refactor: integration loader throws if unauthenticated client

[sea-grass]

This PR refactors the integration loader to perform an auth check when loading the content. It will throw an error (stopping the build) if the check is unsuccessful.

Also moves the integration mapping from the integration loader into the content config to keep content config in one place.

[greptile-apps]

Greptile Summary

This PR refactors the integration loader so it receives an injected Client and integrations map instead of building them internally, and adds an auth-check call (ensureClientAuthenticated) that fails the build on a 401. The integrations map moves from integrations.ts to content.config.ts, where the token check now throws at module load time rather than warning and returning.

• A debug console.log(JSON.stringify(w, null, 2)) was left inside ensureClientAuthenticated and will print workspace JSON on every build.
• The integration fetching loop changed from parallel Promise.all to a sequential for...in, which will noticeably increase build time across ~40 integrations.
• The module-level hard throw on a missing token is a deliberate behavior change but breaks any build environment (e.g. local dev) that previously relied on the graceful warn-and-skip path.

Confidence Score: 3/5

Not ready to merge — the debug console.log leaks response data on every build, and the sequential fetch loop will noticeably slow builds until fixed.

Two issues in the loader itself need to be addressed before this lands: a forgotten debug log that dumps workspace JSON to stdout unconditionally, and a regression from parallel to sequential integration fetching that will add meaningful latency to every build. The structural refactor (injected client, moved integrations map, auth-check before fetching) is otherwise clean and intentional.

src/bach/loaders/integrations.ts needs the most attention — the debug log and sequential fetch loop are both in that file.

Important Files Changed

Filename	Overview
src/bach/loaders/integrations.ts	Refactored to accept an injected Client and integrations map; adds an auth-check helper, but leaves a debug console.log in it and replaces parallel Promise.all with a sequential loop over ~40 integrations.
src/content.config.ts	Moves token check and Client construction to module level (hard-throw on missing token) and relocates the integrations map here; the structural change is clean but the fail-hard behavior affects all build environments.

Sequence Diagram

sequenceDiagram
    participant CC as content.config.ts
    participant IL as integrationsLoader
    participant ECA as ensureClientAuthenticated
    participant BP as Botpress API

    CC->>CC: Check BOTPRESS_API_TOKEN (throws if missing)
    CC->>CC: "new Client({ token })"
    CC->>IL: "integrationsLoader({ client, integrations })"

    Note over IL: During Astro build load()
    IL->>ECA: ensureClientAuthenticated(client)
    ECA->>BP: "listPublicWorkspaces({ pageSize: 0 })"
    alt 401 Unauthorized
        BP-->>ECA: "Error { code: 401 }"
        ECA-->>IL: throw not-authenticated Error
        IL-->>CC: Build fails
    else Other error
        BP-->>ECA: Error
        ECA-->>IL: re-throw
    else Success
        BP-->>ECA: workspace list
        ECA->>ECA: console.log(JSON.stringify(w))
        ECA-->>IL: return void
    end

    loop Sequential for...in
        IL->>BP: "getPublicIntegration({ name, version: latest })"
        alt Success
            BP-->>IL: integration data
            IL->>IL: "store.set({ id: slug, data })"
        else Error
            BP-->>IL: Error
            IL->>IL: logger.warn(...)
        end
    end

Loading

_{Reviews (1): Last reviewed commit: "comments" | Re-trigger Greptile}

[greptile-apps]

Debug console.log left in production code

ensureClientAuthenticated calls console.log(JSON.stringify(w, null, 2)) unconditionally, which dumps the full workspace API response as formatted JSON to stdout on every build. This is clearly a debug artifact — remove it before merging.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Sequential fetching replaces parallel — significant build slowdown

The original loader used Promise.all to fetch all integrations concurrently. The new loop processes each of the ~40 integrations one at a time. Each getPublicIntegration call involves a network round-trip, so this change could easily multiply build time by the number of integrations (e.g. 40 × 200 ms ≈ 8 s extra). Converting the loop back to Promise.all(Object.entries(integrations).map(...)) would restore the original performance.

[greptile-apps]

Hard module-level throw blocks all builds without a token

The previous loader gracefully degraded (warned and returned empty data) when BOTPRESS_API_TOKEN was absent. Throwing at module-load time means any environment — local development, preview deploys, CI jobs that build non-integration pages — will fail immediately rather than falling back to empty integration data. Is this the intended trade-off, or should there be a way to opt out of the hard failure for local dev? Was the intent to require the token in all build environments, or only in CI/production? The previous warn-and-skip behavior allowed local builds without the token.