…ons (#201)

Cherry-pick of #200 onto `main` (that PR targeted
`fix/issue-197-local-providers`, now merged).

## What this does
Enables `noUncheckedIndexedAccess: true` in `dashboard/tsconfig.json`
and fixes every resulting error by narrowing at the point of access — no
casts, no suppressions, no weakened types.

## Commits
1. **`chore(ts): enable noUncheckedIndexedAccess and fix 142 resulting
errors`** — flag on, 36 source files narrowed, 4 test files use
`expect(x).toBeDefined()` + `!`
2. **`fix(review): restore behavior regressions from
noUncheckedIndexedAccess pass`** — three issues the reviewer caught on
the first round:
- `lib/auth/session.ts`: restored `!Number.isFinite(v) \|\| v <= 0`
fallback in `parseExpiry`
- `api/containers/list/route.ts`: switched `return Errors.internal` back
to `continue + warn` (one bad line no longer 500s the whole list)
- `api/custom-providers/fetch-models/route.ts`: flipped SSRF guard
`return false` → `return true` so the fail-direction is closed
3. **`fix(review): make updateOAuthAliasEntry exhaustive over keyof
OAuthModelAliasEntry`** — replaced trailing `else` (which hardcoded
`_id`) with a `switch` + `never` default; adding a new field is now a
compile error at the call site.

## Verification (on `main`)
| Gate | Result |
|---|---|
| `tsc --noEmit` | 0 errors |
| `eslint` | 0 warnings/errors |
| `vitest run` | 190/190 passed, 21 files |
| `next build` | Compiled successfully |

## Contract audit
- 0 new `any`, `as any`, `as unknown as`, `@ts-ignore`,
`@ts-expect-error`
- 0 new non-null assertions outside test fixtures (all `!` sites follow
`expect(x).toBeDefined()` in `__tests__/*.test.ts`)

## Not included (intentional)
`exactOptionalPropertyTypes`, `noPropertyAccessFromIndexSignature`,
`noImplicitOverride`, `noFallthroughCasesInSwitch` — each its own
cutover; bundling would turn one reviewable change into an unreviewable
one.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches many dashboard API/UI code paths to add defensive checks
required by `noUncheckedIndexedAccess`, with a few subtle behavior
changes (e.g., container listing now skips malformed `docker ps` lines
and SSRF guard fails closed on unparseable IPv6-mapped addresses).
Overall risk is moderate due to broad surface area, but changes are
largely null/undefined handling and type narrowing.
> 
> **Overview**
> Enables TypeScript `noUncheckedIndexedAccess` in
`dashboard/tsconfig.json` and updates API routes, UI components, and
config generators to **narrow/guard all index-based access** (array
destructuring, regex groups, map entries) to avoid implicit `undefined`.
> 
> Includes a few targeted behavior hardenings: container APIs now return
`notFound` when a container name lacks `CONTAINER_CONFIG`, container
listing logs-and-skips malformed `docker ps` output instead of failing
the whole request, and the custom-provider SSRF checks treat unparseable
IPv6-mapped addresses as private (*fail closed*). Tests were adjusted to
assert presence before non-null assertions.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
e265117. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: itsmylife44 <itsmylife44@users.noreply.github.com>

…, etc.)

Detect distro family via ID_LIKE so Ubuntu/Debian-based distributions are
routed to the correct Docker apt repo instead of being rejected outright.

- Read ID_LIKE from /etc/os-release and match space-padded against
  ubuntu/debian tokens.
- Prefer UBUNTU_CODENAME / DEBIAN_CODENAME over VERSION_CODENAME so
  derivatives resolve to an upstream suite (e.g. Zorin -> noble, Mint -> jammy).
- Validate the resolved codename against the suites Docker actually
  publishes; reject rolling or non-upstream codenames (e.g. Kali
  kali-rolling) up front with a clear message instead of failing later
  at apt-get update.
- Update docs/INSTALLATION.md to note derivative auto-detection.

Fixes #202

Remove dead providers (qwen, codebuddy) and add Kilo (device flow) and
GitLab (OAuth app + PAT modes). Verified against upstream main branch
internal/api/server.go.

- Add kilo-auth-url and gitlab-auth-url to non-admin OAuth allowlist;
  also permit POST on gitlab-auth-url for PAT submission.
- Proxy route now accepts OAuth-shape POST for gitlab-auth-url and
  translates to upstream GET internally so client_secret never appears
  in browser URLs, Referer, or access logs.
- Add GitLab pre-connect modal with OAuth and PAT modes; preserve entered
  fields on bootstrap failure, close secondary modal, surface error inline.
- handleOAuthConnect returns {ok, errorMessage} for callers that need to
  react to bootstrap outcome.
- OAUTH_PROVIDER constants, PROVIDER_MATCH_ALIASES, CALLBACK_PATHS,
  PROVIDERS_WITH_CALLBACK, migration aliases all updated in lockstep.
- Add 18 i18n keys for GitLab flow (en + de, parity verified).

🤖 I have created a release *beep* *boop*
---


##
[0.1.78](dashboard-v0.1.77...dashboard-v0.1.78)
(2026-04-20)


### Bug Fixes

* **install:** support Ubuntu/Debian derivatives (Zorin, Mint, Pop!_OS,
etc.)
([c3f19f0](c3f19f0)),
closes
[#202](#202)

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>