@h-rig/github-provider-plugin 0.0.6-alpha.156 → 0.0.6-alpha.158

package/dist/src/identity-env.d.ts

@@ -0,0 +1,16 @@
+import { type IdentityRegistryFilter, resolveRigIdentity, resolveRigIdentityFilter } from "./identity";
+export { resolveRigIdentity, resolveRigIdentityFilter };
+export type { IdentityRegistryFilter };
+declare const PUBLIC_IDENTITY_ENV_KEYS: readonly ["RIG_SELECTED_REPO", "RIG_GITHUB_USER_ID", "RIG_GITHUB_LOGIN", "RIG_GITHUB_NAMESPACE_KEY"];
+export declare function resolveIdentityEnv(workspaceRoot: string): Partial<Record<(typeof PUBLIC_IDENTITY_ENV_KEYS)[number], string>>;
+export declare function applyIdentityEnv(workspaceRoot: string): () => void;
+export declare function identityFilterFromEnv(): IdentityRegistryFilter;
+/**
+ * Credential env keys that must be STRIPPED from a spawned run-host child's
+ * environment. The operator's session/admin GitHub tokens must not leak into the
+ * detached run worker, which resolves its OWN scoped token from the run identity
+ * (`github-auth.json` via `RIG_GITHUB_AUTH_STATE_FILE`).
+ */
+export declare const RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS: readonly ["RIG_GITHUB_TOKEN", "RIG_GITHUB_SELECTED_TOKEN", "GH_TOKEN", "GITHUB_TOKEN"];
+/** Return a copy of `env` (default process.env) with run-scoped credential tokens removed. */
+export declare function stripRunChildCredentialEnv(env?: Record<string, string | undefined>): Record<string, string | undefined>;

package/dist/src/identity-env.js

@@ -0,0 +1,239 @@
+// @bun
+// packages/github-provider-plugin/src/identity-env.ts
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+
+// packages/github-provider-plugin/src/identity.ts
+import {
+  RIG_WORKFLOW_STARTED
+} from "@rig/contracts";
+function stringField(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function numericStringField(value) {
+  return typeof value === "number" && Number.isInteger(value) ? String(value) : stringField(value);
+}
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function customEntries(entries) {
+  const customs = [];
+  for (const entry of entries) {
+    if (entry.type === "custom")
+      customs.push(entry);
+  }
+  return customs;
+}
+function candidateFromStartedData(data) {
+  const record = asRecord(data);
+  if (!record)
+    return null;
+  const owner = asRecord(record.owner);
+  const selectedRepo = stringField(record.selectedRepo);
+  const githubUserId = stringField(owner?.githubUserId) ?? numericStringField(record.githubUserId) ?? numericStringField(record.userId);
+  const login = stringField(owner?.login) ?? stringField(record.login);
+  const namespaceKey = stringField(owner?.namespaceKey) ?? stringField(record.namespaceKey) ?? stringField(record.userNamespaceKey);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return { selectedRepo, githubUserId, login, namespaceKey, source: "workflow-metadata" };
+}
+function workflowIdentityCandidate(entries) {
+  const customs = customEntries(entries);
+  for (let index = customs.length - 1;index >= 0; index -= 1) {
+    const entry = customs[index];
+    if (entry?.customType !== RIG_WORKFLOW_STARTED)
+      continue;
+    const candidate = candidateFromStartedData(entry.data);
+    if (candidate)
+      return candidate;
+  }
+  return null;
+}
+function ompGitHubIdentityCandidate(ctx) {
+  const account = asRecord(ctx.modelRegistry?.authStorage?.getOAuthAccountIdentity?.("github-copilot", ctx.sessionManager.getSessionId()));
+  if (!account)
+    return null;
+  const githubUserId = stringField(account.accountId);
+  const login = stringField(account.login) ?? stringField(account.email);
+  if (!githubUserId && !login)
+    return null;
+  return {
+    githubUserId,
+    login,
+    namespaceKey: githubUserId ? `gh:${githubUserId}` : undefined,
+    source: "omp-github-copilot-auth"
+  };
+}
+function envField(name) {
+  return stringField(process.env[name]);
+}
+function envIdentityCandidate() {
+  const selectedRepo = envField("RIG_SELECTED_REPO");
+  const githubUserId = envField("RIG_GITHUB_USER_ID");
+  const login = envField("RIG_GITHUB_LOGIN");
+  const namespaceKey = envField("RIG_GITHUB_NAMESPACE_KEY") ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return {
+    selectedRepo,
+    githubUserId,
+    login,
+    namespaceKey,
+    source: "rig-public-identity-env"
+  };
+}
+function mergeSource(sources, source) {
+  if (source && !sources.includes(source))
+    sources.push(source);
+}
+function completeIdentity(candidate, sources) {
+  const selectedRepo = stringField(candidate.selectedRepo);
+  const githubUserId = stringField(candidate.githubUserId);
+  const login = stringField(candidate.login);
+  const namespaceKey = stringField(candidate.namespaceKey) ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo || !githubUserId || !login || !namespaceKey)
+    return null;
+  const uniqueSources = [];
+  for (const value of sources) {
+    if (!uniqueSources.includes(value))
+      uniqueSources.push(value);
+  }
+  return {
+    selectedRepo,
+    owner: { githubUserId, login, namespaceKey },
+    source: uniqueSources.join("+")
+  };
+}
+function resolveRigIdentity(ctx) {
+  const workflow = workflowIdentityCandidate(ctx.sessionManager.getBranch());
+  const omp = ompGitHubIdentityCandidate(ctx);
+  const env = envIdentityCandidate();
+  const sources = [];
+  const selectedRepo = workflow?.selectedRepo ?? env?.selectedRepo;
+  const githubUserId = workflow?.githubUserId ?? omp?.githubUserId ?? env?.githubUserId;
+  const login = workflow?.login ?? omp?.login ?? env?.login;
+  const namespaceKey = workflow?.namespaceKey ?? omp?.namespaceKey ?? env?.namespaceKey;
+  if (workflow && (workflow.selectedRepo || workflow.githubUserId || workflow.login || workflow.namespaceKey))
+    mergeSource(sources, workflow.source);
+  if (omp && (!workflow?.githubUserId || !workflow?.login || !workflow?.namespaceKey))
+    mergeSource(sources, omp.source);
+  if (env && (!workflow?.selectedRepo && env.selectedRepo || !workflow?.githubUserId && !omp?.githubUserId && env.githubUserId || !workflow?.login && !omp?.login && env.login || !workflow?.namespaceKey && !omp?.namespaceKey && env.namespaceKey))
+    mergeSource(sources, env.source);
+  return completeIdentity({ selectedRepo, githubUserId, login, namespaceKey, source: sources.join("+") }, sources);
+}
+function resolveRigIdentityFilter(ctx) {
+  const identity = resolveRigIdentity(ctx);
+  if (!identity)
+    return null;
+  return {
+    cwd: ctx.sessionManager.getCwd(),
+    selectedRepo: identity.selectedRepo,
+    githubUserId: identity.owner.githubUserId,
+    namespaceKey: identity.owner.namespaceKey
+  };
+}
+
+// packages/github-provider-plugin/src/identity-env.ts
+var PUBLIC_IDENTITY_ENV_KEYS = [
+  "RIG_SELECTED_REPO",
+  "RIG_GITHUB_USER_ID",
+  "RIG_GITHUB_LOGIN",
+  "RIG_GITHUB_NAMESPACE_KEY"
+];
+var RIG_STATE_ENV_KEYS = [
+  "RIG_GITHUB_AUTH_STATE_FILE"
+];
+function stringField2(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function githubUserId(value) {
+  if (typeof value === "number" && Number.isInteger(value))
+    return String(value);
+  return stringField2(value);
+}
+function readJsonRecord(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync(path, "utf8"));
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function resolveIdentityEnv(workspaceRoot) {
+  const stateDir = resolve(workspaceRoot, ".rig", "state");
+  const auth = readJsonRecord(resolve(stateDir, "github-auth.json"));
+  const connection = readJsonRecord(resolve(stateDir, "connection.json"));
+  const projectLink = readJsonRecord(resolve(stateDir, "project-link.json"));
+  const values = {};
+  const selectedRepo = stringField2(auth?.selectedRepo) ?? stringField2(connection?.project) ?? stringField2(projectLink?.repoSlug);
+  const userId = githubUserId(auth?.userId);
+  const login = stringField2(auth?.login);
+  const namespaceKey = stringField2(auth?.userNamespaceKey);
+  if (selectedRepo)
+    values.RIG_SELECTED_REPO = selectedRepo;
+  if (userId)
+    values.RIG_GITHUB_USER_ID = userId;
+  if (login)
+    values.RIG_GITHUB_LOGIN = login;
+  if (namespaceKey)
+    values.RIG_GITHUB_NAMESPACE_KEY = namespaceKey;
+  return values;
+}
+function applyIdentityEnv(workspaceRoot) {
+  const previous = new Map;
+  for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS])
+    previous.set(key, process.env[key]);
+  const stateDir = resolve(workspaceRoot, ".rig", "state");
+  const auth = readJsonRecord(resolve(stateDir, "github-auth.json"));
+  const connection = readJsonRecord(resolve(stateDir, "connection.json"));
+  const projectLink = readJsonRecord(resolve(stateDir, "project-link.json"));
+  const values = { ...resolveIdentityEnv(workspaceRoot) };
+  values.RIG_GITHUB_AUTH_STATE_FILE = resolve(stateDir, "github-auth.json");
+  const hasLocalIdentityState = Boolean(auth || connection || projectLink);
+  for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS]) {
+    const value = values[key];
+    if (value)
+      process.env[key] = value;
+    else if (hasLocalIdentityState)
+      delete process.env[key];
+  }
+  return () => {
+    for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS]) {
+      const value = previous.get(key);
+      if (value === undefined)
+        delete process.env[key];
+      else
+        process.env[key] = value;
+    }
+  };
+}
+function identityFilterFromEnv() {
+  return {
+    ...process.env.RIG_SELECTED_REPO ? { selectedRepo: process.env.RIG_SELECTED_REPO } : {},
+    ...process.env.RIG_GITHUB_USER_ID ? { githubUserId: process.env.RIG_GITHUB_USER_ID } : {},
+    ...process.env.RIG_GITHUB_NAMESPACE_KEY ? { namespaceKey: process.env.RIG_GITHUB_NAMESPACE_KEY } : {}
+  };
+}
+var RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS = [
+  "RIG_GITHUB_TOKEN",
+  "RIG_GITHUB_SELECTED_TOKEN",
+  "GH_TOKEN",
+  "GITHUB_TOKEN"
+];
+function stripRunChildCredentialEnv(env = process.env) {
+  const next = { ...env };
+  for (const key of RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS)
+    delete next[key];
+  return next;
+}
+export {
+  stripRunChildCredentialEnv,
+  resolveRigIdentityFilter,
+  resolveRigIdentity,
+  resolveIdentityEnv,
+  identityFilterFromEnv,
+  applyIdentityEnv,
+  RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS
+};

package/dist/src/identity.d.ts

@@ -0,0 +1,17 @@
+/**
+ * identity.ts — GitHub-owned Rig run-identity resolver.
+ *
+ * Derives `{ selectedRepo, owner }` from the OMP workflow/session projection,
+ * GitHub Copilot auth identity, and public Rig identity env. The structural
+ * vocabulary lives in `@rig/contracts`; this package owns the provider behavior
+ * and exposes it through the RUN_IDENTITY_ENV capability for sibling plugins.
+ *
+ * The discovery-filter return type is declared structurally in the contract (an
+ * exact structural mirror of `CollabRegistryFilter` from `@rig/relay-registry`)
+ * so provider consumers can pass it to registry/discovery seams without adding a
+ * transport package dependency.
+ */
+import { type RigIdentityContext, type RigResolvedIdentity, type IdentityRegistryFilter } from "@rig/contracts";
+export type { RigIdentity, RigIdentityContext, RigResolvedIdentity, IdentityRegistryFilter } from "@rig/contracts";
+export declare function resolveRigIdentity(ctx: RigIdentityContext): RigResolvedIdentity | null;
+export declare function resolveRigIdentityFilter(ctx: RigIdentityContext): IdentityRegistryFilter | null;

package/dist/src/identity.js

@@ -0,0 +1,134 @@
+// @bun
+// packages/github-provider-plugin/src/identity.ts
+import {
+  RIG_WORKFLOW_STARTED
+} from "@rig/contracts";
+function stringField(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function numericStringField(value) {
+  return typeof value === "number" && Number.isInteger(value) ? String(value) : stringField(value);
+}
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function customEntries(entries) {
+  const customs = [];
+  for (const entry of entries) {
+    if (entry.type === "custom")
+      customs.push(entry);
+  }
+  return customs;
+}
+function candidateFromStartedData(data) {
+  const record = asRecord(data);
+  if (!record)
+    return null;
+  const owner = asRecord(record.owner);
+  const selectedRepo = stringField(record.selectedRepo);
+  const githubUserId = stringField(owner?.githubUserId) ?? numericStringField(record.githubUserId) ?? numericStringField(record.userId);
+  const login = stringField(owner?.login) ?? stringField(record.login);
+  const namespaceKey = stringField(owner?.namespaceKey) ?? stringField(record.namespaceKey) ?? stringField(record.userNamespaceKey);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return { selectedRepo, githubUserId, login, namespaceKey, source: "workflow-metadata" };
+}
+function workflowIdentityCandidate(entries) {
+  const customs = customEntries(entries);
+  for (let index = customs.length - 1;index >= 0; index -= 1) {
+    const entry = customs[index];
+    if (entry?.customType !== RIG_WORKFLOW_STARTED)
+      continue;
+    const candidate = candidateFromStartedData(entry.data);
+    if (candidate)
+      return candidate;
+  }
+  return null;
+}
+function ompGitHubIdentityCandidate(ctx) {
+  const account = asRecord(ctx.modelRegistry?.authStorage?.getOAuthAccountIdentity?.("github-copilot", ctx.sessionManager.getSessionId()));
+  if (!account)
+    return null;
+  const githubUserId = stringField(account.accountId);
+  const login = stringField(account.login) ?? stringField(account.email);
+  if (!githubUserId && !login)
+    return null;
+  return {
+    githubUserId,
+    login,
+    namespaceKey: githubUserId ? `gh:${githubUserId}` : undefined,
+    source: "omp-github-copilot-auth"
+  };
+}
+function envField(name) {
+  return stringField(process.env[name]);
+}
+function envIdentityCandidate() {
+  const selectedRepo = envField("RIG_SELECTED_REPO");
+  const githubUserId = envField("RIG_GITHUB_USER_ID");
+  const login = envField("RIG_GITHUB_LOGIN");
+  const namespaceKey = envField("RIG_GITHUB_NAMESPACE_KEY") ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return {
+    selectedRepo,
+    githubUserId,
+    login,
+    namespaceKey,
+    source: "rig-public-identity-env"
+  };
+}
+function mergeSource(sources, source) {
+  if (source && !sources.includes(source))
+    sources.push(source);
+}
+function completeIdentity(candidate, sources) {
+  const selectedRepo = stringField(candidate.selectedRepo);
+  const githubUserId = stringField(candidate.githubUserId);
+  const login = stringField(candidate.login);
+  const namespaceKey = stringField(candidate.namespaceKey) ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo || !githubUserId || !login || !namespaceKey)
+    return null;
+  const uniqueSources = [];
+  for (const value of sources) {
+    if (!uniqueSources.includes(value))
+      uniqueSources.push(value);
+  }
+  return {
+    selectedRepo,
+    owner: { githubUserId, login, namespaceKey },
+    source: uniqueSources.join("+")
+  };
+}
+function resolveRigIdentity(ctx) {
+  const workflow = workflowIdentityCandidate(ctx.sessionManager.getBranch());
+  const omp = ompGitHubIdentityCandidate(ctx);
+  const env = envIdentityCandidate();
+  const sources = [];
+  const selectedRepo = workflow?.selectedRepo ?? env?.selectedRepo;
+  const githubUserId = workflow?.githubUserId ?? omp?.githubUserId ?? env?.githubUserId;
+  const login = workflow?.login ?? omp?.login ?? env?.login;
+  const namespaceKey = workflow?.namespaceKey ?? omp?.namespaceKey ?? env?.namespaceKey;
+  if (workflow && (workflow.selectedRepo || workflow.githubUserId || workflow.login || workflow.namespaceKey))
+    mergeSource(sources, workflow.source);
+  if (omp && (!workflow?.githubUserId || !workflow?.login || !workflow?.namespaceKey))
+    mergeSource(sources, omp.source);
+  if (env && (!workflow?.selectedRepo && env.selectedRepo || !workflow?.githubUserId && !omp?.githubUserId && env.githubUserId || !workflow?.login && !omp?.login && env.login || !workflow?.namespaceKey && !omp?.namespaceKey && env.namespaceKey))
+    mergeSource(sources, env.source);
+  return completeIdentity({ selectedRepo, githubUserId, login, namespaceKey, source: sources.join("+") }, sources);
+}
+function resolveRigIdentityFilter(ctx) {
+  const identity = resolveRigIdentity(ctx);
+  if (!identity)
+    return null;
+  return {
+    cwd: ctx.sessionManager.getCwd(),
+    selectedRepo: identity.selectedRepo,
+    githubUserId: identity.owner.githubUserId,
+    namespaceKey: identity.owner.namespaceKey
+  };
+}
+export {
+  resolveRigIdentityFilter,
+  resolveRigIdentity
+};

package/dist/src/index.d.ts

@@ -1,7 +1,4 @@
-export * from "./auth-store";
-export * from "./credentials";
-export * from "./projects";
-export * from "./github-api";
+export * from "@rig/github-lib";
 export * from "./issue-analysis";
 export * from "./triage-run";
 export { GITHUB_PROVIDER_PLUGIN_NAME, githubProviderPlugin, createGitHubProviderPlugin, } from "./plugin";