@neuralnomads/codenomad-dev 0.10.3-dev-20260213-ba418a85

package/dist/integrations/github/job-runner.js

@@ -0,0 +1,608 @@
+import os from "os";
+import path from "path";
+import { createManagedWorktree, listWorktrees, resolveRepoRoot } from "../../workspaces/git-worktrees";
+import { ensureCodenomadGitExclude } from "../../workspaces/worktree-map";
+import { verifyGitHubWebhookSignature } from "./webhook-verify";
+import { createAppOctokit, createInstallationOctokit, getInstallationToken } from "./octokit";
+import { ensureClonedAndUpdated, gitFetchAndResetToRemote, gitRemoteRefExists } from "./git-ops";
+import { clearGitHubWorkspaceContext, setGitHubWorkspaceContext } from "./workspace-context";
+import { clearGitHubWorktreeContext, setGitHubWorktreeContext } from "./worktree-context";
+import { buildOpencodeRequestContext } from "../../opencode/request-context";
+import { createOpencodeClient } from "@opencode-ai/sdk/v2/client";
+import { sanitizeGitHubWebhookPayload } from "./sanitize-webhook";
+import { appendCodeNomadBotSignature } from "./bot-signature";
+export class GitHubJobRunner {
+    constructor(deps) {
+        this.deps = deps;
+        this.repoWorkspaceId = new Map();
+        this.activeByRepo = new Map();
+        this.stopTimersByWorkspace = new Map();
+        this.seenDeliveries = new Set();
+        this.cachedBotLogin = null;
+        this.threads = new Map();
+    }
+    enqueue(job) {
+        this.deps.logger.debug({ deliveryId: job.deliveryId, event: job.event }, "Enqueued GitHub webhook");
+        if (job.deliveryId) {
+            if (this.seenDeliveries.has(job.deliveryId)) {
+                this.deps.logger.debug({ deliveryId: job.deliveryId }, "Dropping duplicate GitHub delivery");
+                return;
+            }
+            this.seenDeliveries.add(job.deliveryId);
+            if (this.seenDeliveries.size > 5000) {
+                // best-effort cap
+                this.seenDeliveries.clear();
+            }
+        }
+        const settings = this.readSettings();
+        if (!settings.enabled) {
+            this.deps.logger.warn("GitHub integration disabled; ignoring webhook");
+            return;
+        }
+        if (!settings.webhookSecret) {
+            this.deps.logger.error("GitHub integration misconfigured (missing webhookSecret)");
+            return;
+        }
+        const valid = verifyGitHubWebhookSignature({
+            secret: settings.webhookSecret,
+            signatureHeader: job.signature,
+            body: job.body,
+        });
+        if (!valid) {
+            this.deps.logger.warn({ deliveryId: job.deliveryId }, "Invalid GitHub webhook signature");
+            return;
+        }
+        if (job.event !== "issue_comment") {
+            return;
+        }
+        let payload;
+        try {
+            payload = JSON.parse(job.body.toString("utf-8"));
+        }
+        catch (error) {
+            this.deps.logger.warn({ err: error }, "Failed to parse GitHub webhook JSON");
+            return;
+        }
+        if (payload.action !== "created") {
+            return;
+        }
+        const owner = payload.repository?.owner?.login;
+        const repo = payload.repository?.name;
+        const issueNumber = payload.issue?.number;
+        if (!owner || !repo || !issueNumber) {
+            this.deps.logger.warn("GitHub webhook missing repository/issue info");
+            return;
+        }
+        if (!this.isAllowedAuthor(settings, payload)) {
+            this.deps.logger.info({
+                owner,
+                repo,
+                issueNumber,
+                author: payload.comment?.user?.login,
+                authorAssociation: payload.comment?.author_association,
+            }, "GitHub mention ignored (author not allowed)");
+            return;
+        }
+        const key = `${owner}/${repo}#${issueNumber}`;
+        this.submitToThread(key, { job, payload, settings });
+    }
+    submitToThread(key, item) {
+        const state = this.threads.get(key) ?? { running: false };
+        if (!state.running) {
+            state.running = true;
+            this.threads.set(key, state);
+            void this.runThread(key, item);
+            return;
+        }
+        // Supersede current run with the latest comment.
+        this.deps.logger.info({
+            key,
+            newDeliveryId: item.job.deliveryId,
+            newCommentId: item.payload.comment?.id,
+        }, "New comment received; cancelling active GitHub run");
+        state.pending = item;
+        if (state.current) {
+            state.current.cancelRequested = true;
+            state.current.controller.abort();
+            if (state.current.abortSession) {
+                void state.current.abortSession().catch(() => undefined);
+            }
+        }
+        this.threads.set(key, state);
+    }
+    async runThread(key, item) {
+        const state = this.threads.get(key);
+        if (!state)
+            return;
+        const controller = new AbortController();
+        state.current = { controller, cancelRequested: false };
+        this.threads.set(key, state);
+        try {
+            await this.handleVerified(item.job, item.payload, item.settings, {
+                signal: controller.signal,
+                registerAbortSession: (fn) => {
+                    const current = this.threads.get(key)?.current;
+                    if (!current)
+                        return;
+                    current.abortSession = fn;
+                    if (current.cancelRequested) {
+                        void fn().catch(() => undefined);
+                    }
+                },
+            });
+        }
+        finally {
+            const latest = this.threads.get(key);
+            if (!latest)
+                return;
+            latest.current = undefined;
+            const pending = latest.pending;
+            latest.pending = undefined;
+            if (pending) {
+                this.threads.set(key, latest);
+                await this.runThread(key, pending);
+                return;
+            }
+            latest.running = false;
+            this.threads.delete(key);
+        }
+    }
+    readSettings() {
+        const cfg = this.deps.configStore.get().integrations?.github;
+        const webhook = cfg?.webhook;
+        return {
+            enabled: Boolean(cfg?.enabled),
+            appId: cfg?.appId,
+            privateKeyPath: cfg?.privateKeyPath,
+            webhookSecret: cfg?.webhookSecret,
+            workspaceRoot: cfg?.workspaceRoot,
+            mentionHandle: cfg?.mentionHandle,
+            webhookAgent: typeof webhook?.agent === "string" ? webhook.agent : undefined,
+            webhookModel: webhook?.model && typeof webhook.model === "object" && typeof webhook.model.providerId === "string" && typeof webhook.model.modelId === "string"
+                ? { providerId: webhook.model.providerId, modelId: webhook.model.modelId }
+                : undefined,
+            webhookVariant: typeof webhook?.variant === "string" ? webhook.variant : undefined,
+            allowedOwners: cfg?.allowedOwners ?? [],
+            allowedRepos: cfg?.allowedRepos ?? [],
+            allowedUsers: cfg?.allowedUsers ?? [],
+            allowedAuthorAssociations: cfg?.allowedAuthorAssociations ?? ["OWNER", "COLLABORATOR"],
+            botLogin: cfg?.botLogin,
+        };
+    }
+    isAllowedAuthor(settings, payload) {
+        const login = (payload.comment?.user?.login ?? "").trim().toLowerCase();
+        if (login) {
+            const allowedUsers = (settings.allowedUsers ?? []).map((u) => u.trim().toLowerCase()).filter(Boolean);
+            if (allowedUsers.includes(login)) {
+                return true;
+            }
+        }
+        const association = payload.comment?.author_association;
+        if (!association || typeof association !== "string") {
+            return false;
+        }
+        const allowed = new Set((settings.allowedAuthorAssociations ?? []).map((v) => v.trim().toUpperCase()).filter(Boolean));
+        return allowed.has(association.trim().toUpperCase());
+    }
+    isAllowedRepo(settings, owner, repo) {
+        const full = `${owner}/${repo}`;
+        if (settings.allowedRepos.length > 0) {
+            return settings.allowedRepos.includes(full);
+        }
+        if (settings.allowedOwners.length > 0) {
+            return settings.allowedOwners.includes(owner);
+        }
+        return true;
+    }
+    async ensureBotLogin(settings) {
+        if (settings.botLogin)
+            return settings.botLogin;
+        if (this.cachedBotLogin)
+            return this.cachedBotLogin;
+        if (!settings.appId || !settings.privateKeyPath)
+            return null;
+        try {
+            const appOctokit = createAppOctokit({ appId: settings.appId, privateKeyPath: settings.privateKeyPath });
+            const response = await appOctokit.request("GET /app");
+            const slug = response.data?.slug;
+            if (typeof slug === "string" && slug.trim()) {
+                this.cachedBotLogin = `${slug}[bot]`;
+                return this.cachedBotLogin;
+            }
+        }
+        catch (error) {
+            this.deps.logger.debug({ err: error }, "Failed to resolve GitHub App bot login");
+        }
+        return null;
+    }
+    async handleVerified(_job, payload, settings, cancel) {
+        if (cancel.signal.aborted) {
+            return;
+        }
+        if (!settings.appId || !settings.privateKeyPath || !settings.webhookSecret) {
+            this.deps.logger.error("GitHub integration misconfigured (missing appId/privateKeyPath/webhookSecret)");
+            return;
+        }
+        const installationId = payload.installation?.id;
+        if (!installationId || typeof installationId !== "number") {
+            this.deps.logger.warn("GitHub webhook missing installation id");
+            return;
+        }
+        const owner = payload.repository?.owner?.login;
+        const repo = payload.repository?.name;
+        if (!owner || !repo) {
+            this.deps.logger.warn("GitHub webhook missing repository info");
+            return;
+        }
+        this.deps.logger.info({ owner, repo }, "GitHub webhook accepted");
+        if (!this.isAllowedRepo(settings, owner, repo)) {
+            this.deps.logger.info({ owner, repo }, "GitHub repo not allowed; ignoring");
+            return;
+        }
+        const botLogin = await this.ensureBotLogin(settings);
+        const authorLogin = payload.comment?.user?.login;
+        if (botLogin && authorLogin && authorLogin === botLogin) {
+            this.deps.logger.debug({ owner, repo, botLogin }, "Ignoring comment from our own bot");
+            return;
+        }
+        const body = (payload.comment?.body ?? "").trim();
+        if (!this.hasTrigger(body, settings)) {
+            this.deps.logger.debug({ owner, repo }, "GitHub webhook ignored (no mention trigger)");
+            return;
+        }
+        this.deps.logger.info({ owner, repo, issueNumber: payload.issue?.number, commentId: payload.comment?.id }, "GitHub mention triggered");
+        const defaultBranch = payload.repository?.default_branch?.trim() || "main";
+        const repoUrl = payload.repository?.clone_url?.trim() || `https://github.com/${owner}/${repo}.git`;
+        const workspaceRoot = this.resolveWorkspaceRoot(settings);
+        const repoDir = path.join(workspaceRoot, owner, repo);
+        const token = await getInstallationToken({ appId: settings.appId, privateKeyPath: settings.privateKeyPath }, installationId);
+        const octokit = createInstallationOctokit({ appId: settings.appId, privateKeyPath: settings.privateKeyPath }, installationId);
+        // Mark as read.
+        await this.addEyesReaction(octokit, owner, repo, payload.comment.id).catch((error) => {
+            this.deps.logger.warn({ err: error }, "Failed to add eyes reaction");
+        });
+        this.deps.logger.info({ owner, repo, commentId: payload.comment.id }, "Added eyes reaction");
+        await ensureClonedAndUpdated({ repoUrl, directory: repoDir, defaultBranch, token });
+        this.deps.logger.info({ owner, repo, repoDir, defaultBranch }, "Repo ready");
+        await ensureCodenomadGitExclude(repoDir, this.deps.logger).catch(() => undefined);
+        const fullName = `${owner}/${repo}`;
+        const workspaceId = await this.ensureWorkspace(fullName, repoDir);
+        this.deps.logger.info({ owner, repo, workspaceId }, "Workspace ready");
+        this.acquireWorkspace(fullName, workspaceId);
+        try {
+            setGitHubWorkspaceContext(workspaceId, {
+                installationId,
+                owner,
+                repo,
+                defaultBranch,
+                repoUrl,
+                botLogin: botLogin ?? undefined,
+            });
+            const issueNumber = payload.issue.number;
+            const commentId = payload.comment.id;
+            const isPullRequest = Boolean(payload.issue?.pull_request);
+            let worktreeSlug;
+            let worktreeDir;
+            if (isPullRequest) {
+                // For PR comments, use a stable bot worktree/branch keyed by PR number.
+                const pr = await octokit.request("GET /repos/{owner}/{repo}/pulls/{pull_number}", {
+                    owner,
+                    repo,
+                    pull_number: issueNumber,
+                });
+                const prAuthorLogin = pr.data?.user?.login;
+                const headRef = pr.data?.head?.ref;
+                const headRepoFullName = pr.data?.head?.repo?.full_name;
+                const baseRepoFullName = pr.data?.base?.repo?.full_name;
+                const baseRef = pr.data?.base?.ref;
+                if (typeof baseRef !== "string" || !baseRef.trim()) {
+                    throw new Error("PR payload missing base ref");
+                }
+                const isFromFork = Boolean(headRepoFullName && baseRepoFullName && headRepoFullName !== baseRepoFullName);
+                const botOwned = Boolean(botLogin && prAuthorLogin && prAuthorLogin === botLogin);
+                // If the PR is bot-owned, operate directly on its head branch to avoid creating duplicate PRs.
+                // Otherwise, operate on a bot-controlled branch keyed by PR number.
+                worktreeSlug = botOwned && typeof headRef === "string" && headRef.trim()
+                    ? headRef.trim()
+                    : `codenomad/pr-${issueNumber}`;
+                const ensured = await this.ensureWorktree({ repoDir, workspaceFolder: repoDir, slug: worktreeSlug });
+                worktreeDir = ensured.directory;
+                // Prefer resetting to the remote branch for this worktree.
+                // If it doesn't exist yet, initialize from the PR head commit.
+                const remoteRef = `refs/heads/${worktreeSlug}`;
+                const hasRemoteBranch = await gitRemoteRefExists({ cwd: worktreeDir, remoteUrl: repoUrl, ref: remoteRef, token });
+                const resetRef = hasRemoteBranch ? worktreeSlug : `pull/${issueNumber}/head`;
+                await gitFetchAndResetToRemote({ cwd: worktreeDir, remoteUrl: repoUrl, ref: resetRef, token });
+                const publishBase = botOwned
+                    ? baseRef.trim()
+                    : typeof headRef === "string" && headRef.trim() && !isFromFork
+                        ? headRef.trim()
+                        : baseRef.trim();
+                setGitHubWorktreeContext(workspaceId, worktreeSlug, {
+                    issueNumber,
+                    isPullRequest: true,
+                    publishBase,
+                    prNumber: issueNumber,
+                    prFromFork: isFromFork,
+                    prAuthorLogin: typeof prAuthorLogin === "string" ? prAuthorLogin : undefined,
+                });
+                this.deps.logger.info({ owner, repo, workspaceId, worktreeSlug, publishBase, botOwned, isFromFork }, "PR worktree ready");
+            }
+            else {
+                // For issue comments, use a stable worktree per issue number.
+                worktreeSlug = `codenomad/issue-${issueNumber}`;
+                const ensured = await this.ensureWorktree({ repoDir, workspaceFolder: repoDir, slug: worktreeSlug });
+                worktreeDir = ensured.directory;
+                // Prefer resetting to the remote bot branch (accumulates prior runs).
+                // If it doesn't exist yet, initialize from the default branch.
+                const remoteBotRef = `refs/heads/${worktreeSlug}`;
+                const hasRemoteBotBranch = await gitRemoteRefExists({ cwd: worktreeDir, remoteUrl: repoUrl, ref: remoteBotRef, token });
+                const resetRef = hasRemoteBotBranch ? worktreeSlug : defaultBranch;
+                await gitFetchAndResetToRemote({ cwd: worktreeDir, remoteUrl: repoUrl, ref: resetRef, token });
+                setGitHubWorktreeContext(workspaceId, worktreeSlug, {
+                    issueNumber,
+                    isPullRequest: false,
+                    publishBase: defaultBranch,
+                });
+                this.deps.logger.info({ owner, repo, workspaceId, worktreeSlug }, "Issue worktree ready");
+            }
+            await this.runOpencode({
+                workspaceId,
+                worktreeSlug,
+                payload,
+                agent: settings.webhookAgent,
+                model: settings.webhookModel,
+                variant: settings.webhookVariant,
+                logger: this.deps.logger,
+                signal: cancel.signal,
+                registerAbortSession: cancel.registerAbortSession,
+            });
+            // Success path: the agent is responsible for commenting via the GitHub tool.
+            this.deps.logger.info({ owner, repo, issueNumber }, "GitHub job completed");
+        }
+        catch (error) {
+            const name = error?.name;
+            if (cancel.signal.aborted || name === "AbortError") {
+                this.deps.logger.info({ owner, repo, issueNumber: payload.issue.number }, "GitHub run superseded; skipping failure comment");
+                return;
+            }
+            const message = error instanceof Error ? error.message : String(error);
+            this.deps.logger.error({ err: error, owner, repo }, "GitHub job failed");
+            // Failure path: comment back with an error so the user knows automation did not complete.
+            // Do not @mention the bot in this comment to avoid loops.
+            await octokit
+                .request("POST /repos/{owner}/{repo}/issues/{issue_number}/comments", {
+                owner,
+                repo,
+                issue_number: payload.issue.number,
+                body: appendCodeNomadBotSignature(`Automation failed.\n\n${message}`),
+            })
+                .catch((commentError) => {
+                this.deps.logger.warn({ err: commentError, owner, repo }, "Failed to post failure comment");
+            });
+        }
+        finally {
+            this.releaseWorkspace(fullName, workspaceId);
+        }
+    }
+    async ensureWorktree(params) {
+        const { repoRoot, isGitRepo } = await resolveRepoRoot(params.workspaceFolder, this.deps.logger);
+        if (!isGitRepo) {
+            throw new Error("Workspace is not a Git repository");
+        }
+        const existing = await listWorktrees({ repoRoot, workspaceFolder: params.workspaceFolder, logger: this.deps.logger });
+        const match = existing.find((wt) => wt.slug === params.slug);
+        if (match) {
+            return { slug: match.slug, directory: match.directory, branch: match.branch };
+        }
+        return await createManagedWorktree({
+            repoRoot,
+            workspaceFolder: params.workspaceFolder,
+            slug: params.slug,
+            logger: this.deps.logger,
+        });
+    }
+    resolveWorkspaceRoot(settings) {
+        if (settings.workspaceRoot) {
+            return settings.workspaceRoot.startsWith("~/")
+                ? path.join(process.env.HOME ?? os.homedir(), settings.workspaceRoot.slice(2))
+                : settings.workspaceRoot;
+        }
+        return path.join(process.env.HOME ?? os.homedir(), ".config", "codenomad", "github-workspace");
+    }
+    hasTrigger(body, settings) {
+        const text = (body ?? "").trim();
+        if (!text)
+            return false;
+        const handles = [];
+        const configured = (settings.mentionHandle ?? "").trim();
+        if (configured)
+            handles.push(configured);
+        const botLogin = (settings.botLogin ?? "").trim();
+        if (botLogin) {
+            handles.push(botLogin.replace(/\[bot\]$/i, ""));
+            handles.push(botLogin);
+        }
+        if (handles.length === 0) {
+            handles.push("codenomad");
+        }
+        const unique = Array.from(new Set(handles.map((h) => h.trim()).filter(Boolean)));
+        for (const handle of unique) {
+            const escaped = handle.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+            const re = new RegExp(`(^|\\s)@${escaped}(\\b|\\s|$)`, "i");
+            if (re.test(text))
+                return true;
+        }
+        return false;
+    }
+    async ensureWorkspace(repoFullName, repoDir) {
+        const existingId = this.repoWorkspaceId.get(repoFullName);
+        if (existingId) {
+            const existing = this.deps.workspaceManager.get(existingId);
+            if (existing && existing.status === "ready") {
+                return existingId;
+            }
+        }
+        const workspace = await this.deps.workspaceManager.create(repoDir, repoFullName, {
+            extraEnvironment: {
+                CODENOMAD_MODE: "github",
+            },
+        });
+        this.repoWorkspaceId.set(repoFullName, workspace.id);
+        return workspace.id;
+    }
+    acquireWorkspace(repoFullName, workspaceId) {
+        const current = this.activeByRepo.get(repoFullName) ?? 0;
+        this.activeByRepo.set(repoFullName, current + 1);
+        const timer = this.stopTimersByWorkspace.get(workspaceId);
+        if (timer) {
+            clearTimeout(timer);
+            this.stopTimersByWorkspace.delete(workspaceId);
+        }
+    }
+    releaseWorkspace(repoFullName, workspaceId) {
+        const current = this.activeByRepo.get(repoFullName) ?? 0;
+        const next = Math.max(0, current - 1);
+        if (next === 0) {
+            this.activeByRepo.delete(repoFullName);
+            const timer = setTimeout(() => {
+                void this.deps.workspaceManager
+                    .delete(workspaceId)
+                    .catch((error) => this.deps.logger.warn({ err: error, workspaceId }, "Failed to stop GitHub workspace"))
+                    .finally(() => {
+                    this.stopTimersByWorkspace.delete(workspaceId);
+                    clearGitHubWorkspaceContext(workspaceId);
+                    clearGitHubWorktreeContext(workspaceId);
+                    const mapped = this.repoWorkspaceId.get(repoFullName);
+                    if (mapped === workspaceId) {
+                        this.repoWorkspaceId.delete(repoFullName);
+                    }
+                });
+            }, 30000);
+            this.stopTimersByWorkspace.set(workspaceId, timer);
+            return;
+        }
+        this.activeByRepo.set(repoFullName, next);
+    }
+    async addEyesReaction(octokit, owner, repo, commentId) {
+        await octokit.request("POST /repos/{owner}/{repo}/issues/comments/{comment_id}/reactions", {
+            owner,
+            repo,
+            comment_id: commentId,
+            content: "eyes",
+            headers: {
+                accept: "application/vnd.github+json",
+            },
+        });
+    }
+    async runOpencode(params) {
+        if (params.signal.aborted) {
+            const err = new Error("Run superseded");
+            err.name = "AbortError";
+            throw err;
+        }
+        const ctx = await buildOpencodeRequestContext({
+            workspaceManager: this.deps.workspaceManager,
+            workspaceId: params.workspaceId,
+            worktreeSlug: params.worktreeSlug,
+            logger: params.logger,
+        });
+        const unwrap = async (promise, label) => {
+            const result = await promise;
+            if (!result) {
+                throw new Error(`${label} returned no result`);
+            }
+            if (result.error) {
+                const err = result.error;
+                const errName = err && typeof err === "object" ? err.name : undefined;
+                if (errName === "AbortError") {
+                    throw err;
+                }
+                const msg = err instanceof Error ? err.message : String(err);
+                throw new Error(`${label} failed: ${msg}`);
+            }
+            return result.data;
+        };
+        // Use the OpenCode SDK with CodeNomad-managed auth + worktree scoping.
+        const client = createOpencodeClient({
+            baseUrl: ctx.baseUrl,
+            headers: ctx.headers,
+        });
+        const session = await unwrap(client.session.create({}, { signal: params.signal }), "session.create");
+        const sessionId = session?.id;
+        if (!sessionId || typeof sessionId !== "string") {
+            throw new Error("OpenCode session.create returned no id");
+        }
+        // OpenCode expects message IDs to start with "msg".
+        const messageId = `msg-${Date.now().toString(36)}-${Math.random().toString(36).slice(2)}`;
+        params.logger.info({ workspaceId: params.workspaceId, sessionId }, "Sending OpenCode message");
+        params.registerAbortSession(async () => {
+            try {
+                await client.session.abort({
+                    sessionID: sessionId,
+                }, { throwOnError: false });
+            }
+            catch {
+                // ignore
+            }
+        });
+        const sanitized = sanitizeGitHubWebhookPayload(params.payload);
+        const webhookJson = JSON.stringify(sanitized, null, 2);
+        const promptText = [
+            "You are a GitHub App bot running inside CodeNomad.",
+            "You are running in headless mode.",
+            "The only way to ask clarifying questions is by posting a GitHub comment using the github tool.",
+            "If your confidence/understanding is below 90%, post a clarifying comment on the same issue/PR and end the task.",
+            "Use the github tool for all GitHub operations.",
+            "Do NOT use gh CLI. It will not be authenticated.",
+            "Before taking any action, call github(op=list_issue_comments, issueNumber=<webhook.issue.number>) to read the full thread context.",
+            "Prefer using github tool operations:",
+            "- github(op=list_issue_comments, issueNumber): list all issue/PR conversation comments (read background)",
+            "- github(op=post_issue_comment, issueNumber, body): post a comment (also works for PRs; PRs are issues)",
+            "- github(op=add_reaction, commentId, content): add a reaction to an issue comment (content: eyes/rocket/+1/-1/laugh/confused/heart/hooray)",
+            "- github(op=publish_pr, title, body?, base?, draft?): push current branch; opens a PR if needed, otherwise returns the existing PR for this branch. Requires clean git state; commit changes first.",
+            "The github tool returns a JSON object with op-specific data; prefer using returned fields like number/url for follow-up actions.",
+            "If you omit base when calling publish_pr, CodeNomad will pick a default base appropriate for this thread (PR vs issue).",
+            "Below is the webhook payload we received (sanitized). Perform tasks based on the user request in comment.body.",
+            "At the end, post a comment in the same issue/PR using github(op=post_issue_comment).",
+            "",
+            "Webhook payload:",
+            "```json",
+            webhookJson,
+            "```",
+            "",
+        ].join("\n");
+        const response = await unwrap(client.session.prompt({
+            sessionID: sessionId,
+            messageID: messageId,
+            ...(params.agent ? { agent: params.agent } : {}),
+            ...(params.model
+                ? {
+                    model: {
+                        providerID: params.model.providerId,
+                        modelID: params.model.modelId,
+                    },
+                }
+                : {}),
+            ...(params.variant ? { variant: params.variant } : {}),
+            parts: [
+                {
+                    type: "text",
+                    text: promptText,
+                },
+            ],
+        }, { signal: params.signal }), "session.prompt");
+        const infoError = response?.info?.error;
+        if (infoError) {
+            const message = typeof infoError?.data?.message === "string"
+                ? infoError.data.message
+                : typeof infoError?.message === "string"
+                    ? infoError.message
+                    : undefined;
+            const errorText = message?.trim() || JSON.stringify(infoError);
+            throw new Error(`OpenCode assistant error: ${errorText}`);
+        }
+        // Success path: agent posts GitHub comments via tools.
+        void response;
+    }
+}

package/dist/integrations/github/octokit.js

@@ -0,0 +1,58 @@
+import fs from "fs";
+import { Octokit } from "@octokit/rest";
+import { createAppAuth } from "@octokit/auth-app";
+let cachedKey = null;
+function readPrivateKey(privateKeyPath) {
+    const resolved = privateKeyPath.startsWith("~/")
+        ? `${process.env.HOME ?? ""}/${privateKeyPath.slice(2)}`
+        : privateKeyPath;
+    if (cachedKey && cachedKey.path === resolved) {
+        return cachedKey.value;
+    }
+    const value = fs.readFileSync(resolved, "utf-8");
+    cachedKey = { path: resolved, value };
+    return value;
+}
+export function createAppOctokit(config) {
+    const privateKey = readPrivateKey(config.privateKeyPath);
+    const appId = Number(config.appId);
+    if (!Number.isFinite(appId)) {
+        throw new Error("Invalid GitHub App ID");
+    }
+    return new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+            appId,
+            privateKey,
+        },
+    });
+}
+export function createInstallationOctokit(config, installationId) {
+    const privateKey = readPrivateKey(config.privateKeyPath);
+    const appId = Number(config.appId);
+    if (!Number.isFinite(appId)) {
+        throw new Error("Invalid GitHub App ID");
+    }
+    return new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+            appId,
+            privateKey,
+            installationId,
+        },
+    });
+}
+export async function getInstallationToken(config, installationId) {
+    const privateKey = readPrivateKey(config.privateKeyPath);
+    const appId = Number(config.appId);
+    if (!Number.isFinite(appId)) {
+        throw new Error("Invalid GitHub App ID");
+    }
+    const auth = createAppAuth({
+        appId,
+        privateKey,
+        installationId,
+    });
+    const result = await auth({ type: "installation" });
+    return result.token;
+}