bosun 0.28.2 → 0.28.4

package/ui-server.mjs

@@ -618,6 +618,8 @@ const SETTINGS_KNOWN_KEYS = [
   "KANBAN_BACKEND", "KANBAN_SYNC_POLICY", "BOSUN_TASK_LABEL",
   "BOSUN_ENFORCE_TASK_LABEL", "STALE_TASK_AGE_HOURS",
   "TASK_PLANNER_MODE", "TASK_PLANNER_DEDUP_HOURS",
+  "TASK_BRANCH_MODE", "TASK_BRANCH_AUTO_MODULE", "TASK_UPSTREAM_SYNC_MAIN",
+  "MODULE_BRANCH_PREFIX", "DEFAULT_TARGET_BRANCH",
   "BOSUN_PROMPT_PLANNER",
   "GITHUB_TOKEN", "GITHUB_REPOSITORY", "GITHUB_PROJECT_MODE",
   "GITHUB_PROJECT_NUMBER", "GITHUB_DEFAULT_ASSIGNEE", "GITHUB_AUTO_ASSIGN_CREATOR",
@@ -2113,6 +2115,430 @@ async function handleGitHubProjectWebhook(req, res) {
   }
 }
 
+// ─── GitHub App webhook ──────────────────────────────────────────────────────
+
+function getAppWebhookPath() {
+  return (
+    process.env.BOSUN_GITHUB_APP_WEBHOOK_PATH ||
+    "/api/webhooks/github/app"
+  );
+}
+
+/**
+ * Handles App-level webhook deliveries from GitHub.
+ * Events: installation, installation_repositories, ping, pull_request, push…
+ * Validates HMAC-SHA256 signature using BOSUN_GITHUB_WEBHOOK_SECRET.
+ */
+async function handleGitHubAppWebhook(req, res) {
+  if (req.method !== "POST") {
+    jsonResponse(res, 405, { ok: false, error: "Method not allowed" });
+    return;
+  }
+
+  const deliveryId = String(req.headers["x-github-delivery"] || "");
+  const eventType = String(req.headers["x-github-event"] || "").toLowerCase();
+
+  let rawBody;
+  try {
+    rawBody = await readRawBody(req);
+  } catch (err) {
+    jsonResponse(res, 400, { ok: false, error: "Failed to read body" });
+    return;
+  }
+
+  // Validate HMAC signature if secret is configured
+  const webhookSecret = process.env.BOSUN_GITHUB_WEBHOOK_SECRET || "";
+  if (webhookSecret) {
+    const sigHeader = req.headers["x-hub-signature-256"] || "";
+    if (!verifyGitHubWebhookSignature(rawBody, sigHeader, webhookSecret)) {
+      console.warn(
+        `[app-webhook] delivery=${deliveryId} invalid signature — check BOSUN_GITHUB_WEBHOOK_SECRET`,
+      );
+      jsonResponse(res, 401, { ok: false, error: "Invalid webhook signature" });
+      return;
+    }
+  }
+
+  let payload = {};
+  try {
+    payload = rawBody ? JSON.parse(rawBody) : {};
+  } catch {
+    jsonResponse(res, 400, { ok: false, error: "Invalid JSON payload" });
+    return;
+  }
+
+  // Acknowledge immediately — GitHub requires a fast response
+  jsonResponse(res, 202, { ok: true, deliveryId, eventType });
+
+  // Process asynchronously
+  setImmediate(() => {
+    try {
+      _processAppWebhookEvent(eventType, payload, deliveryId);
+    } catch (err) {
+      console.warn(`[app-webhook] processing error delivery=${deliveryId}: ${err.message}`);
+    }
+  });
+}
+
+function _processAppWebhookEvent(eventType, payload, deliveryId) {
+  switch (eventType) {
+    case "ping":
+      console.log(
+        `[app-webhook] ping delivery=${deliveryId} zen="${payload.zen || ""}"`,
+      );
+      break;
+
+    case "installation": {
+      const action = payload.action || "";
+      const login = payload.installation?.account?.login || "unknown";
+      const repos = (payload.repositories || []).map((r) => r.full_name);
+      console.log(
+        `[app-webhook] installation ${action} account=${login} repos=${repos.join(",") || "(all)"}`,
+      );
+      broadcastUiEvent(["overview"], "invalidate", {
+        reason: `github-app-installation-${action}`,
+        account: login,
+      });
+      break;
+    }
+
+    case "installation_repositories": {
+      const action = payload.action || "";
+      const added = (payload.repositories_added || []).map((r) => r.full_name);
+      const removed = (payload.repositories_removed || []).map((r) => r.full_name);
+      console.log(
+        `[app-webhook] installation_repositories ${action} added=${added.join(",")} removed=${removed.join(",")}`,
+      );
+      break;
+    }
+
+    default:
+      console.log(
+        `[app-webhook] delivery=${deliveryId} event=${eventType} action=${payload.action || ""} (unhandled, ack'd)`,
+      );
+  }
+}
+
+// ─── GitHub OAuth callback ────────────────────────────────────────────────────
+
+/**
+ * Handles the OAuth redirect from GitHub after a user installs/authorizes
+ * the Bosun[botswain] GitHub App.
+ *
+ * Flow:
+ *   1. GitHub redirects: GET /api/github/callback?code=xxx&installation_id=yyy
+ *   2. We exchange `code` for a user access token
+ *   3. We fetch the user's GitHub login for confirmation
+ *   4. We redirect the user to the main app UI with a success banner
+ *
+ * The token is surfaced in the response so the operator can copy it;
+ * it is also written to .env as GH_TOKEN if GH_TOKEN is currently unset.
+ */
+async function handleGitHubOAuthCallback(req, res) {
+  if (req.method !== "GET") {
+    jsonResponse(res, 405, { ok: false, error: "Method not allowed" });
+    return;
+  }
+
+  const urlObj = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+  const code = urlObj.searchParams.get("code") || "";
+  const installationId = urlObj.searchParams.get("installation_id") || "";
+  const setupAction = urlObj.searchParams.get("setup_action") || "";
+
+  // If no code, this might be a test ping — just return 200
+  if (!code) {
+    jsonResponse(res, 400, { ok: false, error: "Missing code parameter" });
+    return;
+  }
+
+  const clientId = process.env.BOSUN_GITHUB_CLIENT_ID || "";
+  const clientSecret = process.env.BOSUN_GITHUB_CLIENT_SECRET || "";
+
+  if (!clientId || !clientSecret) {
+    console.warn("[oauth-callback] BOSUN_GITHUB_CLIENT_ID/CLIENT_SECRET not set — cannot exchange code");
+    res.writeHead(302, { Location: "/?oauth=error&reason=not_configured" });
+    res.end();
+    return;
+  }
+
+  try {
+    // Exchange code for user access token
+    const tokenBody = new URLSearchParams({
+      client_id: clientId,
+      client_secret: clientSecret,
+      code,
+    });
+    const tokenRes = await fetch("https://github.com/login/oauth/access_token", {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": "bosun-botswain",
+      },
+      body: tokenBody.toString(),
+    });
+
+    if (!tokenRes.ok) {
+      throw new Error(`Token exchange HTTP ${tokenRes.status}`);
+    }
+    const tokenData = await tokenRes.json();
+    if (tokenData.error) {
+      throw new Error(`${tokenData.error}: ${tokenData.error_description || ""}`);
+    }
+
+    const accessToken = tokenData.access_token;
+
+    // Fetch the user identity for logging / display
+    let login = "unknown";
+    try {
+      const userRes = await fetch("https://api.github.com/user", {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/vnd.github+json",
+          "X-GitHub-Api-Version": "2022-11-28",
+          "User-Agent": "bosun-botswain",
+        },
+      });
+      if (userRes.ok) {
+        const u = await userRes.json();
+        login = u.login || "unknown";
+      }
+    } catch {
+      // non-fatal
+    }
+
+    console.log(
+      `[oauth-callback] authorized user=${login} installation_id=${installationId} setup_action=${setupAction}`,
+    );
+
+    // If GH_TOKEN is not already set, write the token to .env so Bosun can use it.
+    if (!process.env.GH_TOKEN && accessToken) {
+      try {
+        updateEnvFile({ GH_TOKEN: accessToken });
+        process.env.GH_TOKEN = accessToken;
+        console.log(`[oauth-callback] wrote GH_TOKEN to .env for user=${login}`);
+      } catch (err) {
+        console.warn(`[oauth-callback] could not write GH_TOKEN to .env: ${err.message}`);
+      }
+    }
+
+    broadcastUiEvent(["overview"], "invalidate", {
+      reason: "github-oauth-authorized",
+      login,
+      installationId,
+    });
+
+    // Redirect to the main UI with success indication
+    const redirectUrl = `/?oauth=success&gh_user=${encodeURIComponent(login)}${installationId ? `&installation_id=${encodeURIComponent(installationId)}` : ""}`;
+    res.writeHead(302, { Location: redirectUrl });
+    res.end();
+  } catch (err) {
+    console.warn(`[oauth-callback] error: ${err.message}`);
+    res.writeHead(302, {
+      Location: `/?oauth=error&reason=${encodeURIComponent(err.message.slice(0, 100))}`,
+    });
+    res.end();
+  }
+}
+
+// ─── GitHub Device Flow ───────────────────────────────────────────────────────
+
+/**
+ * POST /api/github/device/start
+ * Kicks off the OAuth Device Flow — returns a user code + verification URL.
+ * No public URL, no callback, no client secret needed.
+ * User visits github.com/login/device, enters the code, done.
+ */
+async function handleDeviceFlowStart(req, res) {
+  if (req.method !== "POST") {
+    jsonResponse(res, 405, { ok: false, error: "Method not allowed" });
+    return;
+  }
+
+  const clientId = (process.env.BOSUN_GITHUB_CLIENT_ID || "").trim();
+  if (!clientId) {
+    jsonResponse(res, 400, {
+      ok: false,
+      error: "BOSUN_GITHUB_CLIENT_ID is not set. Configure it in Settings → GitHub.",
+    });
+    return;
+  }
+
+  try {
+    const body = new URLSearchParams({ client_id: clientId, scope: "repo" });
+    const ghRes = await fetch("https://github.com/login/device/code", {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": "bosun-botswain",
+      },
+      body: body.toString(),
+    });
+
+    if (!ghRes.ok) {
+      const text = await ghRes.text();
+      throw new Error(`GitHub device/code ${ghRes.status}: ${text}`);
+    }
+
+    const data = await ghRes.json();
+    if (data.error) {
+      throw new Error(`${data.error}: ${data.error_description || ""}`);
+    }
+
+    console.log(`[device-flow] started — user code: ${data.user_code}`);
+
+    jsonResponse(res, 200, {
+      ok: true,
+      data: {
+        deviceCode: data.device_code,
+        userCode: data.user_code,
+        verificationUri: data.verification_uri,
+        expiresIn: data.expires_in,
+        interval: data.interval || 5,
+      },
+    });
+  } catch (err) {
+    console.warn(`[device-flow] start error: ${err.message}`);
+    jsonResponse(res, 500, { ok: false, error: err.message });
+  }
+}
+
+/**
+ * POST /api/github/device/poll
+ * Polls GitHub to check if the user has entered the device code.
+ * Body: { deviceCode: "..." }
+ *
+ * Returns:
+ *   { status: "pending" }        — still waiting
+ *   { status: "complete", login } — done, token saved
+ *   { status: "expired" }        — code expired, restart
+ *   { status: "error", error }   — something went wrong
+ */
+async function handleDeviceFlowPoll(req, res) {
+  if (req.method !== "POST") {
+    jsonResponse(res, 405, { ok: false, error: "Method not allowed" });
+    return;
+  }
+
+  const clientId = (process.env.BOSUN_GITHUB_CLIENT_ID || "").trim();
+  if (!clientId) {
+    jsonResponse(res, 400, { ok: false, error: "BOSUN_GITHUB_CLIENT_ID not set" });
+    return;
+  }
+
+  let deviceCode;
+  try {
+    const body = await readJsonBody(req);
+    deviceCode = body?.deviceCode;
+  } catch {
+    jsonResponse(res, 400, { ok: false, error: "Invalid JSON body" });
+    return;
+  }
+
+  if (!deviceCode) {
+    jsonResponse(res, 400, { ok: false, error: "deviceCode is required" });
+    return;
+  }
+
+  try {
+    const body = new URLSearchParams({
+      client_id: clientId,
+      device_code: deviceCode,
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+    });
+
+    const ghRes = await fetch("https://github.com/login/oauth/access_token", {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": "bosun-botswain",
+      },
+      body: body.toString(),
+    });
+
+    if (!ghRes.ok) {
+      throw new Error(`Token poll HTTP ${ghRes.status}`);
+    }
+
+    const data = await ghRes.json();
+
+    // Success — got a token
+    if (data.access_token) {
+      const accessToken = data.access_token;
+
+      // Fetch user identity
+      let login = "unknown";
+      try {
+        const userRes = await fetch("https://api.github.com/user", {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28",
+            "User-Agent": "bosun-botswain",
+          },
+        });
+        if (userRes.ok) {
+          const u = await userRes.json();
+          login = u.login || "unknown";
+        }
+      } catch {
+        // non-fatal
+      }
+
+      console.log(`[device-flow] authorized user=${login}`);
+
+      // Save token to .env and process.env
+      if (accessToken) {
+        try {
+          updateEnvFile({ GH_TOKEN: accessToken });
+          process.env.GH_TOKEN = accessToken;
+          console.log(`[device-flow] wrote GH_TOKEN to .env for user=${login}`);
+        } catch (err) {
+          console.warn(`[device-flow] could not write GH_TOKEN to .env: ${err.message}`);
+        }
+      }
+
+      broadcastUiEvent(["overview"], "invalidate", {
+        reason: "github-device-flow-authorized",
+        login,
+      });
+
+      jsonResponse(res, 200, { ok: true, data: { status: "complete", login } });
+      return;
+    }
+
+    // Still pending or error
+    switch (data.error) {
+      case "authorization_pending":
+        jsonResponse(res, 200, { ok: true, data: { status: "pending" } });
+        return;
+      case "slow_down":
+        jsonResponse(res, 200, {
+          ok: true,
+          data: { status: "slow_down", interval: data.interval },
+        });
+        return;
+      case "expired_token":
+        jsonResponse(res, 200, { ok: true, data: { status: "expired" } });
+        return;
+      default:
+        jsonResponse(res, 200, {
+          ok: true,
+          data: {
+            status: "error",
+            error: data.error,
+            description: data.error_description || "",
+          },
+        });
+    }
+  } catch (err) {
+    console.warn(`[device-flow] poll error: ${err.message}`);
+    jsonResponse(res, 500, { ok: false, error: err.message });
+  }
+}
+
 async function readStatusSnapshot() {
   try {
     const raw = await readFile(statusPath, "utf8");
@@ -4045,6 +4471,44 @@ async function handleApi(req, res, url) {
     return;
   }
 
+  if (path === "/api/github/app/config") {
+    const appId = (process.env.BOSUN_GITHUB_APP_ID || "").trim();
+    const privateKeyPath = (process.env.BOSUN_GITHUB_PRIVATE_KEY_PATH || "").trim();
+    const clientId = (process.env.BOSUN_GITHUB_CLIENT_ID || "").trim();
+    const webhookSecretSet = Boolean(process.env.BOSUN_GITHUB_WEBHOOK_SECRET);
+    const appWebhookPath = getAppWebhookPath();
+
+    // Build public URLs from tunnel URL if available, else from request host
+    const host = req.headers["x-forwarded-host"] || req.headers.host || "localhost";
+    const proto = uiServerTls || req.headers["x-forwarded-proto"] === "https" ? "https" : "http";
+    const baseUrl = `${proto}://${host}`;
+
+    jsonResponse(res, 200, {
+      ok: true,
+      data: {
+        appId: appId || null,
+        appSlug: "bosun-botswain",
+        botUsername: "bosun-botswain[bot]",
+        appUrl: "https://github.com/apps/bosun-botswain",
+        configured: {
+          appId: Boolean(appId),
+          privateKey: Boolean(privateKeyPath),
+          oauthClient: Boolean(clientId),
+          webhookSecret: webhookSecretSet,
+        },
+        urls: {
+          webhookUrl: `${baseUrl}${appWebhookPath}`,
+          oauthCallbackUrl: `${baseUrl}/api/github/callback`,
+        },
+        paths: {
+          webhookPath: appWebhookPath,
+          oauthCallbackPath: "/api/github/callback",
+        },
+      },
+    });
+    return;
+  }
+
   if (path === "/api/command") {
     try {
       const body = await readJsonBody(req);
@@ -4789,6 +5253,29 @@ export async function startTelegramUiServer(options = {}) {
       return;
     }
 
+    // GitHub App webhook (installation events, pr events, etc.)
+    const appWebhookPath = getAppWebhookPath();
+    if (url.pathname === appWebhookPath) {
+      await handleGitHubAppWebhook(req, res);
+      return;
+    }
+
+    // GitHub OAuth callback — public (no session auth required)
+    if (url.pathname === "/api/github/callback") {
+      await handleGitHubOAuthCallback(req, res);
+      return;
+    }
+
+    // GitHub Device Flow — no public URL needed
+    if (url.pathname === "/api/github/device/start") {
+      await handleDeviceFlowStart(req, res);
+      return;
+    }
+    if (url.pathname === "/api/github/device/poll") {
+      await handleDeviceFlowPoll(req, res);
+      return;
+    }
+
     if (url.pathname.startsWith("/api/")) {
       await handleApi(req, res, url);
       return;

package/workspace-manager.mjs

@@ -432,12 +432,24 @@ export function pullWorkspaceRepos(configDir, workspaceId) {
           stdio: ["pipe", "pipe", "pipe"],
         });
         if (clone.status !== 0) {
+          const stderr = String(clone.stderr || clone.stdout || "");
+          let hint = "";
+          if (/permission denied \(publickey\)/i.test(stderr)) {
+            hint =
+              "SSH auth failed. Configure SSH keys or use an HTTPS URL instead.";
+          } else if (/authentication failed|fatal: authentication failed/i.test(stderr)) {
+            hint =
+              "HTTPS auth failed. Use a PAT/credential helper or switch to SSH.";
+          } else if (/repository .* not found|not found/i.test(stderr)) {
+            hint =
+              "Repository not found or access denied. Verify the org/repo and permissions.";
+          }
           results.push({
             name: repo.name,
             success: false,
-            error: `git clone failed: ${
-              clone.stderr || clone.stdout || clone.error?.message || "unknown error"
-            }`,
+            error: `git clone failed (${repoUrl}): ${
+              stderr || clone.error?.message || "unknown error"
+            }${hint ? ` — ${hint}` : ""}`,
           });
           continue;
         }
@@ -446,18 +458,52 @@ export function pullWorkspaceRepos(configDir, workspaceId) {
         results.push({
           name: repo.name,
           success: false,
-          error: `git clone failed: ${err.message || err}`,
+          error: `git clone failed (${repoUrl}): ${err.message || err}`,
         });
         continue;
       }
     }
-    if (!existsSync(resolve(repoPath, ".git"))) {
-      results.push({
-        name: repo.name,
-        success: false,
-        error: "Directory exists but is not a git repository",
-      });
-      continue;
+    const gitDir = resolve(repoPath, ".git");
+    if (!existsSync(gitDir)) {
+      try {
+        const contents = existsSync(repoPath) ? readdirSync(repoPath) : [];
+        const isEmpty = contents.length === 0;
+        const repoUrl =
+          repo.url ||
+          (repo.slug ? `https://github.com/${repo.slug.replace(/\.git$/i, "")}.git` : "");
+        if (isEmpty && repoUrl) {
+          console.log(TAG, `Cloning ${repoUrl} into existing empty directory ${repoPath}...`);
+          const clone = spawnSync("git", ["clone", repoUrl, "."], {
+            encoding: "utf8",
+            timeout: 300000,
+            stdio: ["pipe", "pipe", "pipe"],
+            cwd: repoPath,
+          });
+          if (clone.status !== 0) {
+            const stderr = String(clone.stderr || clone.stdout || "");
+            results.push({
+              name: repo.name,
+              success: false,
+              error: `git clone failed (${repoUrl}): ${stderr || clone.error?.message || "unknown error"}`,
+            });
+            continue;
+          }
+        } else {
+          results.push({
+            name: repo.name,
+            success: false,
+            error: "Directory exists but is not a git repository",
+          });
+          continue;
+        }
+      } catch (err) {
+        results.push({
+          name: repo.name,
+          success: false,
+          error: `Directory check failed: ${err.message || err}`,
+        });
+        continue;
+      }
     }
     try {
       execSync("git pull --rebase", {