@inkeep/agents-work-apps 0.0.0-dev-20260203033642
- package/LICENSE.md +49 -0
- package/dist/db/index.d.ts +2 -0
- package/dist/db/index.js +3 -0
- package/dist/db/runDbClient.d.ts +6 -0
- package/dist/db/runDbClient.js +9 -0
- package/dist/env.d.ts +47 -0
- package/dist/env.js +48 -0
- package/dist/github/config.d.ts +22 -0
- package/dist/github/config.js +79 -0
- package/dist/github/index.d.ts +13 -0
- package/dist/github/index.js +23 -0
- package/dist/github/installation.d.ts +66 -0
- package/dist/github/installation.js +293 -0
- package/dist/github/jwks.d.ts +20 -0
- package/dist/github/jwks.js +85 -0
- package/dist/github/mcp/auth.d.ts +10 -0
- package/dist/github/mcp/auth.js +43 -0
- package/dist/github/mcp/index.d.ts +11 -0
- package/dist/github/mcp/index.js +670 -0
- package/dist/github/mcp/schemas.d.ts +87 -0
- package/dist/github/mcp/schemas.js +69 -0
- package/dist/github/mcp/utils.d.ts +228 -0
- package/dist/github/mcp/utils.js +464 -0
- package/dist/github/oidcToken.d.ts +22 -0
- package/dist/github/oidcToken.js +140 -0
- package/dist/github/routes/setup.d.ts +7 -0
- package/dist/github/routes/setup.js +217 -0
- package/dist/github/routes/tokenExchange.d.ts +7 -0
- package/dist/github/routes/tokenExchange.js +233 -0
- package/dist/github/routes/webhooks.d.ts +12 -0
- package/dist/github/routes/webhooks.js +278 -0
- package/dist/logger.d.ts +2 -0
- package/dist/logger.js +3 -0
- package/package.json +65 -0
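--- a/package/dist/github/jwks.d.ts
+++ b/package/dist/github/jwks.d.ts
@@ -0,0 +1,20 @@
+import { CryptoKey, JWSHeaderParameters } from "jose";
+
+//#region src/github/jwks.d.ts
+interface JwksResult {
+success: true;
+key: CryptoKey;
+}
+interface JwksError {
+success: false;
+error: string;
+}
+type GetJwkResult = JwksResult | JwksError;
+declare function getJwkForToken(header: JWSHeaderParameters): Promise<GetJwkResult>;
+declare function clearJwksCache(): void;
+declare function getJwksCacheStatus(): {
+cached: boolean;
+expiresIn?: number;
+};
+//#endregion
+export { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus };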
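--- a/package/dist/github/jwks.js
+++ b/package/dist/github/jwks.js
@@ -0,0 +1,85 @@
+import { getLogger } from "../logger.js";
+import { createRemoteJWKSet } from "jose";
+
+//#region src/github/jwks.ts
+const logger = getLogger("github-jwks");
+const GITHUB_OIDC_JWKS_URL = "https://token.actions.githubusercontent.com/.well-known/jwks";
+const CACHE_TTL_MS = 3600 * 1e3;
+let jwksCache = null;
+function createJwksWithLogging() {
+logger.info({}, "Creating new JWKS fetch function for GitHub OIDC");
+return createRemoteJWKSet(new URL(GITHUB_OIDC_JWKS_URL), { cacheMaxAge: CACHE_TTL_MS });
+}
+function isCacheExpired() {
+if (!jwksCache) return true;
+return Date.now() - jwksCache.fetchedAt > CACHE_TTL_MS;
+}
+function getOrCreateJwksFunction() {
+if (!jwksCache || isCacheExpired()) jwksCache = {
+jwks: createJwksWithLogging(),
+fetchedAt: Date.now()
+};
+return jwksCache.jwks;
+}
+async function getJwkForToken(header) {
+const kid = header.kid;
+if (!kid) return {
+success: false,
+error: "Token is missing key ID (kid) in header"
+};
+try {
+const key = await getOrCreateJwksFunction()(header);
+logger.debug({ kid }, "Successfully retrieved JWK for token");
+return {
+success: true,
+key
+};
+} catch (error) {
+const errorMessage = error instanceof Error ? error.message : "Unknown error";
+if (errorMessage.includes("no applicable key found")) {
+logger.warn({ kid }, "Key ID not found in JWKS, refreshing cache");
+jwksCache = null;
+try {
+const key = await getOrCreateJwksFunction()(header);
+logger.info({ kid }, "Successfully retrieved JWK after cache refresh");
+return {
+success: true,
+key
+};
+} catch (retryError) {
+const retryErrorMessage = retryError instanceof Error ? retryError.message : "Unknown error";
+logger.error({
+kid,
+error: retryErrorMessage
+}, "Failed to retrieve JWK after cache refresh");
+return {
+success: false,
+error: `Key ID '${kid}' not found in GitHub OIDC JWKS`
+};
+}
+}
+logger.error({
+kid,
+error: errorMessage
+}, "Failed to fetch JWKS from GitHub");
+return {
+success: false,
+error: `Failed to fetch GitHub OIDC JWKS: ${errorMessage}`
+};
+}
+}
+function clearJwksCache() {
+jwksCache = null;
+logger.debug({}, "JWKS cache cleared");
+}
+function getJwksCacheStatus() {
+if (!jwksCache) return { cached: false };
+const expiresIn = CACHE_TTL_MS - (Date.now() - jwksCache.fetchedAt);
+return {
+cached: true,
+expiresIn: Math.max(0, expiresIn)
+};
+}
+
+//#endregion
+export { clearJwksCache, getJwkForToken, getJwksCacheStatus };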
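Review bot: In `getJwkForToken`, the catch branch that sets `jwksCache = null` and immediately calls `getOrCreateJwksFunction()` again discards the `createRemoteJWKSet` instance together with its refetch cooldown, so every token carrying an unknown `kid` triggers a fresh download from `GITHUB_OIDC_JWKS_URL`. The `kid` comes from the token header, presumably before the signature has been checked, which would let unauthenticated callers drive that outbound traffic and fill the log with warn/error entries. jose's remote key set already reloads on an unknown key, rate-limited by its `cooldownDuration` option, so the manual reset can be dropped or limited to one refresh per interval. The branch is also selected by matching the message text `"no applicable key found"`; comparing `error.code === "ERR_JWKS_NO_MATCHING_KEY"` is stable across library versions. This file is build output, so the change belongs in `src/github/jwks.ts`.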
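--- a/package/dist/github/mcp/auth.js
+++ b/package/dist/github/mcp/auth.js
@@ -0,0 +1,43 @@
+import { env } from "../../env.js";
+import { createApiError } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+
+//#region src/github/mcp/auth.ts
+const githubMcpAuth = () => createMiddleware(async (c, next) => {
+const toolId = c.req.header("x-inkeep-tool-id");
+if (!toolId) throw createApiError({
+code: "unauthorized",
+message: "Missing required header: x-inkeep-tool-id",
+extensions: { parameter: {
+in: "header",
+name: "x-inkeep-tool-id"
+} }
+});
+const authHeader = c.req.header("Authorization");
+if (!authHeader) throw createApiError({
+code: "unauthorized",
+message: "Missing required header: Authorization",
+extensions: { parameter: {
+in: "header",
+name: "Authorization"
+} }
+});
+const apiKey = authHeader.startsWith("Bearer ") ? authHeader.substring(7) : void 0;
+if (!apiKey) throw createApiError({
+code: "unauthorized",
+message: "Invalid Authorization header format. Expected: Bearer <token>",
+extensions: { parameter: {
+in: "header",
+name: "Authorization"
+} }
+});
+if (apiKey !== env.GITHUB_MCP_API_KEY) throw createApiError({
+code: "unauthorized",
+message: "Invalid API key"
+});
+c.set("toolId", toolId);
+await next();
+});
+
+//#endregion
+export { githubMcpAuth };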
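Review bot: The check `apiKey !== env.GITHUB_MCP_API_KEY` in `githubMcpAuth` compares the shared secret with an ordinary string comparison, which is not constant-time and can return earlier on an early mismatch. Compare fixed-length digests instead, for example `timingSafeEqual(createHash("sha256").update(apiKey).digest(), createHash("sha256").update(expected).digest())` from `node:crypto`, and reject up front when `env.GITHUB_MCP_API_KEY` is unset. Separately, `x-inkeep-tool-id` is stored with `c.set("toolId", toolId)` exactly as the caller sent it; if later handlers use it to choose which GitHub access applies (not visible here), any holder of the one shared key can name any tool id, which is worth a comment on the middleware or a lookup that binds the id to the credential. This file is build output, so the change belongs in `src/github/mcp/auth.ts`.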
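--- a/package/dist/github/mcp/index.d.ts
+++ b/package/dist/github/mcp/index.d.ts
@@ -0,0 +1,11 @@
+import { Hono } from "hono";
+import * as hono_types0 from "hono/types";
+
+//#region src/github/mcp/index.d.ts
+declare const app: Hono<{
+Variables: {
+toolId: string;
+};
+}, hono_types0.BlankSchema, "/">;
+//#endregion
+export { app as default };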