@inkeep/agents-work-apps 0.0.0-dev-20260203033642

package/dist/github/mcp/utils.js

@@ -0,0 +1,464 @@
+import { env } from "../../env.js";
+import { getLogger } from "../../logger.js";
+import { createAppAuth } from "@octokit/auth-app";
+import { Octokit } from "@octokit/rest";
+import { minimatch } from "minimatch";
+
+//#region src/github/mcp/utils.ts
+const logger = getLogger("github-mcp-utils");
+function getGitHubClientFromRepo(owner, repo, installationIdMap) {
+	const repoFullName = `${owner}/${repo}`;
+	const installationId = installationIdMap.get(repoFullName);
+	if (!installationId) {
+		logger.error({
+			owner,
+			repo,
+			installationIdMap
+		}, "Installation ID not found for repository");
+		throw new Error(`Installation ID not found for repository ${repoFullName}`);
+	}
+	return getGitHubClientFromInstallationId(installationId);
+}
+function getGitHubClientFromInstallationId(installationId) {
+	if (!env.GITHUB_APP_PRIVATE_KEY) {
+		logger.error({ installationId }, "GITHUB_APP_PRIVATE_KEY is not set");
+		throw new Error("GITHUB_APP_PRIVATE_KEY is not set");
+	}
+	const privateKey = env.GITHUB_APP_PRIVATE_KEY.replace(/\\n/g, "\n");
+	logger.info({ installationId }, "Creating GitHub client for installation ID");
+	return new Octokit({
+		authStrategy: createAppAuth,
+		auth: {
+			appId: env.GITHUB_APP_ID,
+			privateKey,
+			installationId
+		}
+	});
+}
+function mapUser(user) {
+	return {
+		login: user.login,
+		id: user.id,
+		avatarUrl: user.avatar_url,
+		url: user.html_url
+	};
+}
+/**
+* Fetch pull request details
+*/
+async function fetchPrInfo(octokit, owner, repo, prNumber) {
+	logger.info({
+		owner,
+		repo,
+		prNumber
+	}, `Fetching PR #${prNumber} details`);
+	const { data: pr } = await octokit.rest.pulls.get({
+		owner,
+		repo,
+		pull_number: prNumber
+	});
+	return {
+		number: pr.number,
+		title: pr.title,
+		body: pr.body,
+		author: mapUser(pr.user),
+		url: pr.html_url,
+		state: pr.state,
+		base: {
+			ref: pr.base.ref,
+			sha: pr.base.sha
+		},
+		head: {
+			ref: pr.head.ref,
+			sha: pr.head.sha
+		},
+		createdAt: pr.created_at,
+		updatedAt: pr.updated_at
+	};
+}
+/**
+* Fetch all commits in a pull request.
+*/
+async function fetchPrCommits(octokit, owner, repo, prNumber) {
+	try {
+		const commits = [];
+		let page = 1;
+		const perPage = 100;
+		while (true) {
+			const response = await octokit.rest.pulls.listCommits({
+				owner,
+				repo,
+				pull_number: prNumber,
+				per_page: perPage,
+				page
+			});
+			commits.push(...response.data);
+			if (response.data.length < perPage) break;
+			page++;
+		}
+		return commits;
+	} catch (error) {
+		throw new Error(`Failed to get PR commits: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+}
+/**
+* Fetch detailed information about a specific commit including its diff.
+*/
+async function fetchCommitDetails(octokit, owner, repo, commitSha) {
+	try {
+		return (await octokit.rest.repos.getCommit({
+			owner,
+			repo,
+			ref: commitSha
+		})).data;
+	} catch (error) {
+		throw new Error(`Failed to get commit details: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+}
+/**
+* Fetch changed files with optional path filtering and content fetching
+*/
+async function fetchPrFiles(octokit, owner, repo, prNumber, pathFilters = [], includeContents = false, includePatch = false) {
+	logger.info({
+		owner,
+		repo,
+		prNumber,
+		pathFilters,
+		includeContents,
+		includePatch
+	}, `Fetching PR #${prNumber} changed files`);
+	const files = [];
+	const headSha = (await fetchPrInfo(octokit, owner, repo, prNumber)).head.sha;
+	for await (const response of octokit.paginate.iterator(octokit.rest.pulls.listFiles, {
+		owner,
+		repo,
+		pull_number: prNumber,
+		per_page: 100
+	})) for (const file of response.data) {
+		if (pathFilters.length > 0 && !pathFilters.some((filter) => minimatch(file.filename, filter))) continue;
+		const changedFile = {
+			commit_messages: [],
+			path: file.filename,
+			status: file.status,
+			additions: file.additions,
+			deletions: file.deletions,
+			patch: includePatch ? file.patch : void 0,
+			previousPath: file.previous_filename
+		};
+		if (includeContents && file.status !== "removed") try {
+			const { data: content } = await octokit.rest.repos.getContent({
+				owner,
+				repo,
+				path: file.filename,
+				ref: headSha
+			});
+			if ("content" in content && content.encoding === "base64") changedFile.contents = Buffer.from(content.content, "base64").toString("utf-8");
+		} catch (error) {
+			logger.warn({
+				owner,
+				repo,
+				prNumber,
+				headSha,
+				file
+			}, `Failed to fetch contents for ${file.filename}: ${error}`);
+		}
+		files.push(changedFile);
+	}
+	logger.info({
+		owner,
+		repo,
+		prNumber,
+		headSha,
+		pathFilters,
+		includeContents,
+		files
+	}, `Found ${files.length} changed files${pathFilters.length > 0 ? ` matching "${pathFilters.join(", ")}"` : ""}`);
+	return files;
+}
+/**
+* Get file-based diffs with all commit messages that impacted each file.
+*/
+async function fetchPrFileDiffs(octokit, owner, repo, prNumber) {
+	try {
+		const commits = await fetchPrCommits(octokit, owner, repo, prNumber);
+		const prFiles = await fetchPrFiles(octokit, owner, repo, prNumber);
+		const fileToCommits = {};
+		for (const commit of commits) {
+			const commitSha = commit.sha;
+			const commitDetails = await fetchCommitDetails(octokit, owner, repo, commitSha);
+			const commitMessage = commit.commit.message;
+			for (const fileInfo of commitDetails.files || []) {
+				const filename = fileInfo.filename;
+				if (!fileToCommits[filename]) fileToCommits[filename] = [];
+				fileToCommits[filename].push({
+					commit_sha: commitSha,
+					commit_message: commitMessage,
+					file_info: fileInfo
+				});
+			}
+		}
+		const fileDiffs = [];
+		for (const prFile of prFiles) {
+			const filename = prFile.path;
+			if (filename in fileToCommits) {
+				const commitMessages = fileToCommits[filename].map((commitData) => commitData.commit_message);
+				const diff = prFile.patch;
+				const additions = prFile.additions || 0;
+				const deletions = prFile.deletions || 0;
+				const githubFileDiff = {
+					commit_messages: commitMessages,
+					path: filename,
+					status: prFile.status,
+					additions,
+					deletions,
+					patch: diff
+				};
+				fileDiffs.push(githubFileDiff);
+			}
+		}
+		return fileDiffs;
+	} catch (error) {
+		throw new Error(`Failed to get PR file diffs: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+}
+/**
+* Generate a markdown representation of a pull request with file diffs
+*/
+function generatePrMarkdown(pr, fileDiffs, owner, repo) {
+	let markdown = `# Pull Request #${pr.number}: ${pr.title}\n\n`;
+	markdown += `**Repository:** ${owner}/${repo}\n`;
+	markdown += `**State:** ${pr.state}\n`;
+	markdown += `**Author:** ${pr.author.login}\n`;
+	markdown += `**Created:** ${new Date(pr.createdAt).toLocaleDateString()}\n`;
+	markdown += `**Updated:** ${new Date(pr.updatedAt).toLocaleDateString()}\n\n`;
+	markdown += "## Branches\n";
+	markdown += `- **From:** \`${pr.head.ref}\`\n`;
+	markdown += `- **To:** \`${pr.base.ref}\` (${owner}/${repo})\n\n`;
+	markdown += `**URL:** ${pr.url}\n\n`;
+	if (pr.body) markdown += `## Description\n${pr.body}\n\n`;
+	else markdown += "## Description\n_No description provided._\n\n";
+	if (fileDiffs.length > 0) {
+		markdown += "## Files Changed\n";
+		for (const fileDiff of fileDiffs) {
+			markdown += `### ${fileDiff.path}\n`;
+			markdown += `- **Additions:** +${fileDiff.additions}\n`;
+			markdown += `- **Deletions:** -${fileDiff.deletions}\n`;
+			if (fileDiff.commit_messages.length > 0) {
+				markdown += "- **Related commits:**\n";
+				const uniqueMessages = [...new Set(fileDiff.commit_messages)];
+				for (const message of uniqueMessages) markdown += `  - ${message.split("\n")[0]}\n`;
+			}
+			markdown += "\n";
+		}
+	}
+	return markdown;
+}
+/**
+* Validates that line numbers are within valid range
+*/
+function validateLineNumbers(startLine, endLine, totalLines) {
+	if (startLine < 1 || endLine > totalLines) throw new Error(`Line numbers out of range: ${startLine}-${endLine}`);
+	if (startLine > endLine) throw new Error(`Invalid line range: ${startLine} > ${endLine}`);
+}
+async function getFilePathsInRepo(githubClient, owner, repo, path = "") {
+	const filePaths = [];
+	try {
+		const response = await githubClient.rest.repos.getContent({
+			owner,
+			repo,
+			path
+		});
+		if (Array.isArray(response.data)) for (const item of response.data) {
+			if (item.path.trimStart().startsWith(".") || item.path.includes("[") || item.path.includes("]") || item.path.includes("__tests__")) continue;
+			if (item.type === "file") filePaths.push(item.path);
+			else if (item.type === "dir") {
+				console.log(`Getting files from subdirectory: ${item.path}`);
+				const subDirFiles = await getFilePathsInRepo(githubClient, owner, repo, item.path);
+				filePaths.push(...subDirFiles);
+			}
+		}
+		else if (response.data.type === "file") filePaths.push(response.data.path);
+		return filePaths;
+	} catch (error) {
+		throw new Error(`Failed to get file paths from repository: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+}
+/**
+* Apply the operations to the document.
+*
+* Operations are applied in reverse order (by line number) to avoid
+* line number shifts affecting subsequent operations.
+*/
+function applyOperations(fileContent, operations) {
+	if (!operations || operations.length === 0) return fileContent;
+	const lines = fileContent.split("\n");
+	const totalLines = lines.length;
+	const sortedOperations = operations.sort((a, b) => {
+		const aStart = a.lineStart || 0;
+		const aEnd = a.lineEnd || 0;
+		const bStart = b.lineStart || 0;
+		const bEnd = b.lineEnd || 0;
+		return bStart - aStart || bEnd - aEnd;
+	});
+	for (const operation of sortedOperations) try {
+		switch (operation.operation) {
+			case "replace_lines": {
+				if (!operation.lineStart || !operation.lineEnd || operation.content === void 0) throw new Error("replace_lines requires lineStart, lineEnd, and content");
+				validateLineNumbers(operation.lineStart, operation.lineEnd, totalLines);
+				const startIdx = operation.lineStart - 1;
+				const endIdx = operation.lineEnd;
+				const newLines = operation.content.split("\n");
+				lines.splice(startIdx, endIdx - startIdx, ...newLines);
+				break;
+			}
+			case "insert_after": {
+				if (!operation.lineStart || operation.content === void 0) throw new Error("insert_after requires lineStart and content");
+				if (operation.lineStart < 1 || operation.lineStart > totalLines) throw new Error(`Line number out of range: ${operation.lineStart}`);
+				const insertIdx = operation.lineStart;
+				const newLines = operation.content.split("\n");
+				lines.splice(insertIdx, 0, ...newLines);
+				break;
+			}
+			case "insert_before": {
+				if (!operation.lineStart || operation.content === void 0) throw new Error("insert_before requires lineStart and content");
+				if (operation.lineStart < 1 || operation.lineStart > totalLines) throw new Error(`Line number out of range: ${operation.lineStart}`);
+				const insertIdx = operation.lineStart - 1;
+				const newLines = operation.content.split("\n");
+				lines.splice(insertIdx, 0, ...newLines);
+				break;
+			}
+			case "delete_lines": {
+				if (!operation.lineStart || !operation.lineEnd) throw new Error("delete_lines requires lineStart and lineEnd");
+				validateLineNumbers(operation.lineStart, operation.lineEnd, totalLines);
+				const startIdx = operation.lineStart - 1;
+				const deleteCount = operation.lineEnd - operation.lineStart + 1;
+				lines.splice(startIdx, deleteCount);
+				break;
+			}
+			default: throw new Error(`Unknown operation: ${operation.operation}`);
+		}
+	} catch (error) {
+		console.error(`Error applying operation ${operation.operation}: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+	return lines.join("\n");
+}
+/**
+* Convenience function to apply a single operation to file content
+*/
+function applyOperation(fileContent, operation) {
+	return applyOperations(fileContent, [operation]);
+}
+/**
+* Apply a list of operations to a piece of documentation and return a mapping of line number to line content.
+* This function is useful for visualizing what the operations would do before applying them.
+*
+* @param fileContent - The original content of the file
+* @param operations - A list of operations to apply to the file
+* @returns A mapping of line number to line content, or an error message string if operations fail
+*/
+function visualizeUpdateOperations(fileContent, operations) {
+	try {
+		const lines = applyOperations(fileContent, operations).split("\n");
+		const outputMapping = {};
+		for (let i = 0; i < lines.length; i++) outputMapping[i + 1] = lines[i];
+		return outputMapping;
+	} catch (error) {
+		return `Error applying operations: ${error instanceof Error ? error.message : "Unknown error"}`;
+	}
+}
+async function commitContent({ githubClient, owner, repo, filePath, branchName, content, commitMessage }) {
+	const currentSha = (await githubClient.rest.git.getRef({
+		owner,
+		repo,
+		ref: `heads/${branchName}`
+	})).data.object.sha;
+	const currentTreeSha = (await githubClient.rest.git.getCommit({
+		owner,
+		repo,
+		commit_sha: currentSha
+	})).data.tree.sha;
+	const blob = await githubClient.rest.git.createBlob({
+		owner,
+		repo,
+		content: Buffer.from(content).toString("base64"),
+		encoding: "base64"
+	});
+	const newTree = await githubClient.rest.git.createTree({
+		owner,
+		repo,
+		base_tree: currentTreeSha,
+		tree: [{
+			path: filePath,
+			mode: "100644",
+			type: "blob",
+			sha: blob.data.sha
+		}]
+	});
+	const newCommit = await githubClient.rest.git.createCommit({
+		owner,
+		repo,
+		message: commitMessage,
+		tree: newTree.data.sha,
+		parents: [currentSha]
+	});
+	await githubClient.rest.git.updateRef({
+		owner,
+		repo,
+		ref: `heads/${branchName}`,
+		sha: newCommit.data.sha
+	});
+	return newCommit.data.sha;
+}
+async function commitFileChanges({ githubClient, owner, repo, fileContent, filePath, branchName, operations, commitMessage }) {
+	try {
+		return await commitContent({
+			githubClient,
+			owner,
+			repo,
+			filePath,
+			branchName,
+			content: applyOperations(fileContent, operations),
+			commitMessage
+		});
+	} catch (error) {
+		throw new Error(`Error committing file changes: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+}
+async function commitNewFile({ githubClient, owner, repo, filePath, branchName, content, commitMessage }) {
+	try {
+		return await commitContent({
+			githubClient,
+			owner,
+			repo,
+			filePath,
+			branchName,
+			content,
+			commitMessage
+		});
+	} catch (error) {
+		throw new Error(`Failed to commit new file: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+}
+async function formatFileDiff(pullRequestNumber, files, includeContents = false) {
+	let output = `## File Patches for PR #${pullRequestNumber}\n\n`;
+	output += `Found ${files.length} file(s) matching the requested paths.\n\n`;
+	for (const file of files) {
+		output += `### ${file.path}\n`;
+		output += `**Status:** ${file.status} | **+${file.additions}** / **-${file.deletions}**\n\n`;
+		if (file.patch) {
+			output += "```diff\n";
+			output += file.patch;
+			output += "\n```\n\n";
+		} else output += "_No patch available (file may be binary or too large)_\n\n";
+		if (includeContents && file.contents) {
+			output += "<details>\n<summary>Full file contents</summary>\n\n";
+			output += "```\n";
+			output += file.contents;
+			output += "\n```\n\n</details>\n\n";
+		}
+	}
+	return output;
+}
+
+//#endregion
+export { applyOperation, applyOperations, commitFileChanges, commitNewFile, fetchCommitDetails, fetchPrCommits, fetchPrFileDiffs, fetchPrFiles, fetchPrInfo, formatFileDiff, generatePrMarkdown, getFilePathsInRepo, getGitHubClientFromInstallationId, getGitHubClientFromRepo, validateLineNumbers, visualizeUpdateOperations };

package/dist/github/oidcToken.d.ts

@@ -0,0 +1,22 @@
+//#region src/github/oidcToken.d.ts
+interface GitHubOidcClaims {
+  repository: string;
+  repository_owner: string;
+  repository_id: string;
+  workflow: string;
+  actor: string;
+  ref: string;
+}
+interface ValidateTokenResult {
+  success: true;
+  claims: GitHubOidcClaims;
+}
+interface ValidateTokenError {
+  success: false;
+  errorType: 'invalid_signature' | 'expired' | 'wrong_issuer' | 'wrong_audience' | 'malformed' | 'jwks_error';
+  message: string;
+}
+type ValidateOidcTokenResult = ValidateTokenResult | ValidateTokenError;
+declare function validateOidcToken(token: string): Promise<ValidateOidcTokenResult>;
+//#endregion
+export { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken };

package/dist/github/oidcToken.js

@@ -0,0 +1,140 @@
+import { getLogger } from "../logger.js";
+import { getJwkForToken } from "./jwks.js";
+import { decodeProtectedHeader, errors, jwtVerify } from "jose";
+
+//#region src/github/oidcToken.ts
+const logger = getLogger("github-oidc-token");
+const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
+const EXPECTED_AUDIENCE = "inkeep-agents-action";
+async function validateOidcToken(token) {
+	let header;
+	try {
+		header = decodeProtectedHeader(token);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.warn({ error: message }, "Failed to decode JWT header");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: "Invalid JWT format: unable to decode token header"
+		};
+	}
+	if (header.alg !== "RS256") {
+		logger.warn({ algorithm: header.alg }, "Unexpected JWT algorithm");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Invalid JWT algorithm: expected RS256, got ${header.alg}`
+		};
+	}
+	const jwkResult = await getJwkForToken(header);
+	if (!jwkResult.success) {
+		logger.error({ error: jwkResult.error }, "Failed to get JWK for token");
+		return {
+			success: false,
+			errorType: "jwks_error",
+			message: jwkResult.error
+		};
+	}
+	try {
+		const { payload } = await jwtVerify(token, jwkResult.key, {
+			issuer: GITHUB_OIDC_ISSUER,
+			audience: EXPECTED_AUDIENCE
+		});
+		const repository = payload.repository;
+		const repositoryOwner = payload.repository_owner;
+		const repositoryId = payload.repository_id;
+		const workflow = payload.workflow;
+		const actor = payload.actor;
+		const ref = payload.ref;
+		if (typeof repository !== "string" || typeof repositoryOwner !== "string" || typeof repositoryId !== "string" || typeof workflow !== "string" || typeof actor !== "string" || typeof ref !== "string") {
+			logger.warn({ payload }, "OIDC token missing required claims");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: "OIDC token missing required claims: repository, repository_owner, repository_id, workflow, actor, or ref"
+			};
+		}
+		logger.info({
+			repository,
+			actor
+		}, "Successfully validated OIDC token");
+		return {
+			success: true,
+			claims: {
+				repository,
+				repository_owner: repositoryOwner,
+				repository_id: repositoryId,
+				workflow,
+				actor,
+				ref
+			}
+		};
+	} catch (error) {
+		if (error instanceof errors.JWTExpired) {
+			logger.warn({}, "OIDC token has expired");
+			return {
+				success: false,
+				errorType: "expired",
+				message: "OIDC token has expired"
+			};
+		}
+		if (error instanceof errors.JWTClaimValidationFailed) {
+			const claimError = error;
+			if (claimError.claim === "iss") {
+				logger.warn({ issuer: claimError.reason }, "Invalid OIDC token issuer");
+				return {
+					success: false,
+					errorType: "wrong_issuer",
+					message: `Invalid token issuer: expected ${GITHUB_OIDC_ISSUER}`
+				};
+			}
+			if (claimError.claim === "aud") {
+				logger.warn({ audience: claimError.reason }, "Invalid OIDC token audience");
+				return {
+					success: false,
+					errorType: "wrong_audience",
+					message: `Invalid token audience: expected ${EXPECTED_AUDIENCE}`
+				};
+			}
+			logger.warn({
+				claim: claimError.claim,
+				reason: claimError.reason
+			}, "JWT claim validation failed");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `JWT claim validation failed: ${claimError.claim} ${claimError.reason}`
+			};
+		}
+		if (error instanceof errors.JWSSignatureVerificationFailed) {
+			logger.warn({}, "Invalid OIDC token signature");
+			return {
+				success: false,
+				errorType: "invalid_signature",
+				message: "Invalid token signature"
+			};
+		}
+		if (error instanceof errors.JOSEError) {
+			logger.error({
+				error: error.message,
+				code: error.code
+			}, "JOSE error during token validation");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `Token validation error: ${error.message}`
+			};
+		}
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Unexpected error during token validation");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Token validation error: ${message}`
+		};
+	}
+}
+
+//#endregion
+export { validateOidcToken };

package/dist/github/routes/setup.d.ts

@@ -0,0 +1,7 @@
+import { Hono } from "hono";
+import * as hono_types2 from "hono/types";
+
+//#region src/github/routes/setup.d.ts
+declare const app: Hono<hono_types2.BlankEnv, hono_types2.BlankSchema, "/">;
+//#endregion
+export { app as default };