Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@alembic_osm/versions/9221408912dd_add_user_role_table.py`:
- Around line 47-61: The migration and ORM disagree: the Alembic migration
creates a column named user_auth_uid of type sa.Uuid(), while the SQLModel
WorkspaceUserRole declares auth_user_uid: str (no sa_column override), causing a
name/type mismatch and runtime errors; fix by making the physical table match
the model or vice‑versa — either (A) update the migration to rename
user_auth_uid -> auth_user_uid and change sa.Uuid() to sa.String() (and keep the
ForeignKeyConstraint(["auth_user_uid"], ["users.auth_uid"])) to match
WorkspaceUserRole, or (B) update the WorkspaceUserRole model to use a UUID type
and set sa_column or Field(..., foreign_key="users.auth_uid",
sa_column=Column("user_auth_uid", Uuid())) so the field name, DB column name and
type (Uuid) align with the migration; ensure the PK/foreign key definitions
reference the corrected column name.

In `@api/src/teams/repository.py`:
- Line 27: The code currently iterates result.all() and passes Row tuples into
WorkspaceTeamItem.from_team, which expects WorkspaceTeam instances; change the
call site to extract scalar model instances by using result.scalars().all() (the
same pattern used in get_members) so WorkspaceTeamItem.from_team receives
WorkspaceTeam objects from the async session.exec(select(...)) result.

---

Outside diff comments:
In `@alembic_task/env.py`:
- Around line 19-29: The auto-import loop using src_path.rglob(...) and
importlib.import_module(module_path) pulls in all models (including
WorkspaceLongQuest with __tablename__ = "workspaces_long_quests") causing
cross-DB inspection; restrict imports so alembic_task only loads task-bound
models by scoping the glob to a task-only subpackage or replacing the catch-all
loop with explicit imports, or filter modules after import by a marker (e.g.,
check for a __bind_key__ or module/package name) and skip modules that belong to
the OSM DB; update the import loop (module_path / importlib.import_module usage)
to only import or register task-bound models so workspaces_long_quests is not
seen by the task migration run.

In `@api/core/security.py`:
- Around line 190-194: The code uses blocking requests.get(authorizationUrl,
headers=headers) which will block the FastAPI event loop; replace it with an
async call: either (preferred) import httpx, make the surrounding function async
and use "async with httpx.AsyncClient() as client: response = await
client.get(authorizationUrl, headers=headers)" and keep the same status_code
check/raise of credentials_exception, or (minimal) wrap the existing call with
asyncio.to_thread: "response = await asyncio.to_thread(requests.get,
authorizationUrl, headers=headers)". Also add the necessary imports (httpx or
asyncio) and ensure the caller is awaited if you convert the function to async.
- Around line 196-200: Validate the parsed JSON before using it: after loading
response.text into j, ensure j is a list and each item is a dict containing the
keys 'tdei_project_group_id', 'project_group_name', and 'roles' with the
expected types (e.g., str for IDs/names and iterable for roles); if j is not a
list or any item is malformed, raise credentials_exception. Wrap the
access/iteration logic that assumes these keys (the code that consumes j) in a
simple guard or try/except catching TypeError/KeyError/ValueError and convert
those to credentials_exception so malformed-but-valid-JSON responses (e.g., null
or {}) produce a 401 instead of a 500; reference the variables response,
content, j and credentials_exception when making the changes.

In `@api/main.py`:
- Around line 96-102: Remove the unreachable `return` statements that follow
`raise HTTPException` in the authentication checks: locate the blocks that call
`current_user.isWorkspaceContributor(workspace_id)` (and any similar checks
using `current_user.isWorkspaceOwner`/contributors) and delete the `return`
lines immediately after the `raise HTTPException(...)` so control flow is
correct and there is no dead code left after the exception is thrown.
- Around line 116-131: Replace the unclosed httpx.AsyncClient usage with an
async context manager (use "async with httpx.AsyncClient(...) as client:"), move
client.build_request and rp_req creation inside that block so the client is
closed after use; when building new_headers only append the Authorization header
if request.headers.get("Authorization") is not None (avoid appending None), keep
the X-Workspace logic for authorizedWorkspace and ensure header values are
converted to bytes consistently (e.g., bytes(str(...), "utf-8")) and retain Host
as bytes(client.base_url.host, "utf-8").
- Line 91: The variable authorizedWorkspace is set to None and never assigned,
leaving the subsequent conditional checking if authorizedWorkspace is not None
as dead code; fix by either removing that unreachable block or assign the
workspace after validating workspace_id—e.g., after you parse/validate the
X-Workspace header, call repository.get_workspace(workspace_id) and set
authorizedWorkspace, then handle the case where repository returns None
(deny/return 403 or raise as appropriate); update any logic that depended on
authorizedWorkspace accordingly and ensure the authorization branch is
reachable.

---

Nitpick comments:
In `@api/core/security.py`:
- Around line 157-161: The code instantiates jwt.PyJWKClient inside the request
flow (jwks_client) causing its internal JWKS cache to be lost and
get_signing_key_from_jwt(token) to trigger synchronous HTTP calls on each
invocation; fix by creating a module-level singleton PyJWKClient (e.g.,
JWKS_CLIENT or jwks_client_singleton) initialized once at import time using
f"{settings.TDEI_OIDC_URL}realms/{settings.TDEI_OIDC_REALM}/protocol/openid-connect/certs"
and update the function that calls get_signing_key_from_jwt(token) to use that
singleton instead of re-instantiating, so the client’s cache is reused and
blocking fetches are minimized.
- Around line 122-141: The validate_token function currently logs cache hits
with logger.info which will be noisy; change the cache-hit log in validate_token
(where it checks _token_cache and currently calls logger.info("Token validation
cache hit")) to logger.debug("Token validation cache hit") so routine traffic
doesn't spam INFO logs; keep the existing _token_cache behavior (not changing
the caching semantics for revoked tokens) but you may add a short inline comment
near _token_cache usage to note the accepted one-hour revocation window if
desired.

In `@api/main.py`:
- Around line 73-76: AUTH_WHITELIST_PATHS is a list of raw regex strings that
are being recompiled on every request; fix by creating compiled regex objects at
module import (e.g. define AUTH_WHITELIST_REGEXES = [re.compile(p) for p in
AUTH_WHITELIST_PATHS]) and update the request-check site (where
any(re.search(... for ...)) is used) to iterate over AUTH_WHITELIST_REGEXES and
call regex.search(path) instead of re.search with strings so the patterns are
compiled once and reused.

In `@api/src/teams/repository.py`:
- Around line 68-69: Replace the runtime-only assert with an explicit guard:
check if team.id is None and raise a clear exception (e.g., ValueError or
RuntimeError) with a descriptive message instead of relying on assert; update
the code around the existing references to team.id (the lines with "assert
team.id is not None" and "return team.id") so callers never receive a None id
even when Python is run with -O.

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@api/src/teams/repository.py`:
- Line 27: The list comprehension in repository.py that returns
[WorkspaceTeamItem.from_team(x) for x in result.scalars().all()] is already
corrected to use result.scalars().all() and matches the pattern used elsewhere
(see the similar usage around line 85); no further changes are required—leave
WorkspaceTeamItem.from_team and the result.scalars().all() call as-is.

---

Nitpick comments:
In `@api/src/teams/repository.py`:
- Around line 79-80: The delete call for WorkspaceTeam uses await
self.session.execute(delete(WorkspaceTeam).where(WorkspaceTeam.id == id)) but
does not check the returned result's rowcount, so deleting a non-existent team
silently succeeds; update the method (the WorkspaceTeam delete path) to capture
the result from session.execute, check result.rowcount and raise
NotFoundException if rowcount != 1 (mirroring the behavior in
workspaces/repository.py's delete), then commit only after the check to maintain
consistent non-idempotent behavior.
- Line 68: Replace the runtime-unsafe assertion "assert team.id is not None"
with an explicit check that raises a clear exception (e.g., ValueError or
RuntimeError) when team.id is None; locate the check around the code handling
the Team instance (the occurrence of "team" and "team.id" in repository.py) and
change it to an if-statement that raises with a descriptive message like
"team.id must not be None" so the guard remains active in optimized Python runs.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@alembic_osm/versions/9221408912dd_add_user_role_table.py`:
- Around line 29-49: The downgrade path must mirror the upgrade
deterministically: remove the conditional probing logic and drop only the
objects this migration created unconditionally (or alternatively track creation
in a migration-local flag), so edit the migration to eliminate existence checks
around creating/dropping auth_uid_unique, workspace_role, and
user_workspace_roles; specifically remove use of constraint_exists and
insp.has_table gating in upgrade()/downgrade() and make downgrade() always drop
the "auth_uid_unique" constraint, the "workspace_role" enum type, and the
"user_workspace_roles" table (or add explicit creation flags if you prefer
tracking) so the upgrade/downgrade pair is reversible and deterministic.

In `@api/main.py`:
- Around line 56-60: The startup sequence initializes _osm_client and calls
init_tdei_client() before run_migrations(), and if run_migrations() raises the
lifespan never yields so resources remain open; wrap the startup block that
calls init_tdei_client() and any _osm_client initialization in a try/finally (or
try/except + cleanup) so that on any exception you call the appropriate
cleanup/close routines for _osm_client and the TDEI client (mirror whatever
shutdown logic exists) to ensure resources are released when startup fails.

---

Duplicate comments:
In `@alembic_osm/versions/9221408912dd_add_user_role_table.py`:
- Around line 47-63: The migration creates the table column as "user_auth_uid"
with sa.Uuid(), but the ORM/Repository model (WorkspaceUserRole) expects a
column named "auth_user_uid" with the model's type; update the op.create_table
call for "user_workspace_roles" to rename the column from user_auth_uid to
auth_user_uid and change its SQLAlchemy type to match the
WorkspaceUserRole.auth_user_uid field, update the ForeignKeyConstraint reference
if necessary (still pointing to users.auth_uid), and keep the
PrimaryKeyConstraint("auth_user_uid", "workspace_id") so the physical schema
matches the model mapping.