Microsoft Entra SSO replaces email login; system LLM keys make models available for all users
Two changes in one commit: email/password auth is out, Microsoft Entra OAuth is in, and a new `/system/llm-providers` endpoint lets users without personal API keys use whatever models the deployment has configured at the environment level.
Commit 97c30c2 deletes frontend/src/app/signup/page.tsx (281 lines) on the assumption users are provisioned via Entra, adds /auth/callback/page.tsx to handle the OAuth code exchange, and wires in a new backend/src/routes/system.ts router that exposes a single authenticated endpoint: GET /system/llm-providers. That endpoint returns { claude: bool, gemini: bool } based on whether ANTHROPIC_API_KEY and GEMINI_API_KEY are set in the server environment. UserProfileContext fetches it once on auth and threads systemProviders through isModelAvailable, so the model selectors in ChatInput, ModelToggle, TRChatPanel, TabularReviewView, and the account models page all light up correctly when a system key covers the gap.
Commit 37d9bbd is a one-liner: switching the Supabase client to PKCE flow in frontend/src/lib/supabase.ts. Supabase-js v2 defaults to implicit (token in URL fragment), which doesn't work with the new callback handler that expects a query-string code. PKCE is also the more secure choice regardless.
These two pieces pull apart cleanly. The system-provider fallback in routes/system.ts and the UserProfileContext / isModelAvailable plumbing are self-contained and don't depend on Entra. The SSO half is opinionated - it deletes the signup page and assumes an external directory manages user accounts.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?