clawdex-mobile 5.1.3-internal.1 → 5.1.3-internal.2

package/README.md

@@ -70,7 +70,7 @@ Notes:
 - Browser preview uses a second forwarded port (`8788` by default), so both ports need public visibility.
 - GitHub resets public forwarded ports back to private when a codespace restarts. Restarting the bridge reruns the visibility step.
 - If automatic visibility setup fails, run `gh codespace ports visibility 8787:public 8788:public`.
-- If the mobile app is built with `EXPO_PUBLIC_GITHUB_CLIENT_ID`, users can now tap `Use GitHub Codespaces` in onboarding/settings, sign in with GitHub, pick a Codespace, and connect without manually copying the bridge token.
+- If the mobile app is built with `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` and `EXPO_PUBLIC_GITHUB_APP_SLUG`, users can now tap `Use GitHub Codespaces` in onboarding/settings, sign in with GitHub, approve the Claudex GitHub App for only the repositories they want, pick a Codespace, and connect without manually copying the bridge token.
 - The app can also create a new repo-backed Codespace directly. It prefers `<signed-in-user>/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>` first. If that repo does not exist, it automatically forks `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>` into the signed-in user account, then creates the Codespace there.
 
 This repo now also includes a Codespaces bootstrap flow. On Codespace start/resume, `.devcontainer/devcontainer.json` runs:
@@ -89,7 +89,7 @@ That pre-installs Codex and prebuilds the Rust bridge binary so the later startu
 
 The published npm package now includes that bootstrap script too, so a minimal Codespaces template repo can install `clawdex-mobile@latest` in `postCreateCommand` and call the packaged bootstrap without vendoring bridge source into the template itself.
 
-In Codespaces mode, the bootstrap also enables bridge-side GitHub bearer auth for the current `CODESPACE_NAME`, so the mobile app can authenticate with the same GitHub OAuth token it used to discover and start the Codespace.
+In Codespaces mode, the bootstrap also enables bridge-side GitHub bearer auth for the current `CODESPACE_NAME`, so the mobile app can authenticate with the same GitHub App user token it used to discover and start the Codespace.
 
 ## OpenCode Setup
 

package/docs/setup-and-operations.md

@@ -63,10 +63,10 @@ Important constraints:
 - Browser preview uses the preview port (`8788` by default), so that forwarded port must also be public
 - GitHub resets public forwarded ports back to private whenever the codespace restarts
 - Keep bridge auth enabled and use Codespaces only for repos you trust, because public forwarded ports are internet-reachable
-- If the mobile app build sets `EXPO_PUBLIC_GITHUB_CLIENT_ID`, onboarding/settings can now sign in with GitHub, start the Codespace, and connect directly with the same OAuth token instead of copying `BRIDGE_AUTH_TOKEN`
-- That same in-app GitHub sign-in now also bootstraps GitHub git auth inside the Codespace so `git clone`, `git push`, GitHub HTTPS remotes, and common `git@github.com:...` SSH-style remotes can reuse the app login without extra account setup
+- If the mobile app build sets `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` and `EXPO_PUBLIC_GITHUB_APP_SLUG`, onboarding/settings can now sign in with GitHub, approve the Claudex GitHub App for only the repositories they want, start the Codespace, and connect directly with the same GitHub App user token instead of copying `BRIDGE_AUTH_TOKEN`
+- That same in-app GitHub sign-in also bootstraps GitHub git auth inside the Codespace so `git clone`, `git push`, GitHub HTTPS remotes, and common `git@github.com:...` SSH-style remotes can reuse the app login without extra account setup
 - The same in-app GitHub flow can create a new Codespace. It prefers `<signed-in-user>/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>`. If that repo does not exist yet, Clawdex automatically forks `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER/<EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME>` into the signed-in user account and creates the Codespace from that fork
-- Older saved GitHub Codespaces sessions may need one fresh sign-in from the app so the stored GitHub token includes repository access
+- Older saved GitHub Codespaces sessions may need one fresh sign-in from the app so the stored GitHub App token and refresh token are updated
 
 Manual recovery if port visibility does not update automatically:
 
@@ -271,7 +271,8 @@ npm run teardown -- --yes
 | Variable | Purpose |
 |---|---|
 | `EXPO_PUBLIC_HOST_BRIDGE_TOKEN` | token used by local mobile dev builds |
-| `EXPO_PUBLIC_GITHUB_CLIENT_ID` | GitHub OAuth app client ID for in-app Codespaces sign-in |
+| `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` | GitHub App client ID for in-app Codespaces sign-in |
+| `EXPO_PUBLIC_GITHUB_APP_SLUG` | GitHub App slug used to open install/manage-access pages for repository selection |
 | `EXPO_PUBLIC_GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` | forwarded port domain used to derive Codespaces bridge URLs (`app.github.dev` by default) |
 | `EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME` | repository name to sort matching Codespaces first in the in-app picker |
 | `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER` | template/source repository owner used for automatic forking when the signed-in user does not have a same-name repo |

package/docs/troubleshooting.md

@@ -34,7 +34,7 @@ npm run stop:services
 ## Bridge auth errors (`401`, invalid token)
 
 - For the shipped mobile app, rescan the bridge QR or update the stored token in Settings.
-- For GitHub-auth Codespaces profiles, reopen `GitHub Codespaces` in the app and sign in with GitHub again if the OAuth token was revoked or expired.
+- For GitHub-auth Codespaces profiles, reopen `GitHub Codespaces` in the app and sign in with GitHub again if the GitHub App token or refresh token was revoked or expired.
 - For a local dev build, also ensure `BRIDGE_AUTH_TOKEN` in `.env.secure` matches `EXPO_PUBLIC_HOST_BRIDGE_TOKEN` in `apps/mobile/.env`.
 - Restart the bridge after token changes.
 - On secure-launcher installs, `Settings > Bridge Maintenance > Restart bridge safely` can do that from the phone.
@@ -53,7 +53,8 @@ gh codespace ports visibility 8787:public 8788:public
 
 - If `gh` is unavailable in the codespace, use the Codespaces `Ports` panel and change both forwarded ports to `Public`.
 - Keep bridge auth enabled. Public forwarded ports without bridge auth are not a safe setup.
-- If GitHub direct sign-in is not showing in the app, confirm the build includes `EXPO_PUBLIC_GITHUB_CLIENT_ID`.
+- If GitHub direct sign-in is not showing in the app, confirm the build includes `EXPO_PUBLIC_GITHUB_APP_CLIENT_ID` and `EXPO_PUBLIC_GITHUB_APP_SLUG`.
+- If the app signs in but still cannot create a Codespace or clone/push inside it, reopen the GitHub App access step in the app and make sure the template repo and any target repos are selected for the installation.
 - If in-app Codespace creation forks or targets the wrong repo, check `EXPO_PUBLIC_GITHUB_CODESPACES_REPO_NAME`, `EXPO_PUBLIC_GITHUB_CODESPACES_SOURCE_OWNER`, and `EXPO_PUBLIC_GITHUB_CODESPACES_REPO_REF` in the mobile build env.
 
 ## GitHub Codespaces bootstrap did not start the bridge

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawdex-mobile",
-  "version": "5.1.3-internal.1",
+  "version": "5.1.3-internal.2",
   "description": "Private-network mobile bridge and CLI for Codex and OpenCode",
   "keywords": [
     "codex",

package/services/rust-bridge/Cargo.lock

@@ -149,7 +149,7 @@ dependencies = [
 
 [[package]]
 name = "codex-rust-bridge"
-version = "5.1.3-internal.1"
+version = "5.1.3-internal.2"
 dependencies = [
  "axum",
  "base64",

package/services/rust-bridge/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "codex-rust-bridge"
-version = "5.1.3-internal.1"
+version = "5.1.3-internal.2"
 edition = "2021"
 
 [dependencies]

package/services/rust-bridge/src/main.rs

@@ -392,10 +392,10 @@ async fn install_github_git_auth(
     access_token: &str,
 ) -> Result<GitHubAuthInstallResponse, BridgeError> {
     let viewer = fetch_github_viewer(state, access_token).await?;
-    if !github_scopes_allow_repo_access(&viewer.scopes) {
+    if !github_token_can_be_used_for_git_auth(&viewer.scopes) {
         return Err(BridgeError::forbidden(
             "github_repo_scope_required",
-            "GitHub repository access is required. Sign in again from the app and approve repository access.",
+            "GitHub repository access is required. Sign in again from the app and approve the required repository access.",
         ));
     }
 
@@ -485,6 +485,10 @@ fn github_scopes_allow_repo_access(scopes: &[String]) -> bool {
         .any(|scope| scope == "repo" || scope == "public_repo")
 }
 
+fn github_token_can_be_used_for_git_auth(scopes: &[String]) -> bool {
+    scopes.is_empty() || github_scopes_allow_repo_access(scopes)
+}
+
 fn resolve_github_credentials_file_path() -> Result<PathBuf, BridgeError> {
     let home = read_non_empty_env("HOME")
         .ok_or_else(|| BridgeError::server("HOME is not set; cannot install GitHub auth"))?;
@@ -7326,7 +7330,27 @@ fn bridge_chatgpt_auth_cache() -> &'static StdRwLock<Option<BridgeChatGptAuthBun
     CACHE.get_or_init(|| StdRwLock::new(None))
 }
 
+#[cfg(test)]
+fn bridge_chatgpt_auth_cache_path_override() -> &'static StdRwLock<Option<PathBuf>> {
+    static OVERRIDE: OnceLock<StdRwLock<Option<PathBuf>>> = OnceLock::new();
+    OVERRIDE.get_or_init(|| StdRwLock::new(None))
+}
+
+#[cfg(test)]
+fn set_bridge_chatgpt_auth_cache_path_override(path: Option<PathBuf>) {
+    if let Ok(mut guard) = bridge_chatgpt_auth_cache_path_override().write() {
+        *guard = path;
+    }
+}
+
 fn resolve_bridge_chatgpt_auth_cache_path() -> Option<PathBuf> {
+    #[cfg(test)]
+    if let Ok(guard) = bridge_chatgpt_auth_cache_path_override().read() {
+        if let Some(path) = guard.clone() {
+            return Some(path);
+        }
+    }
+
     let workdir = read_non_empty_env("BRIDGE_WORKDIR").map(PathBuf::from)?;
     Some(workdir.join(BRIDGE_CHATGPT_AUTH_CACHE_FILE_NAME))
 }
@@ -11859,6 +11883,51 @@ fn normalize_path(path: &Path) -> PathBuf {
 mod tests {
     use super::*;
 
+    fn bridge_chatgpt_auth_test_lock() -> &'static std::sync::Mutex<()> {
+        static LOCK: OnceLock<std::sync::Mutex<()>> = OnceLock::new();
+        LOCK.get_or_init(|| std::sync::Mutex::new(()))
+    }
+
+    struct TestBridgeChatGptAuthCacheScope {
+        _guard: std::sync::MutexGuard<'static, ()>,
+        temp_dir: PathBuf,
+    }
+
+    impl TestBridgeChatGptAuthCacheScope {
+        fn new() -> Self {
+            let guard = bridge_chatgpt_auth_test_lock()
+                .lock()
+                .unwrap_or_else(|poisoned| poisoned.into_inner());
+            clear_cached_bridge_chatgpt_auth();
+
+            let nonce = SystemTime::now()
+                .duration_since(SystemTime::UNIX_EPOCH)
+                .expect("valid time")
+                .as_nanos();
+            let temp_dir = env::temp_dir().join(format!(
+                "clawdex-bridge-chatgpt-auth-test-{}-{nonce}",
+                std::process::id()
+            ));
+            std::fs::create_dir_all(&temp_dir).expect("create auth cache test dir");
+            set_bridge_chatgpt_auth_cache_path_override(Some(
+                temp_dir.join(BRIDGE_CHATGPT_AUTH_CACHE_FILE_NAME),
+            ));
+
+            Self {
+                _guard: guard,
+                temp_dir,
+            }
+        }
+    }
+
+    impl Drop for TestBridgeChatGptAuthCacheScope {
+        fn drop(&mut self) {
+            clear_cached_bridge_chatgpt_auth();
+            set_bridge_chatgpt_auth_cache_path_override(None);
+            let _ = std::fs::remove_dir_all(&self.temp_dir);
+        }
+    }
+
     async fn build_test_bridge(hub: Arc<ClientHub>) -> Arc<AppServerBridge> {
         let mut child = Command::new("cat")
             .stdin(Stdio::piped())
@@ -13859,6 +13928,7 @@ mod tests {
 
     #[tokio::test]
     async fn successful_chatgpt_auth_token_login_populates_bridge_auth_cache() {
+        let _auth_cache_scope = TestBridgeChatGptAuthCacheScope::new();
         clear_cached_bridge_chatgpt_auth();
 
         let hub = Arc::new(ClientHub::new());
@@ -13906,6 +13976,7 @@ mod tests {
 
     #[tokio::test]
     async fn successful_account_logout_clears_cached_bridge_chatgpt_auth() {
+        let _auth_cache_scope = TestBridgeChatGptAuthCacheScope::new();
         clear_cached_bridge_chatgpt_auth();
         cache_bridge_chatgpt_auth(BridgeChatGptAuthBundle {
             access_token: "cached-before-logout".to_string(),
@@ -14370,4 +14441,14 @@ mod tests {
             "read:user".to_string()
         ]));
     }
+
+    #[test]
+    fn github_git_auth_accepts_github_app_user_tokens_without_scope_headers() {
+        assert!(github_token_can_be_used_for_git_auth(&[]));
+        assert!(github_token_can_be_used_for_git_auth(&["repo".to_string()]));
+        assert!(!github_token_can_be_used_for_git_auth(&[
+            "codespace".to_string(),
+            "read:user".to_string()
+        ]));
+    }
 }