@flink-app/github-app-plugin 0.12.1-alpha.45 → 0.13.0

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 0.13.0
+
+### Minor Changes
+
+-   Migrate to pnpm and streamlines build process.
+
 All notable changes to the GitHub App Plugin will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
@@ -10,137 +16,151 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 #### Core Features
-- GitHub App installation flow with CSRF protection using state parameter
-- JWT signing with RSA private key (RS256 algorithm)
-- Automatic detection of PKCS#1 and PKCS#8 private key formats
-- Installation access token management with automatic caching (55-minute TTL)
-- Automatic token refresh when expired
-- Webhook integration with HMAC-SHA256 signature validation
-- Constant-time comparison for security-critical validations
-- GitHub API client wrapper with automatic token injection
-- Repository access verification
-- Standalone plugin architecture (works without JWT Auth Plugin)
+
+-   GitHub App installation flow with CSRF protection using state parameter
+-   JWT signing with RSA private key (RS256 algorithm)
+-   Automatic detection of PKCS#1 and PKCS#8 private key formats
+-   Installation access token management with automatic caching (55-minute TTL)
+-   Automatic token refresh when expired
+-   Webhook integration with HMAC-SHA256 signature validation
+-   Constant-time comparison for security-critical validations
+-   GitHub API client wrapper with automatic token injection
+-   Repository access verification
+-   Standalone plugin architecture (works without JWT Auth Plugin)
 
 #### Database
-- `GitHubAppSessionRepo` for CSRF session storage with TTL index (default: 10 minutes)
-- `GitHubInstallationRepo` for installation-to-user mappings
-- `GitHubWebhookEventRepo` for optional webhook event logging
-- Configurable collection names for all repositories
-- Automatic TTL index creation for session cleanup
+
+-   `GitHubAppSessionRepo` for CSRF session storage with TTL index (default: 10 minutes)
+-   `GitHubInstallationRepo` for installation-to-user mappings
+-   `GitHubWebhookEventRepo` for optional webhook event logging
+-   Configurable collection names for all repositories
+-   Automatic TTL index creation for session cleanup
 
 #### API Handlers
-- `GET /github-app/install` - Initiate GitHub App installation
-- `GET /github-app/callback` - Handle installation callback
-- `POST /github-app/webhook` - Receive and validate webhook events
-- `DELETE /github-app/installation/:id` - Uninstall GitHub App
-- Optional handler registration via `registerRoutes` config option
+
+-   `GET /github-app/install` - Initiate GitHub App installation
+-   `GET /github-app/callback` - Handle installation callback
+-   `POST /github-app/webhook` - Receive and validate webhook events
+-   `DELETE /github-app/installation/:id` - Uninstall GitHub App
+-   Optional handler registration via `registerRoutes` config option
 
 #### Context API
-- `getClient(installationId)` - Get GitHub API client for installation
-- `getInstallation(userId)` - Get first installation for user
-- `getInstallations(userId)` - Get all installations for user
-- `deleteInstallation(userId, installationId)` - Delete installation
-- `hasRepositoryAccess(userId, owner, repo)` - Verify repository access
-- `getInstallationToken(installationId)` - Get raw installation token (advanced usage)
-- `clearTokenCache()` - Clear all cached installation tokens
-- `options` - Read-only access to plugin configuration
+
+-   `getClient(installationId)` - Get GitHub API client for installation
+-   `getInstallation(userId)` - Get first installation for user
+-   `getInstallations(userId)` - Get all installations for user
+-   `deleteInstallation(userId, installationId)` - Delete installation
+-   `hasRepositoryAccess(userId, owner, repo)` - Verify repository access
+-   `getInstallationToken(installationId)` - Get raw installation token (advanced usage)
+-   `clearTokenCache()` - Clear all cached installation tokens
+-   `options` - Read-only access to plugin configuration
 
 #### GitHub API Client Methods
-- `getRepositories()` - List accessible repositories
-- `getRepository(owner, repo)` - Get repository details
-- `getContents(owner, repo, path)` - Get file contents
-- `createIssue(owner, repo, params)` - Create GitHub issue
-- `request(method, endpoint, data)` - Generic API request with retry logic
+
+-   `getRepositories()` - List accessible repositories
+-   `getRepository(owner, repo)` - Get repository details
+-   `getContents(owner, repo, path)` - Get file contents
+-   `createIssue(owner, repo, params)` - Create GitHub issue
+-   `request(method, endpoint, data)` - Generic API request with retry logic
 
 #### Configuration Options
-- Required: `appId`, `privateKey`, `webhookSecret`, `clientId`, `clientSecret`
-- Optional: `appSlug`, `baseUrl` (default: https://api.github.com)
-- Callbacks: `onInstallationSuccess` (required), `onInstallationError`, `onWebhookEvent`
-- Database: `sessionsCollectionName`, `installationsCollectionName`, `webhookEventsCollectionName`
-- Cache: `tokenCacheTTL` (default: 3300 seconds), `sessionTTL` (default: 600 seconds)
-- Features: `registerRoutes` (default: true), `logWebhookEvents` (default: false)
+
+-   Required: `appId`, `privateKey`, `webhookSecret`, `clientId`, `clientSecret`
+-   Optional: `appSlug`, `baseUrl` (default: https://api.github.com)
+-   Callbacks: `onInstallationSuccess` (required), `onInstallationError`, `onWebhookEvent`
+-   Database: `sessionsCollectionName`, `installationsCollectionName`, `webhookEventsCollectionName`
+-   Cache: `tokenCacheTTL` (default: 3300 seconds), `sessionTTL` (default: 600 seconds)
+-   Features: `registerRoutes` (default: true), `logWebhookEvents` (default: false)
 
 #### Security Features
-- Private key validation on plugin initialization
-- CSRF protection with cryptographically secure state parameter (32 bytes)
-- Webhook signature validation using HMAC-SHA256
-- Constant-time comparison for state and signature validation
-- Installation tokens cached in memory only (never in database)
-- One-time use sessions (deleted after successful callback)
-- Automatic session expiration via MongoDB TTL indexes
+
+-   Private key validation on plugin initialization
+-   CSRF protection with cryptographically secure state parameter (32 bytes)
+-   Webhook signature validation using HMAC-SHA256
+-   Constant-time comparison for state and signature validation
+-   Installation tokens cached in memory only (never in database)
+-   One-time use sessions (deleted after successful callback)
+-   Automatic session expiration via MongoDB TTL indexes
 
 #### Error Handling
-- Kebab-case error codes for frontend translation
-- Comprehensive error codes: `invalid-state`, `session-expired`, `installation-not-found`, `invalid-private-key`, `jwt-signing-failed`, `token-exchange-failed`, `webhook-signature-invalid`, `webhook-payload-invalid`, `repository-not-accessible`, `installation-suspended`, `installation-not-owned`, `api-rate-limit`, `network-error`, `server-error`
-- User-friendly error messages with actionable hints
-- Detailed error logging for debugging
-- Graceful handling of GitHub API failures
-- Retry logic with exponential backoff for rate limits
+
+-   Kebab-case error codes for frontend translation
+-   Comprehensive error codes: `invalid-state`, `session-expired`, `installation-not-found`, `invalid-private-key`, `jwt-signing-failed`, `token-exchange-failed`, `webhook-signature-invalid`, `webhook-payload-invalid`, `repository-not-accessible`, `installation-suspended`, `installation-not-owned`, `api-rate-limit`, `network-error`, `server-error`
+-   User-friendly error messages with actionable hints
+-   Detailed error logging for debugging
+-   Graceful handling of GitHub API failures
+-   Retry logic with exponential backoff for rate limits
 
 #### Documentation
-- Comprehensive README.md with step-by-step guides
-- SECURITY.md covering all security considerations
-- 8 complete usage examples:
-  - `basic-installation.ts` - Basic GitHub App installation with standalone auth
-  - `webhook-handling.ts` - Process webhook events (push, PR, installation)
-  - `repository-access.ts` - Access repositories via API client
-  - `create-issue.ts` - Create GitHub issue with permission check
-  - `with-jwt-auth.ts` - Optional integration with JWT Auth Plugin
-  - `organization-installation.ts` - Organization-level installation
-  - `error-handling.ts` - Comprehensive error handling
-  - `multi-event-webhook.ts` - Handle multiple webhook event types
-- JSDoc comments on all public interfaces
-- TypeScript type exports for all schemas and interfaces
+
+-   Comprehensive README.md with step-by-step guides
+-   SECURITY.md covering all security considerations
+-   8 complete usage examples:
+    -   `basic-installation.ts` - Basic GitHub App installation with standalone auth
+    -   `webhook-handling.ts` - Process webhook events (push, PR, installation)
+    -   `repository-access.ts` - Access repositories via API client
+    -   `create-issue.ts` - Create GitHub issue with permission check
+    -   `with-jwt-auth.ts` - Optional integration with JWT Auth Plugin
+    -   `organization-installation.ts` - Organization-level installation
+    -   `error-handling.ts` - Comprehensive error handling
+    -   `multi-event-webhook.ts` - Handle multiple webhook event types
+-   JSDoc comments on all public interfaces
+-   TypeScript type exports for all schemas and interfaces
 
 #### Testing
-- Project initialization tests
-- Schema and repository tests
-- JWT utilities tests (PKCS#1 and PKCS#8 support)
-- Webhook signature validation tests
-- Token cache tests
-- Error utilities tests
-- Authentication service tests
-- API client tests
-- Handler tests (installation flow, callbacks, webhooks)
-- Plugin initialization tests
-- Integration tests for end-to-end flows
-- Security tests for CSRF and signature validation
+
+-   Project initialization tests
+-   Schema and repository tests
+-   JWT utilities tests (PKCS#1 and PKCS#8 support)
+-   Webhook signature validation tests
+-   Token cache tests
+-   Error utilities tests
+-   Authentication service tests
+-   API client tests
+-   Handler tests (installation flow, callbacks, webhooks)
+-   Plugin initialization tests
+-   Integration tests for end-to-end flows
+-   Security tests for CSRF and signature validation
 
 ### Features Highlights
 
 #### Standalone Architecture
-- **No dependencies on JWT Auth Plugin** - Works with any authentication system
-- Plugin agnostic about authentication mechanism
-- Developers can use sessions, custom tokens, or any auth system
-- Optional integration with JWT Auth Plugin available
+
+-   **No dependencies on JWT Auth Plugin** - Works with any authentication system
+-   Plugin agnostic about authentication mechanism
+-   Developers can use sessions, custom tokens, or any auth system
+-   Optional integration with JWT Auth Plugin available
 
 #### Token Management
-- **Automatic caching** - Reduces GitHub API calls
-- **Smart expiration** - Caches for 55 minutes (tokens expire at 60 minutes)
-- **Automatic refresh** - Seamless token renewal
-- **Memory-only storage** - Enhanced security
+
+-   **Automatic caching** - Reduces GitHub API calls
+-   **Smart expiration** - Caches for 55 minutes (tokens expire at 60 minutes)
+-   **Automatic refresh** - Seamless token renewal
+-   **Memory-only storage** - Enhanced security
 
 #### Webhook Security
-- **Signature validation** - HMAC-SHA256 with constant-time comparison
-- **Automatic validation** - No manual verification needed
-- **Rejection of invalid webhooks** - Returns 401 for invalid signatures
+
+-   **Signature validation** - HMAC-SHA256 with constant-time comparison
+-   **Automatic validation** - No manual verification needed
+-   **Rejection of invalid webhooks** - Returns 401 for invalid signatures
 
 #### Developer Experience
-- **TypeScript-first** - Full type safety
-- **Auto-registration** - Handlers, repos, and jobs automatically registered
-- **Comprehensive examples** - 8 working examples covering all use cases
-- **Clear error messages** - Actionable error codes with hints
-- **Flexible configuration** - Sensible defaults, customizable when needed
+
+-   **TypeScript-first** - Full type safety
+-   **Auto-registration** - Handlers, repos, and jobs automatically registered
+-   **Comprehensive examples** - 8 working examples covering all use cases
+-   **Clear error messages** - Actionable error codes with hints
+-   **Flexible configuration** - Sensible defaults, customizable when needed
 
 ### Known Limitations
 
-- Single GitHub App per Flink application (multi-tenant support deferred to future)
-- No proactive token refresh before expiration (refreshes on-demand when expired)
-- GitHub Enterprise Server support via `baseUrl` option but not explicitly tested
-- No GraphQL API support (REST API only)
-- No advanced rate limit handling with queuing (basic retry logic included)
-- No webhook event replay mechanism
-- No repository permission auditing features
+-   Single GitHub App per Flink application (multi-tenant support deferred to future)
+-   No proactive token refresh before expiration (refreshes on-demand when expired)
+-   GitHub Enterprise Server support via `baseUrl` option but not explicitly tested
+-   No GraphQL API support (REST API only)
+-   No advanced rate limit handling with queuing (basic retry logic included)
+-   No webhook event replay mechanism
+-   No repository permission auditing features
 
 ### Breaking Changes
 
@@ -157,44 +177,48 @@ None (initial release)
 ## Roadmap
 
 ### Planned for v0.2.0
-- Multi-tenant support (multiple GitHub Apps per Flink application)
-- Proactive token refresh before expiration
-- Enhanced rate limit handling with request queuing
-- Webhook event replay mechanism for failed deliveries
-- GitHub Actions integration
-- GraphQL API support
+
+-   Multi-tenant support (multiple GitHub Apps per Flink application)
+-   Proactive token refresh before expiration
+-   Enhanced rate limit handling with request queuing
+-   Webhook event replay mechanism for failed deliveries
+-   GitHub Actions integration
+-   GraphQL API support
 
 ### Planned for v0.3.0
-- Repository permission auditing
-- Installation analytics and reporting
-- Batch operations for multiple repositories
-- Advanced webhook event filtering
-- Custom event processors registry
-- Webhook event transformation pipeline
+
+-   Repository permission auditing
+-   Installation analytics and reporting
+-   Batch operations for multiple repositories
+-   Advanced webhook event filtering
+-   Custom event processors registry
+-   Webhook event transformation pipeline
 
 ### Planned for v1.0.0
-- Production-ready stability
-- Comprehensive GitHub Enterprise Server testing
-- Performance optimizations
-- Advanced caching strategies
-- Complete test coverage (>90%)
-- Security audit and hardening
+
+-   Production-ready stability
+-   Comprehensive GitHub Enterprise Server testing
+-   Performance optimizations
+-   Advanced caching strategies
+-   Complete test coverage (>90%)
+-   Security audit and hardening
 
 ### Future Considerations
-- GitHub Packages integration
-- Container Registry support
-- Deployment status integration
-- Check runs and check suites support
-- Team management features
-- Marketplace integration
+
+-   GitHub Packages integration
+-   Container Registry support
+-   Deployment status integration
+-   Check runs and check suites support
+-   Team management features
+-   Marketplace integration
 
 ## Support
 
-- **Documentation:** [README.md](./README.md)
-- **Security:** [SECURITY.md](./SECURITY.md)
-- **Examples:** [examples/](./examples/)
-- **Issues:** [GitHub Issues](https://github.com/your-org/flink-framework/issues)
-- **Discussions:** [GitHub Discussions](https://github.com/your-org/flink-framework/discussions)
+-   **Documentation:** [README.md](./README.md)
+-   **Security:** [SECURITY.md](./SECURITY.md)
+-   **Examples:** [examples/](./examples/)
+-   **Issues:** [GitHub Issues](https://github.com/your-org/flink-framework/issues)
+-   **Discussions:** [GitHub Discussions](https://github.com/your-org/flink-framework/discussions)
 
 ## Contributing
 

package/dist/GitHubAppPlugin.js

@@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.githubAppPlugin = void 0;
+exports.githubAppPlugin = githubAppPlugin;
 const flink_1 = require("@flink-app/flink");
 const GitHubAppSessionRepo_1 = __importDefault(require("./repos/GitHubAppSessionRepo"));
 const GitHubInstallationRepo_1 = __importDefault(require("./repos/GitHubInstallationRepo"));
@@ -373,4 +373,3 @@ function githubAppPlugin(options) {
         init,
     };
 }
-exports.githubAppPlugin = githubAppPlugin;

package/dist/services/WebhookValidator.d.ts

@@ -3,8 +3,6 @@
  *
  * Validates GitHub webhook signatures and parses webhook payloads.
  */
-/// <reference types="node" />
-/// <reference types="node" />
 /**
  * Parsed webhook payload data
  */

package/dist/utils/error-utils.js

@@ -8,7 +8,10 @@
  * Error codes use kebab-case for frontend translation consistency.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.handleGitHubAPIError = exports.validatePrivateKey = exports.createGitHubAppError = exports.GitHubAppErrorCodes = void 0;
+exports.GitHubAppErrorCodes = void 0;
+exports.createGitHubAppError = createGitHubAppError;
+exports.validatePrivateKey = validatePrivateKey;
+exports.handleGitHubAPIError = handleGitHubAPIError;
 /**
  * GitHub App error codes
  *
@@ -50,7 +53,6 @@ function createGitHubAppError(code, message, details) {
         details,
     };
 }
-exports.createGitHubAppError = createGitHubAppError;
 /**
  * Validate private key format
  *
@@ -71,7 +73,6 @@ function validatePrivateKey(privateKey) {
     }
     return true;
 }
-exports.validatePrivateKey = validatePrivateKey;
 /**
  * Map GitHub API errors to standardized errors
  *
@@ -118,4 +119,3 @@ function handleGitHubAPIError(error) {
         status: error.status,
     });
 }
-exports.handleGitHubAPIError = handleGitHubAPIError;

package/dist/utils/jwt-utils.js

@@ -9,7 +9,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateJWT = exports.detectPEMFormat = void 0;
+exports.detectPEMFormat = detectPEMFormat;
+exports.generateJWT = generateJWT;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 /**
  * Detect PEM format (PKCS#1 or PKCS#8)
@@ -31,7 +32,6 @@ function detectPEMFormat(privateKey) {
     }
     throw new Error("Invalid PEM format. Expected PKCS#1 (BEGIN RSA PRIVATE KEY) or PKCS#8 (BEGIN PRIVATE KEY).");
 }
-exports.detectPEMFormat = detectPEMFormat;
 /**
  * Generate GitHub App JWT
  *
@@ -64,4 +64,3 @@ function generateJWT(appId, privateKey) {
         throw new Error(`Failed to sign JWT: ${error.message}`);
     }
 }
-exports.generateJWT = generateJWT;

package/dist/utils/state-utils.js

@@ -11,7 +11,9 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateSessionId = exports.validateState = exports.generateState = void 0;
+exports.generateState = generateState;
+exports.validateState = validateState;
+exports.generateSessionId = generateSessionId;
 const crypto_1 = __importDefault(require("crypto"));
 /**
  * Generate a cryptographically secure state parameter
@@ -25,7 +27,6 @@ const crypto_1 = __importDefault(require("crypto"));
 function generateState() {
     return crypto_1.default.randomBytes(32).toString("hex");
 }
-exports.generateState = generateState;
 /**
  * Validate state parameter using constant-time comparison
  *
@@ -59,7 +60,6 @@ function validateState(provided, stored) {
         return false;
     }
 }
-exports.validateState = validateState;
 /**
  * Generate a session ID for installation flow tracking
  *
@@ -71,4 +71,3 @@ exports.validateState = validateState;
 function generateSessionId() {
     return crypto_1.default.randomBytes(16).toString("hex");
 }
-exports.generateSessionId = generateSessionId;

package/dist/utils/webhook-signature-utils.d.ts

@@ -4,8 +4,6 @@
  * Validates GitHub webhook signatures using HMAC-SHA256 with
  * constant-time comparison to prevent timing attacks.
  */
-/// <reference types="node" />
-/// <reference types="node" />
 /**
  * Validate GitHub webhook signature
  *

package/dist/utils/webhook-signature-utils.js

@@ -9,7 +9,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateWebhookSignature = void 0;
+exports.validateWebhookSignature = validateWebhookSignature;
 const crypto_1 = __importDefault(require("crypto"));
 /**
  * Validate GitHub webhook signature
@@ -54,4 +54,3 @@ function validateWebhookSignature(payload, signature, secret) {
         return false;
     }
 }
-exports.validateWebhookSignature = validateWebhookSignature;

package/package.json

@@ -1,41 +1,36 @@
 {
-    "name": "@flink-app/github-app-plugin",
-    "version": "0.12.1-alpha.45",
-    "description": "Flink plugin for GitHub App integration with installation management and webhook handling",
-    "scripts": {
-        "test": "node --preserve-symlinks -r ts-node/register -- node_modules/jasmine/bin/jasmine --config=./spec/support/jasmine.json",
-        "test:watch": "nodemon --ext ts --exec 'jasmine-ts --config=./spec/support/jasmine.json'",
-        "prepare": "tsc --project tsconfig.dist.json",
-        "build": "tsc --project tsconfig.dist.json",
-        "watch": "tsc-watch --project tsconfig.dist.json"
-    },
-    "author": "joel@frost.se",
-    "license": "MIT",
-    "types": "dist/index.d.ts",
-    "main": "dist/index.js",
-    "publishConfig": {
-        "access": "public"
-    },
-    "peerDependencies": {
-        "mongodb": "^6.15.0"
-    },
-    "dependencies": {
-        "jsonwebtoken": "^9.0.2"
-    },
-    "devDependencies": {
-        "@flink-app/flink": "^0.12.1-alpha.45",
-        "@flink-app/test-utils": "^0.12.1-alpha.45",
-        "@types/jasmine": "^3.7.1",
-        "@types/jsonwebtoken": "^9.0.5",
-        "@types/node": "22.13.10",
-        "jasmine": "^3.7.0",
-        "jasmine-spec-reporter": "^7.0.0",
-        "mongodb": "6.15.0",
-        "mongodb-memory-server": "^10.2.3",
-        "nodemon": "^2.0.7",
-        "ts-node": "^9.1.1",
-        "tsc-watch": "^4.2.9",
-        "typescript": "5.4.5"
-    },
-    "gitHead": "af426a157217c110ac9c7beb48e2e746968bec33"
-}
+  "name": "@flink-app/github-app-plugin",
+  "version": "0.13.0",
+  "description": "Flink plugin for GitHub App integration with installation management and webhook handling",
+  "author": "joel@frost.se",
+  "license": "MIT",
+  "types": "dist/index.d.ts",
+  "main": "dist/index.js",
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "mongodb": "^6.15.0"
+  },
+  "dependencies": {
+    "jsonwebtoken": "^9.0.2"
+  },
+  "devDependencies": {
+    "@types/jasmine": "^3.7.1",
+    "@types/jsonwebtoken": "^9.0.5",
+    "@types/node": "22.13.10",
+    "mongodb-memory-server": "^10.2.3",
+    "ts-node": "^10.9.2",
+    "tsc-watch": "^4.2.9",
+    "@flink-app/test-utils": "0.13.0",
+    "@flink-app/flink": "0.13.0"
+  },
+  "gitHead": "4243e3b3cd6d4e1ca001a61baa8436bf2bbe4113",
+  "scripts": {
+    "test": "jasmine-ts --config=./spec/support/jasmine.json",
+    "test:watch": "nodemon --ext ts --exec 'jasmine-ts --config=./spec/support/jasmine.json'",
+    "build": "tsc --project tsconfig.dist.json",
+    "watch": "tsc-watch --project tsconfig.dist.json",
+    "clean": "rimraf dist .flink"
+  }
+}

package/tsconfig.json

@@ -15,7 +15,7 @@
     "noEmit": false,
     "declaration": true,
     "experimentalDecorators": true,
-    "checkJs": true,
+    "checkJs": false,
     "outDir": "dist",
     "typeRoots": ["./node_modules/@types"]
   },

package/dist/handlers/InitiateInstallation.d.ts

@@ -1,32 +0,0 @@
-/**
- * GitHub App Installation Initiation Handler
- *
- * Initiates the GitHub App installation flow by:
- * 1. Generating a cryptographically secure state parameter for CSRF protection
- * 2. Creating an installation session to track the flow
- * 3. Building GitHub's installation URL with state parameter
- * 4. Redirecting the user to GitHub for app installation
- *
- * Route: GET /github-app/install?user_id={optional_user_id}
- */
-import { GetHandler, RouteProps } from "@flink-app/flink";
-/**
- * Query parameters for the handler
- */
-interface QueryParams {
-    user_id?: string;
-    [key: string]: any;
-}
-/**
- * Route configuration
- * Registered programmatically by the plugin if registerRoutes is enabled
- */
-export declare const Route: RouteProps;
-/**
- * GitHub App Installation Initiation Handler
- *
- * Starts the installation flow by generating CSRF state, creating a session,
- * and redirecting to GitHub's app installation page.
- */
-declare const InitiateInstallation: GetHandler<any, any, any, QueryParams>;
-export default InitiateInstallation;

package/dist/handlers/InitiateInstallation.js

@@ -1,66 +0,0 @@
-"use strict";
-/**
- * GitHub App Installation Initiation Handler
- *
- * Initiates the GitHub App installation flow by:
- * 1. Generating a cryptographically secure state parameter for CSRF protection
- * 2. Creating an installation session to track the flow
- * 3. Building GitHub's installation URL with state parameter
- * 4. Redirecting the user to GitHub for app installation
- *
- * Route: GET /github-app/install?user_id={optional_user_id}
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.Route = void 0;
-const flink_1 = require("@flink-app/flink");
-const state_utils_1 = require("../utils/state-utils");
-/**
- * Route configuration
- * Registered programmatically by the plugin if registerRoutes is enabled
- */
-exports.Route = {
-    path: "/github-app/install",
-    method: flink_1.HttpMethod.get,
-};
-/**
- * GitHub App Installation Initiation Handler
- *
- * Starts the installation flow by generating CSRF state, creating a session,
- * and redirecting to GitHub's app installation page.
- */
-const InitiateInstallation = async ({ ctx, req }) => {
-    const { user_id } = req.query;
-    try {
-        // Get plugin options
-        const { options } = ctx.plugins.githubApp;
-        // Validate that appSlug is configured
-        if (!options.appSlug) {
-            return (0, flink_1.badRequest)("GitHub App slug is not configured. Please set appSlug in plugin options.");
-        }
-        // Generate cryptographically secure state and session ID
-        const state = (0, state_utils_1.generateState)();
-        const sessionId = (0, state_utils_1.generateSessionId)();
-        // Store session for state validation in callback
-        await ctx.repos.githubAppSessionRepo.create({
-            sessionId,
-            state,
-            userId: user_id,
-            createdAt: new Date(),
-        });
-        // Build GitHub installation URL
-        const installationUrl = `https://github.com/apps/${options.appSlug}/installations/new?state=${state}`;
-        // Redirect user to GitHub's app installation page
-        return {
-            status: 302,
-            headers: {
-                Location: installationUrl,
-            },
-            data: {},
-        };
-    }
-    catch (error) {
-        // Handle unexpected errors
-        return (0, flink_1.internalServerError)(error.message || "Failed to initiate GitHub App installation");
-    }
-};
-exports.default = InitiateInstallation;

package/dist/handlers/InstallationCallback.d.ts

@@ -1,36 +0,0 @@
-/**
- * GitHub App Installation Callback Handler
- *
- * Handles the callback from GitHub after app installation by:
- * 1. Validating the state parameter to prevent CSRF attacks
- * 2. Fetching installation details from GitHub API
- * 3. Calling the onInstallationSuccess callback to link installation to user
- * 4. Storing the installation in the database
- * 5. Redirecting to the application
- *
- * Route: GET /github-app/callback?installation_id=...&setup_action=...&state=...
- */
-import { RouteProps } from "@flink-app/flink";
-import { GitHubAppInternalContext } from "../GitHubAppInternalContext";
-/**
- * Route configuration
- * Registered programmatically by the plugin if registerRoutes is enabled
- */
-export declare const Route: RouteProps;
-/**
- * GitHub App Installation Callback Handler
- *
- * Completes the installation flow by validating state, fetching installation
- * details, calling the app's callback, and storing the installation.
- */
-declare const InstallationCallback: ({ ctx, req }: {
-    ctx: GitHubAppInternalContext;
-    req: any;
-}) => Promise<import("@flink-app/flink").FlinkResponse<undefined> | {
-    status: number;
-    headers: {
-        Location: string;
-    };
-    data: {};
-}>;
-export default InstallationCallback;

package/dist/handlers/InstallationCallback.js

@@ -1,248 +0,0 @@
-"use strict";
-/**
- * GitHub App Installation Callback Handler
- *
- * Handles the callback from GitHub after app installation by:
- * 1. Validating the state parameter to prevent CSRF attacks
- * 2. Fetching installation details from GitHub API
- * 3. Calling the onInstallationSuccess callback to link installation to user
- * 4. Storing the installation in the database
- * 5. Redirecting to the application
- *
- * Route: GET /github-app/callback?installation_id=...&setup_action=...&state=...
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.Route = void 0;
-const flink_1 = require("@flink-app/flink");
-const error_utils_1 = require("../utils/error-utils");
-const state_utils_1 = require("../utils/state-utils");
-/**
- * Route configuration
- * Registered programmatically by the plugin if registerRoutes is enabled
- */
-exports.Route = {
-    path: "/github-app/callback",
-    method: flink_1.HttpMethod.get,
-};
-/**
- * GitHub App Installation Callback Handler
- *
- * Completes the installation flow by validating state, fetching installation
- * details, calling the app's callback, and storing the installation.
- */
-const InstallationCallback = async ({ ctx, req }) => {
-    const { installation_id, setup_action, state, code } = req.query;
-    try {
-        // Validate required parameters
-        if (!installation_id || !setup_action || !state) {
-            return (0, flink_1.badRequest)("Missing required parameters: installation_id, setup_action, or state");
-        }
-        // Find installation session by state
-        const session = await ctx.repos.githubAppSessionRepo.getOne({ state });
-        if (!session) {
-            const error = (0, error_utils_1.createGitHubAppError)(error_utils_1.GitHubAppErrorCodes.SESSION_EXPIRED, "Installation session not found or expired. Please try again.", {
-                state: state.substring(0, 10) + "...",
-            });
-            // Call onInstallationError callback if provided
-            const { options } = ctx.plugins.githubApp;
-            if (options.onInstallationError) {
-                const errorResult = await options.onInstallationError({ error, installationId: installation_id });
-                if (errorResult.redirectUrl) {
-                    return {
-                        status: 302,
-                        headers: { Location: errorResult.redirectUrl },
-                        data: {},
-                    };
-                }
-            }
-            return (0, flink_1.badRequest)(error.message);
-        }
-        // Validate state parameter using constant-time comparison (CSRF protection)
-        if (!(0, state_utils_1.validateState)(state, session.state)) {
-            const error = (0, error_utils_1.createGitHubAppError)(error_utils_1.GitHubAppErrorCodes.INVALID_STATE, "Invalid state parameter. Possible CSRF attack detected.", {
-                providedState: state.substring(0, 10) + "...",
-            });
-            // Call onInstallationError callback if provided
-            const { options } = ctx.plugins.githubApp;
-            if (options.onInstallationError) {
-                const errorResult = await options.onInstallationError({ error, installationId: installation_id });
-                if (errorResult.redirectUrl) {
-                    return {
-                        status: 302,
-                        headers: { Location: errorResult.redirectUrl },
-                        data: {},
-                    };
-                }
-            }
-            return (0, flink_1.badRequest)(error.message);
-        }
-        // Delete session immediately after validation (one-time use)
-        await ctx.repos.githubAppSessionRepo.deleteBySessionId(session.sessionId);
-        // Get plugin options and auth service
-        const { options, authService } = ctx.plugins.githubApp;
-        // Generate GitHub App JWT
-        const jwt = authService.generateAppJWT();
-        // Fetch installation details from GitHub API
-        const installationIdNum = parseInt(installation_id, 10);
-        const installationDetails = await fetchInstallationDetails(installationIdNum, jwt, options.baseUrl);
-        // Fetch repositories accessible by this installation
-        const repositories = await fetchInstallationRepositories(installationIdNum, jwt, options.baseUrl);
-        // Call onInstallationSuccess callback to get userId and redirect URL
-        let callbackResult;
-        try {
-            callbackResult = await options.onInstallationSuccess({
-                installationId: installationIdNum,
-                setupAction: setup_action,
-                account: installationDetails.account,
-                repositories: repositories,
-                permissions: installationDetails.permissions || {},
-                events: installationDetails.events || [],
-            }, ctx);
-        }
-        catch (error) {
-            flink_1.log.error("GitHub App onInstallationSuccess callback failed:", error);
-            const callbackError = (0, error_utils_1.createGitHubAppError)(error_utils_1.GitHubAppErrorCodes.SERVER_ERROR, "Failed to complete installation. Please try again.", {
-                originalError: error.message,
-            });
-            // Call onInstallationError callback if provided
-            if (options.onInstallationError) {
-                const errorResult = await options.onInstallationError({
-                    error: callbackError,
-                    installationId: installation_id,
-                });
-                if (errorResult.redirectUrl) {
-                    return {
-                        status: 302,
-                        headers: { Location: errorResult.redirectUrl },
-                        data: {},
-                    };
-                }
-            }
-            return (0, flink_1.internalServerError)("Installation failed. Please try again.");
-        }
-        // Extract userId and redirectUrl from callback result
-        const { userId, redirectUrl } = callbackResult;
-        if (!userId) {
-            return (0, flink_1.badRequest)("onInstallationSuccess callback must return userId");
-        }
-        // Store installation in database
-        await ctx.repos.githubInstallationRepo.create({
-            userId,
-            installationId: installationIdNum,
-            accountId: installationDetails.account.id,
-            accountLogin: installationDetails.account.login,
-            accountType: installationDetails.account.type,
-            avatarUrl: installationDetails.account.avatar_url,
-            repositories: repositories.map((repo) => ({
-                id: repo.id,
-                name: repo.name,
-                fullName: repo.full_name,
-                private: repo.private,
-            })),
-            permissions: installationDetails.permissions || {},
-            events: installationDetails.events || [],
-            createdAt: new Date(),
-            updatedAt: new Date(),
-        });
-        // Redirect to app using callback's redirectUrl or default to root
-        const finalRedirectUrl = redirectUrl || "/";
-        return {
-            status: 302,
-            headers: {
-                Location: finalRedirectUrl,
-            },
-            data: {},
-        };
-    }
-    catch (error) {
-        flink_1.log.error("GitHub App installation callback error:", error);
-        // Call onInstallationError callback if provided
-        const { options } = ctx.plugins.githubApp;
-        if (options.onInstallationError) {
-            try {
-                const errorResult = await options.onInstallationError({
-                    error: error,
-                    installationId: installation_id,
-                });
-                if (errorResult.redirectUrl) {
-                    return {
-                        status: 302,
-                        headers: { Location: errorResult.redirectUrl },
-                        data: {},
-                    };
-                }
-            }
-            catch (callbackError) {
-                flink_1.log.error("onInstallationError callback failed:", callbackError);
-            }
-        }
-        return (0, flink_1.internalServerError)(error.message || "Installation callback failed. Please try again.");
-    }
-};
-/**
- * Fetch installation details from GitHub API
- *
- * @param installationId - GitHub installation ID
- * @param jwt - GitHub App JWT
- * @param baseUrl - GitHub API base URL
- * @returns Installation details
- */
-async function fetchInstallationDetails(installationId, jwt, baseUrl = "https://api.github.com") {
-    const url = `${baseUrl}/app/installations/${installationId}`;
-    const response = await fetch(url, {
-        method: "GET",
-        headers: {
-            Authorization: `Bearer ${jwt}`,
-            Accept: "application/vnd.github+json",
-            "User-Agent": "Flink-GitHub-App-Plugin",
-        },
-    });
-    if (!response.ok) {
-        const errorBody = await response.text();
-        throw new Error(`Failed to fetch installation details: ${response.statusText} - ${errorBody}`);
-    }
-    return await response.json();
-}
-/**
- * Fetch repositories accessible by installation
- *
- * @param installationId - GitHub installation ID
- * @param jwt - GitHub App JWT
- * @param baseUrl - GitHub API base URL
- * @returns Array of repositories
- */
-async function fetchInstallationRepositories(installationId, jwt, baseUrl = "https://api.github.com") {
-    const url = `${baseUrl}/installation/repositories`;
-    // First get an installation token
-    const tokenUrl = `${baseUrl}/app/installations/${installationId}/access_tokens`;
-    const tokenResponse = await fetch(tokenUrl, {
-        method: "POST",
-        headers: {
-            Authorization: `Bearer ${jwt}`,
-            Accept: "application/vnd.github+json",
-            "User-Agent": "Flink-GitHub-App-Plugin",
-        },
-    });
-    if (!tokenResponse.ok) {
-        const errorBody = await tokenResponse.text();
-        throw new Error(`Failed to get installation token: ${tokenResponse.statusText} - ${errorBody}`);
-    }
-    const tokenData = await tokenResponse.json();
-    const token = tokenData.token;
-    // Now fetch repositories with the installation token
-    const reposResponse = await fetch(url, {
-        method: "GET",
-        headers: {
-            Authorization: `Bearer ${token}`,
-            Accept: "application/vnd.github+json",
-            "User-Agent": "Flink-GitHub-App-Plugin",
-        },
-    });
-    if (!reposResponse.ok) {
-        const errorBody = await reposResponse.text();
-        throw new Error(`Failed to fetch repositories: ${reposResponse.statusText} - ${errorBody}`);
-    }
-    const data = await reposResponse.json();
-    return data.repositories || [];
-}
-exports.default = InstallationCallback;

package/dist/handlers/UninstallHandler.d.ts

@@ -1,37 +0,0 @@
-/**
- * GitHub App Uninstall Handler
- *
- * Manually uninstalls a GitHub App installation by:
- * 1. Extracting userId from request (app-defined authentication)
- * 2. Verifying user owns the installation
- * 3. Deleting installation from database
- * 4. Clearing cached installation token
- * 5. Returning 204 No Content
- *
- * Route: DELETE /github-app/installation/:installationId
- *
- * Note: This is an optional handler for manual uninstallation.
- * Apps should also handle the 'installation.deleted' webhook event
- * for automatic cleanup when users uninstall via GitHub UI.
- */
-import { Handler, RouteProps } from "@flink-app/flink";
-/**
- * Path parameters for the handler
- */
-interface PathParams {
-    installationId: string;
-    [key: string]: string;
-}
-/**
- * Route configuration
- * Registered programmatically by the plugin if registerRoutes is enabled
- */
-export declare const Route: RouteProps;
-/**
- * GitHub App Uninstall Handler
- *
- * Allows users to manually uninstall a GitHub App from their account.
- * The application must provide userId extraction logic (via JWT, session, etc.)
- */
-declare const UninstallHandler: Handler<any, any, any, PathParams>;
-export default UninstallHandler;

package/dist/handlers/UninstallHandler.js

@@ -1,153 +0,0 @@
-"use strict";
-/**
- * GitHub App Uninstall Handler
- *
- * Manually uninstalls a GitHub App installation by:
- * 1. Extracting userId from request (app-defined authentication)
- * 2. Verifying user owns the installation
- * 3. Deleting installation from database
- * 4. Clearing cached installation token
- * 5. Returning 204 No Content
- *
- * Route: DELETE /github-app/installation/:installationId
- *
- * Note: This is an optional handler for manual uninstallation.
- * Apps should also handle the 'installation.deleted' webhook event
- * for automatic cleanup when users uninstall via GitHub UI.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.Route = void 0;
-const flink_1 = require("@flink-app/flink");
-/**
- * Route configuration
- * Registered programmatically by the plugin if registerRoutes is enabled
- */
-exports.Route = {
-    path: "/github-app/installation/:installationId",
-    method: flink_1.HttpMethod.delete,
-};
-/**
- * GitHub App Uninstall Handler
- *
- * Allows users to manually uninstall a GitHub App from their account.
- * The application must provide userId extraction logic (via JWT, session, etc.)
- */
-const UninstallHandler = async ({ ctx, req }) => {
-    try {
-        const { installationId } = req.params;
-        const installationIdNum = parseInt(installationId, 10);
-        if (isNaN(installationIdNum)) {
-            return {
-                status: 400,
-                data: { error: "Invalid installation ID" },
-            };
-        }
-        // Extract userId from request
-        // This is app-defined and can work with any authentication system
-        // Examples:
-        // - JWT Auth Plugin: ctx.auth?.tokenData?.userId
-        // - Session-based: req.session?.userId
-        // - Custom header: req.headers['x-user-id']
-        //
-        // For now, we'll look for userId in multiple common places
-        const userId = extractUserId(req, ctx);
-        if (!userId) {
-            return {
-                status: 401,
-                data: { error: "Authentication required" },
-            };
-        }
-        // Find the installation
-        const installation = await ctx.repos.githubInstallationRepo.findByInstallationId(installationIdNum);
-        if (!installation) {
-            return {
-                status: 404,
-                data: { error: "Installation not found" },
-            };
-        }
-        // Verify user owns the installation
-        if (installation.userId !== userId) {
-            flink_1.log.warn("User attempted to delete installation they don't own", {
-                userId,
-                installationId: installationIdNum,
-                ownerId: installation.userId,
-            });
-            return {
-                status: 403,
-                data: { error: "You do not have permission to delete this installation" },
-            };
-        }
-        // Delete installation from database
-        const deletedCount = await ctx.repos.githubInstallationRepo.deleteByInstallationId(installationIdNum);
-        if (deletedCount === 0) {
-            flink_1.log.error("Failed to delete installation from database", {
-                installationId: installationIdNum,
-            });
-            return {
-                status: 500,
-                data: { error: "Failed to delete installation" },
-            };
-        }
-        // Clear cached installation token
-        ctx.plugins.githubApp.authService.deleteInstallationToken(installationIdNum);
-        flink_1.log.info("GitHub App installation deleted", {
-            userId,
-            installationId: installationIdNum,
-        });
-        // Return 204 No Content
-        return {
-            status: 204,
-            data: {},
-        };
-    }
-    catch (error) {
-        flink_1.log.error("Error deleting GitHub App installation", {
-            error: error.message,
-        });
-        return {
-            status: 500,
-            data: { error: "Failed to delete installation" },
-        };
-    }
-};
-/**
- * Extract userId from request
- *
- * This helper function attempts to extract userId from various common
- * authentication patterns. Applications can customize this logic based
- * on their authentication system.
- *
- * @param req - Express request object
- * @param ctx - Flink context
- * @returns userId if found, undefined otherwise
- */
-function extractUserId(req, ctx) {
-    // Option 1: JWT Auth Plugin (if available)
-    if (ctx.auth?.tokenData?.userId) {
-        return ctx.auth.tokenData.userId;
-    }
-    // Option 2: Custom user property on request (set by custom middleware)
-    if (req.user?.id) {
-        return req.user.id;
-    }
-    if (req.user?.userId) {
-        return req.user.userId;
-    }
-    if (req.user?._id) {
-        return req.user._id;
-    }
-    // Option 3: Session-based authentication
-    if (req.session?.userId) {
-        return req.session.userId;
-    }
-    // Option 4: Custom header
-    if (req.headers["x-user-id"]) {
-        return req.headers["x-user-id"];
-    }
-    // Option 5: Query parameter (less secure, use with caution)
-    if (req.query?.user_id) {
-        return req.query.user_id;
-    }
-    return undefined;
-}
-exports.default = UninstallHandler;

package/dist/schemas/InstallationCallbackRequest.d.ts

@@ -1,10 +0,0 @@
-/**
- * Query parameters received from GitHub after app installation.
- */
-export default interface InstallationCallbackRequest {
-    installation_id: string;
-    setup_action: 'install' | 'update' | 'request';
-    state: string;
-    code?: string;
-    [key: string]: string | undefined;
-}

package/dist/schemas/InstallationCallbackRequest.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });