Expose ui_layout and ai_enabled to mobile clients and add enable_ai endpoint (#983)

* Wire ui layout and AI flags into mobile auth

Include ui_layout and ai_enabled in mobile login/signup/SSO payloads,
add an authenticated endpoint to enable AI from Flutter, and gate
mobile navigation based on intro layout and AI consent flow.

* Linter

* Ensure write scope on enable_ai

* Make sure AI is available before enabling it

* Test improvements

* PR comment

* Fix review issues: test assertion bug, missing coverage, and Dart defaults (#985)

- Fix login test to use ai_enabled? (method) instead of ai_enabled (column)
  to match what mobile_user_payload actually serializes
- Add test for enable_ai when ai_available? returns false (403 path)
- Default aiEnabled to false when user is null in AuthProvider to avoid
  showing AI as available before authentication completes
- Remove extra blank lines in auth_provider.dart and auth_service.dart

https://claude.ai/code/session_01LEYYmtsDBoqizyihFtkye4

Co-authored-by: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

test/controllers/api/v1/auth_controller_test.rb

@@ -15,9 +15,10 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
     # Ensure the shared OAuth application exists
     @shared_app = Doorkeeper::Application.find_or_create_by!(name: "Sure Mobile") do |app|
       app.redirect_uri = "sureapp://oauth/callback"
-      app.scopes = "read_write"
+      app.scopes = "read read_write"
       app.confidential = false
     end
+    @shared_app.update!(scopes: "read read_write")
 
     # Clear the memoized class variable so it picks up the test record
     MobileDevice.instance_variable_set(:@shared_oauth_application, nil)
@@ -49,6 +50,9 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
     assert_equal "newuser@example.com", response_data["user"]["email"]
     assert_equal "New", response_data["user"]["first_name"]
     assert_equal "User", response_data["user"]["last_name"]
+    new_user = User.find(response_data["user"]["id"])
+    assert_equal new_user.ui_layout, response_data["user"]["ui_layout"]
+    assert_equal new_user.ai_enabled?, response_data["user"]["ai_enabled"]
 
     # OAuth token assertions
     assert response_data["access_token"].present?
@@ -58,8 +62,8 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
     assert response_data["created_at"].present?
 
     # Verify the device was created
-    new_user = User.find(response_data["user"]["id"])
-    device = new_user.mobile_devices.first
+    created_user = User.find(response_data["user"]["id"])
+    device = created_user.mobile_devices.first
     assert_equal @device_info[:device_id], device.device_id
     assert_equal @device_info[:device_name], device.device_name
     assert_equal @device_info[:device_type], device.device_type
@@ -227,6 +231,8 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
 
     assert_equal user.id.to_s, response_data["user"]["id"]
     assert_equal user.email, response_data["user"]["email"]
+    assert_equal user.ui_layout, response_data["user"]["ui_layout"]
+    assert_equal user.ai_enabled?, response_data["user"]["ai_enabled"]
 
     # OAuth token assertions
     assert response_data["access_token"].present?
@@ -439,4 +445,64 @@ class Api::V1::AuthControllerTest < ActionDispatch::IntegrationTest
     response_data = JSON.parse(response.body)
     assert_equal "Refresh token is required", response_data["error"]
   end
+
+  test "should enable ai for authenticated user" do
+    user = users(:family_admin)
+    user.update!(ai_enabled: false)
+    device = user.mobile_devices.create!(@device_info)
+    token = Doorkeeper::AccessToken.create!(application: @shared_app, resource_owner_id: user.id, mobile_device_id: device.id, scopes: "read_write")
+
+    patch "/api/v1/auth/enable_ai", headers: {
+      "Authorization" => "Bearer #{token.token}",
+      "Content-Type" => "application/json"
+    }
+
+    assert_response :success
+    response_data = JSON.parse(response.body)
+    assert_equal true, response_data.dig("user", "ai_enabled")
+    assert_equal user.ui_layout, response_data.dig("user", "ui_layout")
+    assert_equal true, user.reload.ai_enabled
+  end
+
+  test "should require read_write scope to enable ai" do
+    user = users(:family_admin)
+    user.update!(ai_enabled: false)
+    device = user.mobile_devices.create!(@device_info)
+    token = Doorkeeper::AccessToken.create!(application: @shared_app, resource_owner_id: user.id, mobile_device_id: device.id, scopes: "read")
+
+    patch "/api/v1/auth/enable_ai", headers: {
+      "Authorization" => "Bearer #{token.token}",
+      "Content-Type" => "application/json"
+    }
+
+    assert_response :forbidden
+    response_data = JSON.parse(response.body)
+    assert_equal "insufficient_scope", response_data["error"]
+    assert_equal "This action requires the 'write' scope", response_data["message"]
+    assert_not user.reload.ai_enabled
+  end
+
+  test "should require authentication when enabling ai" do
+    patch "/api/v1/auth/enable_ai", headers: { "Content-Type" => "application/json" }
+
+    assert_response :unauthorized
+  end
+
+  test "should return forbidden when ai is not available" do
+    user = users(:family_admin)
+    user.update!(ai_enabled: false)
+    device = user.mobile_devices.create!(@device_info)
+    token = Doorkeeper::AccessToken.create!(application: @shared_app, resource_owner_id: user.id, mobile_device_id: device.id, scopes: "read_write")
+    User.any_instance.stubs(:ai_available?).returns(false)
+
+    patch "/api/v1/auth/enable_ai", headers: {
+      "Authorization" => "Bearer #{token.token}",
+      "Content-Type" => "application/json"
+    }
+
+    assert_response :forbidden
+    response_data = JSON.parse(response.body)
+    assert_equal "AI is not available for your account", response_data["error"]
+    assert_not user.reload.ai_enabled
+  end
 end