@h-rig/github-provider-plugin 0.0.6-alpha.156

package/README.md

@@ -0,0 +1 @@
+# @h-rig/github-provider-plugin

package/dist/src/auth-store.d.ts

@@ -0,0 +1,42 @@
+import type { GitHubAuthStatus } from "@rig/contracts";
+export type { GitHubAuthStatus };
+type PendingDeviceFlow = {
+    readonly pollId: string;
+    readonly deviceCode: string;
+    readonly expiresAt: string;
+    readonly intervalSeconds: number;
+};
+export type GitHubAuthStore = {
+    readonly stateFile: string;
+    readonly status: (options?: {
+        oauthConfigured?: boolean;
+    }) => GitHubAuthStatus;
+    readonly readToken: () => string | null;
+    readonly saveToken: (input: {
+        readonly token: string;
+        readonly tokenSource: "oauth-device" | "manual-token";
+        readonly login?: string | null;
+        readonly userId?: string | null;
+        readonly scopes?: readonly string[];
+        readonly selectedRepo?: string | null;
+    }) => void;
+    readonly createApiSession: () => {
+        token: string;
+        login: string | null;
+        userId: string | null;
+    };
+    readonly readApiSession: (token: string) => {
+        login: string | null;
+        userId: string | null;
+    } | null;
+    readonly copyToProjectRoot: (projectRoot: string) => void;
+    readonly copyToLocalProjectRoot: (projectRoot: string) => void;
+    readonly savePendingDevice: (input: PendingDeviceFlow) => void;
+    readonly saveSelectedRepo: (selectedRepo: string | null) => void;
+    readonly readPendingDevice: (pollId: string) => PendingDeviceFlow | null;
+    readonly clearPendingDevice: (pollId?: string) => void;
+};
+export declare function resolveGitHubAuthStateFile(projectRoot: string): string;
+export declare function copyGitHubAuthStateToLocalProjectRoot(stateFile: string, projectRoot: string): void;
+export declare function createGitHubAuthStoreFromStateFile(stateFile: string): GitHubAuthStore;
+export declare function createGitHubAuthStore(projectRoot: string): GitHubAuthStore;

package/dist/src/auth-store.js

@@ -0,0 +1,226 @@
+// @bun
+// packages/github-provider-plugin/src/auth-store.ts
+import { randomBytes } from "crypto";
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { resolveRigStatePaths } from "@rig/runtime/control-plane/server-paths";
+function cleanString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function cleanScopes(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const clean = cleanString(entry);
+    return clean ? [clean] : [];
+  });
+}
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
+function readStoredAuth(stateFile) {
+  if (!existsSync(stateFile))
+    return {};
+  try {
+    const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
+    return {
+      ...cleanString(parsed.token) ? { token: cleanString(parsed.token) } : {},
+      login: cleanString(parsed.login),
+      userId: cleanString(parsed.userId),
+      scopes: cleanScopes(parsed.scopes),
+      selectedRepo: cleanString(parsed.selectedRepo),
+      tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
+      pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
+      apiSessions: parseApiSessions(parsed.apiSessions),
+      updatedAt: cleanString(parsed.updatedAt) ?? undefined
+    };
+  } catch {
+    return {};
+  }
+}
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
+function writeStoredAuth(stateFile, payload) {
+  mkdirSync(dirname(stateFile), { recursive: true });
+  writeFileSync(stateFile, `${JSON.stringify(payload, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync(stateFile, 384);
+  } catch {}
+}
+function localProjectAuthStateFile(projectRoot) {
+  return resolve(projectRoot, ".rig", "state", "github-auth.json");
+}
+function resolveGitHubAuthStateFile(projectRoot) {
+  return resolve(resolveRigStatePaths(projectRoot).stateDir, "github-auth.json");
+}
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync(dirname(targetFile), { recursive: true });
+  if (existsSync(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
+  return {
+    stateFile,
+    status(options) {
+      const stored = readStoredAuth(stateFile);
+      const token = cleanString(stored.token);
+      return {
+        signedIn: Boolean(token),
+        login: cleanString(stored.login),
+        userId: cleanString(stored.userId),
+        scopes: cleanScopes(stored.scopes),
+        selectedRepo: cleanString(stored.selectedRepo),
+        oauthConfigured: options?.oauthConfigured === true,
+        tokenSource: token ? stored.tokenSource ?? "manual-token" : null
+      };
+    },
+    readToken() {
+      return cleanString(readStoredAuth(stateFile).token);
+    },
+    saveToken(input) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        token: input.token,
+        tokenSource: input.tokenSource,
+        login: input.login ?? null,
+        userId: input.userId ?? null,
+        scopes: input.scopes ?? [],
+        selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
+        pendingDevice: null,
+        pendingDevices: [],
+        apiSessions: previous.apiSessions ?? [],
+        updatedAt: new Date().toISOString()
+      });
+    },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
+    savePendingDevice(input) {
+      const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    saveSelectedRepo(selectedRepo) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        selectedRepo: selectedRepo ?? null,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    readPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
+        return null;
+      if (Date.parse(pending.expiresAt) <= Date.now())
+        return null;
+      return pending;
+    },
+    clearPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices: remaining,
+        updatedAt: new Date().toISOString()
+      });
+    }
+  };
+}
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
+export {
+  resolveGitHubAuthStateFile,
+  createGitHubAuthStoreFromStateFile,
+  createGitHubAuthStore,
+  copyGitHubAuthStateToLocalProjectRoot
+};

package/dist/src/credentials.d.ts

@@ -0,0 +1,20 @@
+import type { GitHubCredentialProvider, GitHubCredentialProviderOptions, GitHubStateCredentialProviderOptions } from "@rig/contracts";
+export type { GitHubCredentialProvider, GitHubCredentialProviderOptions, GitHubCredentialPurpose, GitHubCredentialSource, GitHubStateCredentialProviderOptions, ResolveGitHubTokenInput, ResolvedGitHubToken, } from "@rig/contracts";
+/**
+ * Session-token-map credential provider. Selected-repo operations resolve from
+ * the per-session token map; admin-fallback resolves from the host token.
+ */
+export declare function createGitHubCredentialProvider(options?: GitHubCredentialProviderOptions): GitHubCredentialProvider;
+/**
+ * Env-only credential provider. Selected-repo reads `RIG_GITHUB_SELECTED_TOKEN`
+ * (browser-selected public repos read without a token); admin-fallback reads the
+ * host token env vars. Consolidated here from task-sources so the credential
+ * abstraction has a single home.
+ */
+export declare function createEnvGitHubCredentialProvider(): GitHubCredentialProvider;
+/**
+ * State-file-backed credential provider. Resolves the signed-in token from a
+ * `github-auth.json` discovered across explicit/state/project-root candidates,
+ * falling back to host token env vars. Consolidated here from task-sources.
+ */
+export declare function createStateGitHubCredentialProvider(options?: GitHubStateCredentialProviderOptions): GitHubCredentialProvider;

package/dist/src/credentials.js

@@ -0,0 +1,118 @@
+// @bun
+// packages/github-provider-plugin/src/credentials.ts
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+function selectedRepoTokenKey(input) {
+  return `user:${input.userId}|repo:${input.owner}/${input.repo}|workspace:${input.workspaceId}`;
+}
+function cleanToken(value) {
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+function createGitHubCredentialProvider(options = {}) {
+  const sessionTokens = options.sessionTokens ?? {};
+  const hostToken = cleanToken(options.hostToken ?? process.env.GH_TOKEN ?? null);
+  return {
+    async resolveGitHubToken(input) {
+      const owner = input.owner.trim();
+      const repo = input.repo.trim();
+      const workspaceId = input.workspaceId.trim();
+      const userId = input.userId?.trim() ?? "";
+      if (input.purpose === "selected-repo") {
+        if (!owner || !repo || !workspaceId || !userId) {
+          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
+        }
+        const token = cleanToken(sessionTokens[selectedRepoTokenKey({ owner, repo, workspaceId, userId })]);
+        if (!token) {
+          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
+        }
+        return { token, source: "signed-in-user" };
+      }
+      if (hostToken) {
+        return { token: hostToken, source: "host-admin-fallback" };
+      }
+      throw new Error("No host GitHub token is configured for the explicit admin fallback operation.");
+    }
+  };
+}
+function createEnvGitHubCredentialProvider() {
+  return {
+    async resolveGitHubToken(input) {
+      if (input.purpose === "selected-repo") {
+        return { token: cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
+      }
+      const token = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
+      if (!token) {
+        throw new Error("No host GitHub token is configured for admin fallback.");
+      }
+      return { token, source: "host-admin-fallback" };
+    }
+  };
+}
+function createStateGitHubCredentialProvider(options = {}) {
+  const addCandidate = (candidates, path) => {
+    const trimmed = path?.trim();
+    if (!trimmed)
+      return;
+    const resolved = resolve(trimmed);
+    if (!candidates.includes(resolved))
+      candidates.push(resolved);
+  };
+  const addStateDir = (candidates, dir) => {
+    const trimmed = dir?.trim();
+    if (!trimmed)
+      return;
+    addCandidate(candidates, resolve(trimmed, "github-auth.json"));
+  };
+  const addProjectStateDir = (candidates, root) => {
+    const trimmed = root?.trim();
+    if (!trimmed)
+      return;
+    addStateDir(candidates, resolve(trimmed, ".rig", "state"));
+  };
+  const stateFileCandidates = () => {
+    const candidates = [];
+    addCandidate(candidates, options.stateFile ?? process.env.RIG_GITHUB_AUTH_STATE_FILE);
+    addStateDir(candidates, options.stateDir);
+    addStateDir(candidates, process.env.RIG_STATE_DIR);
+    addProjectStateDir(candidates, process.env.PROJECT_RIG_ROOT);
+    addProjectStateDir(candidates, process.env.RIG_PROJECT_ROOT);
+    addProjectStateDir(candidates, process.env.RIG_HOST_PROJECT_ROOT);
+    addProjectStateDir(candidates, process.cwd());
+    return candidates;
+  };
+  const readToken = () => {
+    for (const stateFile of stateFileCandidates()) {
+      if (!existsSync(stateFile))
+        continue;
+      try {
+        const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
+        const token = typeof parsed.token === "string" ? cleanToken(parsed.token) : null;
+        if (token)
+          return token;
+      } catch {}
+    }
+    return null;
+  };
+  return {
+    async resolveGitHubToken(input) {
+      const token = readToken();
+      if (input.purpose === "selected-repo") {
+        return { token: token ?? cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
+      }
+      if (token) {
+        return { token, source: "signed-in-user" };
+      }
+      const fallback = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
+      if (!fallback) {
+        throw new Error("No signed-in GitHub token is stored for Rig and no host admin fallback token is configured.");
+      }
+      return { token: fallback, source: "host-admin-fallback" };
+    }
+  };
+}
+export {
+  createStateGitHubCredentialProvider,
+  createGitHubCredentialProvider,
+  createEnvGitHubCredentialProvider
+};

package/dist/src/github-api.d.ts

@@ -0,0 +1,107 @@
+import type { GitHubRepositoryProbe, GitHubUserInfo } from "@rig/contracts";
+export type { GitHubRepositoryProbe, GitHubUserInfo };
+export type GitHubFormPostResult = {
+    readonly status: number;
+    readonly payload: Record<string, unknown>;
+};
+export type GitHubFormPoster = (endpoint: string, body: Record<string, string>) => Promise<GitHubFormPostResult>;
+export type GitHubUserFetcher = (token: string) => Promise<GitHubUserInfo>;
+export declare function fetchGitHubUserInfo(token: string): Promise<GitHubUserInfo>;
+export declare function resolveGitHubAuthStatus(input: {
+    readonly projectRoot: string;
+    readonly oauthConfigured?: boolean;
+}): import("@rig/contracts").GitHubAuthStatus;
+export declare function saveGitHubTokenForProject(input: {
+    readonly projectRoot: string;
+    readonly token: string;
+    readonly tokenSource?: "oauth-device" | "manual-token";
+    readonly selectedRepo?: string | null;
+    readonly fetchUser?: GitHubUserFetcher;
+}): Promise<{
+    signedIn: boolean;
+    login: string | null;
+    userId: string | null;
+    scopes: readonly string[];
+    selectedRepo: string | null;
+    oauthConfigured: boolean;
+    tokenSource: "oauth-device" | "manual-token" | "env" | null;
+    ok: true;
+}>;
+export declare function beginGitHubDeviceFlow(input: {
+    readonly projectRoot: string;
+    readonly clientId: string;
+    readonly scope?: string;
+    readonly selectedRepo?: string | null;
+    readonly postForm?: GitHubFormPoster;
+}): Promise<{
+    ok: true;
+    pollId: `${string}-${string}-${string}-${string}-${string}`;
+    userCode: string | null;
+    verificationUri: string | null;
+    expiresIn: number;
+    intervalSeconds: number;
+}>;
+export declare function pollGitHubDeviceFlow(input: {
+    readonly projectRoot: string;
+    readonly clientId: string;
+    readonly pollId: string;
+    readonly selectedRepo?: string | null;
+    readonly postForm?: GitHubFormPoster;
+    readonly fetchUser?: GitHubUserFetcher;
+}): Promise<{
+    ok: false;
+    status: "expired";
+    error: string;
+    intervalSeconds?: undefined;
+} | {
+    ok: false;
+    status: "pending" | "slow-down";
+    intervalSeconds: number;
+    error?: undefined;
+} | {
+    ok: false;
+    status: "error";
+    error: string;
+    intervalSeconds?: undefined;
+} | {
+    signedIn: boolean;
+    login: string | null;
+    userId: string | null;
+    scopes: readonly string[];
+    selectedRepo: string | null;
+    oauthConfigured: boolean;
+    tokenSource: "oauth-device" | "manual-token" | "env" | null;
+    ok: true;
+    status: "signed-in";
+    error?: undefined;
+    intervalSeconds?: undefined;
+}>;
+export declare function checkGitHubRepoPermissions(input: {
+    readonly projectRoot: string;
+    readonly oauthConfigured?: boolean;
+}): {
+    ok: false;
+    signedIn: boolean;
+    canOpenPullRequest: boolean;
+    reason: "not-authenticated";
+    login?: undefined;
+    scopes?: undefined;
+    pullRequests?: undefined;
+    push?: undefined;
+} | {
+    ok: true;
+    signedIn: boolean;
+    login: string | null;
+    scopes: readonly string[];
+    canOpenPullRequest: boolean;
+    pullRequests: boolean;
+    push: boolean;
+    reason: "stored-token" | "token-scope-unverified";
+};
+export declare function probeGitHubRepository(input: {
+    readonly owner: string;
+    readonly repo: string;
+    readonly token: string | null;
+    readonly scopes: readonly string[];
+    readonly fetchRepository?: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+}): Promise<GitHubRepositoryProbe>;