clawdex-mobile 5.1.3-internal.0 → 5.1.3-internal.2

package/README.md

@@ -70,7 +70,7 @@ Notes:
 - Browser preview uses a second forwarded port (`8788` by default), so both ports need public visibility.
 - GitHub resets public forwarded ports back to private when a codespace restarts. Restarting the bridge reruns the visibility step.
 - If automatic visibility setup fails, run `gh codespace ports visibility 8787:public 8788:public`.
-- If the mobile app is built with `EXPO_PUBLIC_GITHUB_CLIENT_ID`, users can now tap `Use GitHub Codespaces` in onboarding/settings, sign in with GitHub, pick a Codespace, and connect without manually copying the bridge token.
+- If the mobile app is built with `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` and `EXPO_PUBLIC_GITHUB_APP_SLUG`, users can now tap `Use GitHub Codespaces` in onboarding/settings, sign in with GitHub, approve the Claudex GitHub App for only the repositories they want, pick a Codespace, and connect without manually copying the bridge token.
 - The app can also create a new repo-backed Codespace directly. It prefers `<signed-in-user>/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>` first. If that repo does not exist, it automatically forks `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>` into the signed-in user account, then creates the Codespace there.
 
 This repo now also includes a Codespaces bootstrap flow. On Codespace start/resume, `.devcontainer/devcontainer.json` runs:
@@ -89,7 +89,7 @@ That pre-installs Codex and prebuilds the Rust bridge binary so the later startu
 
 The published npm package now includes that bootstrap script too, so a minimal Codespaces template repo can install `clawdex-mobile@latest` in `postCreateCommand` and call the packaged bootstrap without vendoring bridge source into the template itself.
 
-In Codespaces mode, the bootstrap also enables bridge-side GitHub bearer auth for the current `CODESPACE_NAME`, so the mobile app can authenticate with the same GitHub OAuth token it used to discover and start the Codespace.
+In Codespaces mode, the bootstrap also enables bridge-side GitHub bearer auth for the current `CODESPACE_NAME`, so the mobile app can authenticate with the same GitHub App user token it used to discover and start the Codespace.
 
 ## OpenCode Setup
 

package/docs/setup-and-operations.md

@@ -63,8 +63,10 @@ Important constraints:
 - Browser preview uses the preview port (`8788` by default), so that forwarded port must also be public
 - GitHub resets public forwarded ports back to private whenever the codespace restarts
 - Keep bridge auth enabled and use Codespaces only for repos you trust, because public forwarded ports are internet-reachable
-- If the mobile app build sets `EXPO_PUBLIC_GITHUB_CLIENT_ID`, onboarding/settings can now sign in with GitHub, start the Codespace, and connect directly with the same OAuth token instead of copying `BRIDGE_AUTH_TOKEN`
+- If the mobile app build sets `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` and `EXPO_PUBLIC_GITHUB_APP_SLUG`, onboarding/settings can now sign in with GitHub, approve the Claudex GitHub App for only the repositories they want, start the Codespace, and connect directly with the same GitHub App user token instead of copying `BRIDGE_AUTH_TOKEN`
+- That same in-app GitHub sign-in also bootstraps GitHub git auth inside the Codespace so `git clone`, `git push`, GitHub HTTPS remotes, and common `git@github.com:...` SSH-style remotes can reuse the app login without extra account setup
 - The same in-app GitHub flow can create a new Codespace. It prefers `<signed-in-user>/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>`. If that repo does not exist yet, Clawdex automatically forks `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>` into the signed-in user account and creates the Codespace from that fork
+- Older saved GitHub Codespaces sessions may need one fresh sign-in from the app so the stored GitHub App token and refresh token are updated
 
 Manual recovery if port visibility does not update automatically:
 
@@ -269,7 +271,8 @@ npm run teardown -- --yes
 | Variable | Purpose |
 |---|---|
 | `EXPO_PUBLIC_HOST_BRIDGE_TOKEN` | token used by local mobile dev builds |
-| `EXPO_PUBLIC_GITHUB_CLIENT_ID` | GitHub OAuth app client ID for in-app Codespaces sign-in |
+| `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` | GitHub App client ID for in-app Codespaces sign-in |
+| `EXPO_PUBLIC_GITHUB_APP_SLUG` | GitHub App slug used to open install/manage-access pages for repository selection |
 | `EXPO_PUBLIC_GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` | forwarded port domain used to derive Codespaces bridge URLs (`app.github.dev` by default) |
 | `EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME` | repository name to sort matching Codespaces first in the in-app picker |
 | `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER` | template/source repository owner used for automatic forking when the signed-in user does not have a same-name repo |

package/docs/troubleshooting.md

@@ -34,7 +34,7 @@ npm run stop:services
 ## Bridge auth errors (`401`, invalid token)
 
 - For the shipped mobile app, rescan the bridge QR or update the stored token in Settings.
-- For GitHub-auth Codespaces profiles, reopen `GitHub Codespaces` in the app and sign in with GitHub again if the OAuth token was revoked or expired.
+- For GitHub-auth Codespaces profiles, reopen `GitHub Codespaces` in the app and sign in with GitHub again if the GitHub App token or refresh token was revoked or expired.
 - For a local dev build, also ensure `BRIDGE_AUTH_TOKEN` in `.env.secure` matches `EXPO_PUBLIC_HOST_BRIDGE_TOKEN` in `apps/mobile/.env`.
 - Restart the bridge after token changes.
 - On secure-launcher installs, `Settings > Bridge Maintenance > Restart bridge safely` can do that from the phone.
@@ -53,7 +53,8 @@ gh codespace ports visibility 8787:public 8788:public
 
 - If `gh` is unavailable in the codespace, use the Codespaces `Ports` panel and change both forwarded ports to `Public`.
 - Keep bridge auth enabled. Public forwarded ports without bridge auth are not a safe setup.
-- If GitHub direct sign-in is not showing in the app, confirm the build includes `EXPO_PUBLIC_GITHUB_CLIENT_ID`.
+- If GitHub direct sign-in is not showing in the app, confirm the build includes `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` and `EXPO_PUBLIC_GITHUB_APP_SLUG`.
+- If the app signs in but still cannot create a Codespace or clone/push inside it, reopen the GitHub App access step in the app and make sure the template repo and any target repos are selected for the installation.
 - If in-app Codespace creation forks or targets the wrong repo, check `EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME`, `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER`, and `EXPO_PUBLIC_GITHUB_CODESPACES_REPO_REF` in the mobile build env.
 
 ## GitHub Codespaces bootstrap did not start the bridge
@@ -89,6 +90,13 @@ ls -la .bridge.pid .bridge.log .env.secure
 npm run codespaces:bootstrap -- --no-start
 ```
 
+## Git push in a Codespace fails with `403` or permission denied
+
+- The app now bootstraps GitHub HTTPS git credentials inside the Codespace after GitHub sign-in.
+- If you signed in before this behavior shipped, reopen `GitHub Codespaces` in the app and sign in with GitHub once more so the saved token includes repository access.
+- The bootstrap also rewrites common `git@github.com:...` and `ssh://git@github.com/...` remotes to HTTPS so they can use the same credential.
+- After reconnecting, retry the clone/push from the app or from the Codespace shell.
+
 ## Voice transcription says no credentials were found
 
 - The bridge can transcribe with either `OPENAI_API_KEY`, `BRIDGE_CHATGPT_ACCESS_TOKEN`, or the same ChatGPT auth tokens already used for Codex login.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawdex-mobile",
-  "version": "5.1.3-internal.0",
+  "version": "5.1.3-internal.2",
   "description": "Private-network mobile bridge and CLI for Codex and OpenCode",
   "keywords": [
     "codex",

package/services/rust-bridge/Cargo.lock

@@ -149,7 +149,7 @@ dependencies = [
 
 [[package]]
 name = "codex-rust-bridge"
-version = "5.1.3-internal.0"
+version = "5.1.3-internal.2"
 dependencies = [
  "axum",
  "base64",

package/services/rust-bridge/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "codex-rust-bridge"
-version = "5.1.3-internal.0"
+version = "5.1.3-internal.2"
 edition = "2021"
 
 [dependencies]

package/services/rust-bridge/src/main.rs

@@ -1,3 +1,5 @@
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
 use std::{
     collections::{HashMap, HashSet, VecDeque},
     env,
@@ -86,6 +88,10 @@ const BROWSER_PREVIEW_HTML_REWRITE_LIMIT_BYTES: usize = 4 * 1024 * 1024;
 const BROWSER_PREVIEW_DISCOVERY_HTTP_TIMEOUT: Duration = Duration::from_millis(500);
 const GITHUB_CODESPACES_AUTH_CACHE_TTL: Duration = Duration::from_secs(60 * 5);
 const GITHUB_CODESPACES_API_VERSION: &str = "2022-11-28";
+const GITHUB_API_URL: &str = "https://api.github.com";
+const GITHUB_HOST: &str = "github.com";
+const GITHUB_CREDENTIALS_DIR_NAME: &str = ".clawdex";
+const GITHUB_CREDENTIALS_FILE_NAME: &str = "github-credentials";
 
 #[derive(Debug, Clone)]
 struct GitHubCodespacesAuthConfig {
@@ -375,6 +381,222 @@ impl GitHubCodespacesAuthService {
     }
 }
 
+#[derive(Debug, Clone)]
+struct GitHubViewer {
+    login: String,
+    scopes: Vec<String>,
+}
+
+async fn install_github_git_auth(
+    state: &Arc<AppState>,
+    access_token: &str,
+) -> Result<GitHubAuthInstallResponse, BridgeError> {
+    let viewer = fetch_github_viewer(state, access_token).await?;
+    if !github_token_can_be_used_for_git_auth(&viewer.scopes) {
+        return Err(BridgeError::forbidden(
+            "github_repo_scope_required",
+            "GitHub repository access is required. Sign in again from the app and approve the required repository access.",
+        ));
+    }
+
+    let credentials_file = resolve_github_credentials_file_path()?;
+    ensure_private_parent_dir(&credentials_file).await?;
+    write_github_credentials_file(&credentials_file, access_token).await?;
+    configure_git_credential_store(state, &credentials_file).await?;
+
+    Ok(GitHubAuthInstallResponse {
+        installed: true,
+        host: GITHUB_HOST.to_string(),
+        login: viewer.login,
+        scopes: viewer.scopes,
+        credential_file: credentials_file.to_string_lossy().to_string(),
+    })
+}
+
+async fn fetch_github_viewer(
+    state: &Arc<AppState>,
+    access_token: &str,
+) -> Result<GitHubViewer, BridgeError> {
+    let trimmed = access_token.trim();
+    if trimmed.is_empty() {
+        return Err(BridgeError::invalid_params("accessToken must not be empty"));
+    }
+
+    let api_url = state
+        .config
+        .github_codespaces_auth
+        .as_ref()
+        .map(|config| config.api_url.as_str())
+        .unwrap_or(GITHUB_API_URL);
+    let http = HttpClient::builder()
+        .user_agent("clawdex-rust-bridge")
+        .build()
+        .map_err(|error| {
+            BridgeError::server(&format!("failed to build GitHub auth client: {error}"))
+        })?;
+    let response = http
+        .get(format!("{api_url}/user"))
+        .header("accept", "application/vnd.github+json")
+        .header("x-github-api-version", GITHUB_CODESPACES_API_VERSION)
+        .bearer_auth(trimmed)
+        .send()
+        .await
+        .map_err(|error| BridgeError::server(&format!("GitHub auth check failed: {error}")))?;
+
+    if !response.status().is_success() {
+        let status = response.status();
+        let body = response.text().await.unwrap_or_default();
+        let message = if let Ok(value) = serde_json::from_str::<Value>(&body) {
+            read_string(value.get("message"))
+                .unwrap_or_else(|| format!("GitHub auth check failed ({status})"))
+        } else {
+            format!("GitHub auth check failed ({status})")
+        };
+        return Err(BridgeError::server(&message));
+    }
+
+    let scopes = parse_github_oauth_scopes(
+        response
+            .headers()
+            .get("x-oauth-scopes")
+            .and_then(|value| value.to_str().ok()),
+    );
+    let payload = response.json::<Value>().await.map_err(|error| {
+        BridgeError::server(&format!("failed to parse GitHub user response: {error}"))
+    })?;
+    let login = read_string(payload.get("login"))
+        .ok_or_else(|| BridgeError::server("GitHub auth check returned an invalid user payload"))?;
+
+    Ok(GitHubViewer { login, scopes })
+}
+
+fn parse_github_oauth_scopes(header: Option<&str>) -> Vec<String> {
+    header
+        .unwrap_or_default()
+        .split(',')
+        .map(|value| value.trim().to_lowercase())
+        .filter(|value| !value.is_empty())
+        .collect()
+}
+
+fn github_scopes_allow_repo_access(scopes: &[String]) -> bool {
+    scopes
+        .iter()
+        .any(|scope| scope == "repo" || scope == "public_repo")
+}
+
+fn github_token_can_be_used_for_git_auth(scopes: &[String]) -> bool {
+    scopes.is_empty() || github_scopes_allow_repo_access(scopes)
+}
+
+fn resolve_github_credentials_file_path() -> Result<PathBuf, BridgeError> {
+    let home = read_non_empty_env("HOME")
+        .ok_or_else(|| BridgeError::server("HOME is not set; cannot install GitHub auth"))?;
+    Ok(PathBuf::from(home)
+        .join(GITHUB_CREDENTIALS_DIR_NAME)
+        .join(GITHUB_CREDENTIALS_FILE_NAME))
+}
+
+async fn ensure_private_parent_dir(path: &Path) -> Result<(), BridgeError> {
+    let Some(parent) = path.parent() else {
+        return Err(BridgeError::server(
+            "failed to resolve GitHub credential directory",
+        ));
+    };
+    fs::create_dir_all(parent).await.map_err(|error| {
+        BridgeError::server(&format!("failed to create GitHub auth directory: {error}"))
+    })?;
+    #[cfg(unix)]
+    {
+        fs::set_permissions(parent, std::fs::Permissions::from_mode(0o700))
+            .await
+            .map_err(|error| {
+                BridgeError::server(&format!(
+                    "failed to secure GitHub auth directory permissions: {error}"
+                ))
+            })?;
+    }
+    Ok(())
+}
+
+async fn write_github_credentials_file(
+    credentials_file: &Path,
+    access_token: &str,
+) -> Result<(), BridgeError> {
+    let content = format!(
+        "https://x-access-token:{}@{}\n",
+        access_token.trim(),
+        GITHUB_HOST
+    );
+    fs::write(credentials_file, content)
+        .await
+        .map_err(|error| {
+            BridgeError::server(&format!("failed to write GitHub credentials: {error}"))
+        })?;
+    #[cfg(unix)]
+    {
+        fs::set_permissions(credentials_file, std::fs::Permissions::from_mode(0o600))
+            .await
+            .map_err(|error| {
+                BridgeError::server(&format!(
+                    "failed to secure GitHub credential permissions: {error}"
+                ))
+            })?;
+    }
+    Ok(())
+}
+
+async fn configure_git_credential_store(
+    state: &Arc<AppState>,
+    credentials_file: &Path,
+) -> Result<(), BridgeError> {
+    let helper_value = format!("store --file {}", credentials_file.to_string_lossy());
+    let commands = vec![
+        vec![
+            "config".to_string(),
+            "--global".to_string(),
+            "--replace-all".to_string(),
+            "credential.helper".to_string(),
+            helper_value,
+        ],
+        vec![
+            "config".to_string(),
+            "--global".to_string(),
+            "--replace-all".to_string(),
+            "url.https://github.com/.insteadOf".to_string(),
+            "git@github.com:".to_string(),
+        ],
+        vec![
+            "config".to_string(),
+            "--global".to_string(),
+            "--replace-all".to_string(),
+            "url.https://github.com/.insteadOf".to_string(),
+            "ssh://git@github.com/".to_string(),
+        ],
+    ];
+
+    for args in commands {
+        let result = state
+            .terminal
+            .execute_binary("git", &args, state.config.workdir.clone(), None)
+            .await?;
+
+        if result.code != Some(0) {
+            return Err(BridgeError::server(
+                &(if !result.stderr.is_empty() {
+                    result.stderr
+                } else if !result.stdout.is_empty() {
+                    result.stdout
+                } else {
+                    "failed to configure git credentials".to_string()
+                }),
+            ));
+        }
+    }
+
+    Ok(())
+}
+
 #[derive(Clone)]
 struct AppState {
     config: Arc<BridgeConfig>,
@@ -5200,6 +5422,22 @@ struct GitQueryRequest {
     cwd: Option<String>,
 }
 
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct GitHubAuthInstallRequest {
+    access_token: String,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+struct GitHubAuthInstallResponse {
+    installed: bool,
+    host: String,
+    login: String,
+    scopes: Vec<String>,
+    credential_file: String,
+}
+
 #[derive(Debug, Clone, Default, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct GitHistoryRequest {
@@ -6556,6 +6794,13 @@ async fn handle_bridge_method(
 
             Ok(result_value)
         }
+        "bridge/github/auth/install" => {
+            let request: GitHubAuthInstallRequest =
+                serde_json::from_value(params.unwrap_or_else(|| json!({})))
+                    .map_err(|error| BridgeError::invalid_params(&error.to_string()))?;
+            let result = install_github_git_auth(state, &request.access_token).await?;
+            serde_json::to_value(result).map_err(|error| BridgeError::server(&error.to_string()))
+        }
         "bridge/attachments/upload" => {
             let request: AttachmentUploadRequest =
                 serde_json::from_value(params.unwrap_or_else(|| json!({})))
@@ -7085,7 +7330,27 @@ fn bridge_chatgpt_auth_cache() -> &'static StdRwLock<Option<BridgeChatGptAuthBun
     CACHE.get_or_init(|| StdRwLock::new(None))
 }
 
+#[cfg(test)]
+fn bridge_chatgpt_auth_cache_path_override() -> &'static StdRwLock<Option<PathBuf>> {
+    static OVERRIDE: OnceLock<StdRwLock<Option<PathBuf>>> = OnceLock::new();
+    OVERRIDE.get_or_init(|| StdRwLock::new(None))
+}
+
+#[cfg(test)]
+fn set_bridge_chatgpt_auth_cache_path_override(path: Option<PathBuf>) {
+    if let Ok(mut guard) = bridge_chatgpt_auth_cache_path_override().write() {
+        *guard = path;
+    }
+}
+
 fn resolve_bridge_chatgpt_auth_cache_path() -> Option<PathBuf> {
+    #[cfg(test)]
+    if let Ok(guard) = bridge_chatgpt_auth_cache_path_override().read() {
+        if let Some(path) = guard.clone() {
+            return Some(path);
+        }
+    }
+
     let workdir = read_non_empty_env("BRIDGE_WORKDIR").map(PathBuf::from)?;
     Some(workdir.join(BRIDGE_CHATGPT_AUTH_CACHE_FILE_NAME))
 }
@@ -11618,6 +11883,51 @@ fn normalize_path(path: &Path) -> PathBuf {
 mod tests {
     use super::*;
 
+    fn bridge_chatgpt_auth_test_lock() -> &'static std::sync::Mutex<()> {
+        static LOCK: OnceLock<std::sync::Mutex<()>> = OnceLock::new();
+        LOCK.get_or_init(|| std::sync::Mutex::new(()))
+    }
+
+    struct TestBridgeChatGptAuthCacheScope {
+        _guard: std::sync::MutexGuard<'static, ()>,
+        temp_dir: PathBuf,
+    }
+
+    impl TestBridgeChatGptAuthCacheScope {
+        fn new() -> Self {
+            let guard = bridge_chatgpt_auth_test_lock()
+                .lock()
+                .unwrap_or_else(|poisoned| poisoned.into_inner());
+            clear_cached_bridge_chatgpt_auth();
+
+            let nonce = SystemTime::now()
+                .duration_since(SystemTime::UNIX_EPOCH)
+                .expect("valid time")
+                .as_nanos();
+            let temp_dir = env::temp_dir().join(format!(
+                "clawdex-bridge-chatgpt-auth-test-{}-{nonce}",
+                std::process::id()
+            ));
+            std::fs::create_dir_all(&temp_dir).expect("create auth cache test dir");
+            set_bridge_chatgpt_auth_cache_path_override(Some(
+                temp_dir.join(BRIDGE_CHATGPT_AUTH_CACHE_FILE_NAME),
+            ));
+
+            Self {
+                _guard: guard,
+                temp_dir,
+            }
+        }
+    }
+
+    impl Drop for TestBridgeChatGptAuthCacheScope {
+        fn drop(&mut self) {
+            clear_cached_bridge_chatgpt_auth();
+            set_bridge_chatgpt_auth_cache_path_override(None);
+            let _ = std::fs::remove_dir_all(&self.temp_dir);
+        }
+    }
+
     async fn build_test_bridge(hub: Arc<ClientHub>) -> Arc<AppServerBridge> {
         let mut child = Command::new("cat")
             .stdin(Stdio::piped())
@@ -13618,6 +13928,7 @@ mod tests {
 
     #[tokio::test]
     async fn successful_chatgpt_auth_token_login_populates_bridge_auth_cache() {
+        let _auth_cache_scope = TestBridgeChatGptAuthCacheScope::new();
         clear_cached_bridge_chatgpt_auth();
 
         let hub = Arc::new(ClientHub::new());
@@ -13665,6 +13976,7 @@ mod tests {
 
     #[tokio::test]
     async fn successful_account_logout_clears_cached_bridge_chatgpt_auth() {
+        let _auth_cache_scope = TestBridgeChatGptAuthCacheScope::new();
         clear_cached_bridge_chatgpt_auth();
         cache_bridge_chatgpt_auth(BridgeChatGptAuthBundle {
             access_token: "cached-before-logout".to_string(),
@@ -14103,4 +14415,40 @@ mod tests {
 
         shutdown_test_backend(&state.backend).await;
     }
+
+    #[test]
+    fn github_oauth_scope_header_parsing_is_trimmed_and_lowercased() {
+        let scopes = parse_github_oauth_scopes(Some("codespace, repo, Read:User , public_repo"));
+        assert_eq!(
+            scopes,
+            vec![
+                "codespace".to_string(),
+                "repo".to_string(),
+                "read:user".to_string(),
+                "public_repo".to_string()
+            ]
+        );
+    }
+
+    #[test]
+    fn github_repo_scope_check_accepts_repo_and_public_repo() {
+        assert!(github_scopes_allow_repo_access(&["repo".to_string()]));
+        assert!(github_scopes_allow_repo_access(
+            &["public_repo".to_string()]
+        ));
+        assert!(!github_scopes_allow_repo_access(&[
+            "codespace".to_string(),
+            "read:user".to_string()
+        ]));
+    }
+
+    #[test]
+    fn github_git_auth_accepts_github_app_user_tokens_without_scope_headers() {
+        assert!(github_token_can_be_used_for_git_auth(&[]));
+        assert!(github_token_can_be_used_for_git_auth(&["repo".to_string()]));
+        assert!(!github_token_can_be_used_for_git_auth(&[
+            "codespace".to_string(),
+            "read:user".to_string()
+        ]));
+    }
 }