npm - @h-rig/github-lib - Versions diffs - 0.0.6-alpha.158 - Mend

@h-rig/github-lib 0.0.6-alpha.158

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +1 -0
package/dist/src/auth-store.d.ts +42 -0
package/dist/src/auth-store.js +227 -0
package/dist/src/credentials.d.ts +20 -0
package/dist/src/credentials.js +118 -0
package/dist/src/github-api.d.ts +107 -0
package/dist/src/github-api.js +452 -0
package/dist/src/index.d.ts +16 -0
package/dist/src/index.js +713 -0
package/dist/src/projects.d.ts +31 -0
package/dist/src/projects.js +148 -0
package/package.json +31 -0

package/dist/src/github-api.js ADDED Viewed

@@ -0,0 +1,452 @@
+// @bun
+// packages/github-lib/src/github-api.ts
+import { randomUUID } from "crypto";
+// packages/github-lib/src/auth-store.ts
+import { randomBytes } from "crypto";
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { resolveRigStatePaths } from "@rig/core/server-paths";
+function cleanString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function cleanScopes(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const clean = cleanString(entry);
+    return clean ? [clean] : [];
+  });
+}
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    const createdAt = cleanString(record.createdAt);
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      ...createdAt ? { createdAt } : {}
+    }];
+  });
+}
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
+function readStoredAuth(stateFile) {
+  if (!existsSync(stateFile))
+    return {};
+  try {
+    const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
+    return {
+      ...cleanString(parsed.token) ? { token: cleanString(parsed.token) } : {},
+      login: cleanString(parsed.login),
+      userId: cleanString(parsed.userId),
+      scopes: cleanScopes(parsed.scopes),
+      selectedRepo: cleanString(parsed.selectedRepo),
+      ...parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? { tokenSource: parsed.tokenSource } : {},
+      pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
+      apiSessions: parseApiSessions(parsed.apiSessions),
+      ...cleanString(parsed.updatedAt) ? { updatedAt: cleanString(parsed.updatedAt) } : {}
+    };
+  } catch {
+    return {};
+  }
+}
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
+function writeStoredAuth(stateFile, payload) {
+  mkdirSync(dirname(stateFile), { recursive: true });
+  writeFileSync(stateFile, `${JSON.stringify(payload, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync(stateFile, 384);
+  } catch {}
+}
+function localProjectAuthStateFile(projectRoot) {
+  return resolve(projectRoot, ".rig", "state", "github-auth.json");
+}
+function resolveGitHubAuthStateFile(projectRoot) {
+  return resolve(resolveRigStatePaths(projectRoot).stateDir, "github-auth.json");
+}
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync(dirname(targetFile), { recursive: true });
+  if (existsSync(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
+  return {
+    stateFile,
+    status(options) {
+      const stored = readStoredAuth(stateFile);
+      const token = cleanString(stored.token);
+      return {
+        signedIn: Boolean(token),
+        login: cleanString(stored.login),
+        userId: cleanString(stored.userId),
+        scopes: cleanScopes(stored.scopes),
+        selectedRepo: cleanString(stored.selectedRepo),
+        oauthConfigured: options?.oauthConfigured === true,
+        tokenSource: token ? stored.tokenSource ?? "manual-token" : null
+      };
+    },
+    readToken() {
+      return cleanString(readStoredAuth(stateFile).token);
+    },
+    saveToken(input) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        token: input.token,
+        tokenSource: input.tokenSource,
+        login: input.login ?? null,
+        userId: input.userId ?? null,
+        scopes: input.scopes ?? [],
+        selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
+        pendingDevice: null,
+        pendingDevices: [],
+        apiSessions: previous.apiSessions ?? [],
+        updatedAt: new Date().toISOString()
+      });
+    },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
+    savePendingDevice(input) {
+      const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    saveSelectedRepo(selectedRepo) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        selectedRepo: selectedRepo ?? null,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    readPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
+        return null;
+      if (Date.parse(pending.expiresAt) <= Date.now())
+        return null;
+      return pending;
+    },
+    clearPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices: remaining,
+        updatedAt: new Date().toISOString()
+      });
+    }
+  };
+}
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
+// packages/github-lib/src/github-api.ts
+function normalizeString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function normalizeScopes(value) {
+  if (Array.isArray(value)) {
+    return value.flatMap((entry) => {
+      const normalized = normalizeString(entry);
+      return normalized ? [normalized] : [];
+    });
+  }
+  if (typeof value === "string") {
+    return value.split(/[ ,]+/).map((entry) => entry.trim()).filter(Boolean);
+  }
+  return [];
+}
+async function defaultPostGitHubForm(endpoint, body) {
+  const response = await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      accept: "application/json",
+      "content-type": "application/x-www-form-urlencoded",
+      "user-agent": "rig"
+    },
+    body: new URLSearchParams(body)
+  });
+  const payload = await response.json().catch(() => ({}));
+  return { status: response.status, payload };
+}
+async function fetchGitHubUserInfo(token) {
+  const response = await fetch("https://api.github.com/user", {
+    headers: {
+      accept: "application/vnd.github+json",
+      authorization: `Bearer ${token}`,
+      "user-agent": "rig"
+    }
+  });
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(typeof payload.message === "string" ? payload.message : `GitHub user lookup failed (${response.status}).`);
+  }
+  const login = normalizeString(payload.login);
+  const id = typeof payload.id === "number" ? String(payload.id) : normalizeString(payload.id);
+  if (!login || !id) {
+    throw new Error("GitHub user lookup did not return login/id.");
+  }
+  return { login, id, scopes: normalizeScopes(response.headers.get("x-oauth-scopes")) };
+}
+function resolveGitHubAuthStatus(input) {
+  return createGitHubAuthStore(input.projectRoot).status(input.oauthConfigured !== undefined ? { oauthConfigured: input.oauthConfigured } : {});
+}
+async function saveGitHubTokenForProject(input) {
+  const token = normalizeString(input.token);
+  if (!token) {
+    throw new Error("token is required");
+  }
+  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
+  const store = createGitHubAuthStore(input.projectRoot);
+  store.saveToken({
+    token,
+    tokenSource: input.tokenSource ?? "manual-token",
+    login: user.login,
+    userId: user.id,
+    scopes: user.scopes ?? [],
+    selectedRepo: input.selectedRepo ?? null
+  });
+  return { ok: true, ...store.status({ oauthConfigured: true }) };
+}
+async function beginGitHubDeviceFlow(input) {
+  const clientId = normalizeString(input.clientId);
+  if (!clientId) {
+    throw new Error("clientId is required");
+  }
+  const postForm = input.postForm ?? defaultPostGitHubForm;
+  const result = await postForm("https://github.com/login/device/code", {
+    client_id: clientId,
+    scope: normalizeString(input.scope) ?? "repo read:project user:email"
+  });
+  const deviceCode = normalizeString(result.payload.device_code);
+  if (result.status < 200 || result.status >= 300 || !deviceCode) {
+    throw new Error(normalizeString(result.payload.error_description) ?? "GitHub device flow start failed.");
+  }
+  const expiresIn = typeof result.payload.expires_in === "number" ? result.payload.expires_in : 900;
+  const intervalSeconds = typeof result.payload.interval === "number" ? result.payload.interval : 5;
+  const pollId = randomUUID();
+  createGitHubAuthStore(input.projectRoot).savePendingDevice({
+    pollId,
+    deviceCode,
+    expiresAt: new Date(Date.now() + expiresIn * 1000).toISOString(),
+    intervalSeconds
+  });
+  if (input.selectedRepo) {
+    createGitHubAuthStore(input.projectRoot).saveSelectedRepo(input.selectedRepo);
+  }
+  return {
+    ok: true,
+    pollId,
+    userCode: normalizeString(result.payload.user_code),
+    verificationUri: normalizeString(result.payload.verification_uri),
+    expiresIn,
+    intervalSeconds
+  };
+}
+async function pollGitHubDeviceFlow(input) {
+  const clientId = normalizeString(input.clientId);
+  if (!clientId) {
+    throw new Error("clientId is required");
+  }
+  const store = createGitHubAuthStore(input.projectRoot);
+  const pending = store.readPendingDevice(input.pollId);
+  if (!pending) {
+    return { ok: false, status: "expired", error: "GitHub device flow expired or unknown." };
+  }
+  const result = await (input.postForm ?? defaultPostGitHubForm)("https://github.com/login/oauth/access_token", {
+    client_id: clientId,
+    device_code: pending.deviceCode,
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+  });
+  const error = normalizeString(result.payload.error);
+  if (error === "authorization_pending" || error === "slow_down") {
+    return {
+      ok: false,
+      status: error === "slow_down" ? "slow-down" : "pending",
+      intervalSeconds: error === "slow_down" ? pending.intervalSeconds + 5 : pending.intervalSeconds
+    };
+  }
+  if (error || typeof result.payload.access_token !== "string") {
+    return {
+      ok: false,
+      status: "error",
+      error: normalizeString(result.payload.error_description) ?? "GitHub device authorization failed."
+    };
+  }
+  const token = result.payload.access_token;
+  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
+  store.saveToken({
+    token,
+    tokenSource: "oauth-device",
+    login: user.login,
+    userId: user.id,
+    scopes: user.scopes ?? normalizeScopes(result.payload.scope),
+    selectedRepo: input.selectedRepo ?? null
+  });
+  store.clearPendingDevice(input.pollId);
+  return { ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) };
+}
+function checkGitHubRepoPermissions(input) {
+  const store = createGitHubAuthStore(input.projectRoot);
+  const auth = store.status(input.oauthConfigured !== undefined ? { oauthConfigured: input.oauthConfigured } : {});
+  if (!auth.signedIn) {
+    return { ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" };
+  }
+  const normalizedScopes = auth.scopes.map((scope) => scope.toLowerCase());
+  const broadEnough = normalizedScopes.includes("repo") || normalizedScopes.includes("public_repo");
+  return {
+    ok: true,
+    signedIn: true,
+    login: auth.login,
+    scopes: auth.scopes,
+    canOpenPullRequest: broadEnough,
+    pullRequests: broadEnough,
+    push: broadEnough,
+    reason: broadEnough ? "stored-token" : "token-scope-unverified"
+  };
+}
+async function probeGitHubRepository(input) {
+  const headers = {
+    accept: "application/vnd.github+json",
+    "user-agent": "rig"
+  };
+  if (input.token) {
+    headers.authorization = `Bearer ${input.token}`;
+  }
+  try {
+    const response = await (input.fetchRepository ?? fetch)(`https://api.github.com/repos/${encodeURIComponent(input.owner)}/${encodeURIComponent(input.repo)}`, { headers });
+    const payload = await response.json().catch(() => ({}));
+    if (response.ok) {
+      return {
+        ok: true,
+        owner: input.owner,
+        repo: input.repo,
+        status: response.status,
+        authenticated: Boolean(input.token),
+        authenticationRequired: payload.private === true && !input.token,
+        fullName: typeof payload.full_name === "string" ? payload.full_name : `${input.owner}/${input.repo}`,
+        private: typeof payload.private === "boolean" ? payload.private : null,
+        message: input.token ? "Repository access verified with signed-in GitHub credentials." : "Public repository access verified without credentials.",
+        scopes: input.scopes
+      };
+    }
+    const authenticationRequired = !input.token && (response.status === 401 || response.status === 403 || response.status === 404);
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: response.status,
+      authenticated: Boolean(input.token),
+      authenticationRequired,
+      fullName: null,
+      private: null,
+      message: authenticationRequired ? "Repository is private, missing, or inaccessible without GitHub sign-in. Sign in before saving this config." : typeof payload.message === "string" ? payload.message : `GitHub repository probe failed (${response.status}).`,
+      scopes: input.scopes
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: 0,
+      authenticated: Boolean(input.token),
+      authenticationRequired: !input.token,
+      fullName: null,
+      private: null,
+      message: error instanceof Error ? error.message : "GitHub repository probe failed.",
+      scopes: input.scopes
+    };
+  }
+}
+export {
+  saveGitHubTokenForProject,
+  resolveGitHubAuthStatus,
+  probeGitHubRepository,
+  pollGitHubDeviceFlow,
+  fetchGitHubUserInfo,
+  checkGitHubRepoPermissions,
+  beginGitHubDeviceFlow
+};

package/dist/src/index.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * @rig/github-lib — the GitHub SCM IO library (auth-store, credential providers,
+ * GitHub REST/GraphQL API: device flow, repo probe, auth status, Projects v2).
+ *
+ * This is a NON-PLUGIN domain library extracted out of `@rig/github-provider-plugin`
+ * so that above-runtime GitHub surfaces (cli-surface auth UI, init setup, doctor
+ * diagnostics, task-sources credential providers) consume the GitHub API WITHOUT
+ * importing a sibling plugin's impl (SEAM-ONLY §6.4). The plugin re-exports this
+ * library and wraps the genuinely-swappable credential resolution as the
+ * GITHUB_PROVIDER capability; issue-analysis/triage stay plugin-internal behind
+ * the ISSUE_TRIAGE capability. Deps are floor only (@rig/contracts, @rig/core).
+ */
+export * from "./auth-store";
+export * from "./credentials";
+export * from "./projects";
+export * from "./github-api";