npm - @h-rig/github-lib - Versions diffs - 0.0.6-alpha.158 - Mend

@h-rig/github-lib 0.0.6-alpha.158

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +1 -0
package/dist/src/auth-store.d.ts +42 -0
package/dist/src/auth-store.js +227 -0
package/dist/src/credentials.d.ts +20 -0
package/dist/src/credentials.js +118 -0
package/dist/src/github-api.d.ts +107 -0
package/dist/src/github-api.js +452 -0
package/dist/src/index.d.ts +16 -0
package/dist/src/index.js +713 -0
package/dist/src/projects.d.ts +31 -0
package/dist/src/projects.js +148 -0
package/package.json +31 -0

package/dist/src/index.js ADDED Viewed

@@ -0,0 +1,713 @@
+// @bun
+// packages/github-lib/src/auth-store.ts
+import { randomBytes } from "crypto";
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { resolveRigStatePaths } from "@rig/core/server-paths";
+function cleanString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function cleanScopes(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const clean = cleanString(entry);
+    return clean ? [clean] : [];
+  });
+}
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    const createdAt = cleanString(record.createdAt);
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      ...createdAt ? { createdAt } : {}
+    }];
+  });
+}
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
+function readStoredAuth(stateFile) {
+  if (!existsSync(stateFile))
+    return {};
+  try {
+    const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
+    return {
+      ...cleanString(parsed.token) ? { token: cleanString(parsed.token) } : {},
+      login: cleanString(parsed.login),
+      userId: cleanString(parsed.userId),
+      scopes: cleanScopes(parsed.scopes),
+      selectedRepo: cleanString(parsed.selectedRepo),
+      ...parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? { tokenSource: parsed.tokenSource } : {},
+      pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
+      apiSessions: parseApiSessions(parsed.apiSessions),
+      ...cleanString(parsed.updatedAt) ? { updatedAt: cleanString(parsed.updatedAt) } : {}
+    };
+  } catch {
+    return {};
+  }
+}
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
+function writeStoredAuth(stateFile, payload) {
+  mkdirSync(dirname(stateFile), { recursive: true });
+  writeFileSync(stateFile, `${JSON.stringify(payload, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync(stateFile, 384);
+  } catch {}
+}
+function localProjectAuthStateFile(projectRoot) {
+  return resolve(projectRoot, ".rig", "state", "github-auth.json");
+}
+function resolveGitHubAuthStateFile(projectRoot) {
+  return resolve(resolveRigStatePaths(projectRoot).stateDir, "github-auth.json");
+}
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync(dirname(targetFile), { recursive: true });
+  if (existsSync(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
+  return {
+    stateFile,
+    status(options) {
+      const stored = readStoredAuth(stateFile);
+      const token = cleanString(stored.token);
+      return {
+        signedIn: Boolean(token),
+        login: cleanString(stored.login),
+        userId: cleanString(stored.userId),
+        scopes: cleanScopes(stored.scopes),
+        selectedRepo: cleanString(stored.selectedRepo),
+        oauthConfigured: options?.oauthConfigured === true,
+        tokenSource: token ? stored.tokenSource ?? "manual-token" : null
+      };
+    },
+    readToken() {
+      return cleanString(readStoredAuth(stateFile).token);
+    },
+    saveToken(input) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        token: input.token,
+        tokenSource: input.tokenSource,
+        login: input.login ?? null,
+        userId: input.userId ?? null,
+        scopes: input.scopes ?? [],
+        selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
+        pendingDevice: null,
+        pendingDevices: [],
+        apiSessions: previous.apiSessions ?? [],
+        updatedAt: new Date().toISOString()
+      });
+    },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
+    savePendingDevice(input) {
+      const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    saveSelectedRepo(selectedRepo) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        selectedRepo: selectedRepo ?? null,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    readPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
+        return null;
+      if (Date.parse(pending.expiresAt) <= Date.now())
+        return null;
+      return pending;
+    },
+    clearPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices: remaining,
+        updatedAt: new Date().toISOString()
+      });
+    }
+  };
+}
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
+// packages/github-lib/src/credentials.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+function selectedRepoTokenKey(input) {
+  return `user:${input.userId}|repo:${input.owner}/${input.repo}|workspace:${input.workspaceId}`;
+}
+function cleanToken(value) {
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+function createGitHubCredentialProvider(options = {}) {
+  const sessionTokens = options.sessionTokens ?? {};
+  const hostToken = cleanToken(options.hostToken ?? process.env.GH_TOKEN ?? null);
+  return {
+    async resolveGitHubToken(input) {
+      const owner = input.owner.trim();
+      const repo = input.repo.trim();
+      const workspaceId = input.workspaceId.trim();
+      const userId = input.userId?.trim() ?? "";
+      if (input.purpose === "selected-repo") {
+        if (!owner || !repo || !workspaceId || !userId) {
+          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
+        }
+        const token = cleanToken(sessionTokens[selectedRepoTokenKey({ owner, repo, workspaceId, userId })]);
+        if (!token) {
+          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
+        }
+        return { token, source: "signed-in-user" };
+      }
+      if (hostToken) {
+        return { token: hostToken, source: "host-admin-fallback" };
+      }
+      throw new Error("No host GitHub token is configured for the explicit admin fallback operation.");
+    }
+  };
+}
+function createEnvGitHubCredentialProvider() {
+  return {
+    async resolveGitHubToken(input) {
+      if (input.purpose === "selected-repo") {
+        return { token: cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
+      }
+      const token = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
+      if (!token) {
+        throw new Error("No host GitHub token is configured for admin fallback.");
+      }
+      return { token, source: "host-admin-fallback" };
+    }
+  };
+}
+function createStateGitHubCredentialProvider(options = {}) {
+  const addCandidate = (candidates, path) => {
+    const trimmed = path?.trim();
+    if (!trimmed)
+      return;
+    const resolved = resolve2(trimmed);
+    if (!candidates.includes(resolved))
+      candidates.push(resolved);
+  };
+  const addStateDir = (candidates, dir) => {
+    const trimmed = dir?.trim();
+    if (!trimmed)
+      return;
+    addCandidate(candidates, resolve2(trimmed, "github-auth.json"));
+  };
+  const addProjectStateDir = (candidates, root) => {
+    const trimmed = root?.trim();
+    if (!trimmed)
+      return;
+    addStateDir(candidates, resolve2(trimmed, ".rig", "state"));
+  };
+  const stateFileCandidates = () => {
+    const candidates = [];
+    addCandidate(candidates, options.stateFile ?? process.env.RIG_GITHUB_AUTH_STATE_FILE);
+    addStateDir(candidates, options.stateDir);
+    addStateDir(candidates, process.env.RIG_STATE_DIR);
+    addProjectStateDir(candidates, process.env.PROJECT_RIG_ROOT);
+    addProjectStateDir(candidates, process.env.RIG_PROJECT_ROOT);
+    addProjectStateDir(candidates, process.env.RIG_HOST_PROJECT_ROOT);
+    addProjectStateDir(candidates, process.cwd());
+    return candidates;
+  };
+  const readToken = () => {
+    for (const stateFile of stateFileCandidates()) {
+      if (!existsSync2(stateFile))
+        continue;
+      try {
+        const parsed = JSON.parse(readFileSync2(stateFile, "utf8"));
+        const token = typeof parsed.token === "string" ? cleanToken(parsed.token) : null;
+        if (token)
+          return token;
+      } catch {}
+    }
+    return null;
+  };
+  return {
+    async resolveGitHubToken(input) {
+      const token = readToken();
+      if (input.purpose === "selected-repo") {
+        return { token: token ?? cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
+      }
+      if (token) {
+        return { token, source: "signed-in-user" };
+      }
+      const fallback = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
+      if (!fallback) {
+        throw new Error("No signed-in GitHub token is stored for Rig and no host admin fallback token is configured.");
+      }
+      return { token: fallback, source: "host-admin-fallback" };
+    }
+  };
+}
+// packages/github-lib/src/projects.ts
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function asString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value : undefined;
+}
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : undefined;
+}
+async function defaultGraphQLFetch(query, variables, token) {
+  const response = await fetch("https://api.github.com/graphql", {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      authorization: `Bearer ${token}`,
+      accept: "application/vnd.github+json"
+    },
+    body: JSON.stringify({ query, variables })
+  });
+  const json = await response.json().catch(() => ({}));
+  if (!response.ok || json.errors) {
+    throw new Error(`GitHub Projects GraphQL request failed: ${JSON.stringify(json.errors ?? { status: response.status })}`);
+  }
+  return json.data;
+}
+function projectNodesFrom(data) {
+  const root = asRecord(data);
+  const owner = asRecord(root?.organization) ?? asRecord(root?.user);
+  const projects = asRecord(owner?.projectsV2);
+  const nodes = projects?.nodes;
+  return Array.isArray(nodes) ? nodes : [];
+}
+async function listGitHubProjects(input) {
+  const query = `
+    query RigListProjects($owner: String!, $first: Int!) {
+      organization(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+      user(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { owner: input.owner, first: input.first ?? 20 }, input.token);
+  return projectNodesFrom(data).flatMap((node) => {
+    const record = asRecord(node);
+    const id = asString(record?.id);
+    const number = asNumber(record?.number);
+    const title = asString(record?.title);
+    if (!id || number === undefined || !title)
+      return [];
+    const url = asString(record?.url);
+    return [{ id, number, title, ...url ? { url } : {} }];
+  });
+}
+async function resolveProjectStatusField(input) {
+  const query = `
+    query RigProjectStatusField($projectId: ID!) {
+      node(id: $projectId) {
+        ... on ProjectV2 {
+          fields(first: 50) {
+            nodes {
+              ... on ProjectV2FieldCommon { id name }
+              ... on ProjectV2SingleSelectField { id name options { id name } }
+            }
+          }
+        }
+      }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { projectId: input.projectId }, input.token);
+  const fields = asRecord(asRecord(asRecord(data)?.node)?.fields)?.nodes;
+  for (const node of Array.isArray(fields) ? fields : []) {
+    const record = asRecord(node);
+    if (asString(record?.name)?.toLowerCase() !== "status")
+      continue;
+    const id = asString(record?.id);
+    if (!id)
+      continue;
+    const options = Array.isArray(record?.options) ? record.options.flatMap((option) => {
+      const optionRecord = asRecord(option);
+      const optionId = asString(optionRecord?.id);
+      const name = asString(optionRecord?.name);
+      return optionId && name ? [{ id: optionId, name }] : [];
+    }) : [];
+    return { id, name: "Status", options };
+  }
+  throw new Error(`GitHub Project ${input.projectId} does not expose a Status single-select field.`);
+}
+async function ensureIssueProjectItem(input) {
+  const query = `
+    query RigFindProjectIssueItem($projectId: ID!, $issueNodeId: ID!) {
+      node(id: $projectId) {
+        ... on ProjectV2 {
+          items(first: 100) { nodes { id content { ... on Issue { id } } } }
+        }
+      }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { projectId: input.projectId, issueNodeId: input.issueNodeId }, input.token);
+  const nodes = asRecord(asRecord(asRecord(data)?.node)?.items)?.nodes;
+  for (const node of Array.isArray(nodes) ? nodes : []) {
+    const record = asRecord(node);
+    const content = asRecord(record?.content);
+    if (asString(content?.id) === input.issueNodeId) {
+      const id2 = asString(record?.id);
+      if (id2)
+        return { id: id2, created: false };
+    }
+  }
+  const mutation = `
+    mutation RigAddIssueToProject($projectId: ID!, $contentId: ID!) {
+      addProjectV2ItemById(input: { projectId: $projectId, contentId: $contentId }) { item { id } }
+    }
+  `;
+  const created = await fetchGraphQL(mutation, { projectId: input.projectId, contentId: input.issueNodeId }, input.token);
+  const addResult = asRecord(asRecord(created)?.addProjectV2ItemById);
+  const id = asString(asRecord(addResult?.item)?.id);
+  if (!id)
+    throw new Error("GitHub Project item creation did not return an item id.");
+  return { id, created: true };
+}
+async function updateIssueProjectStatus(input) {
+  const mutation = `
+    mutation RigUpdateProjectStatus($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+      updateProjectV2ItemFieldValue(input: {
+        projectId: $projectId,
+        itemId: $itemId,
+        fieldId: $fieldId,
+        value: { singleSelectOptionId: $optionId }
+      }) { projectV2Item { id } }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  await fetchGraphQL(mutation, {
+    projectId: input.projectId,
+    itemId: input.itemId,
+    fieldId: input.fieldId,
+    optionId: input.optionId
+  }, input.token);
+}
+// packages/github-lib/src/github-api.ts
+import { randomUUID } from "crypto";
+function normalizeString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function normalizeScopes(value) {
+  if (Array.isArray(value)) {
+    return value.flatMap((entry) => {
+      const normalized = normalizeString(entry);
+      return normalized ? [normalized] : [];
+    });
+  }
+  if (typeof value === "string") {
+    return value.split(/[ ,]+/).map((entry) => entry.trim()).filter(Boolean);
+  }
+  return [];
+}
+async function defaultPostGitHubForm(endpoint, body) {
+  const response = await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      accept: "application/json",
+      "content-type": "application/x-www-form-urlencoded",
+      "user-agent": "rig"
+    },
+    body: new URLSearchParams(body)
+  });
+  const payload = await response.json().catch(() => ({}));
+  return { status: response.status, payload };
+}
+async function fetchGitHubUserInfo(token) {
+  const response = await fetch("https://api.github.com/user", {
+    headers: {
+      accept: "application/vnd.github+json",
+      authorization: `Bearer ${token}`,
+      "user-agent": "rig"
+    }
+  });
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(typeof payload.message === "string" ? payload.message : `GitHub user lookup failed (${response.status}).`);
+  }
+  const login = normalizeString(payload.login);
+  const id = typeof payload.id === "number" ? String(payload.id) : normalizeString(payload.id);
+  if (!login || !id) {
+    throw new Error("GitHub user lookup did not return login/id.");
+  }
+  return { login, id, scopes: normalizeScopes(response.headers.get("x-oauth-scopes")) };
+}
+function resolveGitHubAuthStatus(input) {
+  return createGitHubAuthStore(input.projectRoot).status(input.oauthConfigured !== undefined ? { oauthConfigured: input.oauthConfigured } : {});
+}
+async function saveGitHubTokenForProject(input) {
+  const token = normalizeString(input.token);
+  if (!token) {
+    throw new Error("token is required");
+  }
+  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
+  const store = createGitHubAuthStore(input.projectRoot);
+  store.saveToken({
+    token,
+    tokenSource: input.tokenSource ?? "manual-token",
+    login: user.login,
+    userId: user.id,
+    scopes: user.scopes ?? [],
+    selectedRepo: input.selectedRepo ?? null
+  });
+  return { ok: true, ...store.status({ oauthConfigured: true }) };
+}
+async function beginGitHubDeviceFlow(input) {
+  const clientId = normalizeString(input.clientId);
+  if (!clientId) {
+    throw new Error("clientId is required");
+  }
+  const postForm = input.postForm ?? defaultPostGitHubForm;
+  const result = await postForm("https://github.com/login/device/code", {
+    client_id: clientId,
+    scope: normalizeString(input.scope) ?? "repo read:project user:email"
+  });
+  const deviceCode = normalizeString(result.payload.device_code);
+  if (result.status < 200 || result.status >= 300 || !deviceCode) {
+    throw new Error(normalizeString(result.payload.error_description) ?? "GitHub device flow start failed.");
+  }
+  const expiresIn = typeof result.payload.expires_in === "number" ? result.payload.expires_in : 900;
+  const intervalSeconds = typeof result.payload.interval === "number" ? result.payload.interval : 5;
+  const pollId = randomUUID();
+  createGitHubAuthStore(input.projectRoot).savePendingDevice({
+    pollId,
+    deviceCode,
+    expiresAt: new Date(Date.now() + expiresIn * 1000).toISOString(),
+    intervalSeconds
+  });
+  if (input.selectedRepo) {
+    createGitHubAuthStore(input.projectRoot).saveSelectedRepo(input.selectedRepo);
+  }
+  return {
+    ok: true,
+    pollId,
+    userCode: normalizeString(result.payload.user_code),
+    verificationUri: normalizeString(result.payload.verification_uri),
+    expiresIn,
+    intervalSeconds
+  };
+}
+async function pollGitHubDeviceFlow(input) {
+  const clientId = normalizeString(input.clientId);
+  if (!clientId) {
+    throw new Error("clientId is required");
+  }
+  const store = createGitHubAuthStore(input.projectRoot);
+  const pending = store.readPendingDevice(input.pollId);
+  if (!pending) {
+    return { ok: false, status: "expired", error: "GitHub device flow expired or unknown." };
+  }
+  const result = await (input.postForm ?? defaultPostGitHubForm)("https://github.com/login/oauth/access_token", {
+    client_id: clientId,
+    device_code: pending.deviceCode,
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+  });
+  const error = normalizeString(result.payload.error);
+  if (error === "authorization_pending" || error === "slow_down") {
+    return {
+      ok: false,
+      status: error === "slow_down" ? "slow-down" : "pending",
+      intervalSeconds: error === "slow_down" ? pending.intervalSeconds + 5 : pending.intervalSeconds
+    };
+  }
+  if (error || typeof result.payload.access_token !== "string") {
+    return {
+      ok: false,
+      status: "error",
+      error: normalizeString(result.payload.error_description) ?? "GitHub device authorization failed."
+    };
+  }
+  const token = result.payload.access_token;
+  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
+  store.saveToken({
+    token,
+    tokenSource: "oauth-device",
+    login: user.login,
+    userId: user.id,
+    scopes: user.scopes ?? normalizeScopes(result.payload.scope),
+    selectedRepo: input.selectedRepo ?? null
+  });
+  store.clearPendingDevice(input.pollId);
+  return { ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) };
+}
+function checkGitHubRepoPermissions(input) {
+  const store = createGitHubAuthStore(input.projectRoot);
+  const auth = store.status(input.oauthConfigured !== undefined ? { oauthConfigured: input.oauthConfigured } : {});
+  if (!auth.signedIn) {
+    return { ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" };
+  }
+  const normalizedScopes = auth.scopes.map((scope) => scope.toLowerCase());
+  const broadEnough = normalizedScopes.includes("repo") || normalizedScopes.includes("public_repo");
+  return {
+    ok: true,
+    signedIn: true,
+    login: auth.login,
+    scopes: auth.scopes,
+    canOpenPullRequest: broadEnough,
+    pullRequests: broadEnough,
+    push: broadEnough,
+    reason: broadEnough ? "stored-token" : "token-scope-unverified"
+  };
+}
+async function probeGitHubRepository(input) {
+  const headers = {
+    accept: "application/vnd.github+json",
+    "user-agent": "rig"
+  };
+  if (input.token) {
+    headers.authorization = `Bearer ${input.token}`;
+  }
+  try {
+    const response = await (input.fetchRepository ?? fetch)(`https://api.github.com/repos/${encodeURIComponent(input.owner)}/${encodeURIComponent(input.repo)}`, { headers });
+    const payload = await response.json().catch(() => ({}));
+    if (response.ok) {
+      return {
+        ok: true,
+        owner: input.owner,
+        repo: input.repo,
+        status: response.status,
+        authenticated: Boolean(input.token),
+        authenticationRequired: payload.private === true && !input.token,
+        fullName: typeof payload.full_name === "string" ? payload.full_name : `${input.owner}/${input.repo}`,
+        private: typeof payload.private === "boolean" ? payload.private : null,
+        message: input.token ? "Repository access verified with signed-in GitHub credentials." : "Public repository access verified without credentials.",
+        scopes: input.scopes
+      };
+    }
+    const authenticationRequired = !input.token && (response.status === 401 || response.status === 403 || response.status === 404);
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: response.status,
+      authenticated: Boolean(input.token),
+      authenticationRequired,
+      fullName: null,
+      private: null,
+      message: authenticationRequired ? "Repository is private, missing, or inaccessible without GitHub sign-in. Sign in before saving this config." : typeof payload.message === "string" ? payload.message : `GitHub repository probe failed (${response.status}).`,
+      scopes: input.scopes
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: 0,
+      authenticated: Boolean(input.token),
+      authenticationRequired: !input.token,
+      fullName: null,
+      private: null,
+      message: error instanceof Error ? error.message : "GitHub repository probe failed.",
+      scopes: input.scopes
+    };
+  }
+}
+export {
+  updateIssueProjectStatus,
+  saveGitHubTokenForProject,
+  resolveProjectStatusField,
+  resolveGitHubAuthStatus,
+  resolveGitHubAuthStateFile,
+  probeGitHubRepository,
+  pollGitHubDeviceFlow,
+  listGitHubProjects,
+  fetchGitHubUserInfo,
+  ensureIssueProjectItem,
+  createStateGitHubCredentialProvider,
+  createGitHubCredentialProvider,
+  createGitHubAuthStoreFromStateFile,
+  createGitHubAuthStore,
+  createEnvGitHubCredentialProvider,
+  copyGitHubAuthStateToLocalProjectRoot,
+  checkGitHubRepoPermissions,
+  beginGitHubDeviceFlow
+};