flutter PoC parity (#28).

• Web: OAuth callback ordering, single-tab login, deferred callback + refreshStatus, Keycloak webOrigins + auth code lifetime, profile run_web.sh, in-memory storage on web (ContextStore identity)
• Platform: Flutter web/ scaffold
• Simulation/Mock sheet: Gemini/Sourcery review fixes (&&/|| precedence, duplicate header, timeouts, result coloring)
• Tests: poc/flutter-poc/test/poc_simulation_test.dart + fetch client injection helpers
• Docs: docs/dart-parity.md, docs/poc-guide.md, docs/poc/simulation.md, docs/README.md

Verification

• dart analyze / dart test: morph_core (representative Dart package touched transitively via PoC deps)
• flutter test in poc/flutter-poc: 16 passing

Made with Cursor

Summary by Sourcery

Add a richer, provider-grouped Flutter PoC home screen with web OAuth handling, mock API tools, and JSON-driven simulation, while aligning docs and scripts around Flutter web usage.

New Features:

• Add JSON-driven simulation engine and UI panel to run and visualize PoC scenarios from poc-simulation.json.
• Introduce mock API bottom sheet combining predefined steps, result display, and HTTP trace log.
• Add provider config sheet to inspect Morph provider metadata from the Flutter app.
• Add Flutter web scaffold (web index/manifest) and a run_web.sh script to launch Keycloak, mock API, and Flutter web together.

Enhancements:

• Refactor the Flutter PoC home screen to group token status by provider, derive per-row actions from grant hints, and support token exchange selection.
• Adjust OAuth handling to support single-tab web flows and process web callbacks safely after UI initialization, with a public refreshStatus entrypoint.
• Update Morph initialization to choose in-memory storage on web, keep ContextStore for native platforms, and centralize mock API host selection.
• Improve token status card styling and layout to integrate into provider sections.

Documentation:

• Expand PoC guide and dart parity docs with Flutter PoC parity details, web OAuth/CORS notes, storage behavior, and simulation executor description.
• Update docs README to highlight Dart/Flutter parity status and backlog context.

Tests:

• Add poc_simulation_test.dart covering parsing, session-dead detection, HTTP fetch execution, and asset loading for the simulation engine.
• Add a minimal widget_test to keep the Flutter test harness wired up.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6a995ecf-0fcf-4eae-8ca3-c933e4d7f606

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/issue-27-flutter-poc-parity

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Reviewer's Guide

Adds Flutter web support and a JSON-driven simulation UI to the Flutter PoC, reworking OAuth callback handling, storage strategy, and the home screen UI while documenting the Dart parity and PoC behavior.

Sequence diagram for web OAuth callback handling in the Flutter PoC

sequenceDiagram
    actor User
    participant Browser
    participant Flutter_main as Flutter_main
    participant MorphPocAppState
    participant MorphClient
    participant HomeScreenState
    participant Keycloak

    User->>Browser: Tap Login (2fa)
    Browser->>Keycloak: Open authorization_url(morph-auth/2fa)
    Keycloak-->>Browser: Redirect http://localhost:4200/?code&state

    Browser->>Flutter_main: Load app at Uri.base
    Flutter_main->>Flutter_main: _captureWebOAuthParams()
    note right of Flutter_main: Extract code,state
    Flutter_main->>MorphClient: initMorph()
    MorphClient-->>Flutter_main: MorphClient instance

    Flutter_main->>MorphPocAppState: runApp(pendingOAuth)
    MorphPocAppState->>MorphPocAppState: initState()
    alt kIsWeb and pendingOAuth != null
        MorphPocAppState->>MorphPocAppState: _processPendingWebOAuth()
        MorphPocAppState->>MorphClient: completeOAuthCallback(code,state)
        MorphClient-->>MorphPocAppState: OAuthResult(status,message)
        MorphPocAppState->>MorphPocAppState: setState(pendingOAuthMessage)
        MorphPocAppState->>HomeScreenState: refreshStatus()
        HomeScreenState->>MorphClient: getTokenStatus()
        MorphClient-->>HomeScreenState: List<MorphTokenStatus>
        HomeScreenState->>HomeScreenState: setState(_tokenStatus)
    end

Loading

Class diagram for simulation, mock API, and updated home screen structure

classDiagram
    class PocSimStep {
        <<sealed>>
        +String label
    }

    class PocSimFetchStep {
        +String label
        +String path
        +int expectStatus
        +bool skipInAutoSim
        +PocSimFetchStep(String label, String path, int expectStatus, bool skipInAutoSim)
    }

    class PocSimHostStep {
        +String label
        +String hostKey
        +String method
        +String path
        +String auth
        +Object body
        +Map~String,String~ headers
        +bool skipInAutoSim
        +PocSimHostStep(String label, String hostKey, String method, String path, String auth, Object body, Map~String,String~ headers, bool skipInAutoSim)
    }

    class PocSimLogoutStep {
        +String label
        +String providerKey
        +PocSimLogoutStep(String label, String providerKey)
    }

    PocSimStep <|-- PocSimFetchStep
    PocSimStep <|-- PocSimHostStep
    PocSimStep <|-- PocSimLogoutStep

    class PocSimStepResult {
        +String label
        +Object status
        +String detail
        +Object body
        +bool isError()
        +PocSimStepResult(String label, Object status, String detail, Object body)
    }

    class PocSimulationConfig {
        +String mockApiBaseUrl
        +List~PocSimStep~ steps
        +List~String~ sessionDeadAuthIds
        +String sessionDeadMessage
        +PocSimulationConfig(String mockApiBaseUrl, List~PocSimStep~ steps, List~String~ sessionDeadAuthIds, String sessionDeadMessage)
    }

    PocSimulationConfig --> PocSimStep : contains

    class PocSimulationFunctions {
        +PocSimulationConfig loadPocSimulation(String mockApiBase)
        +PocSimulationConfig parsePocSimulationJson(String raw, String mockApiFallback)
        +PocSimStepResult runPocSimStep(MorphClient morph, PocSimulationConfig cfg, PocSimStep step)
        +PocSimStepResult runPocSimFetchForTesting(PocSimFetchStep step, String mockApiBase, http.Client httpClient)
        +bool isPocSessionDeadStop(PocSimStepResult result, PocSimStep step, List~String~ sessionDeadAuthIds)
    }

    PocSimulationFunctions --> PocSimulationConfig
    PocSimulationFunctions --> PocSimStepResult
    PocSimulationFunctions --> PocSimStep

    class SimulationPanel {
        +MorphClient morph
        +PocSimulationConfig cfg
        +VoidCallback onStatusChanged
    }

    class _SimulationPanelState {
        -bool _running
        -bool _probe404Enabled
        -List~PocSimStepResult~ _results
        -String _sessionDeadMessage
        +List~PocSimStep~ get _autoSteps()
        +Future~void~ _runAll()
        +Widget build(BuildContext context)
    }

    SimulationPanel --> _SimulationPanelState : creates
    _SimulationPanelState --> PocSimulationConfig
    _SimulationPanelState --> PocSimStepResult
    _SimulationPanelState --> PocSimulationFunctions

    class MockApiSheet {
        +MorphClient morph
        +PocSimulationConfig cfg
    }

    class _MockApiSheetState {
        -bool _busy
        -String _message
        -bool _lastIsError
        -Object _lastBody
        +Future~void~ _run(PocSimStep step)
        +Widget build(BuildContext context)
    }

    MockApiSheet --> _MockApiSheetState : creates
    _MockApiSheetState --> PocSimulationConfig
    _MockApiSheetState --> PocSimStepResult

    class ProviderConfigSheet {
        +MorphClient morph
        +String providerKey
        +Widget build(BuildContext context)
    }

    ProviderConfigSheet --> MorphClient : uses

    class HomeScreen {
        +MorphClient morph
        +State createState()
    }

    class HomeScreenState {
        +List~MorphTokenStatus~ _tokenStatus
        +String _message
        +bool _busy
        +PocSimulationConfig _simCfg
        +Future~void~ refreshStatus()
        +Future~void~ _init()
        +List~_ContextAction~ _actionsForRow(MorphTokenStatus row)
        +Future~void~ _runAcquire(String authId)
        +Future~void~ _startLogin()
        +Future~void~ _runLogout(String authId)
        +Future~void~ _runExchange(String sourceAuthId, String targetAuthId)
        +void _openMockApi()
        +void _openProviderConfig(String providerKey)
        +Map~String,List~MorphTokenStatus~~ get _byProvider
        +Widget build(BuildContext context)
    }

    HomeScreen --> HomeScreenState : creates
    HomeScreenState --> MorphClient
    HomeScreenState --> PocSimulationConfig
    HomeScreenState --> SimulationPanel
    HomeScreenState --> MockApiSheet
    HomeScreenState --> ProviderConfigSheet

    class _ProviderSection {
        +String providerKey
        +List~MorphTokenStatus~ rows
        +bool busy
        +MorphClient morph
        +List~_ContextAction~ Function(MorphTokenStatus) actionsForRow
        +Future~void~ Function(String,String) onExchange
        +VoidCallback onConfigTap
        +void Function(MorphTokenStatus) onJwtTap
    }

    class _ProviderSectionState {
        -Map~String,String~ _exchangePick
        +void _syncExchangePicks()
        +Widget build(BuildContext context)
    }

    _ProviderSection --> _ProviderSectionState : creates
    _ProviderSectionState --> _ProviderSection

    class _ExchangeRow {
        +String targetAuthId
        +List~String~ sources
        +String picked
        +bool busy
        +void Function(String) onPickChanged
        +VoidCallback onExchange
        +Widget build(BuildContext context)
    }

    class _ContextAction {
        +String label
        +VoidCallback onPressed
        +bool danger
        +String tooltip
    }

    class _SmallButton {
        +String label
        +VoidCallback onPressed
        +bool danger
        +String tooltip
        +Widget build(BuildContext context)
    }

    HomeScreenState --> _ProviderSection
    HomeScreenState --> _ContextAction
    _ProviderSectionState --> _ExchangeRow
    _ExchangeRow --> _SmallButton

Loading

Architecture flow diagram for platform-specific storage and mock API configuration

flowchart TD
    A_initMorph[initMorph]
    A_initMorph --> B_detectPlatform[kIsWeb and defaultTargetPlatform]

    B_detectPlatform --> C_webBranch{kIsWeb}

    C_webBranch -->|true| D_webStorage[memoryStorageMorphPlugin]
    D_webStorage --> D1_noteWebStorage[Tokens in memory only\nSession scoped to JS heap]

    C_webBranch -->|false| E_nativeTryContextStore[ContextStore.create]
    E_nativeTryContextStore --> F_nativeSuccess{success?}

    F_nativeSuccess -->|yes| G_contextStorePlugin[contextStoreStoragePlugin]
    G_contextStorePlugin --> G1_noteNativeStorage[Persistent storage via ContextStore]

    F_nativeSuccess -->|no| H_fallbackMemory[memoryStorageMorphPlugin]
    H_fallbackMemory --> H1_noteFallback[Fallback when ContextStore init fails]

    %% MorphOptions wiring
    D_webStorage --> I_buildMorphOptions[MorphOptions\nwith storagePlugin]
    G_contextStorePlugin --> I_buildMorphOptions
    H_fallbackMemory --> I_buildMorphOptions
    I_buildMorphOptions --> J_createMorphClient[MorphClient.create]

    %% Mock API base resolution
    A_initMorph --> K_getMockApiBase[getMockApiBase]
    K_getMockApiBase --> L_androidCheck{platform == android and !kIsWeb}
    L_androidCheck -->|yes| M_androidHost[host = 10.0.2.2]
    L_androidCheck -->|no| N_otherHost[host = localhost]
    M_androidHost --> O_mockApiBase[mockApi.baseUrl = http://host:3000]
    N_otherHost --> O_mockApiBase

Loading

File-Level Changes

Change	Details	Files
Refactor HomeScreen to support provider-grouped status, dynamic per-row auth actions, and a simulation panel driven by JSON-configured steps.	Rename internal HomeScreen state to HomeScreenState and expose a refreshStatus() method for external OAuth-driven refreshes. Replace direct MorphRuntime usage with MorphClient.auth(...) helpers and add structured logging around token status refresh. Introduce provider grouping, per-row action generation based on grantHint, and a new _ProviderSection widget that renders TokenStatusCard rows, small action buttons, and exchange dropdowns. Replace the old hard-coded action buttons and inline HTTP trace section with a Mock API sheet launcher and an embedded SimulationPanel wired to the simulation config.	poc/flutter-poc/lib/screens/home_screen.dart poc/flutter-poc/lib/widgets/token_status_card.dart poc/flutter-poc/lib/widgets/simulation_panel.dart poc/flutter-poc/lib/widgets/mock_api_sheet.dart poc/flutter-poc/lib/widgets/provider_config_sheet.dart
Harden OAuth callback handling and platform-specific configuration for Flutter web vs native, including storage selection and callback URIs.	Capture web OAuth query parameters synchronously from Uri.base before runApp, then process them after the UI mounts via MorphPocApp using completeOAuthCallback. Use a GlobalKey to let the app-level widget notify HomeScreenState to refresh token status after OAuth completes. Introduce platform helpers for mock API host resolution and a separate kWebOAuthCallbackUri, and switch oauthCallbackUri config to choose between HTTP and custom-scheme callbacks based on kIsWeb. Change storage plugin selection to use in-memory storage on web and ContextStore on native, logging the chosen backend and falling back to memory if ContextStore init fails.	poc/flutter-poc/lib/main.dart poc/flutter-poc/lib/morph_init.dart
Implement a JSON-driven simulation engine and tests that mirror the TS/Vue PoC behavior for mock API and host-based flows.	Define sealed PocSimStep variants (fetch, host, logout_provider), a PocSimulationConfig, and PocSimStepResult with an isError helper. Add parsePocSimulationJson and loadPocSimulation to load assets/poc-simulation.json, including conditional blocks and sessionDeadCheck authIds/message. Implement runPocSimStep and helpers that execute HTTP fetches via package:http, MorphRuntime.http.hostFetch, and MorphClient.auth(...).logout, with sentinel status codes for NET, ERR, and AUTH. Add a comprehensive test suite covering JSON parsing, error classification, session-dead detection logic, mocked HTTP behavior, and loading the real asset file.	poc/flutter-poc/lib/poc_simulation.dart poc/flutter-poc/test/poc_simulation_test.dart poc/flutter-poc/test/widget_test.dart poc/flutter-poc/pubspec.yaml poc/flutter-poc/pubspec.lock poc/flutter-poc/assets/poc-simulation.json
Add Flutter web scaffolding and a convenience script to run the full PoC stack (Keycloak, mock API, Flutter web).	Introduce web/index.html and web/manifest.json for the Flutter web target with standard bootstrap and PWA metadata. Add run_web.sh to start Keycloak via docker compose, the Node-based mock API, and flutter run on Chrome with appropriate ports and Dart defines, including profile/debug selection and cleanup. Wire the simulation asset into the Flutter app via pubspec assets and ensure http dependency is available for fetch steps.	poc/flutter-poc/web/index.html poc/flutter-poc/web/manifest.json poc/flutter-poc/run_web.sh poc/flutter-poc/pubspec.yaml poc/flutter-poc/pubspec.lock
Update documentation to describe the Flutter PoC parity, simulation behavior, and CI / backlog context.	Add a Flutter PoC section to poc-guide.md detailing run_web.sh usage, OAuth web behavior, CORS requirements, storage strategy, simulation UI, and tests. Expand dart-parity.md with a detailed Flutter PoC parity row, storage behavior notes for web vs non-web, CI coverage notes, and backlog issue references. Document the Flutter simulation executor in docs/poc/simulation.md, including step types, session-dead semantics, and tests, and adjust docs/README.md to mention Flutter PoC parity. Ensure placeholders/tests are described and cross-referenced in docs to align with the new PoC behavior.	docs/poc-guide.md docs/dart-parity.md docs/poc/simulation.md docs/README.md

Possibly linked issues

• feat(poc): Flutter POC feature parity with TS Vue POC #28: PR delivers the issue’s requested web OAuth stability, web storage split, simulation runner fixes, tests, and documentation updates.
• #N/A: PR delivers the simulation, mock API, provider config, and home refactor features defined in the Flutter parity issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Code Review

This pull request significantly enhances the Flutter PoC to achieve feature parity with the TypeScript implementation. Key changes include the introduction of a JSON-driven simulation executor, improved OAuth handling for web platforms (including synchronous parameter capture and CORS updates), and a refactored UI that groups token statuses by provider with dynamic actions. Feedback focuses on improving encapsulation by using public APIs, addressing a fragile error-matching heuristic in the simulation logic, and correcting an ineffective error-handling pattern in the UI rendering logic.

I am having trouble creating individual review comments. Click here to see my feedback.

poc/flutter-poc/lib/poc_simulation.dart (257-265)

Use the public MorphClient.host() API instead of accessing the internal runtime and http properties directly. This maintains better encapsulation and adheres to the intended SDK usage patterns.

    final res = await morph.host(step.hostKey).fetch<dynamic>(
      step.path,
      method: step.method,
      body: step.body != null ? jsonEncode(step.body) : null,
      auth: step.auth,
      headers: step.headers,
    );

poc/flutter-poc/lib/poc_simulation.dart (275-278)

This heuristic for identifying authentication errors is fragile as it relies on string matching against e.toString(). This can lead to false positives if these substrings appear elsewhere in the error message (e.g., in a URL or a different part of the stack trace). While acceptable for a PoC, consider implementing a more robust check using typed errors once they are available in the core SDK.

poc/flutter-poc/lib/screens/home_screen.dart (250-272)

The try-catch block here is ineffective for catching errors that occur during the rendering of _ProviderSection. In Flutter, errors during a widget's build phase are not caught by a try-catch surrounding its constructor. If the goal is to handle potential UI errors, consider using an ErrorWidget or handling errors within the _ProviderSection widget itself. Removing this block will also make the code cleaner.

                  return _ProviderSection(
                    providerKey: entry.key,
                    rows: entry.value,
                    busy: _busy,
                    morph: _morph,
                    actionsForRow: _actionsForRow,
                    onExchange: _runExchange,
                    onConfigTap: () => _openProviderConfig(entry.key),
                    onJwtTap: (s) => showModalBottomSheet(
                      context: context,
                      isScrollControlled: true,
                      builder: (_) => TokenClaimsSheet(status: s),
                    ),
                  );

[sourcery-ai]

Hey - I've left some high level feedback:

• The logic for deriving the mock API base host (Android emulator vs localhost) is duplicated between getMockApiBase() and _buildVariables(); consider routing _buildVariables() through getMockApiBase() (or a shared helper) so the behavior stays aligned in one place.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The logic for deriving the mock API base host (Android emulator vs localhost) is duplicated between `getMockApiBase()` and `_buildVariables()`; consider routing `_buildVariables()` through `getMockApiBase()` (or a shared helper) so the behavior stays aligned in one place.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}