@forwardimpact/libbridge 0.1.10 → 0.1.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forwardimpact/libbridge",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Threaded-channel bridge primitives — relay messages between human channels (GitHub Discussions, Microsoft Teams) and the Kata agent team.",
   "keywords": [
     "bridge",

package/src/callback-handler.js

@@ -111,7 +111,15 @@ export function createCallbackHandler({
     }
 
     const discussionId = loadDiscussionId(meta);
-    const ctx = await store.loadByChannel(channel, discussionId);
+    // The dispatcher bound the resolved tenant on the callback token's domain
+    // meta (`default` in single-tenant). Thread it into the load so
+    // multi-tenant lookups hit the tenant-scoped key rather than re-resolving
+    // by channel (which the registry cannot do — the channel is not a key).
+    const ctx = await store.loadByChannel(
+      channel,
+      discussionId,
+      meta.meta?.tenant_id,
+    );
     if (!ctx) {
       logger.error?.("callback", "context missing", {
         discussion_id: discussionId,

package/src/dispatcher.js

@@ -44,7 +44,12 @@ export class Dispatcher {
       throw new Error("callbackBaseUrl is required");
     }
     if (!workflowFile) throw new Error("workflowFile is required");
-    if (!githubRepo) throw new Error("githubRepo is required");
+    // A non-empty static repo is required in single-tenant mode; multi-tenant
+    // mode derives the repo per request from the resolved tenant, so an empty
+    // string is accepted (the dispatch falls back to `tenant.repo`).
+    if (typeof githubRepo !== "string") {
+      throw new Error("githubRepo is required");
+    }
     if (!tokenResolver) throw new Error("tokenResolver is required");
     if (!tenantResolver) throw new Error("tenantResolver is required");
     if (!clock) throw new Error("clock is required");
@@ -81,9 +86,11 @@ export class Dispatcher {
     if (typeof prompt !== "string") throw new Error("prompt is required");
     if (typeof requester !== "string") throw new Error("requester is required");
 
-    const auth = await this.#tokenResolver.resolve(ctx.channel, requester);
-    if (auth.kind !== "token") return auth;
-
+    // Resolve the tenant before the dispatch credential. The hosted dispatch
+    // identity is a repo-scoped App installation token (see design § Hosted
+    // dispatch identity), so a token resolver that mints per repo needs the
+    // resolved tenant's `repo`. The third argument is additive — the
+    // self-hosted `TokenResolver` (per-user OAuth) ignores it.
     const tenant = await this.#tenantResolver.resolve({
       channel: ctx.channel,
       key: ctx.channel_tenant_key,
@@ -93,19 +100,33 @@ export class Dispatcher {
     }
     const tenant_id = tenant.tenant_id;
 
+    const auth = await this.#tokenResolver.resolve(
+      ctx.channel,
+      requester,
+      tenant,
+    );
+    if (auth.kind !== "token") return auth;
+
     const correlationId = randomUUID();
     const mergedMeta = { ...(callbackMeta ?? {}), requester, tenant_id };
     const token = this.#callbacks.register(correlationId, mergedMeta);
     ctx.pending_callbacks[token] = correlationId;
     ctx.active_requester = requester;
     const callbackUrl = `${this.#callbackBaseUrl}/api/callback/${tenant_id}/${token}`;
-    const inboxUrl = `${this.#callbackBaseUrl}/api/inbox/${correlationId}`;
+    const inboxUrl = `${this.#callbackBaseUrl}/api/inbox/${correlationId}?tenant_id=${encodeURIComponent(tenant_id)}`;
+
+    // The workflow_dispatch targets the resolved tenant's repository when the
+    // resolver supplies one (multi-tenant); otherwise the static configured
+    // repo (single-tenant). Both modes fire against the customer's runner.
+    const dispatchRepo = tenant.repo
+      ? `${tenant.repo.owner}/${tenant.repo.name}`
+      : this.#githubRepo;
 
     if (ackTarget !== undefined) await this.#ack.start(token, ackTarget);
     try {
       await dispatchWorkflow({
         workflowFile: this.#workflowFile,
-        repo: this.#githubRepo,
+        repo: dispatchRepo,
         token: auth.token,
         prompt,
         callbackUrl,

package/src/ghserver-token-resolver.js

@@ -0,0 +1,62 @@
+/**
+ * Hosted dispatch identity for multi-tenant bridges. The `workflow_dispatch`
+ * credential is a repo-scoped GitHub App installation token minted by
+ * `services/ghserver` for the resolved tenant's repository — not the per-user
+ * OAuth token used by the self-hosted path (see design § Hosted dispatch
+ * identity). Both `services/ghbridge` and `services/msbridge` share this
+ * resolver in multi-tenant mode; the channel-specific reply credential (Bot
+ * Framework for Teams, App installation for GitHub) is unaffected.
+ *
+ * This resolver satisfies the same duck-typed surface the `Dispatcher`
+ * expects from a `TokenResolver`: `resolve(surface, requester, tenant) ->
+ * DispatchAuth`. The `tenant` argument carries the registry row (with its
+ * `repo`) the dispatcher resolved before requesting the credential, so the
+ * mint is scoped to exactly that repository — there is no per-user link step.
+ *
+ * Lives in libbridge (not a channel adapter) because it imports no channel
+ * SDK: it depends only on the duck-typed ghserver client, keeping libbridge's
+ * "no channel SDKs" invariant intact.
+ */
+export class GhServerTokenResolver {
+  #client;
+  #requestedBy;
+
+  /**
+   * @param {object} client - ghserver gRPC client exposing
+   *   `MintInstallationToken({owner, name, requested_by})`.
+   * @param {object} [options]
+   * @param {string} [options.requestedBy] - Audit tag forwarded as
+   *   `requested_by` on the mint; identifies the calling bridge.
+   */
+  constructor(client, { requestedBy = "bridge" } = {}) {
+    if (!client) throw new Error("ghserver client is required");
+    this.#client = client;
+    this.#requestedBy = requestedBy;
+  }
+
+  /**
+   * @param {string} _surface - Unused; the App installation is repo-scoped.
+   * @param {string} _requester - Unused; the App authors the dispatch.
+   * @param {import("./tenant-resolver.js").Tenant} [tenant]
+   * @returns {Promise<{kind: string, token?: string, error?: Error}>}
+   */
+  async resolve(_surface, _requester, tenant) {
+    const repo = tenant?.repo;
+    if (!repo?.owner || !repo?.name) {
+      return {
+        kind: "transient",
+        error: new Error("tenant_repo_unresolved"),
+      };
+    }
+    try {
+      const { installation_token } = await this.#client.MintInstallationToken({
+        owner: repo.owner,
+        name: repo.name,
+        requested_by: this.#requestedBy,
+      });
+      return { kind: "token", token: installation_token };
+    } catch (err) {
+      return { kind: "transient", error: err };
+    }
+  }
+}

package/src/inbox-handler.js

@@ -23,6 +23,15 @@ export function createInboxHandler({
   return async (c) => {
     const correlationId = c.req.param("correlationId");
     const sinceSeq = parseInt(c.req.query("since") ?? "0", 10);
+    // The dispatcher embeds the resolved tenant on the inbox URL it hands the
+    // run (single-tenant binds the literal `default`). `services/bridge`
+    // rejects a `DrainInbox` without a `tenant_id`, so a poll that omits it is
+    // a caller error: fail fast rather than leaking a cross-tenant queue.
+    const tenant_id = c.req.query("tenant_id");
+    if (!tenant_id) {
+      logger.error?.("inbox", "missing tenant_id");
+      return c.json({ error: "tenant_id required" }, 400);
+    }
     const deadline = clock.now() + pollTimeoutMs;
 
     while (clock.now() < deadline) {
@@ -31,6 +40,7 @@ export function createInboxHandler({
           bridge.DrainInboxRequest.fromObject({
             correlation_id: correlationId,
             since_seq: sinceSeq,
+            tenant_id,
           }),
         );
         if (result.messages?.length > 0) {

package/src/index.js

@@ -36,6 +36,7 @@ export {
   RegistryTenantResolver,
 } from "./tenant-resolver.js";
 export { TokenResolver } from "./token-resolver.js";
+export { GhServerTokenResolver } from "./ghserver-token-resolver.js";
 export {
   CallbackHandlerError,
   createCallbackHandler,