@nairon-ai/aegis 0.2.0

package/src/integrations/linear.ts

@@ -0,0 +1,195 @@
+import type { AegisConfig, WorkItem } from "../shared/types.js";
+
+type LinearIssueNode = {
+	id: string;
+	identifier: string;
+	title: string;
+	description?: string | null;
+	url: string;
+	createdAt: string;
+	updatedAt: string;
+	state?: { id: string; name: string };
+	team?: { id: string; key: string };
+	labels?: { nodes: Array<{ name: string }> };
+};
+
+type LinearStateNode = {
+	id: string;
+	name: string;
+};
+
+export class LinearClient {
+	private readonly config: AegisConfig;
+
+	constructor(config: AegisConfig) {
+		this.config = config;
+	}
+
+	isConfigured(): boolean {
+		return Boolean(this.config.linear?.apiKey && this.config.linear.teamId);
+	}
+
+	async listReadyIssues(): Promise<WorkItem[]> {
+		if (!this.isConfigured()) return [];
+		const linear = this.requireConfig();
+		const result = await this.graphql<{
+			issues: { nodes: LinearIssueNode[] };
+		}>(
+			`query ReadyIssues($filter: IssueFilter, $first: Int!) {
+				issues(filter: $filter, first: $first, orderBy: updatedAt) {
+					nodes {
+						id
+						identifier
+						title
+						description
+						url
+						createdAt
+						updatedAt
+						state { id name }
+						team { id key }
+						labels { nodes { name } }
+					}
+				}
+			}`,
+			{
+				first: 50,
+				filter: {
+					team: { id: { eq: linear.teamId } },
+					...(linear.projectId ? { project: { id: { eq: linear.projectId } } } : {}),
+					state: { name: { eq: linear.readyStatusName } },
+					labels: { some: { name: { eq: linear.bugLabel } } },
+				},
+			},
+		);
+
+		return result.issues.nodes
+			.filter((issue) => {
+				const labels = issue.labels?.nodes.map((label) => label.name.toLowerCase()) ?? [];
+				return ![
+					this.config.inProgressLabel,
+					this.config.needsInfoLabel,
+					this.config.blockedLabel,
+					this.config.prOpenedLabel,
+				].some((label) => labels.includes(label.toLowerCase()));
+			})
+			.map((issue) => ({
+				source: "linear" as const,
+				id: issue.id,
+				identifier: issue.identifier,
+				title: issue.title,
+				body: issue.description ?? "",
+				url: issue.url,
+				repo: this.config.monitoredRepo,
+				labels: issue.labels?.nodes.map((label) => label.name) ?? [],
+				statusName: issue.state?.name,
+				createdAt: issue.createdAt,
+				updatedAt: issue.updatedAt,
+			}));
+	}
+
+	async getIssue(issueIdOrIdentifier: string): Promise<WorkItem> {
+		const result = await this.graphql<{ issue: LinearIssueNode }>(
+			`query Issue($id: String!) {
+				issue(id: $id) {
+					id
+					identifier
+					title
+					description
+					url
+					createdAt
+					updatedAt
+					state { id name }
+					team { id key }
+					labels { nodes { name } }
+				}
+			}`,
+			{ id: issueIdOrIdentifier },
+		);
+		const issue = result.issue;
+		return {
+			source: "linear",
+			id: issue.id,
+			identifier: issue.identifier,
+			title: issue.title,
+			body: issue.description ?? "",
+			url: issue.url,
+			repo: this.config.monitoredRepo,
+			labels: issue.labels?.nodes.map((label) => label.name) ?? [],
+			statusName: issue.state?.name,
+			createdAt: issue.createdAt,
+			updatedAt: issue.updatedAt,
+		};
+	}
+
+	async comment(issueId: string, body: string): Promise<void> {
+		await this.graphql(
+			`mutation CreateComment($issueId: String!, $body: String!) {
+				commentCreate(input: { issueId: $issueId, body: $body }) {
+					success
+				}
+			}`,
+			{ issueId, body },
+		);
+	}
+
+	async moveToStatus(issueId: string, statusName: string | undefined): Promise<void> {
+		if (!statusName) return;
+		const stateId = await this.findStateId(statusName);
+		if (!stateId) return;
+		await this.graphql(
+			`mutation UpdateIssue($id: String!, $stateId: String!) {
+				issueUpdate(id: $id, input: { stateId: $stateId }) { success }
+			}`,
+			{ id: issueId, stateId },
+		);
+	}
+
+	async linkPullRequest(issueId: string, prUrl: string): Promise<void> {
+		await this.comment(issueId, `Aegis opened a PR: ${prUrl}`);
+	}
+
+	private async findStateId(name: string): Promise<string | undefined> {
+		const linear = this.requireConfig();
+		const result = await this.graphql<{ workflowStates: { nodes: LinearStateNode[] } }>(
+			`query WorkflowStates($teamId: String!) {
+				workflowStates(filter: { team: { id: { eq: $teamId } } }) {
+					nodes { id name }
+				}
+			}`,
+			{ teamId: linear.teamId },
+		);
+		return result.workflowStates.nodes.find(
+			(state) => state.name.toLowerCase() === name.toLowerCase(),
+		)?.id;
+	}
+
+	private requireConfig() {
+		const linear = this.config.linear;
+		if (!linear?.apiKey || !linear.teamId) {
+			throw new Error("Linear API key and team ID are required");
+		}
+		return linear;
+	}
+
+	private async graphql<T>(query: string, variables: Record<string, unknown>): Promise<T> {
+		const linear = this.requireConfig();
+		const response = await fetch("https://api.linear.app/graphql", {
+			method: "POST",
+			headers: {
+				Authorization: linear.apiKey ?? "",
+				"Content-Type": "application/json",
+			},
+			body: JSON.stringify({ query, variables }),
+		});
+		const payload = (await response.json()) as { data?: T; errors?: Array<{ message: string }> };
+		if (!response.ok || payload.errors?.length) {
+			throw new Error(
+				`Linear GraphQL failed: ${response.status} ${
+					payload.errors?.map((error) => error.message).join("; ") ?? ""
+				}`,
+			);
+		}
+		if (!payload.data) throw new Error("Linear GraphQL returned no data");
+		return payload.data;
+	}
+}

package/src/integrations/telegram.ts

@@ -0,0 +1,48 @@
+import type { AegisConfig } from "../shared/types.js";
+
+export async function sendTelegramMessage(config: AegisConfig, text: string): Promise<void> {
+	const token = config.telegram?.botToken;
+	const chatId = config.telegram?.chatId;
+	if (!token || !chatId) return;
+
+	const response = await fetch(`https://api.telegram.org/bot${token}/sendMessage`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({
+			chat_id: chatId,
+			text,
+			disable_web_page_preview: true,
+		}),
+	});
+
+	if (!response.ok) {
+		const body = await response.text();
+		throw new Error(`Telegram sendMessage failed: ${response.status} ${body}`);
+	}
+}
+
+export type TelegramCommand =
+	| { action: "proceed"; runId: string; text?: string; actor: string }
+	| { action: "stop"; runId: string; text?: string; actor: string }
+	| { action: "ask"; runId: string; text: string; actor: string }
+	| { action: "ignore"; actor: string };
+
+export function parseTelegramUpdate(update: unknown): TelegramCommand {
+	const message = (
+		update as { message?: { text?: string; from?: { username?: string; id?: number } } }
+	).message;
+	const actor = message?.from?.username ?? String(message?.from?.id ?? "telegram");
+	return parseAegisCommand(message?.text ?? "", actor);
+}
+
+export function parseAegisCommand(text: string, actor: string): TelegramCommand {
+	const trimmed = text.trim();
+	if (!trimmed.startsWith("/aegis")) return { action: "ignore", actor };
+	const [, command, runId, ...rest] = trimmed.split(/\s+/);
+	if (command === "proceed" && runId) return { action: "proceed", runId, actor };
+	if (command === "stop" && runId) return { action: "stop", runId, actor };
+	if (command === "ask" && runId) {
+		return { action: "ask", runId, text: rest.join(" ").trim(), actor };
+	}
+	return { action: "ignore", actor };
+}

package/src/integrations/webhooks.ts

@@ -0,0 +1,53 @@
+export async function verifyGitHubWebhook(
+	body: string,
+	signature: string | null | undefined,
+	secret: string | undefined,
+): Promise<boolean> {
+	if (!secret) return true;
+	if (!signature?.startsWith("sha256=")) return false;
+	const expected = signature.slice("sha256=".length);
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey(
+		"raw",
+		encoder.encode(secret),
+		{ name: "HMAC", hash: "SHA-256" },
+		false,
+		["sign"],
+	);
+	const digest = await crypto.subtle.sign("HMAC", key, encoder.encode(body));
+	const actual = [...new Uint8Array(digest)]
+		.map((byte) => byte.toString(16).padStart(2, "0"))
+		.join("");
+	return timingSafeEqual(actual, expected);
+}
+
+export async function verifyLinearWebhook(
+	body: string,
+	signature: string | null | undefined,
+	secret: string | undefined,
+): Promise<boolean> {
+	if (!secret) return true;
+	if (!signature) return false;
+	const encoder = new TextEncoder();
+	const key = await crypto.subtle.importKey(
+		"raw",
+		encoder.encode(secret),
+		{ name: "HMAC", hash: "SHA-256" },
+		false,
+		["sign"],
+	);
+	const digest = await crypto.subtle.sign("HMAC", key, encoder.encode(body));
+	const actual = [...new Uint8Array(digest)]
+		.map((byte) => byte.toString(16).padStart(2, "0"))
+		.join("");
+	return timingSafeEqual(actual, signature);
+}
+
+function timingSafeEqual(a: string, b: string): boolean {
+	if (a.length !== b.length) return false;
+	let result = 0;
+	for (let i = 0; i < a.length; i++) {
+		result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+	}
+	return result === 0;
+}

package/src/sandbox/github-token.ts

@@ -0,0 +1,92 @@
+/**
+ * GitHub App JWT + installation token generation.
+ * Uses Web Crypto API (works in Cloudflare Workers).
+ */
+
+export async function createAppJwt(appId: string, privateKey: string): Promise<string> {
+	const now = Math.floor(Date.now() / 1000);
+	const payload = {
+		iat: now - 60,
+		exp: now + 600,
+		iss: appId,
+	};
+
+	const header = { alg: "RS256", typ: "JWT" };
+	const encodedHeader = base64url(JSON.stringify(header));
+	const encodedPayload = base64url(JSON.stringify(payload));
+	const signingInput = `${encodedHeader}.${encodedPayload}`;
+
+	const keyData = pemToArrayBuffer(privateKey);
+	const key = await crypto.subtle.importKey(
+		"pkcs8",
+		keyData,
+		{ name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+		false,
+		["sign"],
+	);
+
+	const signature = await crypto.subtle.sign(
+		"RSASSA-PKCS1-v1_5",
+		key,
+		new TextEncoder().encode(signingInput),
+	);
+
+	return `${signingInput}.${base64url(signature)}`;
+}
+
+export async function getInstallationToken(
+	appId: string,
+	privateKey: string,
+	installationId: string,
+): Promise<string> {
+	const jwt = await createAppJwt(appId, privateKey);
+
+	const response = await fetch(
+		`https://api.github.com/app/installations/${installationId}/access_tokens`,
+		{
+			method: "POST",
+			headers: {
+				Authorization: `Bearer ${jwt}`,
+				Accept: "application/vnd.github+json",
+				"X-GitHub-Api-Version": "2022-11-28",
+				"User-Agent": "aegis-bot",
+			},
+		},
+	);
+
+	if (!response.ok) {
+		const text = await response.text();
+		throw new Error(`Failed to get installation token: ${response.status} ${text}`);
+	}
+
+	const data = (await response.json()) as { token: string };
+	return data.token;
+}
+
+function base64url(input: string | ArrayBuffer): string {
+	let base64: string;
+	if (typeof input === "string") {
+		base64 = btoa(input);
+	} else {
+		const bytes = new Uint8Array(input);
+		let binary = "";
+		for (const byte of bytes) {
+			binary += String.fromCharCode(byte);
+		}
+		base64 = btoa(binary);
+	}
+	return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+function pemToArrayBuffer(pem: string): ArrayBuffer {
+	const lines = pem
+		.replace(/-----BEGIN .+-----/, "")
+		.replace(/-----END .+-----/, "")
+		.replace(/\s/g, "");
+	const binary = atob(lines);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) {
+		bytes[i] = binary.charCodeAt(i);
+	}
+	return bytes.buffer;
+}

package/src/sandbox/index.ts

@@ -0,0 +1 @@
+export { getInstallationToken, createAppJwt } from "./github-token.js";

package/src/server/app.ts

@@ -0,0 +1,292 @@
+import { Hono } from "hono";
+import { startImplementationRun, startPlanRun } from "../agent/client.js";
+import { pickupReadyBugs, scanReadyBugs } from "../core/pickup.js";
+import { GitHubClient } from "../integrations/github.js";
+import { LinearClient } from "../integrations/linear.js";
+import {
+	parseAegisCommand,
+	parseTelegramUpdate,
+	sendTelegramMessage,
+} from "../integrations/telegram.js";
+import { verifyGitHubWebhook, verifyLinearWebhook } from "../integrations/webhooks.js";
+import { configFromBindings } from "../shared/config.js";
+import { formatReadyDecisionLine } from "../shared/format.js";
+import { runFromItem } from "../shared/run-state.js";
+import type { Bindings, ReadinessDecision, WorkItem, WorkRun } from "../shared/types.js";
+import { sourceFor } from "../sources/index.js";
+
+type HonoBindings = { Bindings: Bindings };
+
+export function createAegisApp() {
+	const app = new Hono<HonoBindings>();
+
+	app.get("/", (c) => {
+		return c.json({ service: "aegis", status: "ok", product: "AFK bug-fixing agent" });
+	});
+
+	app.get("/api/pickup", async (c) => {
+		const config = { ...configFromBindings(c.env), workerUrl: new URL(c.req.url).origin };
+		const decisions = await scanReadyBugs(config);
+		return c.json({
+			dryRun: true,
+			count: decisions.length,
+			decisions: decisions.map((decision) => ({
+				source: decision.item.source,
+				identifier: decision.item.identifier,
+				title: decision.item.title,
+				url: decision.item.url,
+				action: decision.action,
+				reason: decision.decision.reason,
+				line: formatReadyDecisionLine(decision.item, decision.decision),
+			})),
+		});
+	});
+
+	app.post("/api/pickup", async (c) => {
+		const config = { ...configFromBindings(c.env), workerUrl: new URL(c.req.url).origin };
+		const decisions = await pickupReadyBugs({
+			config,
+			startRun: async (item, run, decision) => {
+				c.executionCtx.waitUntil(
+					startPlanSafely(c.env, item, run, decision, new URL(c.req.url).origin),
+				);
+			},
+		});
+		return c.json({
+			count: decisions.length,
+			decisions: decisions.map((decision) => ({
+				source: decision.item.source,
+				identifier: decision.item.identifier,
+				action: decision.action,
+				reason: decision.decision.reason,
+				runId: decision.run?.id,
+			})),
+		});
+	});
+
+	app.post("/api/runs/:id/proceed", async (c) => {
+		await proceedRun(c.env, c.req.param("id"), "api");
+		return c.json({ accepted: true, runId: c.req.param("id") });
+	});
+
+	app.post("/api/runs/:id/stop", async (c) => {
+		await stopRun(c.env, c.req.param("id"));
+		return c.json({ accepted: true, runId: c.req.param("id") });
+	});
+
+	app.post("/webhook/telegram", async (c) => {
+		const config = configFromBindings(c.env);
+		const secret = c.req.header("X-Telegram-Bot-Api-Secret-Token");
+		if (config.telegram?.webhookSecret && secret !== config.telegram.webhookSecret) {
+			return c.json({ error: "invalid secret" }, 401);
+		}
+		const command = parseTelegramUpdate(await c.req.json());
+		if (command.action === "ignore") return c.json({ ignored: true });
+		if (command.action === "proceed") {
+			await proceedRun(c.env, command.runId, command.actor);
+			return c.json({ accepted: true });
+		}
+		if (command.action === "stop") {
+			await stopRun(c.env, command.runId);
+			await sendTelegramMessage(config, `Stopped Aegis run ${command.runId}.`);
+			return c.json({ accepted: true });
+		}
+		await askRun(c.env, command.runId, command.text, command.actor);
+		return c.json({ accepted: true });
+	});
+
+	app.post("/webhook/github", async (c) => {
+		const config = configFromBindings(c.env);
+		const rawBody = await c.req.text();
+		const valid = await verifyGitHubWebhook(
+			rawBody,
+			c.req.header("X-Hub-Signature-256"),
+			config.github?.webhookSecret,
+		);
+		if (!valid) return c.json({ error: "invalid signature" }, 401);
+		const payload = JSON.parse(rawBody) as {
+			action?: string;
+			issue?: { number?: number };
+			comment?: { body?: string; user?: { login?: string } };
+		};
+		const event = c.req.header("X-GitHub-Event");
+		if (
+			event === "issues" &&
+			["opened", "edited", "labeled", "unlabeled", "reopened"].includes(payload.action ?? "")
+		) {
+			c.executionCtx.waitUntil(pickupFromWebhook(c.env, new URL(c.req.url).origin));
+			return c.json({ accepted: true, trigger: "pickup" });
+		}
+
+		const command = parseAegisCommand(
+			payload.comment?.body ?? "",
+			payload.comment?.user?.login ?? "github",
+		);
+		if (command.action === "ignore") return c.json({ ignored: true });
+		if (!payload.issue?.number) return c.json({ error: "missing issue" }, 400);
+		const item = await new GitHubClient(config).getIssue(
+			config.monitoredRepo,
+			payload.issue.number,
+		);
+		await handleCommand(c.env, command, item);
+		return c.json({ accepted: true });
+	});
+
+	app.post("/webhook/linear", async (c) => {
+		const config = configFromBindings(c.env);
+		const rawBody = await c.req.text();
+		const valid = await verifyLinearWebhook(
+			rawBody,
+			c.req.header("Linear-Signature"),
+			config.linear?.webhookSecret,
+		);
+		if (!valid) return c.json({ error: "invalid signature" }, 401);
+		const payload = JSON.parse(rawBody) as {
+			type?: string;
+			webhookTimestamp?: number;
+			actor?: { name?: string; email?: string };
+			data?: { body?: string; issue?: { id?: string } };
+		};
+		if (
+			payload.webhookTimestamp &&
+			Math.abs(Date.now() - payload.webhookTimestamp) > 5 * 60 * 1000
+		) {
+			return c.json({ error: "stale webhook" }, 401);
+		}
+		if (payload.type !== "Comment") {
+			if (payload.type === "Issue") {
+				c.executionCtx.waitUntil(pickupFromWebhook(c.env, new URL(c.req.url).origin));
+				return c.json({ accepted: true, trigger: "pickup" });
+			}
+			return c.json({ ignored: true });
+		}
+		const command = parseAegisCommand(
+			payload.data?.body ?? "",
+			payload.actor?.name ?? payload.actor?.email ?? "linear",
+		);
+		if (command.action === "ignore") return c.json({ ignored: true });
+		if (!payload.data?.issue?.id) return c.json({ error: "missing issue" }, 400);
+		const item = await new LinearClient(config).getIssue(payload.data.issue.id);
+		await handleCommand(c.env, command, item);
+		return c.json({ accepted: true });
+	});
+
+	return app;
+}
+
+export async function scheduledPickup(
+	_controller: ScheduledController,
+	env: Bindings,
+	ctx: ExecutionContext,
+): Promise<void> {
+	const config = configFromBindings(env);
+	const decisions = await pickupReadyBugs({
+		config,
+		startRun: async (item, run, decision) => {
+			ctx.waitUntil(startPlanSafely(env, item, run, decision));
+		},
+	});
+	console.log(`[aegis] scheduled pickup checked ${decisions.length} item(s)`);
+}
+
+async function handleCommand(
+	env: Bindings,
+	command: ReturnType<typeof parseAegisCommand>,
+	item: WorkItem,
+): Promise<void> {
+	if (command.action === "proceed") {
+		await proceedRun(env, command.runId, command.actor, item);
+		return;
+	}
+	if (command.action === "stop") {
+		await stopRun(env, command.runId, item);
+		return;
+	}
+	if (command.action === "ask") {
+		await askRun(env, command.runId, command.text, command.actor, item);
+	}
+}
+
+async function startPlanSafely(
+	env: Bindings,
+	item: WorkItem,
+	run: WorkRun,
+	decision: ReadinessDecision,
+	workerUrl?: string,
+): Promise<void> {
+	const baseConfig = configFromBindings(env);
+	const config = { ...baseConfig, workerUrl: baseConfig.workerUrl ?? workerUrl };
+	try {
+		await startPlanRun({ config, item, run, decision });
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		await sourceFor(config, item.source).markBlocked(item, `Aegis failed to run: ${message}`);
+	}
+}
+
+async function pickupFromWebhook(env: Bindings, origin: string): Promise<void> {
+	const config = {
+		...configFromBindings(env),
+		workerUrl: configFromBindings(env).workerUrl ?? origin,
+	};
+	await pickupReadyBugs({
+		config,
+		startRun: async (item, run, decision) => {
+			await startPlanSafely(env, item, run, decision, origin);
+		},
+	});
+}
+
+async function proceedRun(
+	env: Bindings,
+	runId: string,
+	actor: string,
+	item?: WorkItem,
+): Promise<void> {
+	const config = configFromBindings(env);
+	const resolved = item ?? (await resolveItemFromRunId(config, runId));
+	const run = runFromItem(resolved, "plan-first");
+	await startImplementationRun({ config, item: resolved, run, approvedBy: actor });
+}
+
+async function askRun(
+	env: Bindings,
+	runId: string,
+	text: string,
+	actor: string,
+	item?: WorkItem,
+): Promise<void> {
+	if (!text.trim()) return;
+	const config = configFromBindings(env);
+	const resolved = item ?? (await resolveItemFromRunId(config, runId));
+	const followUpItem = {
+		...resolved,
+		body: `${resolved.body}
+
+Human follow-up from ${actor}:
+${text}`,
+	};
+	await startPlanRun({
+		config,
+		item: followUpItem,
+		run: runFromItem(resolved, "plan-first"),
+		decision: { ready: true, reason: "human follow-up", risk: "low", autoImplementAllowed: false },
+	});
+}
+
+async function stopRun(env: Bindings, runId: string, item?: WorkItem): Promise<void> {
+	const config = configFromBindings(env);
+	const resolved = item ?? (await resolveItemFromRunId(config, runId));
+	await sourceFor(config, resolved.source).markBlocked(resolved, `Aegis run ${runId} was stopped.`);
+}
+
+async function resolveItemFromRunId(
+	config: ReturnType<typeof configFromBindings>,
+	runId: string,
+): Promise<WorkItem> {
+	const match = runId.match(/^gh-.+-(\d+)$/);
+	if (match) {
+		return new GitHubClient(config).getIssue(config.monitoredRepo, Number(match[1]));
+	}
+	return new LinearClient(config).getIssue(runId.toUpperCase());
+}