@inkeep/agents-api 0.0.0-dev-20260202060901 → 0.0.0-dev-20260203023016

package/dist/domains/github/oidcToken.js

@@ -1,140 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { getJwkForToken } from "./jwks.js";
-import { decodeProtectedHeader, errors, jwtVerify } from "jose";
-
-//#region src/domains/github/oidcToken.ts
-const logger = getLogger("github-oidc-token");
-const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
-const EXPECTED_AUDIENCE = "inkeep-agents-action";
-async function validateOidcToken(token) {
-	let header;
-	try {
-		header = decodeProtectedHeader(token);
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.warn({ error: message }, "Failed to decode JWT header");
-		return {
-			success: false,
-			errorType: "malformed",
-			message: "Invalid JWT format: unable to decode token header"
-		};
-	}
-	if (header.alg !== "RS256") {
-		logger.warn({ algorithm: header.alg }, "Unexpected JWT algorithm");
-		return {
-			success: false,
-			errorType: "malformed",
-			message: `Invalid JWT algorithm: expected RS256, got ${header.alg}`
-		};
-	}
-	const jwkResult = await getJwkForToken(header);
-	if (!jwkResult.success) {
-		logger.error({ error: jwkResult.error }, "Failed to get JWK for token");
-		return {
-			success: false,
-			errorType: "jwks_error",
-			message: jwkResult.error
-		};
-	}
-	try {
-		const { payload } = await jwtVerify(token, jwkResult.key, {
-			issuer: GITHUB_OIDC_ISSUER,
-			audience: EXPECTED_AUDIENCE
-		});
-		const repository = payload.repository;
-		const repositoryOwner = payload.repository_owner;
-		const repositoryId = payload.repository_id;
-		const workflow = payload.workflow;
-		const actor = payload.actor;
-		const ref = payload.ref;
-		if (typeof repository !== "string" || typeof repositoryOwner !== "string" || typeof repositoryId !== "string" || typeof workflow !== "string" || typeof actor !== "string" || typeof ref !== "string") {
-			logger.warn({ payload }, "OIDC token missing required claims");
-			return {
-				success: false,
-				errorType: "malformed",
-				message: "OIDC token missing required claims: repository, repository_owner, repository_id, workflow, actor, or ref"
-			};
-		}
-		logger.info({
-			repository,
-			actor
-		}, "Successfully validated OIDC token");
-		return {
-			success: true,
-			claims: {
-				repository,
-				repository_owner: repositoryOwner,
-				repository_id: repositoryId,
-				workflow,
-				actor,
-				ref
-			}
-		};
-	} catch (error) {
-		if (error instanceof errors.JWTExpired) {
-			logger.warn({}, "OIDC token has expired");
-			return {
-				success: false,
-				errorType: "expired",
-				message: "OIDC token has expired"
-			};
-		}
-		if (error instanceof errors.JWTClaimValidationFailed) {
-			const claimError = error;
-			if (claimError.claim === "iss") {
-				logger.warn({ issuer: claimError.reason }, "Invalid OIDC token issuer");
-				return {
-					success: false,
-					errorType: "wrong_issuer",
-					message: `Invalid token issuer: expected ${GITHUB_OIDC_ISSUER}`
-				};
-			}
-			if (claimError.claim === "aud") {
-				logger.warn({ audience: claimError.reason }, "Invalid OIDC token audience");
-				return {
-					success: false,
-					errorType: "wrong_audience",
-					message: `Invalid token audience: expected ${EXPECTED_AUDIENCE}`
-				};
-			}
-			logger.warn({
-				claim: claimError.claim,
-				reason: claimError.reason
-			}, "JWT claim validation failed");
-			return {
-				success: false,
-				errorType: "malformed",
-				message: `JWT claim validation failed: ${claimError.claim} ${claimError.reason}`
-			};
-		}
-		if (error instanceof errors.JWSSignatureVerificationFailed) {
-			logger.warn({}, "Invalid OIDC token signature");
-			return {
-				success: false,
-				errorType: "invalid_signature",
-				message: "Invalid token signature"
-			};
-		}
-		if (error instanceof errors.JOSEError) {
-			logger.error({
-				error: error.message,
-				code: error.code
-			}, "JOSE error during token validation");
-			return {
-				success: false,
-				errorType: "malformed",
-				message: `Token validation error: ${error.message}`
-			};
-		}
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({ error: message }, "Unexpected error during token validation");
-		return {
-			success: false,
-			errorType: "malformed",
-			message: `Token validation error: ${message}`
-		};
-	}
-}
-
-//#endregion
-export { validateOidcToken };

package/dist/domains/github/routes/tokenExchange.d.ts

@@ -1,7 +0,0 @@
-import { Hono } from "hono";
-import * as hono_types14 from "hono/types";
-
-//#region src/domains/github/routes/tokenExchange.d.ts
-declare const app: Hono<hono_types14.BlankEnv, hono_types14.BlankSchema, "/">;
-//#endregion
-export { app as default };

package/dist/domains/github/routes/tokenExchange.js

@@ -1,130 +0,0 @@
-import { getLogger } from "../../../logger.js";
-import { isGitHubAppConfigured } from "../config.js";
-import { generateInstallationAccessToken, lookupInstallationForRepo } from "../installation.js";
-import { validateOidcToken } from "../oidcToken.js";
-import { Hono } from "hono";
-import { z } from "zod";
-
-//#region src/domains/github/routes/tokenExchange.ts
-const logger = getLogger("github-token-exchange");
-const TokenExchangeRequestSchema = z.object({ oidc_token: z.string() });
-const app = new Hono();
-/**
-* Exchange GitHub OIDC token for installation token.
-*
-* This is an internal infrastructure endpoint called by the CLI from GitHub Actions.
-* It exchanges a GitHub Actions OIDC token for a GitHub App installation access token.
-* Not included in the public OpenAPI spec.
-*/
-app.post("/", async (c) => {
-	const rawBody = await c.req.json().catch(() => null);
-	const parseResult = TokenExchangeRequestSchema.safeParse(rawBody);
-	if (!parseResult.success) {
-		const errorMessage = parseResult.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join("; ");
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "Bad Request",
-			status: 400,
-			detail: errorMessage,
-			error: errorMessage
-		}, 400);
-	}
-	const body = parseResult.data;
-	logger.info({}, "Processing token exchange request");
-	if (!isGitHubAppConfigured()) {
-		logger.error({}, "GitHub App credentials not configured");
-		const errorMessage = "GitHub App credentials are not configured. Please contact the administrator to set up GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.";
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "GitHub App Not Configured",
-			status: 500,
-			detail: errorMessage,
-			error: errorMessage
-		}, 500);
-	}
-	const validationResult = await validateOidcToken(body.oidc_token);
-	if (!validationResult.success) {
-		const errorType = validationResult.errorType;
-		logger.warn({
-			errorType,
-			message: validationResult.message
-		}, "OIDC token validation failed");
-		c.header("Content-Type", "application/problem+json");
-		if (errorType === "malformed") return c.json({
-			title: "Bad Request",
-			status: 400,
-			detail: validationResult.message,
-			error: validationResult.message
-		}, 400);
-		return c.json({
-			title: "Token Validation Failed",
-			status: 401,
-			detail: validationResult.message,
-			error: validationResult.message
-		}, 401);
-	}
-	const { claims } = validationResult;
-	const installationResult = await lookupInstallationForRepo(claims.repository_owner, claims.repository.split("/")[1]);
-	if (!installationResult.success) {
-		const { errorType, message } = installationResult;
-		if (errorType === "not_installed") {
-			c.header("Content-Type", "application/problem+json");
-			return c.json({
-				title: "GitHub App Not Installed",
-				status: 403,
-				detail: message,
-				error: message
-			}, 403);
-		}
-		logger.error({
-			errorType,
-			message,
-			repository: claims.repository
-		}, "Failed to look up GitHub App installation");
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "Installation Lookup Failed",
-			status: 500,
-			detail: message,
-			error: message
-		}, 500);
-	}
-	const { installation } = installationResult;
-	logger.info({
-		installationId: installation.installationId,
-		repository: claims.repository
-	}, "Found GitHub App installation");
-	const tokenResult = await generateInstallationAccessToken(installation.installationId);
-	if (!tokenResult.success) {
-		const { errorType, message } = tokenResult;
-		logger.error({
-			errorType,
-			message,
-			installationId: installation.installationId,
-			repository: claims.repository
-		}, "Failed to generate installation access token");
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "Token Generation Failed",
-			status: 500,
-			detail: message,
-			error: message
-		}, 500);
-	}
-	const { accessToken } = tokenResult;
-	logger.info({
-		installationId: installation.installationId,
-		repository: claims.repository,
-		expiresAt: accessToken.expiresAt
-	}, "Token exchange completed successfully");
-	return c.json({
-		token: accessToken.token,
-		expires_at: accessToken.expiresAt,
-		repository: claims.repository,
-		installation_id: installation.installationId
-	}, 200);
-});
-var tokenExchange_default = app;
-
-//#endregion
-export { tokenExchange_default as default };