@inkeep/agents-work-apps 0.0.0-dev-20260203033642

package/dist/github/routes/setup.js

@@ -0,0 +1,217 @@
+import { env } from "../../env.js";
+import { getLogger } from "../../logger.js";
+import runDbClient_default from "../../db/runDbClient.js";
+import { getStateSigningSecret, isStateSigningConfigured } from "../config.js";
+import { createAppJwt, determineStatus, fetchInstallationDetails, fetchInstallationRepositories } from "../installation.js";
+import { createInstallation, generateId, getInstallationByGitHubId, listProjectsMetadata, setProjectAccessMode, syncRepositories, updateInstallationStatusByGitHubId } from "@inkeep/agents-core";
+import { Hono } from "hono";
+import { jwtVerify } from "jose";
+import { z } from "zod";
+
+//#region src/github/routes/setup.ts
+const logger = getLogger("github-setup");
+const STATE_JWT_ISSUER = "inkeep-agents-api";
+const STATE_JWT_AUDIENCE = "github-app-install";
+const CallbackQuerySchema = z.object({
+	installation_id: z.string(),
+	setup_action: z.enum([
+		"install",
+		"update",
+		"request"
+	]),
+	state: z.string()
+});
+function getManageUiUrl() {
+	return env.INKEEP_AGENTS_MANAGE_UI_URL || "http://localhost:3000";
+}
+function buildErrorRedirectUrl(message) {
+	const baseUrl = getManageUiUrl();
+	const url = new URL("/github/setup-error", baseUrl);
+	url.searchParams.set("message", message);
+	return url.toString();
+}
+function buildRedirectUrl(params) {
+	const baseUrl = getManageUiUrl();
+	const url = new URL(`/${params.tenantId}/work-apps/github`, baseUrl);
+	url.searchParams.set("status", params.status);
+	if (params.message) url.searchParams.set("message", params.message);
+	if (params.installationId) url.searchParams.set("installation_id", params.installationId);
+	return url.toString();
+}
+async function verifyStateToken(state) {
+	if (!isStateSigningConfigured()) return {
+		success: false,
+		error: "GitHub App installation is not configured"
+	};
+	const secret = getStateSigningSecret();
+	const secretKey = new TextEncoder().encode(secret);
+	try {
+		const { payload } = await jwtVerify(state, secretKey, {
+			issuer: STATE_JWT_ISSUER,
+			audience: STATE_JWT_AUDIENCE
+		});
+		const tenantId = payload.tenantId;
+		if (!tenantId) return {
+			success: false,
+			error: "Invalid state: missing tenantId"
+		};
+		return {
+			success: true,
+			tenantId
+		};
+	} catch (error) {
+		if (error instanceof Error) {
+			const errorMessage = error.message.toLowerCase();
+			const errorName = error.name.toLowerCase();
+			if (errorMessage.includes("expired") || errorName.includes("expired")) return {
+				success: false,
+				error: "State token has expired. Please try installing again."
+			};
+			if (errorMessage.includes("signature")) return {
+				success: false,
+				error: "Invalid state signature"
+			};
+		}
+		logger.error({ error }, "Failed to verify state token");
+		return {
+			success: false,
+			error: "Invalid state token"
+		};
+	}
+}
+const app = new Hono();
+app.get("/", async (c) => {
+	const queryParams = {
+		installation_id: c.req.query("installation_id"),
+		setup_action: c.req.query("setup_action"),
+		state: c.req.query("state")
+	};
+	const parseResult = CallbackQuerySchema.safeParse(queryParams);
+	if (!parseResult.success) {
+		logger.warn({ errors: parseResult.error.issues }, "Invalid callback parameters");
+		return c.redirect(buildErrorRedirectUrl("Invalid callback parameters"));
+	}
+	const { installation_id, setup_action, state } = parseResult.data;
+	logger.info({
+		installation_id,
+		setup_action
+	}, "Processing GitHub callback");
+	const stateResult = await verifyStateToken(state);
+	if (!stateResult.success) {
+		logger.warn({ error: stateResult.error }, "State verification failed");
+		return c.redirect(buildErrorRedirectUrl(stateResult.error));
+	}
+	const { tenantId } = stateResult;
+	logger.info({
+		tenantId,
+		installation_id
+	}, "State verified successfully");
+	let appJwt;
+	try {
+		appJwt = await createAppJwt();
+	} catch (error) {
+		logger.error({ error }, "Failed to create GitHub App JWT");
+		return c.redirect(buildErrorRedirectUrl("GitHub App not configured properly"));
+	}
+	const installationResult = await fetchInstallationDetails(installation_id, appJwt);
+	if (!installationResult.success) return c.redirect(buildRedirectUrl({
+		tenantId,
+		status: "error",
+		message: "Failed to verify installation with GitHub"
+	}));
+	const { installation } = installationResult;
+	logger.info({
+		accountLogin: installation.account.login,
+		accountType: installation.account.type,
+		installationId: installation.id
+	}, "Fetched installation details from GitHub");
+	const reposResult = await fetchInstallationRepositories(installation_id, appJwt);
+	if (!reposResult.success) logger.warn({ error: reposResult.error }, "Failed to fetch repositories, continuing with empty list");
+	const repositories = reposResult.success ? reposResult.repositories : [];
+	logger.info({ repositoryCount: repositories.length }, "Fetched repositories from GitHub");
+	const status = determineStatus(setup_action);
+	try {
+		const existingInstallation = await getInstallationByGitHubId(runDbClient_default)(installation_id);
+		let internalInstallationId;
+		if (existingInstallation) {
+			logger.info({
+				existingId: existingInstallation.id,
+				setup_action
+			}, "Updating existing installation");
+			const updated = await updateInstallationStatusByGitHubId(runDbClient_default)({
+				gitHubInstallationId: installation_id,
+				status
+			});
+			if (!updated) throw new Error("Failed to update installation status");
+			internalInstallationId = updated.id;
+		} else {
+			logger.info({
+				tenantId,
+				setup_action
+			}, "Creating new installation record");
+			internalInstallationId = (await createInstallation(runDbClient_default)({
+				id: generateId(),
+				tenantId,
+				installationId: installation_id,
+				accountLogin: installation.account.login,
+				accountId: String(installation.account.id),
+				accountType: installation.account.type,
+				status
+			})).id;
+			const projectsInTenant = await listProjectsMetadata(runDbClient_default)({ tenantId });
+			if (projectsInTenant.length > 0) {
+				logger.info({
+					tenantId,
+					projectCount: projectsInTenant.length
+				}, "Setting GitHub access mode to \"all\" for all existing projects");
+				await Promise.all(projectsInTenant.map((project) => setProjectAccessMode(runDbClient_default)({
+					tenantId,
+					projectId: project.id,
+					mode: "all"
+				})));
+			}
+		}
+		if (repositories.length > 0) {
+			const syncResult = await syncRepositories(runDbClient_default)({
+				installationId: internalInstallationId,
+				repositories: repositories.map((repo) => ({
+					repositoryId: String(repo.id),
+					repositoryName: repo.name,
+					repositoryFullName: repo.full_name,
+					private: repo.private
+				}))
+			});
+			logger.info({
+				added: syncResult.added,
+				removed: syncResult.removed,
+				updated: syncResult.updated
+			}, "Synced repositories");
+		}
+		logger.info({
+			tenantId,
+			installationId: installation_id,
+			accountLogin: installation.account.login,
+			status
+		}, "GitHub App installation processed successfully");
+		return c.redirect(buildRedirectUrl({
+			tenantId,
+			status: "success",
+			installationId: internalInstallationId
+		}));
+	} catch (error) {
+		logger.error({
+			error,
+			tenantId,
+			installation_id
+		}, "Failed to store installation in database");
+		return c.redirect(buildRedirectUrl({
+			tenantId,
+			status: "error",
+			message: "Failed to complete installation setup"
+		}));
+	}
+});
+var setup_default = app;
+
+//#endregion
+export { setup_default as default };

package/dist/github/routes/tokenExchange.d.ts

@@ -0,0 +1,7 @@
+import { Hono } from "hono";
+import * as hono_types0 from "hono/types";
+
+//#region src/github/routes/tokenExchange.d.ts
+declare const app: Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
+//#endregion
+export { app as default };

package/dist/github/routes/tokenExchange.js

@@ -0,0 +1,233 @@
+import { getLogger } from "../../logger.js";
+import runDbClient_default from "../../db/runDbClient.js";
+import { isGitHubAppConfigured } from "../config.js";
+import { generateInstallationAccessToken, lookupInstallationForRepo } from "../installation.js";
+import { validateOidcToken } from "../oidcToken.js";
+import { checkProjectRepositoryAccess, getInstallationByGitHubId } from "@inkeep/agents-core";
+import { Hono } from "hono";
+import { z } from "zod";
+
+//#region src/github/routes/tokenExchange.ts
+const logger = getLogger("github-token-exchange");
+const TokenExchangeRequestSchema = z.object({
+	oidc_token: z.string(),
+	project_id: z.string().optional()
+});
+const app = new Hono();
+/**
+* Exchange GitHub OIDC token for installation token.
+*
+* This is an internal infrastructure endpoint called by the CLI from GitHub Actions.
+* It exchanges a GitHub Actions OIDC token for a GitHub App installation access token.
+* Not included in the public OpenAPI spec.
+*/
+app.post("/", async (c) => {
+	const rawBody = await c.req.json().catch(() => null);
+	const parseResult = TokenExchangeRequestSchema.safeParse(rawBody);
+	if (!parseResult.success) {
+		const errorMessage = parseResult.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join("; ");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: errorMessage,
+			error: errorMessage
+		}, 400);
+	}
+	const body = parseResult.data;
+	logger.info({}, "Processing token exchange request");
+	if (!isGitHubAppConfigured()) {
+		logger.error({}, "GitHub App credentials not configured");
+		const errorMessage = "GitHub App credentials are not configured. Please contact the administrator to set up GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.";
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "GitHub App Not Configured",
+			status: 500,
+			detail: errorMessage,
+			error: errorMessage
+		}, 500);
+	}
+	const validationResult = await validateOidcToken(body.oidc_token);
+	if (!validationResult.success) {
+		const errorType = validationResult.errorType;
+		logger.warn({
+			errorType,
+			message: validationResult.message
+		}, "OIDC token validation failed");
+		c.header("Content-Type", "application/problem+json");
+		if (errorType === "malformed") return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 400);
+		return c.json({
+			title: "Token Validation Failed",
+			status: 401,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 401);
+	}
+	const { claims } = validationResult;
+	const installationResult = await lookupInstallationForRepo(claims.repository_owner, claims.repository.split("/")[1]);
+	if (!installationResult.success) {
+		const { errorType, message } = installationResult;
+		if (errorType === "not_installed") {
+			c.header("Content-Type", "application/problem+json");
+			return c.json({
+				title: "GitHub App Not Installed",
+				status: 403,
+				detail: message,
+				error: message
+			}, 403);
+		}
+		logger.error({
+			errorType,
+			message,
+			repository: claims.repository
+		}, "Failed to look up GitHub App installation");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Lookup Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { installation } = installationResult;
+	logger.info({
+		installationId: installation.installationId,
+		repository: claims.repository
+	}, "Found GitHub App installation");
+	const dbInstallation = await getInstallationByGitHubId(runDbClient_default)(installation.installationId.toString());
+	if (!dbInstallation) {
+		const errorMessage = "GitHub App installation not registered. Please connect your GitHub organization in the Inkeep dashboard.";
+		logger.warn({
+			installationId: installation.installationId,
+			repository: claims.repository
+		}, "Installation not found in database");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Not Registered",
+			status: 403,
+			detail: errorMessage,
+			error: errorMessage
+		}, 403);
+	}
+	if (dbInstallation.status === "pending") {
+		const errorMessage = "GitHub App installation is pending organization admin approval";
+		logger.warn({
+			installationId: installation.installationId,
+			repository: claims.repository,
+			status: dbInstallation.status
+		}, "Installation is pending approval");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Pending",
+			status: 403,
+			detail: errorMessage,
+			error: errorMessage
+		}, 403);
+	}
+	if (dbInstallation.status === "suspended") {
+		const errorMessage = "GitHub App installation is suspended";
+		logger.warn({
+			installationId: installation.installationId,
+			repository: claims.repository,
+			status: dbInstallation.status
+		}, "Installation is suspended");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Suspended",
+			status: 403,
+			detail: errorMessage,
+			error: errorMessage
+		}, 403);
+	}
+	if (dbInstallation.status === "deleted") {
+		const errorMessage = "GitHub App installation has been disconnected";
+		logger.warn({
+			installationId: installation.installationId,
+			repository: claims.repository,
+			status: dbInstallation.status
+		}, "Installation has been deleted");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Disconnected",
+			status: 403,
+			detail: errorMessage,
+			error: errorMessage
+		}, 403);
+	}
+	logger.info({
+		installationId: installation.installationId,
+		tenantId: dbInstallation.tenantId,
+		repository: claims.repository
+	}, "Installation validated against database");
+	if (body.project_id) {
+		const accessCheck = await checkProjectRepositoryAccess(runDbClient_default)({
+			projectId: body.project_id,
+			repositoryFullName: claims.repository,
+			tenantId: dbInstallation.tenantId
+		});
+		if (!accessCheck.hasAccess) {
+			const errorMessage = `Project does not have access to repository ${claims.repository}. ${accessCheck.reason}`;
+			logger.warn({
+				installationId: installation.installationId,
+				tenantId: dbInstallation.tenantId,
+				projectId: body.project_id,
+				repository: claims.repository,
+				reason: accessCheck.reason
+			}, "Project does not have access to repository");
+			c.header("Content-Type", "application/problem+json");
+			return c.json({
+				title: "Repository Access Denied",
+				status: 403,
+				detail: errorMessage,
+				error: errorMessage
+			}, 403);
+		}
+		logger.info({
+			installationId: installation.installationId,
+			tenantId: dbInstallation.tenantId,
+			projectId: body.project_id,
+			repository: claims.repository,
+			reason: accessCheck.reason
+		}, "Project has access to repository");
+	}
+	const tokenResult = await generateInstallationAccessToken(installation.installationId);
+	if (!tokenResult.success) {
+		const { errorType, message } = tokenResult;
+		logger.error({
+			errorType,
+			message,
+			installationId: installation.installationId,
+			repository: claims.repository
+		}, "Failed to generate installation access token");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Token Generation Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { accessToken } = tokenResult;
+	logger.info({
+		installationId: installation.installationId,
+		tenantId: dbInstallation.tenantId,
+		repository: claims.repository,
+		expiresAt: accessToken.expiresAt
+	}, "Token exchange completed successfully");
+	return c.json({
+		token: accessToken.token,
+		expires_at: accessToken.expiresAt,
+		repository: claims.repository,
+		installation_id: installation.installationId,
+		tenant_id: dbInstallation.tenantId
+	}, 200);
+});
+var tokenExchange_default = app;
+
+//#endregion
+export { tokenExchange_default as default };

package/dist/github/routes/webhooks.d.ts

@@ -0,0 +1,12 @@
+import { Hono } from "hono";
+import * as hono_types4 from "hono/types";
+
+//#region src/github/routes/webhooks.d.ts
+interface WebhookVerificationResult {
+  success: boolean;
+  error?: string;
+}
+declare function verifyWebhookSignature(payload: string, signature: string | undefined, secret: string): WebhookVerificationResult;
+declare const app: Hono<hono_types4.BlankEnv, hono_types4.BlankSchema, "/">;
+//#endregion
+export { WebhookVerificationResult, app as default, verifyWebhookSignature };