feat(guard): show logged-in state on signup page with continue button (#661)

## 📝 Description

Modifies signup page to display "Continue to" button for logged-in users
instead of signup options, and includes comprehensive test coverage for
all signup scenarios.
Also adds AGENTS.md with repository guidelines for LLM agents.

Check [the issue](renderedtext/tasks#8782).

## ✅ Checklist
- [x] I have tested this change
- [x] ~This change requires documentation update~ N/A

Author: dexyk

guard/.sobelow-conf

@@ -1,7 +1,7 @@
 [
   verbose: false,
   private: false,
-  skip: false,
+  skip: true,
   router: "",
   exit: "false",
   format: "txt",

guard/AGENTS.md

@@ -0,0 +1,37 @@
+# Repository Guidelines
+
+## Project Structure & Module Organization
+- `lib/` hosts Guard application modules, supervisors, and generated gRPC clients in `lib/internal_api`; re-run `make pb.gen` after proto updates.
+- `config/` covers environment configs (`config/{dev,test,prod}.exs`) and runtime secrets; keep credentials in env vars, not source files.
+- `test/` mirrors `lib/` with ExUnit suites and helpers in `test/support`; service stubs and golden data live under `fixture/`.
+- `priv/`, `templates/`, and `assets/` hold persisted resources, mailer templates, and UI bundles, while `helm/` ships the deployment chart.
+
+## Getting Started & Triage
+- Review `DOCUMENTATION.md` for a high-level system map, component triage tips, and debugging entry points before you dive into specific change requests.
+- Keep that guide handy when diagnosing incidents or onboarding new contributors; it consolidates architecture, workflows, and configuration dependencies.
+
+## Build, Test, and Development Commands
+- `mix deps.get && mix compile` installs dependencies and ensures the code builds.
+- `make console.ex` opens `iex -S mix` inside the project container; use `console.bash` when you need a plain shell.
+- `make test.ex.setup` provisions Postgres, Redis, and RabbitMQ; run it once before the first test pass.
+- `make test.ex [FILE=...]` or `mix test` drives ExUnit; `mix test.watch` keeps a loop running during TDD.
+- `mix credo --strict`, `mix format`, and `mix sobelow --config .sobelow-conf` must pass before pushing.
+
+## Coding Style & Naming Conventions
+- Always run the Elixir formatter (2-space indentation, max 120 columns) and rely on `.formatter.exs` for the file list.
+- Modules stay in `CamelCase`, functions and variables in `snake_case`; generated protobuf code remains untouched.
+- Share helpers through `lib/guard/support` or `test/support`, and favour pattern matching plus small pure functions for clarity.
+
+## Testing Guidelines
+- Place ExUnit specs next to the code (`*_test.exs`) and organise scenarios with `describe` blocks.
+- Reuse factories, Mox doubles, and helpers from `test/support`; keep `fixture/` data deterministic and updated with contract changes.
+- Tag slow external calls with `@tag :integration`, supply skip guards, and document any required services in the PR.
+
+## Commit & Pull Request Guidelines
+- Follow the existing convention `type(guard): imperative summary (#ticket)` (example: `feat(guard): add team SSO (#660)`).
+- Keep commits focused; include migrations or protobuf updates alongside the change and flag remaining work explicitly.
+- Pull requests should explain motivation, list validation commands (`make test.ex`, `mix credo`), link Semaphore issues, and attach UI screenshots or config notes when relevant.
+
+## Security & Configuration Tips
+- Use the environment block in `Makefile` when running locally and override secrets through exported variables instead of committing changes.
+- Before merging, run `mix sobelow --config .sobelow-conf --exit` and review gRPC regen diffs for unintended data exposure.

guard/DOCUMENTATION.md

@@ -0,0 +1,43 @@
+# Guard Agent Playbook
+
+## Overview
+- `Guard` is an Elixir OTP application that fronts user auth, organization lifecycle, and git-provider integrations for Semaphore.
+- Primary entry point is `lib/guard/application.ex`; it wires repos, optional feature provider workers, GRPC servers, HTTP Plug endpoints, and Cachex caches based on `START_*` env flags.
+- Services expose GRPC APIs (port `50051`/`50052`) and HTTP endpoints (ports `4003`/`4004`) toggled by system env, so inspect those vars before enabling features locally.
+
+## Persistence & Data Shape
+- Three Ecto repos: `Guard.Repo`, `Guard.FrontRepo`, and `Guard.InstanceConfigRepo` (all configured via `config/config.exs`). Migrations live in `priv/repo/migrations` and `priv/front_repo/migrations`.
+- The main repo embeds schema modules inside `lib/guard/repo.ex` (Users, Collaborators, Projects, ProjectMembers, Suspensions) and additional data-layer logic resides under `lib/guard/store/`.
+- Cachex caches (`:ppl_cache`, `:feature_provider_cache`, `:config_cache`) are started conditionally; clear them in tests by dropping the Cachex tables if behaviour appears sticky.
+
+## Domain Map
+- `lib/guard/api/` contains external provider clients built with Tesla (`Guard.Api.Github`, `Guard.Api.Bitbucket`, `Guard.Api.Okta`, etc.).
+- `lib/guard/grpc_servers/` hosts GRPC server implementations; each wraps protobuf modules from `lib/internal_api/**`.
+- `lib/guard/id/`, `lib/guard/oidc/`, `lib/guard/authentication_token.ex`, and `lib/guard/session.ex` compose the HTTP identity endpoints.
+- `lib/guard/services/` contains background workers (RabbitMQ consumers, invalidators) supervised by the application.
+- `templates/` and `assets/` hold the minimal web UI for login/blocked flows; `priv/` contains persistent resources and embedded repos.
+
+## Local Workflows
+- Bootstrap: `mix deps.get && mix compile`.
+- Console work: `make console.ex` (starts `iex -S mix` inside the Docker toolchain), or `console.bash` when you need a raw shell.
+- Database bootstrap: `make test.ex.setup` (creates/migrates Postgres via docker-compose and seeds broker dependencies).
+- Tests: `make test.ex [FILE=path/to/test.exs]` or `mix test`; `mix test.watch` is available for TDD loops. CI uses `JUnitFormatter` (see `test/test_helper.exs`).
+- Quality gates: `mix format`, `mix credo --strict`, and `mix sobelow --config .sobelow-conf --exit`. Credo config lives in `.credo.exs`; formatter inputs are defined in `.formatter.exs`.
+- Regenerate protobufs after updating `renderedtext/internal_api` definitions with `make pb.gen` (requires Docker access and SSH credentials).
+
+## Testing Toolkit
+- Shared fixtures, factories, and Mox mocks live under `test/support/**`; use those instead of rolling bespoke stubs.
+- HTTP/service doubles sit in `test/fake` and `test/fixture`, while async scenarios reuse helpers in `test/support/wait.ex` and `test/support/concurrent_repo_case.ex`.
+- ExVCR is available for capturing HTTP interactions; prefer deterministic fixtures and keep cassettes under version control if used.
+
+## Configuration Notes
+- Base config is in `config/config.exs`; environment-specific overrides live in `config/{dev,test,prod}.exs` and `config/runtime.exs`.
+- Many behaviours hinge on env vars exported via the `Makefile` (e.g., `START_GRPC_*`, `START_FEATURE_PROVIDER`, `BASE_DOMAIN`, `AMQP_URL`). Override them in the shell instead of editing config files.
+- `docker-compose.yml` describes the dev stack (Elixir app + Postgres 9.6 + RabbitMQ + Adminer); ensure the local Docker daemon runs before invoking `make console.ex`.
+- Metrics use `watchman` (StatsD) with namespace `guard.<env>`, and Sentry logging is enabled in production.
+
+## Debugging Patterns
+- GRPC servers run under `GRPC.Server.Supervisor`; check logs on ports `50051`/`50052` if clients cannot connect.
+- RabbitMQ consumers (`Guard.Services.Organization*`) depend on `AMQP_URL`; missed events usually mean the queue wasn't configured in config or broker is down.
+- For OAuth/Git providers, secrets come from `Guard.GitProviderCredentials`; ensure appropriate vault/config entries exist when tokens cannot refresh.
+- `Guard.Migrator` offers helper functions for cross-repo migrations—search it when maintaining legacy data.

guard/config/config.exs

@@ -25,6 +25,7 @@ config :watchman,
 config :guard,
   projecthub_grpc_endpoint: "127.0.0.1:50052",
   organization_grpc_endpoint: "127.0.0.1:50052",
+  # sobelow_skip ["Config.Secrets"]
   secrethub_grpc_endpoint: "127.0.0.1:50052",
   pipeline_grpc_endpoint: "127.0.0.1:50052",
   repo_proxy_grpc_endpoint: "127.0.0.1:50052",

guard/docker-compose.yml

@@ -66,6 +66,8 @@ services:
 
     volumes:
       - .:/app
+      - /app/deps
+      - /app/_build
 
   db:
     image: postgres:9.6

guard/lib/guard/id/api.ex

@@ -139,29 +139,30 @@ defmodule Guard.Id.Api do
   # Signup endpoint
   #
   get "/signup" do
-    ensure_empty_user(conn, fn ->
-      case default_login_method() do
-        method when method in ["local", "oidc"] ->
-          conn |> signup_page(method)
+    logged_in = conn.assigns[:user_id] != nil
 
-        unknown ->
-          Logger.error("Unknown default signup method: #{unknown}")
+    case default_login_method() do
+      method when method in ["local", "oidc"] ->
+        conn |> signup_page(method, logged_in)
 
-          conn |> error_login_page("Signup is disabled")
-      end
-    end)
+      unknown ->
+        Logger.error("Unknown default signup method: #{unknown}")
+        conn |> error_login_page("Signup is disabled")
+    end
   end
 
-  defp signup_page(conn, "local") do
+  defp signup_page(conn, "local", logged_in) do
     conn
     |> render_signup_page(
       github: id_page("github"),
       bitbucket: id_page("bitbucket"),
-      gitlab: id_page("gitlab") |> filter_gitlab()
+      gitlab: id_page("gitlab") |> filter_gitlab(),
+      logged_in: logged_in,
+      me_url: me_page()
     )
   end
 
-  defp signup_page(conn, "oidc") do
+  defp signup_page(conn, "oidc", logged_in) do
     if Guard.OIDC.enabled?() do
       oidc_callback = id_page("oidc/callback")
 
@@ -172,7 +173,9 @@ defmodule Guard.Id.Api do
           |> render_signup_page(
             github: "#{url}&kc_idp_hint=github",
             bitbucket: "#{url}&kc_idp_hint=bitbucket",
-            gitlab: "#{url}&kc_idp_hint=gitlab" |> filter_gitlab()
+            gitlab: "#{url}&kc_idp_hint=gitlab" |> filter_gitlab(),
+            logged_in: logged_in,
+            me_url: me_page()
           )
 
         {:error, error} ->
@@ -187,6 +190,7 @@ defmodule Guard.Id.Api do
     end
   end
 
+  # sobelow_skip ["XSS.SendResp"]
   defp render_signup_page(conn, assigns) do
     assigns =
       Keyword.merge(assigns,
@@ -331,6 +335,7 @@ defmodule Guard.Id.Api do
     end
   end
 
+  # sobelow_skip ["XSS.SendResp"]
   defp render_login_page(conn, assigns) do
     assigns =
       Keyword.merge(assigns,

guard/lib/guard/instance_config/api.ex

@@ -185,6 +185,7 @@ defmodule Guard.InstanceConfig.Api do
     end
   end
 
+  # sobelow_skip ["XSS.SendResp"]
   defp render_manifest_page(conn, assigns) do
     html_content =
       Guard.TemplateRenderer.render_template([assigns: assigns], "submit_manifest.html")

guard/templates/signup.html.eex

@@ -80,40 +80,53 @@
                 </div>
                 <div class="loggin">
                   <div class="wrap">
-                    <h2 class="has-text-align-center" style="margin-top: 0;">Try Cloud</h2>
-                    <div class="wp-block-buttons split-button is-layout-flex wp-block-buttons-is-layout-flex">
-                      <%= if assigns[:github] do %>
-                      <div class="wp-block-button has-custom-width wp-block-button__width-100 has-custom-font-size is-style-v8-dropshadow has-font-down-2-font-size">
-                        <a class="wp-block-button__link has-v-8-black-color has-v-8-white-background-color has-text-color has-background has-link-color  wp-element-button"
-                        href="<%= @github %>"
-                        style="border-color:#CCCCCC;border-width:1px;border-radius:8px">
-                          <img decoding="async" width="22" height="22" class="wp-image-23604" style="width: 22px;" src="https://semaphoreci.com/wp-content/uploads/2024/04/github.svg" alt="">
-                          <strong>Signup with GitHub</strong>
-                        </a>
+                    <%= if assigns[:logged_in] do %>
+                      <h2 class="has-text-align-center" style="margin-top: 0;">You're already logged in</h2>
+                      <div class="wp-block-buttons split-button is-layout-flex wp-block-buttons-is-layout-flex">
+                        <div class="wp-block-button has-custom-width wp-block-button__width-100 has-custom-font-size is-style-v8-dropshadow has-font-down-2-font-size">
+                          <a class="wp-block-button__link has-v-8-black-color has-v-8-white-background-color has-text-color has-background has-link-color has-border-color wp-element-button"
+                          href="<%= @me_url %>"
+                          style="border-color:#CCCCCC;border-width:1px;border-radius:8px;display:flex;align-items:center;justify-content:center;">
+                            <strong style="display:flex;align-items:center;">Continue to <img decoding="async" src="https://semaphore.io/wp-content/uploads/2024/04/semaphore-logo.svg" alt="Semaphore" style="height: 18px; margin-left: 6px;"></strong>
+                          </a>
+                        </div>
                       </div>
-                      <% end %>
-                      <%= if assigns[:bitbucket] do %>
-                      <div class="wp-block-button has-custom-width wp-block-button__width-100 has-custom-font-size is-style-v8-dropshadow has-font-down-2-font-size">
-                        <a class="wp-block-button__link has-v-8-black-color has-v-8-white-background-color has-text-color has-background has-link-color has-border-color wp-element-button"
-                        style="border-color:#CCCCCC;border-width:1px;border-radius:8px"
-                        href="<%= @bitbucket %>">
-                          <img decoding="async" width="20" height="19" class="wp-image-23603" style="width: 20px;" src="https://semaphoreci.com/wp-content/uploads/2024/04/bitbucket.svg" alt="">
-                          <strong>Signup with Bitbucket</strong>
-                        </a>
+                    <% else %>
+                      <h2 class="has-text-align-center" style="margin-top: 0;">Try Cloud</h2>
+                      <div class="wp-block-buttons split-button is-layout-flex wp-block-buttons-is-layout-flex">
+                        <%= if assigns[:github] do %>
+                        <div class="wp-block-button has-custom-width wp-block-button__width-100 has-custom-font-size is-style-v8-dropshadow has-font-down-2-font-size">
+                          <a class="wp-block-button__link has-v-8-black-color has-v-8-white-background-color has-text-color has-background has-link-color  wp-element-button"
+                          href="<%= @github %>"
+                          style="border-color:#CCCCCC;border-width:1px;border-radius:8px">
+                            <img decoding="async" width="22" height="22" class="wp-image-23604" style="width: 22px;" src="https://semaphoreci.com/wp-content/uploads/2024/04/github.svg" alt="">
+                            <strong>Signup with GitHub</strong>
+                          </a>
+                        </div>
+                        <% end %>
+                        <%= if assigns[:bitbucket] do %>
+                        <div class="wp-block-button has-custom-width wp-block-button__width-100 has-custom-font-size is-style-v8-dropshadow has-font-down-2-font-size">
+                          <a class="wp-block-button__link has-v-8-black-color has-v-8-white-background-color has-text-color has-background has-link-color has-border-color wp-element-button"
+                          style="border-color:#CCCCCC;border-width:1px;border-radius:8px"
+                          href="<%= @bitbucket %>">
+                            <img decoding="async" width="20" height="19" class="wp-image-23603" style="width: 20px;" src="https://semaphoreci.com/wp-content/uploads/2024/04/bitbucket.svg" alt="">
+                            <strong>Signup with Bitbucket</strong>
+                          </a>
+                        </div>
+                        <% end %>
+                        <%= if assigns[:gitlab] do %>
+                        <div class="wp-block-button has-custom-width wp-block-button__width-100 has-custom-font-size is-style-v8-dropshadow has-font-down-2-font-size">
+                          <a class="wp-block-button__link has-v-8-black-color has-v-8-white-background-color has-text-color has-background has-link-color has-border-color wp-element-button"
+                          style="border-color:#CCCCCC;border-width:1px;border-radius:8px"
+                          href="<%= @gitlab %>">
+                            <img decoding="async" width="20" height="19" class="wp-image-23603" style="width: 20px;" src="https://semaphoreci.com/wp-content/uploads/2025/02/gitlab.svg" alt="">
+                            <strong>Signup with GitLab</strong>
+                          </a>
+                        </div>
+                        <% end %>
                       </div>
-                      <% end %>
-                      <%= if assigns[:gitlab] do %>
-                      <div class="wp-block-button has-custom-width wp-block-button__width-100 has-custom-font-size is-style-v8-dropshadow has-font-down-2-font-size">
-                        <a class="wp-block-button__link has-v-8-black-color has-v-8-white-background-color has-text-color has-background has-link-color has-border-color wp-element-button"
-                        style="border-color:#CCCCCC;border-width:1px;border-radius:8px"
-                        href="<%= @gitlab %>">
-                          <img decoding="async" width="20" height="19" class="wp-image-23603" style="width: 20px;" src="https://semaphoreci.com/wp-content/uploads/2025/02/gitlab.svg" alt="">
-                          <strong>Signup with GitLab</strong>
-                        </a>
-                      </div>
-                      <% end %>
-                    </div>
-                    <p class="has-text-align-center has-font-down-3-font-size">By continuing, you agree to our <a href="https://semaphoreci.com/tos">Terms of Service</a> and <a href="https://semaphoreci.com/privacy">Privacy policy</a>. </p>
+                      <p class="has-text-align-center has-font-down-3-font-size">By continuing, you agree to our <a href="https://semaphoreci.com/tos">Terms of Service</a> and <a href="https://semaphoreci.com/privacy">Privacy policy</a>. </p>
+                    <% end %>
                   </div>
                 </div>
               </div>