bosun 0.31.7 → 0.31.8

package/.env.example

@@ -345,31 +345,42 @@ TELEGRAM_MINIAPP_ENABLED=false
 # OAuth Client Secret (only needed for callback-based OAuth, not for Device Flow):
 # BOSUN_GITHUB_CLIENT_SECRET=
 #
-# Webhook secret (set this in App settings → Webhook, and keep in sync):
+# Webhook secret (VirtEngine relay signs forwarded events with this — leave blank
+# until VirtEngine’s relay server is live; Bosun polls GitHub API in the meantime):
 # BOSUN_GITHUB_WEBHOOK_SECRET=
 #
 # Path to the PEM private key downloaded from App settings → Generate a private key:
 # BOSUN_GITHUB_PRIVATE_KEY_PATH=/path/to/bosun-botswain.pem
 #
+# ─── GitHub App Settings (enable all three in https://github.com/settings/apps/bosun-botswain) ────
+# ✅ Callback URL  →  http://127.0.0.1:54317/github/callback  (set this FIRST, then Save)
+# ✅ "Request user authorization (OAuth) during installation"  →  ON
+#      GitHub does OAuth at install time, redirecting to the Callback URL with
+#      installation_id + setup_action=install. Setup URL is DISABLED — that's fine.
+# ✅ "Enable Device Flow"  →  ON  (only available AFTER Callback URL is saved)
+#      Allows CLI/terminal auth without a public URL (like VS Code / Roo Code)
+# ✕ Setup URL  →  leave BLANK (GitHub disables this field when OAuth-at-install is ON)
+# ✕ "Redirect on update"  →  leave OFF (disabled alongside Setup URL)
+#
 # ─── Authentication Method ───────────────────────────────────────────────
 # RECOMMENDED: Device Flow (like VS Code / Roo Code — no public URL needed!)
 #   1. Set BOSUN_GITHUB_CLIENT_ID above
-#   2. Enable "Device Flow" in GitHub App settings (Settings → Optional features)
-#   3. Go to Settings → GitHub in the Bosun UI and click "Sign in with GitHub"
-#   4. That's it — no callback URL, no tunnel URL, no client secret needed
+#   2. Enable “Device Flow” in GitHub App settings (only clickable after Callback URL is saved)
+#   3. Go to Settings → GitHub in the Bosun UI and click “Sign in with GitHub”
+#   4. That’s it — no webhook URL, no tunnel, no public server needed
 #
-# ALTERNATIVE: OAuth Callback (requires a stable public URL)
+# ALTERNATIVE: OAuth Callback
 #   Set BOSUN_GITHUB_CLIENT_ID + BOSUN_GITHUB_CLIENT_SECRET
-#   Register callback URL in App settings:
-#     https://<your-bosun-public-url>/api/github/callback
+#   Register callback URL: http://127.0.0.1:54317/github/callback
 #
-# WEBHOOKS (optional — for real-time PR/issue sync):
-#   Register webhook URL in App settings:
-#     https://<your-bosun-public-url>/api/webhooks/github/app
-#   Webhooks require a stable public URL. Without them, Bosun polls instead.
+# NOTE on webhooks:
+#   Real-time GitHub events (PR comments, issue mentions) are received via
+#   VirtEngine’s relay server and forwarded to your Bosun instance.
+#   Until the relay is live, Bosun polls the GitHub API every few minutes instead.
+#   Users do NOT need to configure a webhook URL or run any tunnel.
 #
 # Leave BOSUN_GITHUB_APP_ID unset to disable co-author trailer injection.
-# BOSUN_GITHUB_APP_ID=
+# (App ID and Client ID are already filled in above — no need to set them again.)
 
 # ─── Kanban Backend ──────────────────────────────────────────────────────────
 # Task-board backend:

package/config-doctor.mjs

@@ -340,6 +340,27 @@ export function runConfigDoctor(options = {}) {
     }
   }
 
+  if (backend === "jira") {
+    const missing = [];
+    if (!effective.JIRA_BASE_URL) missing.push("JIRA_BASE_URL");
+    if (!effective.JIRA_EMAIL) missing.push("JIRA_EMAIL");
+    if (!effective.JIRA_API_TOKEN) missing.push("JIRA_API_TOKEN");
+    const hasProjectKey = Boolean(
+      effective.JIRA_PROJECT_KEY || effective.KANBAN_PROJECT_ID,
+    );
+    if (!hasProjectKey) {
+      missing.push("JIRA_PROJECT_KEY (or KANBAN_PROJECT_ID)");
+    }
+    if (missing.length > 0) {
+      issues.errors.push({
+        code: "JIRA_BACKEND_REQUIRED",
+        message: `KANBAN_BACKEND=jira is missing required config: ${missing.join(", ")}`,
+        fix:
+          "Set required JIRA_* variables (and project key), or switch KANBAN_BACKEND=internal.",
+      });
+    }
+  }
+
   const vkNeeded = backend === "vk" || mode === "vk" || mode === "hybrid";
   if (vkNeeded) {
     const vkBaseUrl = effective.VK_BASE_URL || "";

package/config.mjs

@@ -162,6 +162,80 @@ function loadDotEnvFile(envPath, options = {}) {
   }
 }
 
+function readEnvValueFromFile(envPath, key) {
+  if (!envPath || !existsSync(envPath)) return undefined;
+  const lines = readFileSync(envPath, "utf8").split("\n");
+  let found;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const parsedKey = trimmed.slice(0, eqIdx).trim();
+    if (parsedKey !== key) continue;
+    let value = trimmed.slice(eqIdx + 1).trim();
+    if (
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"))
+    ) {
+      value = value.slice(1, -1);
+    }
+    found = value;
+  }
+  return found;
+}
+
+function resolveKanbanBackendSource({ envPaths = [], configFilePath, configData }) {
+  const key = "KANBAN_BACKEND";
+  let source = "default";
+  let sourcePath = null;
+
+  if (process.env[key] != null && String(process.env[key]).trim() !== "") {
+    let envFileMatch = null;
+    for (const envPath of envPaths) {
+      const value = readEnvValueFromFile(envPath, key);
+      if (value != null && String(value).trim() !== "") {
+        envFileMatch = envPath;
+      }
+    }
+    if (envFileMatch) {
+      source = "env-file";
+      sourcePath = envFileMatch;
+    } else {
+      source = "process-env";
+    }
+  } else if (configData?.kanban?.backend != null) {
+    source = "config-file";
+    sourcePath = configFilePath || null;
+  }
+
+  return Object.freeze({
+    key,
+    rawValue:
+      process.env[key] || configData?.kanban?.backend || "internal",
+    source,
+    sourcePath,
+  });
+}
+
+function validateKanbanBackendConfig({ kanbanBackend, kanban, jira }) {
+  if (kanbanBackend !== "jira") return;
+  const missing = [];
+  if (!jira?.baseUrl) missing.push("JIRA_BASE_URL");
+  if (!jira?.email) missing.push("JIRA_EMAIL");
+  if (!jira?.apiToken) missing.push("JIRA_API_TOKEN");
+  const hasProjectKey = Boolean(jira?.projectKey || kanban?.projectId);
+  if (!hasProjectKey) {
+    missing.push("JIRA_PROJECT_KEY (or KANBAN_PROJECT_ID)");
+  }
+  if (missing.length > 0) {
+    throw new Error(
+      `[config] KANBAN_BACKEND=jira requires ${missing.join(", ")}. ` +
+        `Either configure Jira credentials/project key or switch KANBAN_BACKEND=internal.`,
+    );
+  }
+}
+
 function loadConfigFile(configDir) {
   for (const name of CONFIG_FILES) {
     const p = resolve(configDir, name);
@@ -1147,6 +1221,11 @@ export function loadConfig(argv = process.argv, options = {}) {
     resolve(configDir, ".env"),
     resolve(repoRoot, ".env"),
   ].filter((p, i, arr) => arr.indexOf(p) === i);
+  const kanbanSource = resolveKanbanBackendSource({
+    envPaths,
+    configFilePath: configFile.path,
+    configData,
+  });
 
   // ── Project identity ─────────────────────────────────────
   const projectName =
@@ -1461,6 +1540,7 @@ export function loadConfig(argv = process.argv, options = {}) {
         "",
     }),
   });
+  validateKanbanBackendConfig({ kanbanBackend, kanban, jira });
 
   const internalExecutorConfig = configData.internalExecutor || {};
   const projectRequirements = {
@@ -1900,6 +1980,7 @@ export function loadConfig(argv = process.argv, options = {}) {
     internalExecutor,
     executorMode: internalExecutor.mode,
     kanban,
+    kanbanSource,
     githubProjectSync,
     jira,
     projectRequirements,

package/copilot-shell.mjs

@@ -13,6 +13,7 @@ import { resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { execSync } from "node:child_process";
 import { resolveRepoRoot } from "./repo-root.mjs";
+import { getGitHubToken } from "./github-auth-manager.mjs";
 
 const __dirname = resolve(fileURLToPath(new URL(".", import.meta.url)));
 
@@ -318,32 +319,39 @@ async function loadCopilotSdk() {
 
 /**
  * Detect GitHub token from multiple sources (auth passthrough).
- * Priority: ENV > gh CLI > undefined (SDK will use default auth).
+ * Priority: Copilot-specific ENV > github-auth-manager (OAuth/App/gh-CLI/env) > undefined
  */
-function detectGitHubToken() {
-  // 1. Direct token env vars (highest priority)
-  const envToken =
-    process.env.COPILOT_CLI_TOKEN ||
-    process.env.GITHUB_TOKEN ||
-    process.env.GH_TOKEN ||
-    process.env.GITHUB_PAT;
-  if (envToken) {
-    console.log("[copilot-shell] using token from environment");
-    return envToken;
-  }
-
-  // 2. Try to read from gh CLI auth
+async function detectGitHubToken() {
+  // 1. Copilot-specific token env var (highest priority, no round-trips)
+  const copilotEnvToken = process.env.COPILOT_CLI_TOKEN || process.env.GITHUB_PAT;
+  if (copilotEnvToken) {
+    console.log("[copilot-shell] using Copilot token from environment");
+    return copilotEnvToken;
+  }
+
+  // 2. Use unified auth manager (OAuth > App installation > gh CLI > GITHUB_TOKEN/GH_TOKEN)
+  try {
+    const { token, type } = await getGitHubToken().catch(() => ({
+      token: process.env.GITHUB_TOKEN || process.env.GH_TOKEN || "",
+      type: "env",
+    }));
+    if (token) {
+      console.log(`[copilot-shell] using token from auth manager (${type})`);
+      return token;
+    }
+  } catch {
+    // fall through
+  }
+
+  // 3. gh CLI is authenticated — SDK will use it automatically
   try {
     execSync("gh auth status", { stdio: "pipe", encoding: "utf8" });
-    console.log("[copilot-shell] detected gh CLI authentication");
-    // gh CLI is authenticated - SDK will use it automatically
+    console.log("[copilot-shell] gh CLI is authenticated — using SDK default auth");
     return undefined;
   } catch {
     // gh not authenticated or not installed
   }
 
-  // 3. VS Code auth detection could be added here
-  // For now, return undefined to let SDK use default auth flow
   console.log("[copilot-shell] no pre-auth detected, using SDK default auth");
   return undefined;
 }
@@ -383,7 +391,7 @@ async function ensureClientStarted() {
     process.env.GITHUB_COPILOT_CLI_PATH ||
     undefined;
   const cliUrl = process.env.COPILOT_CLI_URL || undefined;
-  const token = detectGitHubToken();
+  const token = await detectGitHubToken();
   const transport = resolveCopilotTransport();
 
   // Session mode: "local" (default) uses stdio for full model access + MCP + sub-agents.