RubyGems - lex-github - Versions diffs - 0.2.4 → 0.3.0 - Mend

lex-github 0.2.4 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +3 -3
data/.rubocop.yml +2 -53
data/CHANGELOG.md +55 -0
data/CLAUDE.md +45 -19
data/Gemfile +1 -0
data/README.md +155 -83
data/lex-github.gemspec +2 -0
data/lib/legion/extensions/github/app/actor/token_refresh.rb +68 -0
data/lib/legion/extensions/github/app/actor/webhook_poller.rb +65 -0
data/lib/legion/extensions/github/app/hooks/setup.rb +19 -0
data/lib/legion/extensions/github/app/hooks/webhook.rb +19 -0
data/lib/legion/extensions/github/app/runners/auth.rb +48 -0
data/lib/legion/extensions/github/app/runners/credential_store.rb +46 -0
data/lib/legion/extensions/github/app/runners/installations.rb +56 -0
data/lib/legion/extensions/github/app/runners/manifest.rb +65 -0
data/lib/legion/extensions/github/app/runners/webhooks.rb +118 -0
data/lib/legion/extensions/github/app/transport/exchanges/app.rb +17 -0
data/lib/legion/extensions/github/app/transport/messages/event.rb +18 -0
data/lib/legion/extensions/github/app/transport/queues/auth.rb +18 -0
data/lib/legion/extensions/github/app/transport/queues/webhooks.rb +18 -0
data/lib/legion/extensions/github/cli/app.rb +57 -0
data/lib/legion/extensions/github/cli/auth.rb +99 -0
data/lib/legion/extensions/github/client.rb +24 -0
data/lib/legion/extensions/github/errors.rb +44 -0
data/lib/legion/extensions/github/helpers/browser_auth.rb +106 -0
data/lib/legion/extensions/github/helpers/cache.rb +99 -0
data/lib/legion/extensions/github/helpers/callback_server.rb +89 -0
data/lib/legion/extensions/github/helpers/client.rb +292 -2
data/lib/legion/extensions/github/helpers/scope_registry.rb +91 -0
data/lib/legion/extensions/github/helpers/token_cache.rb +86 -0
data/lib/legion/extensions/github/middleware/credential_fallback.rb +76 -0
data/lib/legion/extensions/github/middleware/rate_limit.rb +40 -0
data/lib/legion/extensions/github/middleware/scope_probe.rb +37 -0
data/lib/legion/extensions/github/oauth/actor/token_refresh.rb +76 -0
data/lib/legion/extensions/github/oauth/hooks/callback.rb +19 -0
data/lib/legion/extensions/github/oauth/runners/auth.rb +111 -0
data/lib/legion/extensions/github/oauth/transport/exchanges/oauth.rb +17 -0
data/lib/legion/extensions/github/oauth/transport/queues/auth.rb +18 -0
data/lib/legion/extensions/github/runners/actions.rb +100 -0
data/lib/legion/extensions/github/runners/branches.rb +8 -6
data/lib/legion/extensions/github/runners/checks.rb +84 -0
data/lib/legion/extensions/github/runners/comments.rb +15 -9
data/lib/legion/extensions/github/runners/commits.rb +13 -8
data/lib/legion/extensions/github/runners/contents.rb +6 -4
data/lib/legion/extensions/github/runners/deployments.rb +76 -0
data/lib/legion/extensions/github/runners/gists.rb +11 -6
data/lib/legion/extensions/github/runners/issues.rb +18 -11
data/lib/legion/extensions/github/runners/labels.rb +18 -11
data/lib/legion/extensions/github/runners/organizations.rb +12 -10
data/lib/legion/extensions/github/runners/pull_requests.rb +26 -16
data/lib/legion/extensions/github/runners/releases.rb +89 -0
data/lib/legion/extensions/github/runners/repositories.rb +19 -12
data/lib/legion/extensions/github/runners/repository_webhooks.rb +76 -0
data/lib/legion/extensions/github/runners/search.rb +13 -10
data/lib/legion/extensions/github/runners/users.rb +14 -10
data/lib/legion/extensions/github/version.rb +1 -1
data/lib/legion/extensions/github.rb +23 -1
metadata +63 -1

data/lib/legion/extensions/github/helpers/client.rb CHANGED Viewed

@@ -1,21 +1,311 @@
 # frozen_string_literal: true
 require 'faraday'
+require 'legion/extensions/github/helpers/token_cache'
+require 'legion/extensions/github/helpers/scope_registry'
+require 'legion/extensions/github/middleware/credential_fallback'
 module Legion
   module Extensions
     module Github
       module Helpers
         module Client
-          def connection(api_url: 'https://api.github.com', token: nil, **_opts)
+          include TokenCache
+          include ScopeRegistry
+          CREDENTIAL_RESOLVERS = %i[
+            resolve_vault_delegated resolve_settings_delegated
+            resolve_vault_app resolve_settings_app
+            resolve_vault_pat resolve_settings_pat
+            resolve_gh_cli resolve_env
+          ].freeze
+          def connection(owner: nil, repo: nil, api_url: 'https://api.github.com', token: nil, **_opts)
+            resolved = token ? { token: token } : resolve_credential(owner: owner, repo: repo)
+            resolved_token = resolved&.dig(:token)
+            @current_credential = resolved
+            @skipped_fingerprints = []
             Faraday.new(url: api_url) do |conn|
+              conn.use :github_credential_fallback, resolver: self
               conn.request :json
               conn.response :json, content_type: /\bjson$/
+              conn.response :github_rate_limit, handler: self
+              conn.response :github_scope_probe, handler: self
               conn.headers['Accept'] = 'application/vnd.github+json'
-              conn.headers['Authorization'] = "Bearer #{token}" if token
+              conn.headers['Authorization'] = "Bearer #{resolved_token}" if resolved_token
               conn.headers['X-GitHub-Api-Version'] = '2022-11-28'
             end
           end
+          def resolve_next_credential(owner: nil, repo: nil)
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            @skipped_fingerprints ||= []
+            @skipped_fingerprints << fingerprint if fingerprint
+            CREDENTIAL_RESOLVERS.each do |method|
+              next unless respond_to?(method, true)
+              result = send(method)
+              next unless result
+              fp = result.dig(:metadata, :credential_fingerprint)
+              next if fp && @skipped_fingerprints.include?(fp)
+              next if fp && rate_limited?(fingerprint: fp)
+              if owner && fp
+                scope = scope_status(fingerprint: fp, owner: owner, repo: repo)
+                next if scope == :denied
+              end
+              @current_credential = result
+              return result
+            end
+            nil
+          end
+          def max_fallback_retries
+            CREDENTIAL_RESOLVERS.size
+          end
+          def on_rate_limit(remaining:, reset_at:, status:, url:, **) # rubocop:disable Lint/UnusedMethodArgument
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            return unless fingerprint
+            mark_rate_limited(fingerprint: fingerprint, reset_at: reset_at)
+          end
+          def on_scope_denied(status:, url:, path:, **) # rubocop:disable Lint/UnusedMethodArgument
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            owner, repo = extract_owner_repo(path)
+            return unless fingerprint && owner
+            register_scope(fingerprint: fingerprint, owner: owner, repo: repo, status: :denied)
+          end
+          def on_scope_authorized(status:, url:, path:, **) # rubocop:disable Lint/UnusedMethodArgument
+            fingerprint = @current_credential&.dig(:metadata, :credential_fingerprint)
+            owner, repo = extract_owner_repo(path)
+            return unless fingerprint && owner
+            register_scope(fingerprint: fingerprint, owner: owner, repo: repo, status: :authorized)
+          end
+          def resolve_credential(owner: nil, repo: nil)
+            CREDENTIAL_RESOLVERS.each do |method|
+              next unless respond_to?(method, true)
+              result = send(method)
+              next unless result
+              fingerprint = result.dig(:metadata, :credential_fingerprint)
+              next if fingerprint && rate_limited?(fingerprint: fingerprint)
+              if owner && fingerprint
+                scope = scope_status(fingerprint: fingerprint, owner: owner, repo: repo)
+                next if scope == :denied
+              end
+              return result
+            end
+            nil
+          end
+          def resolve_vault_delegated
+            return nil unless defined?(Legion::Crypt)
+            token_data = vault_get('github/oauth/delegated/token')
+            return nil unless token_data&.dig('access_token')
+            fp = credential_fingerprint(auth_type: :oauth_user, identifier: 'vault_delegated')
+            { token: token_data['access_token'], auth_type: :oauth_user,
+              expires_at: token_data['expires_at'],
+              metadata: { source: :vault, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+          def resolve_settings_delegated
+            return nil unless defined?(Legion::Settings)
+            token = Legion::Settings.dig(:github, :oauth, :access_token)
+            return nil unless token
+            fp = credential_fingerprint(auth_type: :oauth_user, identifier: 'settings_delegated')
+            { token: token, auth_type: :oauth_user,
+              metadata: { source: :settings, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+          def resolve_vault_app
+            return nil unless defined?(Legion::Crypt)
+            private_key = begin
+              vault_get('github/app/private_key')
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless private_key
+            app_id = begin
+              vault_get('github/app/app_id')
+            rescue StandardError => _e
+              nil
+            end
+            installation_id = begin
+              vault_get('github/app/installation_id')
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless app_id && installation_id
+            fp = credential_fingerprint(auth_type: :app_installation, identifier: "vault_app_#{app_id}")
+            cached = fetch_token(auth_type: :app_installation, installation_id: installation_id)
+            return cached.merge(metadata: { source: :vault, credential_fingerprint: fp }) if cached
+            jwt = generate_jwt(app_id: app_id, private_key: private_key)[:result]
+            token_data = create_installation_token(jwt: jwt, installation_id: installation_id)[:result]
+            return nil unless token_data&.dig('token')
+            expires_at = begin
+              Time.parse(token_data['expires_at'])
+            rescue StandardError => _e
+              Time.now + 3600
+            end
+            result = { token: token_data['token'], auth_type: :app_installation,
+                       expires_at: expires_at, installation_id: installation_id,
+                       metadata: { source: :vault, installation_id: installation_id,
+                                   credential_fingerprint: fp } }
+            store_token(**result)
+            result
+          rescue StandardError => _e
+            nil
+          end
+          def resolve_settings_app
+            return nil unless defined?(Legion::Settings)
+            app_id = begin
+              Legion::Settings.dig(:github, :app, :app_id)
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless app_id
+            fp = credential_fingerprint(auth_type: :app_installation, identifier: "settings_app_#{app_id}")
+            key_path = begin
+              Legion::Settings.dig(:github, :app, :private_key_path)
+            rescue StandardError => _e
+              nil
+            end
+            installation_id = begin
+              Legion::Settings.dig(:github, :app, :installation_id)
+            rescue StandardError => _e
+              nil
+            end
+            return nil unless key_path && installation_id
+            cached = fetch_token(auth_type: :app_installation, installation_id: installation_id)
+            return cached.merge(metadata: { source: :settings, credential_fingerprint: fp }) if cached
+            private_key = ::File.read(key_path)
+            jwt = generate_jwt(app_id: app_id, private_key: private_key)[:result]
+            token_data = create_installation_token(jwt: jwt, installation_id: installation_id)[:result]
+            return nil unless token_data&.dig('token')
+            expires_at = begin
+              Time.parse(token_data['expires_at'])
+            rescue StandardError => _e
+              Time.now + 3600
+            end
+            result = { token: token_data['token'], auth_type: :app_installation,
+                       expires_at: expires_at, installation_id: installation_id,
+                       metadata: { source: :settings, installation_id: installation_id,
+                                   credential_fingerprint: fp } }
+            store_token(**result)
+            result
+          rescue StandardError => _e
+            nil
+          end
+          def resolve_vault_pat
+            return nil unless defined?(Legion::Crypt)
+            token = vault_get('github/token')
+            return nil unless token
+            fp = credential_fingerprint(auth_type: :pat, identifier: 'vault_pat')
+            { token: token, auth_type: :pat, metadata: { source: :vault, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+          def resolve_settings_pat
+            return nil unless defined?(Legion::Settings)
+            token = Legion::Settings.dig(:github, :token)
+            return nil unless token
+            fp = credential_fingerprint(auth_type: :pat, identifier: 'settings_pat')
+            { token: token, auth_type: :pat, metadata: { source: :settings, credential_fingerprint: fp } }
+          rescue StandardError => _e
+            nil
+          end
+          def resolve_gh_cli
+            if cache_connected? || local_cache_connected?
+              cached = cache_connected? ? cache_get('github:cli_token') : local_cache_get('github:cli_token')
+              return cached if cached
+            end
+            output = gh_cli_token_output
+            return nil unless output
+            fp = credential_fingerprint(auth_type: :cli, identifier: 'gh_cli')
+            result = { token: output, auth_type: :cli, metadata: { source: :gh_cli, credential_fingerprint: fp } }
+            cache_set('github:cli_token', result, ttl: 300) if cache_connected?
+            local_cache_set('github:cli_token', result, ttl: 300) if local_cache_connected?
+            result
+          rescue StandardError => _e
+            nil
+          end
+          def gh_cli_token_output
+            output = `gh auth token 2>/dev/null`.strip
+            return nil unless $?&.success? && !output.empty? # rubocop:disable Style/SpecialGlobalVars
+            output
+          rescue StandardError => _e
+            nil
+          end
+          def resolve_env
+            token = ENV.fetch('GITHUB_TOKEN', nil)
+            return nil if token.nil? || token.empty?
+            fp = credential_fingerprint(auth_type: :env, identifier: 'env')
+            { token: token, auth_type: :env, metadata: { source: :env, credential_fingerprint: fp } }
+          end
+          private
+          def extract_owner_repo(path)
+            match = path.match(%r{^/repos/([^/]+)/([^/]+)})
+            return [nil, nil] unless match
+            [match[1], match[2]]
+          end
+          def credential_fallback?
+            return true unless defined?(Legion::Settings)
+            Legion::Settings.dig(:github, :credential_fallback) != false
+          rescue StandardError => _e
+            true
+          end
         end
       end
     end

data/lib/legion/extensions/github/helpers/scope_registry.rb ADDED Viewed

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+require 'digest'
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        module ScopeRegistry
+          def credential_fingerprint(auth_type:, identifier:)
+            Digest::SHA256.hexdigest("#{auth_type}:#{identifier}")[0, 16]
+          end
+          def scope_status(fingerprint:, owner:, repo: nil)
+            if repo
+              status = scope_cache_get("github:scope:#{fingerprint}:#{owner}/#{repo}")
+              return status if status
+            end
+            scope_cache_get("github:scope:#{fingerprint}:#{owner}") || :unknown
+          end
+          def register_scope(fingerprint:, owner:, status:, repo: nil)
+            key = repo ? "github:scope:#{fingerprint}:#{owner}/#{repo}" : "github:scope:#{fingerprint}:#{owner}"
+            ttl = if status == :denied
+                    scope_denied_ttl
+                  else
+                    (repo ? scope_repo_ttl : scope_org_ttl)
+                  end
+            cache_set(key, status, ttl: ttl) if cache_connected?
+            local_cache_set(key, status, ttl: ttl) if local_cache_connected?
+          end
+          def rate_limited?(fingerprint:)
+            entry = scope_cache_get("github:rate_limit:#{fingerprint}")
+            return false unless entry
+            entry[:reset_at] > Time.now
+          end
+          def mark_rate_limited(fingerprint:, reset_at:)
+            ttl = [(reset_at - Time.now).ceil, 1].max
+            value = { reset_at: reset_at, remaining: 0 }
+            cache_set("github:rate_limit:#{fingerprint}", value, ttl: ttl) if cache_connected?
+            local_cache_set("github:rate_limit:#{fingerprint}", value, ttl: ttl) if local_cache_connected?
+          end
+          def invalidate_scope(fingerprint:, owner:, repo: nil)
+            key = repo ? "github:scope:#{fingerprint}:#{owner}/#{repo}" : "github:scope:#{fingerprint}:#{owner}"
+            cache_delete(key) if cache_connected?
+            local_cache_delete(key) if local_cache_connected?
+          end
+          private
+          def scope_cache_get(key)
+            if cache_connected?
+              result = cache_get(key)
+              return result if result
+            end
+            local_cache_get(key) if local_cache_connected?
+          end
+          def scope_org_ttl
+            return 3600 unless defined?(Legion::Settings)
+            Legion::Settings.dig(:github, :scope_registry, :org_ttl) || 3600
+          rescue StandardError => _e
+            3600
+          end
+          def scope_repo_ttl
+            return 300 unless defined?(Legion::Settings)
+            Legion::Settings.dig(:github, :scope_registry, :repo_ttl) || 300
+          rescue StandardError => _e
+            300
+          end
+          def scope_denied_ttl
+            return 300 unless defined?(Legion::Settings)
+            Legion::Settings.dig(:github, :scope_registry, :denied_ttl) || 300
+          rescue StandardError => _e
+            300
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/helpers/token_cache.rb ADDED Viewed

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+require 'time'
+require 'legion/cache/helper'
+module Legion
+  module Extensions
+    module Github
+      module Helpers
+        module TokenCache
+          include Legion::Cache::Helper
+          TOKEN_BUFFER_SECONDS = 300
+          def store_token(token:, auth_type:, expires_at:, installation_id: nil, metadata: {}, **)
+            entry = { token: token, auth_type: auth_type,
+                      expires_at: expires_at.respond_to?(:iso8601) ? expires_at.iso8601 : expires_at,
+                      installation_id: installation_id, metadata: metadata }
+            ttl = [(expires_at.respond_to?(:to_i) ? expires_at.to_i - Time.now.to_i : 3600), 60].max
+            key = token_cache_key(auth_type, installation_id)
+            cache_set(key, entry, ttl: ttl) if cache_connected?
+            local_cache_set(key, entry, ttl: ttl) if local_cache_connected?
+          end
+          def fetch_token(auth_type:, installation_id: nil, **)
+            key = token_cache_key(auth_type, installation_id)
+            entry = token_cache_read(key)
+            entry = token_cache_read(token_cache_key(auth_type, nil)) if entry.nil? && installation_id
+            return nil unless entry
+            expires = begin
+              Time.parse(entry[:expires_at].to_s)
+            rescue StandardError => _e
+              nil
+            end
+            return nil if expires && expires < Time.now + TOKEN_BUFFER_SECONDS
+            entry
+          end
+          def mark_rate_limited(auth_type:, reset_at:, **)
+            entry = { reset_at: reset_at.respond_to?(:iso8601) ? reset_at.iso8601 : reset_at }
+            ttl = [(reset_at.respond_to?(:to_i) ? reset_at.to_i - Time.now.to_i : 300), 10].max
+            key = "github:rate_limit:#{auth_type}"
+            cache_set(key, entry, ttl: ttl) if cache_connected?
+            local_cache_set(key, entry, ttl: ttl) if local_cache_connected?
+          end
+          def rate_limited?(auth_type:, **)
+            key = "github:rate_limit:#{auth_type}"
+            entry = if cache_connected?
+                      cache_get(key)
+                    elsif local_cache_connected?
+                      local_cache_get(key)
+                    end
+            return false unless entry
+            reset = begin
+              Time.parse(entry[:reset_at].to_s)
+            rescue StandardError => _e
+              nil
+            end
+            reset.nil? || reset > Time.now
+          end
+          private
+          def token_cache_key(auth_type, installation_id)
+            base = "github:token:#{auth_type}"
+            installation_id ? "#{base}:#{installation_id}" : base
+          end
+          def token_cache_read(key)
+            if cache_connected?
+              cache_get(key)
+            elsif local_cache_connected?
+              local_cache_get(key)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/legion/extensions/github/middleware/credential_fallback.rb ADDED Viewed

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+require 'faraday'
+module Legion
+  module Extensions
+    module Github
+      module Middleware
+        class CredentialFallback < ::Faraday::Middleware
+          RETRYABLE_STATUSES = [403, 429].freeze
+          IDEMPOTENT_METHODS = %w[GET HEAD OPTIONS PUT DELETE].freeze
+          def initialize(app, resolver: nil)
+            super(app)
+            @resolver = resolver
+          end
+          def call(env)
+            response = @app.call(env)
+            return response unless should_retry?(response)
+            retries = 0
+            max = @resolver.respond_to?(:max_fallback_retries) ? @resolver.max_fallback_retries : 3
+            while retries < max && should_retry?(response)
+              notify_resolver(response)
+              owner, repo = extract_owner_repo_from_env(env)
+              next_credential = @resolver&.resolve_next_credential(owner: owner, repo: repo)
+              break unless next_credential
+              env[:request_headers]['Authorization'] = "Bearer #{next_credential[:token]}"
+              response = @app.call(env)
+              retries += 1
+            end
+            response
+          end
+          private
+          def should_retry?(response)
+            return false unless @resolver.respond_to?(:credential_fallback?)
+            return false unless @resolver.credential_fallback?
+            return false unless IDEMPOTENT_METHODS.include?(response.env[:method].to_s.upcase)
+            RETRYABLE_STATUSES.include?(response.status)
+          end
+          def extract_owner_repo_from_env(env)
+            path = env.url&.path.to_s
+            match = path.match(%r{^/repos/([^/]+)/([^/]+)})
+            match ? [match[1], match[2]] : [nil, nil]
+          end
+          def notify_resolver(response)
+            if response.status == 429 && @resolver.respond_to?(:on_rate_limit)
+              reset = response.headers['x-ratelimit-reset']
+              reset_at = reset ? Time.at(reset.to_i) : Time.now + 60
+              @resolver.on_rate_limit(remaining: 0, reset_at: reset_at,
+                                      status: 429, url: response.env.url.to_s)
+            elsif response.status == 403 && @resolver.respond_to?(:on_scope_denied)
+              @resolver.on_scope_denied(status: 403, url: response.env.url.to_s,
+                                        path: response.env.url.path)
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Faraday::Middleware.register_middleware(
+  github_credential_fallback: Legion::Extensions::Github::Middleware::CredentialFallback
+)

data/lib/legion/extensions/github/middleware/rate_limit.rb ADDED Viewed

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+require 'faraday'
+module Legion
+  module Extensions
+    module Github
+      module Middleware
+        class RateLimit < ::Faraday::Middleware
+          def initialize(app, handler: nil)
+            super(app)
+            @handler = handler
+          end
+          def on_complete(env)
+            remaining = env.response_headers['x-ratelimit-remaining']
+            reset = env.response_headers['x-ratelimit-reset']
+            return unless remaining
+            remaining_int = remaining.to_i
+            return unless remaining_int.zero? || env.status == 429
+            return unless @handler.respond_to?(:on_rate_limit)
+            reset_at = reset ? Time.at(reset.to_i) : Time.now + 60
+            @handler.on_rate_limit(
+              remaining: remaining_int,
+              reset_at:  reset_at,
+              status:    env.status,
+              url:       env.url.to_s
+            )
+          end
+        end
+      end
+    end
+  end
+end
+Faraday::Response.register_middleware(
+  github_rate_limit: Legion::Extensions::Github::Middleware::RateLimit
+)

data/lib/legion/extensions/github/middleware/scope_probe.rb ADDED Viewed

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+require 'faraday'
+module Legion
+  module Extensions
+    module Github
+      module Middleware
+        class ScopeProbe < ::Faraday::Middleware
+          REPO_PATH_PATTERN = %r{^/repos/([^/]+)/([^/]+)}
+          def initialize(app, handler: nil)
+            super(app)
+            @handler = handler
+          end
+          def on_complete(env)
+            return unless @handler
+            return unless env.url.path.match?(REPO_PATH_PATTERN)
+            info = { status: env.status, url: env.url.to_s, path: env.url.path }
+            if [403, 404].include?(env.status)
+              @handler.on_scope_denied(info) if @handler.respond_to?(:on_scope_denied)
+            elsif env.status >= 200 && env.status < 300
+              @handler.on_scope_authorized(info) if @handler.respond_to?(:on_scope_authorized)
+            end
+          end
+        end
+      end
+    end
+  end
+end
+Faraday::Response.register_middleware(
+  github_scope_probe: Legion::Extensions::Github::Middleware::ScopeProbe
+)