npm - @themoltnet/legreffier - Versions diffs - 0.32.0 → 0.32.2 - Mend

@themoltnet/legreffier 0.32.0 → 0.32.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +141 -13
package/package.json +5 -5

package/dist/index.js CHANGED Viewed

@@ -7707,12 +7707,19 @@ function buildGhTokenRule() {
 		"",
 		"> **STRICT RULE — read this before every `gh` call.**",
 		">",
-		"> When `GIT_CONFIG_GLOBAL` is set (matches `.moltnet/<agent>/gitconfig`), you",
-		"> **MUST NOT** run bare `gh <command>`. You **MUST** prefix every `gh` call",
-		"> with a `GH_TOKEN` resolved from an **absolute path** to `moltnet.json`.",
-		"> Running bare `gh` silently falls back to the human personal token and",
-		"> attributes the action to the wrong identity — this is a correctness bug,",
-		"> not a warning.",
+		"> When `GIT_CONFIG_GLOBAL` is set (matches `.moltnet/<agent>/gitconfig`), the",
+		"> default is: you **MUST NOT** run bare `gh <command>`. You **MUST** prefix",
+		"> every `gh` call with a `GH_TOKEN` resolved from an **absolute path** to",
+		"> `moltnet.json`. Running bare `gh` silently falls back to the human personal",
+		"> token and attributes the action to the wrong identity — this is a",
+		"> correctness bug, not a warning.",
+		">",
+		"> **Exception — `human` authorship mode**: when `MOLTNET_COMMIT_AUTHORSHIP=human`",
+		"> in `.moltnet/<agent>/env`, `gh pr ...` and `gh issue ...` **must** run bare",
+		"> (no `GH_TOKEN`) so the PR/issue appears as authored by the human. All other",
+		"> `gh` calls (including `gh api repos/.../contents/...`) still require the agent",
+		"> token. `git push` is not a `gh` call and always uses the agent token via the",
+		"> gitconfig-configured credential helper.",
 		"",
 		"## The only correct form",
 		"",
@@ -7749,7 +7756,8 @@ function buildGhTokenRule() {
 		"",
 		"## Forbidden patterns",
 		"",
-		"- `gh <command>` — bare, no `GH_TOKEN`. **Never.**",
+		"- `gh <command>` — bare, no `GH_TOKEN`. **Never** (except the `human` mode",
+		"  write-op carve-out for `gh pr` / `gh issue` described in the header above).",
 		"- `GH_TOKEN=$(... --credentials \"$(dirname \"$GIT_CONFIG_GLOBAL\")/moltnet.json\") gh ...`",
 		"  — uses the raw relative path. Breaks in worktrees.",
 		"- `GH_TOKEN=$(... --credentials \"./moltnet.json\") gh ...` — relative. Breaks.",
@@ -8084,6 +8092,28 @@ async function writeEnvFile(opts) {
 	await writeFile(envPath, outputLines.join("\n") + "\n", "utf-8");
 }
 /**
+* Update a single managed key in an existing env file.
+* If the key exists, its value is replaced; otherwise appended.
+*/
+async function updateEnvVar(envDir, key, value) {
+	const envPath = join(envDir, "env");
+	let content;
+	try {
+		content = await readFile(envPath, "utf-8");
+	} catch {
+		content = "";
+	}
+	const line = `${key}=${q(value)}`;
+	const keyPrefix = `${key}=`;
+	const lines = content === "" ? [] : content.split("\n");
+	const index = lines.findIndex((l) => l.startsWith(keyPrefix));
+	if (index !== -1) {
+		lines[index] = line;
+		content = lines.join("\n");
+	} else content = content.endsWith("\n") ? content + line + "\n" : content + "\n" + line + "\n";
+	await writeFile(envPath, content, "utf-8");
+}
+/**
 * Resolve the human operator's git identity from global git config.
 * Must be called BEFORE GIT_CONFIG_GLOBAL is set (so it reads the
 * human's config, not the agent's).
@@ -8529,10 +8559,41 @@ async function writeTokenCache(cachePath, token, expiresAt) {
 	} catch {}
 }
 /**
-* Exchange a GitHub App JWT for an installation access token.
-* Uses a file-based cache next to the private key to avoid
-* hitting the GitHub API on every call.
+* List all installations of this GitHub App and return the one whose
+* `account.login` matches the given owner (case-insensitive).
+*
+* Uses the App JWT (not an installation token), so it works even when
+* `installation_id` is missing or stale.
 */
+async function findInstallationForOwner(opts) {
+	const privateKeyPem = await readFile(opts.privateKeyPath, "utf-8");
+	const jwt = createAppJWT(opts.appId, privateKeyPem);
+	const ownerLower = opts.owner.toLowerCase();
+	let nextUrl = "https://api.github.com/app/installations?per_page=100";
+	let pageCount = 0;
+	const MAX_PAGES = 10;
+	while (nextUrl && pageCount < MAX_PAGES) {
+		pageCount++;
+		const res = await fetch(nextUrl, { headers: {
+			Authorization: `Bearer ${jwt}`,
+			Accept: "application/vnd.github+json",
+			"X-GitHub-Api-Version": "2022-11-28"
+		} });
+		if (!res.ok) throw new Error(`GitHub API error listing installations (${res.status}): ${await res.text()}`);
+		const match = (await res.json()).find((i) => i.account?.login.toLowerCase() === ownerLower);
+		if (match) return { installationId: String(match.id) };
+		const linkHeader = res.headers.get("link");
+		nextUrl = linkHeader ? parseNextLinkHeader(linkHeader) : null;
+	}
+	return null;
+}
+function parseNextLinkHeader(header) {
+	for (const part of header.split(",")) {
+		const match = part.match(/<([^>]+)>\s*;\s*rel="next"/);
+		if (match) return match[1];
+	}
+	return null;
+}
 async function getInstallationToken(opts) {
 	const cachePath = join(dirname(opts.privateKeyPath), "gh-token-cache.json");
 	const cached = await readTokenCache(cachePath);
@@ -9554,6 +9615,62 @@ async function runPortDiaryPhase(opts) {
 	};
 }
 //#endregion
+//#region src/phases/portResolveInstallation.ts
+/**
+* Resolve the correct `installation_id` for the target owner.
+*
+* When porting a config across orgs the source `installation_id` is scoped
+* to the original account. This phase uses the App JWT to list all
+* installations and find the one matching the target owner, then updates
+* `moltnet.json` if it differs.
+*/
+async function runPortResolveInstallationPhase(opts) {
+	const { targetDir, config, currentRepo } = opts;
+	if (!currentRepo) return {
+		status: "skipped",
+		message: "unable to determine target repo — skipping installation_id resolution",
+		installationId: config.github?.installation_id ?? ""
+	};
+	if (!config.github?.app_id || !config.github?.private_key_path) return {
+		status: "skipped",
+		message: "github.app_id or private_key_path missing — cannot resolve",
+		installationId: config.github?.installation_id ?? ""
+	};
+	const targetOwner = currentRepo.split("/")[0];
+	let result;
+	try {
+		result = await findInstallationForOwner({
+			appId: config.github.app_id,
+			privateKeyPath: config.github.private_key_path,
+			owner: targetOwner
+		});
+	} catch (err) {
+		return {
+			status: "skipped",
+			message: `could not list app installations: ${err.message}`,
+			installationId: config.github?.installation_id ?? ""
+		};
+	}
+	if (!result) return {
+		status: "not-installed",
+		message: `GitHub App is not installed on ${targetOwner} — install it first`,
+		installationId: config.github?.installation_id ?? ""
+	};
+	const oldId = config.github.installation_id;
+	if (oldId === result.installationId) return {
+		status: "unchanged",
+		message: `installation_id ${oldId} already matches ${targetOwner}`,
+		installationId: oldId
+	};
+	await updateConfigSection("github", { installation_id: result.installationId }, targetDir);
+	if (opts.envPrefix) await updateEnvVar(targetDir, `${opts.envPrefix}_GITHUB_APP_INSTALLATION_ID`, result.installationId);
+	return {
+		status: "updated",
+		message: `installation_id updated: ${oldId || "(empty)"} → ${result.installationId} (${targetOwner})`,
+		installationId: result.installationId
+	};
+}
+//#endregion
 //#region src/phases/portRewrite.ts
 /**
 * Rewrite absolute paths in the ported `moltnet.json` so they point to
@@ -9777,6 +9894,16 @@ function PortApp({ name, agents, sourceDir, targetRepoDir, diaryMode, apiUrl })
 				});
 				filesWritten.push(rewriteResult.gitConfigPath);
 				filesWritten.push(join(targetDir, "env"));
+				setPhase("resolving_installation");
+				const currentRepo = detectCurrentRepo(targetRepoDir);
+				const prefix = toEnvPrefix(name);
+				const resolveResult = await runPortResolveInstallationPhase({
+					targetDir,
+					config: await readConfig(targetDir) ?? config,
+					currentRepo: currentRepo ?? void 0,
+					envPrefix: prefix
+				});
+				if (resolveResult.status === "not-installed" || resolveResult.status === "skipped") warnings.push(resolveResult.message);
 				setPhase("diary");
 				const diaryResult = await runPortDiaryPhase({
 					targetDir,
@@ -9787,14 +9914,14 @@ function PortApp({ name, agents, sourceDir, targetRepoDir, diaryMode, apiUrl })
 				const adapterOpts = {
 					repoDir: targetRepoDir,
 					agentName: name,
-					prefix: toEnvPrefix(name),
+					prefix,
 					mcpUrl: config.endpoints?.mcp ?? apiUrl.replace("://api.", "://mcp.") + "/mcp",
 					clientId: config.oauth2.client_id,
 					clientSecret: config.oauth2.client_secret,
 					appSlug: config.github?.app_slug ?? "",
 					appId: config.github?.app_id ?? "",
 					pemPath: join(targetDir, basename(config.github?.private_key_path ?? "")),
-					installationId: config.github?.installation_id ?? ""
+					installationId: resolveResult.installationId
 				};
 				for (const agentType of agents) {
 					const adapter = adapters[agentType];
@@ -9810,7 +9937,7 @@ function PortApp({ name, agents, sourceDir, targetRepoDir, diaryMode, apiUrl })
 				setPhase("verifying");
 				const verifyResult = await runPortVerifyInstallationPhase({
 					config: await readConfig(targetDir) ?? config,
-					currentRepo: detectCurrentRepo(targetRepoDir) ?? void 0
+					currentRepo: currentRepo ?? void 0
 				});
 				if (verifyResult.status !== "ok") warnings.push(verifyResult.message);
 				setSummary({
@@ -9852,6 +9979,7 @@ function PortApp({ name, agents, sourceDir, targetRepoDir, diaryMode, apiUrl })
 			validating: `Validating source .moltnet/${name}...`,
 			copying: `Copying private material...`,
 			rewriting: `Rewriting paths in moltnet.json...`,
+			resolving_installation: `Resolving GitHub App installation for target org...`,
 			diary: `Configuring diary (${diaryMode})...`,
 			agent_setup: `Installing agent files for ${agents.join(", ")}...`,
 			verifying: `Verifying GitHub App installation scope...`

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@themoltnet/legreffier",
-  "version": "0.32.0",
+  "version": "0.32.2",
   "description": "LeGreffier — attribution and measured memory for AI coding agents.",
   "license": "AGPL-3.0-only",
   "type": "module",
@@ -32,11 +32,11 @@
     "typescript": "^5.3.3",
     "vite": "^8.0.0",
     "vitest": "^3.0.0",
-    "@moltnet/crypto-service": "0.1.0",
     "@moltnet/api-client": "0.1.0",
-    "@themoltnet/design-system": "0.5.1",
-    "@themoltnet/github-agent": "0.23.0",
-    "@themoltnet/sdk": "0.89.0"
+    "@moltnet/crypto-service": "0.1.0",
+    "@themoltnet/github-agent": "0.23.2",
+    "@themoltnet/sdk": "0.91.0",
+    "@themoltnet/design-system": "0.6.0"
   },
   "scripts": {
     "dev": "vite build --watch",