fix(marketplace): send Bearer token on cloud-connection install/probe

[xuyushun441-sys]

Symptom

After SSO into a tenant environment, opening a marketplace package or clicking Install fails:

{"success":false,"error":{"code":"unauthenticated","message":"Sign in to this environment."}}

…even though the user is signed in (valid, non-expired session in the env DB).

Root cause

objectui authenticates with a Bearer token (better-auth; token in localStorage, normally injected on every /api/ call by createAuthenticatedFetch / createBearerFetch). The in-environment marketplace calls in marketplaceApi.ts use raw fetch() with credentials: 'include' and no Authorization header, so they bypass that wrapper and rely on the session cookie alone.

On a tenant runtime the env session cookie is not reliably presented after platform SSO, so the server route's resolveEnvSession (apps/objectos/cloud-runtime-plugins.ts) finds no session → 401.

Verified: the same server route returns 200 when the session is supplied as Authorization: Bearer <token> — so the server already accepts the Bearer; the client just wasn't sending it.

Fix

Inject the Bearer token (from @object-ui/auth TokenStorage) on the two same-origin cloud-connection calls — /install and /installation — via a small withEnvAuth() helper. credentials: 'include' is kept so the cookie still rides along when present.

Test plan

• CI typecheck/build
• After deploy: SSO into a tenant env → marketplace package page loads installed-state (no 401), Install succeeds
• Verified server-side that /api/v1/cloud-connection/installation returns 200 with Authorization: Bearer <session-token>

Deploy note

Reaching prod requires: merge → bump cloud/.objectui-sha to this commit → rebuild + deploy the objectos image.

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
objectui	Ignored		Jun 5, 2026 12:36pm

[github-actions]

✅ Console Performance Budget

Metric	Value	Budget
Main entry (gzip)	283.2 KB	350 KB
Entry file	index-DzjJ56pw.js	—
Status	PASS	—

---

📦 Bundle Size Report

Package	Size	Gzipped
app-shell (index.js)	5.75KB	2.02KB
app-shell (runtime-config.js)	4.29KB	1.54KB
app-shell (types.js)	0.01KB	0.04KB
auth (AuthContext.js)	0.31KB	0.24KB
auth (AuthGuard.js)	1.17KB	0.53KB
auth (AuthProvider.js)	17.16KB	3.44KB
auth (AuthShell.js)	3.49KB	1.40KB
auth (ForgotPasswordForm.js)	4.79KB	1.88KB
auth (LoginForm.js)	5.11KB	1.92KB
auth (PreviewBanner.js)	0.90KB	0.50KB
auth (RegisterForm.js)	6.63KB	2.15KB
auth (SocialSignInButtons.js)	8.89KB	3.61KB
auth (UserMenu.js)	3.40KB	1.22KB
auth (authStyles.js)	5.04KB	1.72KB
auth (createAuthClient.js)	22.29KB	5.30KB
auth (createAuthenticatedFetch.js)	3.33KB	1.32KB
auth (index.js)	1.75KB	0.76KB
auth (types.js)	0.59KB	0.35KB
auth (useAuth.js)	4.01KB	0.79KB
auth (useIsWorkspaceAdmin.js)	1.28KB	0.70KB
collaboration (CommentThread.js)	18.38KB	4.49KB
collaboration (LiveCursors.js)	3.17KB	1.27KB
collaboration (PresenceAvatars.js)	3.65KB	1.42KB
collaboration (PresenceProvider.js)	2.42KB	0.96KB
collaboration (index.js)	1.25KB	0.53KB
collaboration (useCommentSearch.js)	1.98KB	0.88KB
collaboration (useConflictResolution.js)	7.75KB	1.86KB
collaboration (useMentionNotifications.js)	1.81KB	0.68KB
collaboration (usePresence.js)	6.33KB	1.84KB
collaboration (useRealtimeSubscription.js)	7.91KB	2.01KB
components (index.js)	394.89KB	83.53KB
core (index.js)	1.45KB	0.54KB
create-plugin (index.js)	9.28KB	2.98KB
data-objectstack (index.js)	90.43KB	22.43KB
fields (index.js)	138.02KB	32.56KB
i18n (i18n.js)	4.32KB	1.77KB
i18n (index.js)	2.27KB	0.91KB
i18n (provider.js)	5.37KB	1.72KB
i18n (useObjectLabel.js)	18.42KB	4.30KB
i18n (useSafeTranslation.js)	1.63KB	0.57KB
layout (index.js)	36.05KB	9.94KB
mobile (MobileProvider.js)	0.92KB	0.49KB
mobile (ResponsiveContainer.js)	0.94KB	0.38KB
mobile (breakpoints.js)	1.51KB	0.70KB
mobile (createOfflineDataSource.js)	5.61KB	1.74KB
mobile (index.js)	1.50KB	0.62KB
mobile (offlineQueue.js)	3.91KB	1.35KB
mobile (pwa.js)	0.97KB	0.49KB
mobile (serviceWorker.js)	1.48KB	0.62KB
mobile (serviceWorkerSource.js)	3.41KB	1.48KB
mobile (useBreakpoint.js)	1.54KB	0.65KB
mobile (useGesture.js)	4.42KB	1.27KB
mobile (useOfflineSync.js)	1.99KB	0.72KB
mobile (usePullToRefresh.js)	2.53KB	0.85KB
mobile (useResponsive.js)	0.71KB	0.42KB
mobile (useResponsiveConfig.js)	1.36KB	0.63KB
mobile (useSpecGesture.js)	1.77KB	0.77KB
mobile (useTouchTarget.js)	1.01KB	0.54KB
permissions (MePermissionsProvider.js)	4.87KB	1.77KB
permissions (PermissionContext.js)	0.31KB	0.25KB
permissions (PermissionGuard.js)	0.89KB	0.45KB
permissions (PermissionProvider.js)	3.11KB	0.87KB
permissions (evaluator.js)	4.00KB	1.23KB
permissions (index.js)	0.91KB	0.41KB
permissions (store.js)	0.91KB	0.42KB
permissions (useFieldPermissions.js)	1.28KB	0.52KB
permissions (usePermissions.js)	1.42KB	0.68KB
plugin-ai (index.js)	15.71KB	3.79KB
plugin-calendar (index.js)	45.98KB	12.65KB
plugin-charts (index.js)	39.09KB	11.07KB
plugin-chatbot (index.js)	114.76KB	28.00KB
plugin-dashboard (index.js)	87.61KB	20.96KB
plugin-designer (index.js)	213.42KB	42.94KB
plugin-detail (index.js)	192.46KB	46.34KB
plugin-editor (index.js)	2.38KB	1.06KB
plugin-form (index.js)	64.24KB	14.79KB
plugin-gantt (index.js)	28.30KB	7.76KB
plugin-grid (index.js)	110.04KB	29.58KB
plugin-kanban (index.js)	48.82KB	13.13KB
plugin-list (index.js)	89.76KB	21.04KB
plugin-map (index.js)	16.02KB	4.98KB
plugin-markdown (index.js)	2.62KB	1.18KB
plugin-report (index.js)	129.03KB	28.39KB
plugin-timeline (index.js)	25.37KB	7.20KB
plugin-view (index.js)	140.77KB	28.99KB
plugin-workflow (index.js)	69.35KB	14.42KB
providers (DataSourceProvider.js)	0.75KB	0.39KB
providers (MetadataProvider.js)	1.37KB	0.59KB
providers (ThemeProvider.js)	1.55KB	0.67KB
providers (UploadProvider.js)	11.71KB	3.53KB
providers (index.js)	0.44KB	0.22KB
providers (types.js)	0.01KB	0.04KB
react (LazyPluginLoader.js)	3.77KB	1.33KB
react (SchemaRenderer.js)	14.98KB	4.84KB
react (index.js)	0.76KB	0.42KB
tenant (TenantContext.js)	0.31KB	0.25KB
tenant (TenantGuard.js)	1.04KB	0.43KB
tenant (TenantProvider.js)	2.76KB	0.98KB
tenant (TenantScopedQuery.js)	0.77KB	0.44KB
tenant (index.js)	0.75KB	0.38KB
tenant (resolver.js)	2.64KB	0.76KB
tenant (useTenant.js)	0.50KB	0.32KB
tenant (useTenantBranding.js)	0.62KB	0.39KB
types (ai.js)	0.20KB	0.17KB
types (api-types.js)	0.20KB	0.18KB
types (app.js)	2.87KB	0.99KB
types (base.js)	0.20KB	0.18KB
types (blocks.js)	0.20KB	0.18KB
types (complex.js)	0.20KB	0.18KB
types (crud.js)	0.20KB	0.18KB
types (data-display.js)	0.20KB	0.18KB
types (data-protocol.js)	0.20KB	0.19KB
types (data.js)	0.20KB	0.18KB
types (designer.js)	0.77KB	0.41KB
types (disclosure.js)	0.20KB	0.18KB
types (feedback.js)	0.20KB	0.18KB
types (field-types.js)	0.20KB	0.18KB
types (form.js)	0.20KB	0.18KB
types (index.js)	1.54KB	0.68KB
types (layout.js)	0.20KB	0.18KB
types (mobile.js)	0.20KB	0.18KB
types (navigation.js)	0.20KB	0.18KB
types (objectql.js)	0.20KB	0.18KB
types (overlay.js)	0.20KB	0.18KB
types (permissions.js)	0.20KB	0.18KB
types (plugin-scope.js)	0.20KB	0.18KB
types (record-components.js)	0.20KB	0.19KB
types (registry.js)	0.20KB	0.18KB
types (reports.js)	0.20KB	0.18KB
types (spec-report.js)	4.80KB	1.76KB
types (tenant.js)	0.20KB	0.18KB
types (theme.js)	0.20KB	0.18KB
types (ui-action.js)	0.75KB	0.46KB
types (views.js)	0.20KB	0.18KB
types (widget.js)	0.20KB	0.18KB
types (workflow.js)	0.20KB	0.18KB

Size Limits

• ✅ Core packages should be < 50KB gzipped
• ✅ Component packages should be < 100KB gzipped
• ⚠️ Plugin packages should be < 150KB gzipped