npm - @fractary/faber - Versions diffs - 2.2.0 → 2.3.0 - Mend

@fractary/faber 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/auth/github-app.d.ts +155 -0
package/dist/auth/github-app.d.ts.map +1 -0
package/dist/auth/github-app.js +348 -0
package/dist/auth/github-app.js.map +1 -0
package/dist/auth/index.d.ts +7 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +7 -0
package/dist/auth/index.js.map +1 -0
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/package.json +7 -1

package/dist/auth/github-app.d.ts ADDED Viewed

@@ -0,0 +1,155 @@
+/**
+ * @fractary/faber - GitHub App Authentication
+ *
+ * Provides JWT generation, installation token exchange, and token caching
+ * for GitHub App authentication.
+ *
+ * This module is used by both the SDK and CLI for GitHub App auth.
+ */
+/**
+ * GitHub App configuration
+ */
+export interface GitHubAppConfig {
+    /** GitHub App ID */
+    id: string;
+    /** Installation ID for the target org/repo */
+    installation_id: string;
+    /** Path to PEM file (optional if env var used) */
+    private_key_path?: string;
+    /** Env var name containing base64-encoded key */
+    private_key_env_var?: string;
+    /** How the app was created */
+    created_via?: 'manifest-flow' | 'manual';
+    /** ISO 8601 timestamp of creation */
+    created_at?: string;
+}
+/**
+ * Private Key Loader
+ *
+ * Loads private keys from file path or environment variable
+ */
+export declare class PrivateKeyLoader {
+    /**
+     * Load private key from configured sources.
+     * Priority: env var > file path
+     *
+     * @param config - GitHub App configuration
+     * @returns The private key content
+     * @throws Error if private key cannot be loaded
+     */
+    static load(config: GitHubAppConfig): Promise<string>;
+    /**
+     * Validate private key format.
+     *
+     * @param key - The private key content
+     * @returns true if valid PEM format
+     */
+    static validate(key: string): boolean;
+}
+/**
+ * GitHub App Authentication
+ *
+ * Handles JWT generation, installation token exchange, and caching
+ */
+export declare class GitHubAppAuth {
+    private cache;
+    private config;
+    private refreshPromise;
+    private static readonly REFRESH_THRESHOLD_MS;
+    private static readonly JWT_EXPIRY_SECONDS;
+    private static readonly GITHUB_API_URL;
+    constructor(config: GitHubAppConfig);
+    /**
+     * Get the configuration
+     */
+    getConfig(): GitHubAppConfig;
+    /**
+     * Get a valid installation token.
+     * Returns cached token if still valid, otherwise generates new one.
+     *
+     * @returns Installation access token
+     */
+    getToken(): Promise<string>;
+    /**
+     * Force refresh the token.
+     *
+     * @returns New installation access token
+     */
+    refreshToken(): Promise<string>;
+    /**
+     * Check if token needs refresh (within 5 minutes of expiration).
+     *
+     * @returns true if token should be refreshed
+     */
+    isTokenExpiringSoon(): boolean;
+    /**
+     * Validate the configuration and private key.
+     *
+     * @throws Error if configuration is invalid
+     */
+    validate(): Promise<void>;
+    /**
+     * Perform the actual token refresh
+     */
+    private doRefresh;
+    /**
+     * Generate a JWT for GitHub App authentication
+     */
+    private generateJWT;
+    /**
+     * Exchange JWT for installation access token
+     */
+    private exchangeForInstallationToken;
+    /**
+     * Check if token is expired
+     */
+    private isExpired;
+    /**
+     * Check if token is expiring soon
+     */
+    private isExpiringSoon;
+    /**
+     * Trigger background token refresh with retry (non-blocking)
+     */
+    private triggerBackgroundRefresh;
+    /**
+     * Refresh token with exponential backoff retry
+     *
+     * @param maxRetries - Maximum number of retry attempts
+     * @param baseDelayMs - Base delay in milliseconds (doubles each retry)
+     */
+    private refreshWithRetry;
+    /**
+     * Sleep helper for retry delays
+     */
+    private sleep;
+}
+/**
+ * Token Provider Interface
+ *
+ * Abstract interface for getting tokens, supporting both PAT and GitHub App
+ */
+export interface TokenProvider {
+    getToken(): Promise<string>;
+}
+/**
+ * Static Token Provider
+ *
+ * Simple provider for static PAT tokens
+ */
+export declare class StaticTokenProvider implements TokenProvider {
+    private token;
+    constructor(token: string);
+    getToken(): Promise<string>;
+}
+/**
+ * GitHub App Token Provider
+ *
+ * Provider that uses GitHubAppAuth for dynamic token generation
+ */
+export declare class GitHubAppTokenProvider implements TokenProvider {
+    private auth;
+    constructor(auth: GitHubAppAuth);
+    getToken(): Promise<string>;
+}
+//# sourceMappingURL=github-app.d.ts.map

package/dist/auth/github-app.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"github-app.d.ts","sourceRoot":"","sources":["../../src/auth/github-app.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oBAAoB;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,8CAA8C;IAC9C,eAAe,EAAE,MAAM,CAAC;IACxB,kDAAkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iDAAiD;IACjD,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,8BAA8B;IAC9B,WAAW,CAAC,EAAE,eAAe,GAAG,QAAQ,CAAC;IACzC,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAqBD;;;;GAIG;AACH,qBAAa,gBAAgB;IAC3B;;;;;;;OAOG;WACU,IAAI,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IAiD3D;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;CAUtC;AAED;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,KAAK,CAAuC;IACpD,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,cAAc,CAAgC;IAGtD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAiB;IAE7D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAO;IAEjD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAA4B;gBAEtD,MAAM,EAAE,eAAe;IAInC;;OAEG;IACH,SAAS,IAAI,eAAe;IAI5B;;;;;OAKG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAkBjC;;;;OAIG;IACG,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAerC;;;;OAIG;IACH,mBAAmB,IAAI,OAAO;IAK9B;;;;OAIG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAkB/B;;OAEG;YACW,SAAS;IAcvB;;OAEG;YACW,WAAW;IAoBzB;;OAEG;YACW,4BAA4B;IA2D1C;;OAEG;IACH,OAAO,CAAC,SAAS;IAIjB;;OAEG;IACH,OAAO,CAAC,cAAc;IAItB;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAWhC;;;;;OAKG;YACW,gBAAgB;IAmC9B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC7B;AAED;;;;GAIG;AACH,qBAAa,mBAAoB,YAAW,aAAa;IAC3C,OAAO,CAAC,KAAK;gBAAL,KAAK,EAAE,MAAM;IAE3B,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;CAGlC;AAED;;;;GAIG;AACH,qBAAa,sBAAuB,YAAW,aAAa;IAC9C,OAAO,CAAC,IAAI;gBAAJ,IAAI,EAAE,aAAa;IAEjC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;CAGlC"}

package/dist/auth/github-app.js ADDED Viewed

@@ -0,0 +1,348 @@
+/**
+ * @fractary/faber - GitHub App Authentication
+ *
+ * Provides JWT generation, installation token exchange, and token caching
+ * for GitHub App authentication.
+ *
+ * This module is used by both the SDK and CLI for GitHub App auth.
+ */
+import jwt from 'jsonwebtoken';
+import fs from 'fs/promises';
+import path from 'path';
+import os from 'os';
+/**
+ * Private Key Loader
+ *
+ * Loads private keys from file path or environment variable
+ */
+export class PrivateKeyLoader {
+    /**
+     * Load private key from configured sources.
+     * Priority: env var > file path
+     *
+     * @param config - GitHub App configuration
+     * @returns The private key content
+     * @throws Error if private key cannot be loaded
+     */
+    static async load(config) {
+        // Try environment variable first (priority)
+        if (config.private_key_env_var) {
+            const envValue = process.env[config.private_key_env_var];
+            if (envValue) {
+                try {
+                    // Decode base64-encoded key
+                    const decoded = Buffer.from(envValue, 'base64').toString('utf-8');
+                    if (PrivateKeyLoader.validate(decoded)) {
+                        return decoded;
+                    }
+                }
+                catch {
+                    // Invalid base64, fall through to file path
+                }
+            }
+        }
+        // Try file path
+        if (config.private_key_path) {
+            try {
+                // Expand ~ to home directory
+                const expandedPath = config.private_key_path.startsWith('~')
+                    ? config.private_key_path.replace('~', os.homedir())
+                    : config.private_key_path;
+                const resolvedPath = path.resolve(expandedPath);
+                const key = await fs.readFile(resolvedPath, 'utf-8');
+                if (PrivateKeyLoader.validate(key)) {
+                    return key;
+                }
+                throw new Error('Invalid private key format. Expected PEM-encoded RSA private key');
+            }
+            catch (error) {
+                if (error instanceof Error && error.message.includes('ENOENT')) {
+                    throw new Error(`GitHub App private key not found at '${config.private_key_path}'. ` +
+                        `Check 'private_key_path' in config or set ${config.private_key_env_var || 'GITHUB_APP_PRIVATE_KEY'} env var`);
+                }
+                throw error;
+            }
+        }
+        throw new Error('GitHub App private key not found. ' +
+            "Configure 'private_key_path' in .fractary/config.yaml or set GITHUB_APP_PRIVATE_KEY env var");
+    }
+    /**
+     * Validate private key format.
+     *
+     * @param key - The private key content
+     * @returns true if valid PEM format
+     */
+    static validate(key) {
+        // Check for PEM format (RSA or PKCS#8)
+        const trimmed = key.trim();
+        return ((trimmed.startsWith('-----BEGIN RSA PRIVATE KEY-----') &&
+            trimmed.endsWith('-----END RSA PRIVATE KEY-----')) ||
+            (trimmed.startsWith('-----BEGIN PRIVATE KEY-----') &&
+                trimmed.endsWith('-----END PRIVATE KEY-----')));
+    }
+}
+/**
+ * GitHub App Authentication
+ *
+ * Handles JWT generation, installation token exchange, and caching
+ */
+export class GitHubAppAuth {
+    cache = new Map();
+    config;
+    refreshPromise = null;
+    // Token refresh threshold (5 minutes before expiration)
+    static REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
+    // JWT validity period (reduced to 5 minutes to handle clock skew)
+    static JWT_EXPIRY_SECONDS = 300;
+    // GitHub API base URL
+    static GITHUB_API_URL = 'https://api.github.com';
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Get the configuration
+     */
+    getConfig() {
+        return this.config;
+    }
+    /**
+     * Get a valid installation token.
+     * Returns cached token if still valid, otherwise generates new one.
+     *
+     * @returns Installation access token
+     */
+    async getToken() {
+        const cacheKey = this.config.installation_id;
+        const cached = this.cache.get(cacheKey);
+        if (cached && !this.isExpired(cached) && !this.isExpiringSoon(cached)) {
+            return cached.token;
+        }
+        // If token is expiring soon but still valid, trigger background refresh
+        if (cached && !this.isExpired(cached) && this.isExpiringSoon(cached)) {
+            this.triggerBackgroundRefresh();
+            return cached.token;
+        }
+        // Token expired or missing, must refresh synchronously
+        return this.refreshToken();
+    }
+    /**
+     * Force refresh the token.
+     *
+     * @returns New installation access token
+     */
+    async refreshToken() {
+        // Deduplicate concurrent refresh requests
+        if (this.refreshPromise) {
+            return this.refreshPromise;
+        }
+        this.refreshPromise = this.doRefresh();
+        try {
+            return await this.refreshPromise;
+        }
+        finally {
+            this.refreshPromise = null;
+        }
+    }
+    /**
+     * Check if token needs refresh (within 5 minutes of expiration).
+     *
+     * @returns true if token should be refreshed
+     */
+    isTokenExpiringSoon() {
+        const cached = this.cache.get(this.config.installation_id);
+        return cached ? this.isExpiringSoon(cached) : true;
+    }
+    /**
+     * Validate the configuration and private key.
+     *
+     * @throws Error if configuration is invalid
+     */
+    async validate() {
+        // Validate required fields
+        if (!this.config.id) {
+            throw new Error("GitHub App ID is required. Configure 'app.id' in .fractary/config.yaml");
+        }
+        if (!this.config.installation_id) {
+            throw new Error("GitHub App Installation ID is required. Configure 'app.installation_id' in .fractary/config.yaml");
+        }
+        // Validate private key can be loaded
+        await PrivateKeyLoader.load(this.config);
+        // Attempt to generate JWT to validate key
+        await this.generateJWT();
+    }
+    /**
+     * Perform the actual token refresh
+     */
+    async doRefresh() {
+        const jwtToken = await this.generateJWT();
+        const installationToken = await this.exchangeForInstallationToken(jwtToken);
+        // Cache the token
+        this.cache.set(this.config.installation_id, {
+            token: installationToken.token,
+            expires_at: new Date(installationToken.expires_at),
+            installation_id: this.config.installation_id,
+        });
+        return installationToken.token;
+    }
+    /**
+     * Generate a JWT for GitHub App authentication
+     */
+    async generateJWT() {
+        const privateKey = await PrivateKeyLoader.load(this.config);
+        const now = Math.floor(Date.now() / 1000);
+        const payload = {
+            iat: now - 60, // Issued 60 seconds ago to allow for clock drift
+            exp: now + GitHubAppAuth.JWT_EXPIRY_SECONDS,
+            iss: this.config.id,
+        };
+        try {
+            return jwt.sign(payload, privateKey, { algorithm: 'RS256' });
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw new Error(`Failed to generate JWT: ${error.message}`);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Exchange JWT for installation access token
+     */
+    async exchangeForInstallationToken(jwtToken) {
+        const url = `${GitHubAppAuth.GITHUB_API_URL}/app/installations/${this.config.installation_id}/access_tokens`;
+        let response;
+        try {
+            response = await fetch(url, {
+                method: 'POST',
+                headers: {
+                    Accept: 'application/vnd.github+json',
+                    Authorization: `Bearer ${jwtToken}`,
+                    'X-GitHub-Api-Version': '2022-11-28',
+                },
+            });
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw new Error(`Failed to connect to GitHub API: ${error.message}`);
+            }
+            throw error;
+        }
+        if (!response.ok) {
+            const errorBody = await response.text().catch(() => 'Unknown error');
+            if (response.status === 401) {
+                throw new Error(`Failed to authenticate with GitHub App. Status: ${response.status}, Response: ${errorBody}`);
+            }
+            if (response.status === 404) {
+                throw new Error(`GitHub App installation not found (ID: ${this.config.installation_id}). ` +
+                    'Verify the Installation ID is correct and the app is installed.');
+            }
+            if (response.status === 403) {
+                // Check for rate limiting
+                const rateLimitRemaining = response.headers.get('x-ratelimit-remaining');
+                const rateLimitReset = response.headers.get('x-ratelimit-reset');
+                if (rateLimitRemaining === '0' && rateLimitReset) {
+                    const resetValue = parseInt(rateLimitReset, 10);
+                    if (!isNaN(resetValue)) {
+                        const resetTime = new Date(resetValue * 1000);
+                        const secondsUntilReset = Math.ceil((resetTime.getTime() - Date.now()) / 1000);
+                        throw new Error(`GitHub API rate limited. Retry after ${secondsUntilReset} seconds.`);
+                    }
+                }
+            }
+            throw new Error(`Failed to get installation token: ${response.status} ${errorBody}`);
+        }
+        return response.json();
+    }
+    /**
+     * Check if token is expired
+     */
+    isExpired(cached) {
+        return cached.expires_at.getTime() <= Date.now();
+    }
+    /**
+     * Check if token is expiring soon
+     */
+    isExpiringSoon(cached) {
+        return cached.expires_at.getTime() - Date.now() < GitHubAppAuth.REFRESH_THRESHOLD_MS;
+    }
+    /**
+     * Trigger background token refresh with retry (non-blocking)
+     */
+    triggerBackgroundRefresh() {
+        if (this.refreshPromise) {
+            return; // Already refreshing
+        }
+        // Retry with exponential backoff for transient failures
+        this.refreshWithRetry(3, 1000).catch(error => {
+            console.error('[GitHubAppAuth] Background token refresh failed after retries:', error.message);
+        });
+    }
+    /**
+     * Refresh token with exponential backoff retry
+     *
+     * @param maxRetries - Maximum number of retry attempts
+     * @param baseDelayMs - Base delay in milliseconds (doubles each retry)
+     */
+    async refreshWithRetry(maxRetries, baseDelayMs) {
+        let lastError = null;
+        for (let attempt = 0; attempt <= maxRetries; attempt++) {
+            try {
+                return await this.refreshToken();
+            }
+            catch (error) {
+                lastError = error instanceof Error ? error : new Error(String(error));
+                // Don't retry auth errors (invalid credentials, wrong installation ID)
+                const errorMessage = lastError.message.toLowerCase();
+                if (errorMessage.includes('401') ||
+                    errorMessage.includes('404') ||
+                    errorMessage.includes('invalid') ||
+                    errorMessage.includes('not found')) {
+                    throw lastError;
+                }
+                // If we have retries left, wait with exponential backoff
+                if (attempt < maxRetries) {
+                    const delay = baseDelayMs * Math.pow(2, attempt);
+                    console.error(`[GitHubAppAuth] Token refresh failed (attempt ${attempt + 1}/${maxRetries + 1}), ` +
+                        `retrying in ${delay}ms: ${lastError.message}`);
+                    await this.sleep(delay);
+                }
+            }
+        }
+        throw lastError || new Error('Token refresh failed after retries');
+    }
+    /**
+     * Sleep helper for retry delays
+     */
+    sleep(ms) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+}
+/**
+ * Static Token Provider
+ *
+ * Simple provider for static PAT tokens
+ */
+export class StaticTokenProvider {
+    token;
+    constructor(token) {
+        this.token = token;
+    }
+    async getToken() {
+        return this.token;
+    }
+}
+/**
+ * GitHub App Token Provider
+ *
+ * Provider that uses GitHubAppAuth for dynamic token generation
+ */
+export class GitHubAppTokenProvider {
+    auth;
+    constructor(auth) {
+        this.auth = auth;
+    }
+    async getToken() {
+        return this.auth.getToken();
+    }
+}
+//# sourceMappingURL=github-app.js.map

package/dist/auth/github-app.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"github-app.js","sourceRoot":"","sources":["../../src/auth/github-app.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,GAAG,MAAM,cAAc,CAAC;AAC/B,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AAuCpB;;;;GAIG;AACH,MAAM,OAAO,gBAAgB;IAC3B;;;;;;;OAOG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAuB;QACvC,4CAA4C;QAC5C,IAAI,MAAM,CAAC,mBAAmB,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;YACzD,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC;oBACH,4BAA4B;oBAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAClE,IAAI,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;wBACvC,OAAO,OAAO,CAAC;oBACjB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,4CAA4C;gBAC9C,CAAC;YACH,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,6BAA6B;gBAC7B,MAAM,YAAY,GAAG,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC,GAAG,CAAC;oBAC1D,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC;oBACpD,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC;gBAE5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;gBAChD,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;gBAErD,IAAI,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACnC,OAAO,GAAG,CAAC;gBACb,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;YACtF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC/D,MAAM,IAAI,KAAK,CACb,wCAAwC,MAAM,CAAC,gBAAgB,KAAK;wBACpE,6CAA6C,MAAM,CAAC,mBAAmB,IAAI,wBAAwB,UAAU,CAC9G,CAAC;gBACJ,CAAC;gBACD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,oCAAoC;YACpC,6FAA6F,CAC9F,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,GAAW;QACzB,uCAAuC;QACvC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,OAAO,CACL,CAAC,OAAO,CAAC,UAAU,CAAC,iCAAiC,CAAC;YACpD,OAAO,CAAC,QAAQ,CAAC,+BAA+B,CAAC,CAAC;YACpD,CAAC,OAAO,CAAC,UAAU,CAAC,6BAA6B,CAAC;gBAChD,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC,CACjD,CAAC;IACJ,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,aAAa;IAChB,KAAK,GAA6B,IAAI,GAAG,EAAE,CAAC;IAC5C,MAAM,CAAkB;IACxB,cAAc,GAA2B,IAAI,CAAC;IAEtD,wDAAwD;IAChD,MAAM,CAAU,oBAAoB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAC7D,kEAAkE;IAC1D,MAAM,CAAU,kBAAkB,GAAG,GAAG,CAAC;IACjD,sBAAsB;IACd,MAAM,CAAU,cAAc,GAAG,wBAAwB,CAAC;IAElE,YAAY,MAAuB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,QAAQ;QACZ,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAExC,IAAI,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;YACtE,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;QAED,wEAAwE;QACxE,IAAI,MAAM,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;YACrE,IAAI,CAAC,wBAAwB,EAAE,CAAC;YAChC,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;QAED,uDAAuD;QACvD,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;IAC7B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,YAAY;QAChB,0CAA0C;QAC1C,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,cAAc,CAAC;QAC7B,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAEvC,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,cAAc,CAAC;QACnC,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,mBAAmB;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC3D,OAAO,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACrD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ;QACZ,2BAA2B;QAC3B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,kGAAkG,CACnG,CAAC;QACJ,CAAC;QAED,qCAAqC;QACrC,MAAM,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAEzC,0CAA0C;QAC1C,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS;QACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,4BAA4B,CAAC,QAAQ,CAAC,CAAC;QAE5E,kBAAkB;QAClB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE;YAC1C,KAAK,EAAE,iBAAiB,CAAC,KAAK;YAC9B,UAAU,EAAE,IAAI,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC;YAClD,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe;SAC7C,CAAC,CAAC;QAEH,OAAO,iBAAiB,CAAC,KAAK,CAAC;IACjC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,WAAW;QACvB,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAE5D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG;YACd,GAAG,EAAE,GAAG,GAAG,EAAE,EAAE,iDAAiD;YAChE,GAAG,EAAE,GAAG,GAAG,aAAa,CAAC,kBAAkB;YAC3C,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;SACpB,CAAC;QAEF,IAAI,CAAC;YACH,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,4BAA4B,CAAC,QAAgB;QACzD,MAAM,GAAG,GAAG,GAAG,aAAa,CAAC,cAAc,sBAAsB,IAAI,CAAC,MAAM,CAAC,eAAe,gBAAgB,CAAC;QAE7G,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC1B,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,MAAM,EAAE,6BAA6B;oBACrC,aAAa,EAAE,UAAU,QAAQ,EAAE;oBACnC,sBAAsB,EAAE,YAAY;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,oCAAoC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,CAAC;YAErE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,mDAAmD,QAAQ,CAAC,MAAM,eAAe,SAAS,EAAE,CAC7F,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,0CAA0C,IAAI,CAAC,MAAM,CAAC,eAAe,KAAK;oBAC1E,iEAAiE,CAClE,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,0BAA0B;gBAC1B,MAAM,kBAAkB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;gBACzE,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;gBAEjE,IAAI,kBAAkB,KAAK,GAAG,IAAI,cAAc,EAAE,CAAC;oBACjD,MAAM,UAAU,GAAG,QAAQ,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;oBAChD,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;wBACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;wBAC9C,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;wBAC/E,MAAM,IAAI,KAAK,CACb,wCAAwC,iBAAiB,WAAW,CACrE,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAED,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;QACvF,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,EAAwC,CAAC;IAC/D,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,MAAmB;QACnC,OAAO,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,MAAmB;QACxC,OAAO,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,oBAAoB,CAAC;IACvF,CAAC;IAED;;OAEG;IACK,wBAAwB;QAC9B,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,CAAC,qBAAqB;QAC/B,CAAC;QAED,wDAAwD;QACxD,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;YAC3C,OAAO,CAAC,KAAK,CAAC,gEAAgE,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACjG,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,gBAAgB,CAAC,UAAkB,EAAE,WAAmB;QACpE,IAAI,SAAS,GAAiB,IAAI,CAAC;QAEnC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;YACnC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,SAAS,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBAEtE,uEAAuE;gBACvE,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;gBACrD,IACE,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC5B,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC5B,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAChC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,EAClC,CAAC;oBACD,MAAM,SAAS,CAAC;gBAClB,CAAC;gBAED,yDAAyD;gBACzD,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;oBACzB,MAAM,KAAK,GAAG,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;oBACjD,OAAO,CAAC,KAAK,CACX,iDAAiD,OAAO,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC,KAAK;wBACnF,eAAe,KAAK,OAAO,SAAS,CAAC,OAAO,EAAE,CAC/C,CAAC;oBACF,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,SAAS,IAAI,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACrE,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,EAAU;QACtB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC;;AAYH;;;;GAIG;AACH,MAAM,OAAO,mBAAmB;IACV;IAApB,YAAoB,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAErC,KAAK,CAAC,QAAQ;QACZ,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,sBAAsB;IACb;IAApB,YAAoB,IAAmB;QAAnB,SAAI,GAAJ,IAAI,CAAe;IAAG,CAAC;IAE3C,KAAK,CAAC,QAAQ;QACZ,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC9B,CAAC;CACF"}

package/dist/auth/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * @fractary/faber - Auth Module
+ *
+ * Authentication utilities for GitHub App and PAT authentication.
+ */
+export { GitHubAppAuth, GitHubAppConfig, PrivateKeyLoader, TokenProvider, StaticTokenProvider, GitHubAppTokenProvider, } from './github-app.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,aAAa,EACb,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,iBAAiB,CAAC"}

package/dist/auth/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * @fractary/faber - Auth Module
+ *
+ * Authentication utilities for GitHub App and PAT authentication.
+ */
+export { GitHubAppAuth, PrivateKeyLoader, StaticTokenProvider, GitHubAppTokenProvider, } from './github-app.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,aAAa,EAEb,gBAAgB,EAEhB,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,iBAAiB,CAAC"}

package/dist/index.d.ts CHANGED Viewed

@@ -24,4 +24,5 @@ export * from './state/index.js';
 export * from './workflow/index.js';
 export * from './storage/index.js';
 export * from './agents/index.js';
+export * from './auth/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAG5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC;AACjC,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAG5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC;AACjC,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAGlC,cAAc,iBAAiB,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -26,4 +26,6 @@ export * from './state/index.js';
 export * from './workflow/index.js';
 export * from './storage/index.js';
 export * from './agents/index.js';
+// Auth module
+export * from './auth/index.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,eAAe;AACf,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAE5B,iBAAiB;AACjB,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC;AACjC,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,eAAe;AACf,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAE5B,iBAAiB;AACjB,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC;AACjC,cAAc,qBAAqB,CAAC;AACpC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAElC,cAAc;AACd,cAAc,iBAAiB,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fractary/faber",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "FABER SDK - Development toolkit for AI-assisted workflows",
   "type": "module",
   "main": "dist/index.js",
@@ -41,6 +41,10 @@
     "./agents": {
       "types": "./dist/agents/index.d.ts",
       "default": "./dist/agents/index.js"
+    },
+    "./auth": {
+      "types": "./dist/auth/index.d.ts",
+      "default": "./dist/auth/index.js"
     }
   },
   "files": [
@@ -78,11 +82,13 @@
     "@fractary/forge": "^1.1.4",
     "commander": "^12.0.0",
     "js-yaml": "^4.1.1",
+    "jsonwebtoken": "^9.0.0",
     "zod": "^3.22.4"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",
     "@types/js-yaml": "^4.0.9",
+    "@types/jsonwebtoken": "^9.0.0",
     "@types/node": "^20.19.26",
     "@typescript-eslint/eslint-plugin": "^6.19.0",
     "@typescript-eslint/parser": "^6.19.0",