Adds a new support_copilot app type for deploying agents across external
tools and support platforms (e.g. browser extensions, helpdesks). The
app authenticates end-users via the existing OAuth 2.1 provider using
asymmetric JWTs validated via JWKS.

Backend (agents-api, agents-core):
- New SupportCopilotConfig schema with credentialReferenceIds
- tryOAuthSupportCopilotAuth: JWKS-verified JWT flow with azp, tenant,
  and SpiceDB canUseProjectStrict checks
- OAuth JWT path added to manageAuth (priority #3, JWT-only — opaque
  tokens are not issued by this flow)
- GET /manage/tenants/:tenantId/apps for cross-project app discovery
  (used by the copilot BFF to resolve its app_id per tenant)
- COPILOT_OAUTH_CLIENT_ID env var for azp validation

UI (agents-manage-ui):
- Support Copilot option in New App dropdown (double-gated:
  PUBLIC_IS_INKEEP_CLOUD_DEPLOYMENT=true AND org has
  feature:support_copilot entitlement with maxValue > 0)
- CredentialMultiSelect component for picking credential references
- Default agent and credential pickers in create/update forms
- Orange badge for support_copilot in the apps table

Tooling:
- scripts/setup-oauth-client.ts — creates the OAuth client for the
  copilot BFF. Supports --print-only for safe prod bootstrap
  (no .env write).

Tests: 15 new unit tests (tryOAuthSupportCopilotAuth, manage OAuth JWT
path, tenant apps route). Full agents-api suite: 2362 passed.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* feat: add support_copilot app type with OAuth 2.1 JWT auth

Adds a new support_copilot app type for deploying agents across external
tools and support platforms (e.g. browser extensions, helpdesks). The
app authenticates end-users via the existing OAuth 2.1 provider using
asymmetric JWTs validated via JWKS.

Backend (agents-api, agents-core):
- New SupportCopilotConfig schema with credentialReferenceIds
- tryOAuthSupportCopilotAuth: JWKS-verified JWT flow with azp, tenant,
  and SpiceDB canUseProjectStrict checks
- OAuth JWT path added to manageAuth (priority #3, JWT-only — opaque
  tokens are not issued by this flow)
- GET /manage/tenants/:tenantId/apps for cross-project app discovery
  (used by the copilot BFF to resolve its app_id per tenant)
- COPILOT_OAUTH_CLIENT_ID env var for azp validation

UI (agents-manage-ui):
- Support Copilot option in New App dropdown (double-gated:
  PUBLIC_IS_INKEEP_CLOUD_DEPLOYMENT=true AND org has
  feature:support_copilot entitlement with maxValue > 0)
- CredentialMultiSelect component for picking credential references
- Default agent and credential pickers in create/update forms
- Orange badge for support_copilot in the apps table

Tooling:
- scripts/setup-oauth-client.ts — creates the OAuth client for the
  copilot BFF. Supports --print-only for safe prod bootstrap
  (no .env write).

Tests: 15 new unit tests (tryOAuthSupportCopilotAuth, manage OAuth JWT
path, tenant apps route). Full agents-api suite: 2362 passed.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

* fix(oauth): tighten OAuth JWT auth based on review feedback

- Disable OAuth JWT auth entirely when COPILOT_OAUTH_CLIENT_ID is unset
  (previously the azp check was skipped silently, which could allow JWTs
  issued to other OAuth clients on the same provider to authenticate)
- Require tenantId claim on support_copilot JWTs (was optional before)
- Validate issuer (iss) claim in jwtVerify as defense-in-depth
- Extract JWKS singleton to shared lazy-initialized util
  (src/utils/oauthJwks.ts) to remove duplication across middleware
- Add commonGetErrorResponses to tenantApps route for consistency
- Fix support_copilot missing from type cast in apps list handler
- Add aria-hidden to decorative icons in CredentialMultiSelect

Tests: new coverage for the unconfigured env var and missing-tenantId
paths. Full agents-api suite: 2365 passed.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>

…nal messages

- Context window (pullfrog #2, load-bearing): getModelContextWindow() was
  called without args and always returned the 120K default, so the 30%
  oversized threshold was hardcoded at ~36K regardless of the actual
  model. Added currentModelSettings to AgentRunContext, stashed after
  configureModelSettings, and read lazily inside toModelOutput.
- Compression prompt (pullfrog #4, load-bearing): buildCompressPrompt
  only kept role==='system' messages, dropping the original user query
  and conversation-history prefix. Now takes originalMessageCount and
  preserves messages.slice(0, originalMessageCount) as the prefix —
  matching the pre-middleware handlePrepareStepCompression behavior.
- Async-iterator fallback (pullfrog #1): replaced the unsound
  `as unknown as AsyncIterator` cast with a proper Reader → iterator
  adapter so the dead branch is safe if ever triggered.
- Middleware spec-version comment (pullfrog #5): documented which
  @ai-sdk/provider versions the wrapGenerate/wrapStream contract was
  verified against.
- JSON round-trip (pullfrog #3): kept as-is. The round-trip is not a
  no-op — it launders `unknown` tool args through JSONValue and strips
  non-JSON types. Added a comment explaining this.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>