@runuai/host 0.1.0

package/lib/github-tokens.ts

@@ -0,0 +1,321 @@
+/**
+ * Host-side GitHub token manager (ADR-027).
+ *
+ * Owns the encrypted refresh token (`host_github_tokens`), the per-task access
+ * token mint + container injection, and the refresh schedule. Access tokens are
+ * never stored — they go straight into the container's gh config. The refresh
+ * exchange is a host→cloud HTTP POST to /api/github/oauth/exchange.
+ */
+
+import { spawnSync } from "node:child_process";
+
+import { and, eq, isNull } from "drizzle-orm";
+
+import { getDb, schema } from "./db";
+import { sealAesGcm, openAesGcm } from "./secrets";
+import type { CloudToHost } from "../src/protocol";
+
+const REFRESH_LEAD_MS = 5 * 60 * 1000; // refresh 5 min before expiry
+const EXEC_TIMEOUT_MS = 10_000;
+const EXCHANGE_TIMEOUT_MS = 15_000; // cap the cloud token-exchange round-trip
+
+type GhConnectSet = Extract<CloudToHost, { kind: "gh.connect.set" }>;
+
+// --- token store ------------------------------------------------------------
+
+/** Encrypt + persist the user's refresh token (gh.connect.set handler). */
+export function onConnectSet(frame: GhConnectSet): { ok: boolean; error?: string } {
+  try {
+    const sealed = sealAesGcm(frame.refreshToken);
+    const now = Date.now();
+    getDb()
+      .insert(schema.githubTokens)
+      .values({
+        userId: frame.userId,
+        installationId: frame.installationId,
+        refreshTokenCt: sealed.ct,
+        refreshTokenNonce: sealed.nonce,
+        refreshTokenExpiresAt: frame.refreshTokenExpiresAt ?? null,
+        updatedAt: now,
+      })
+      .onConflictDoUpdate({
+        target: schema.githubTokens.userId,
+        set: {
+          installationId: frame.installationId,
+          refreshTokenCt: sealed.ct,
+          refreshTokenNonce: sealed.nonce,
+          refreshTokenExpiresAt: frame.refreshTokenExpiresAt ?? null,
+          updatedAt: now,
+        },
+      })
+      .run();
+    return { ok: true };
+  } catch (err) {
+    return { ok: false, error: err instanceof Error ? err.message : "store failed" };
+  }
+}
+
+/** Delete a user's refresh token + clear their active-task refresh timers. */
+export function onConnectClear(userId: string): void {
+  deleteToken(userId);
+  for (const taskId of activeTaskIdsForUser(userId)) {
+    clearRefresh(taskId);
+    authExpiredHandler?.(taskId, userId, "GitHub disconnected");
+  }
+}
+
+export function deleteToken(userId: string): void {
+  getDb()
+    .delete(schema.githubTokens)
+    .where(eq(schema.githubTokens.userId, userId))
+    .run();
+}
+
+export function hasToken(userId: string): boolean {
+  return (
+    getDb()
+      .select({ userId: schema.githubTokens.userId })
+      .from(schema.githubTokens)
+      .where(eq(schema.githubTokens.userId, userId))
+      .get() != null
+  );
+}
+
+function activeTaskIdsForUser(userId: string): string[] {
+  return getDb()
+    .select({ taskId: schema.hostTasks.taskId })
+    .from(schema.hostTasks)
+    .where(
+      and(
+        eq(schema.hostTasks.ownerUserId, userId),
+        isNull(schema.hostTasks.endedAt),
+      ),
+    )
+    .all()
+    .map((r) => r.taskId);
+}
+
+// --- access-token exchange --------------------------------------------------
+
+function exchangeUrl(): string {
+  const cloud = process.env.UAI_CLOUD_URL ?? "ws://127.0.0.1:8789/host";
+  const u = new URL(cloud);
+  const proto =
+    u.protocol === "wss:" ? "https:" : u.protocol === "ws:" ? "http:" : u.protocol;
+  return `${proto}//${u.host}/api/github/oauth/exchange`;
+}
+
+interface ExchangeResult {
+  accessToken: string;
+  expiresAt: number;
+  refreshToken: string | null;
+  refreshTokenExpiresAt: number | null;
+}
+
+/**
+ * Mint a fresh access token for the user via the cloud exchange. Persists a
+ * rotated refresh token if GitHub returned one. Returns null when the user has
+ * no token on this host. Throws on exchange failure.
+ */
+export async function requestAccessToken(
+  userId: string,
+): Promise<{ accessToken: string; expiresAt: number } | null> {
+  const row = getDb()
+    .select()
+    .from(schema.githubTokens)
+    .where(eq(schema.githubTokens.userId, userId))
+    .get();
+  if (!row) return null;
+
+  const refreshToken = openAesGcm(
+    Buffer.from(row.refreshTokenCt as Uint8Array),
+    Buffer.from(row.refreshTokenNonce as Uint8Array),
+  );
+  const res = await fetch(exchangeUrl(), {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      "x-uai-host-token": process.env.UAI_HOST_TOKEN ?? "",
+    },
+    body: JSON.stringify({ refreshToken }),
+    signal: AbortSignal.timeout(EXCHANGE_TIMEOUT_MS),
+  });
+  if (!res.ok) {
+    throw new Error(`gh token exchange failed: HTTP ${res.status}`);
+  }
+  const data = (await res.json()) as ExchangeResult;
+  if (data.refreshToken) {
+    const sealed = sealAesGcm(data.refreshToken);
+    getDb()
+      .update(schema.githubTokens)
+      .set({
+        refreshTokenCt: sealed.ct,
+        refreshTokenNonce: sealed.nonce,
+        refreshTokenExpiresAt:
+          data.refreshTokenExpiresAt ?? row.refreshTokenExpiresAt,
+        updatedAt: Date.now(),
+      })
+      .where(eq(schema.githubTokens.userId, userId))
+      .run();
+  }
+  return { accessToken: data.accessToken, expiresAt: data.expiresAt };
+}
+
+// --- container injection ----------------------------------------------------
+
+/** Injectable docker-exec seam (mocked in tests). */
+export type DockerExec = (
+  args: string[],
+  input: string,
+) => { status: number | null; stderr: string };
+
+const defaultExec: DockerExec = (args, input) => {
+  const res = spawnSync("docker", args, {
+    input,
+    encoding: "utf8",
+    timeout: EXEC_TIMEOUT_MS,
+  });
+  return { status: res.status, stderr: res.stderr ?? "" };
+};
+
+/** Write the access token into the container's gh config via `gh auth login`. */
+export function injectIntoContainer(
+  taskId: string,
+  accessToken: string,
+  exec: DockerExec = defaultExec,
+): void {
+  const container = `task-${taskId}-app-1`;
+  const args = [
+    "exec",
+    "-i",
+    "-u",
+    "node",
+    container,
+    "gh",
+    "auth",
+    "login",
+    "--with-token",
+    "--hostname",
+    "github.com",
+  ];
+  const res = exec(args, `${accessToken}\n`);
+  if (res.status !== 0) {
+    throw new Error(`gh auth login failed in ${container}: ${res.stderr.trim()}`);
+  }
+}
+
+// --- refresh schedule -------------------------------------------------------
+
+const timers = new Map<string, ReturnType<typeof setTimeout>>();
+
+type AuthExpiredHandler = (taskId: string, userId: string, reason: string) => void;
+let authExpiredHandler: AuthExpiredHandler | null = null;
+
+/** Phase D wires this to the task-chat "auth expired" system message. */
+export function setAuthExpiredHandler(fn: AuthExpiredHandler | null): void {
+  authExpiredHandler = fn;
+}
+
+export function scheduleRefresh(
+  taskId: string,
+  userId: string,
+  expiresAt: number,
+): void {
+  clearRefresh(taskId);
+  const delay = Math.max(0, expiresAt - Date.now() - REFRESH_LEAD_MS);
+  const timer = setTimeout(() => {
+    void runRefresh(taskId, userId);
+  }, delay);
+  timer.unref?.();
+  timers.set(taskId, timer);
+}
+
+async function runRefresh(taskId: string, userId: string): Promise<void> {
+  try {
+    const tok = await requestAccessToken(userId);
+    if (!tok) {
+      authExpiredHandler?.(taskId, userId, "no GitHub token on host");
+      return;
+    }
+    injectIntoContainer(taskId, tok.accessToken);
+    scheduleRefresh(taskId, userId, tok.expiresAt);
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    // A revoked / expired refresh token can't recover — drop it to force a
+    // clean re-grant through the OAuth flow.
+    if (/\b40[13]\b|revoked|invalid_grant|bad_refresh/i.test(reason)) {
+      deleteToken(userId);
+    }
+    authExpiredHandler?.(taskId, userId, reason);
+  }
+}
+
+export function clearRefresh(taskId: string): void {
+  const t = timers.get(taskId);
+  if (t) {
+    clearTimeout(t);
+    timers.delete(taskId);
+  }
+}
+
+/**
+ * Injectable seams for {@link setupTaskGithub} (mocked in tests so the decision
+ * logic needs neither the host DB nor docker). All default to the real impls.
+ */
+export interface SetupTaskDeps {
+  hasToken?: (userId: string) => boolean;
+  requestAccessToken?: (
+    userId: string,
+  ) => Promise<{ accessToken: string; expiresAt: number } | null>;
+  inject?: (taskId: string, token: string) => void;
+  schedule?: (taskId: string, userId: string, expiresAt: number) => void;
+}
+
+/**
+ * Set up GitHub auth for a task at task-up (ADR-027). Connected user → mint +
+ * inject an access token + schedule refresh. Else UAI_GH_PAT_FALLBACK → inject
+ * the PAT (no refresh; attributes to the PAT owner). Else skip. Best-effort:
+ * a failure emits the auth-expired note but never aborts task-up. Returns true
+ * iff a token was injected.
+ */
+export async function setupTaskGithub(
+  taskId: string,
+  userId: string,
+  deps: SetupTaskDeps = {},
+): Promise<boolean> {
+  const _hasToken = deps.hasToken ?? hasToken;
+  const _request = deps.requestAccessToken ?? requestAccessToken;
+  const _inject =
+    deps.inject ?? ((t: string, tok: string) => injectIntoContainer(t, tok));
+  const _schedule = deps.schedule ?? scheduleRefresh;
+  try {
+    if (_hasToken(userId)) {
+      const tok = await _request(userId);
+      if (tok) {
+        _inject(taskId, tok.accessToken);
+        _schedule(taskId, userId, tok.expiresAt);
+        console.log(`[github] task ${taskId}: injected user access token`);
+        return true;
+      }
+    }
+    const pat = process.env.UAI_GH_PAT_FALLBACK;
+    if (pat) {
+      _inject(taskId, pat);
+      console.log(`[github] task ${taskId}: using PAT fallback (no refresh)`);
+      return true;
+    }
+    console.log(`[github] task ${taskId}: gh not configured for user ${userId}`);
+    return false;
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    console.warn(`[github] task ${taskId}: gh setup failed: ${reason}`);
+    authExpiredHandler?.(taskId, userId, reason);
+    return false;
+  }
+}
+
+/** Test/maintenance hook: drop all scheduled refresh timers. */
+export function clearAllRefreshTimers(): void {
+  for (const t of timers.values()) clearTimeout(t);
+  timers.clear();
+}