git-workspace-service 0.1.0

package/dist/index.cjs

@@ -0,0 +1,2425 @@
+'use strict';
+
+var crypto = require('crypto');
+var child_process = require('child_process');
+var util = require('util');
+var fs3 = require('fs/promises');
+var path = require('path');
+var fs = require('fs');
+var os = require('os');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
+var fs3__namespace = /*#__PURE__*/_interopNamespace(fs3);
+var path__namespace = /*#__PURE__*/_interopNamespace(path);
+var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
+var os__namespace = /*#__PURE__*/_interopNamespace(os);
+
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/utils/branch-naming.ts
+var DEFAULT_BRANCH_PREFIX = "parallax";
+var DEFAULT_OPTIONS = {
+  maxSlugLength: 30,
+  prefix: DEFAULT_BRANCH_PREFIX
+};
+function generateBranchName(config, options) {
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  const role = sanitizeForBranch(config.role);
+  const slug = config.slug ? sanitizeForBranch(config.slug, opts.maxSlugLength) : "";
+  const parts = [opts.prefix, config.executionId, role];
+  if (slug) {
+    parts[2] = `${role}-${slug}`;
+  }
+  return parts.join("/");
+}
+function parseBranchName(branchName, options) {
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  if (!branchName.startsWith(`${opts.prefix}/`)) {
+    return null;
+  }
+  const parts = branchName.split("/");
+  if (parts.length < 3) {
+    return null;
+  }
+  const [, executionId, roleAndSlug] = parts;
+  const dashIndex = roleAndSlug.indexOf("-");
+  if (dashIndex === -1) {
+    return { executionId, role: roleAndSlug };
+  }
+  return {
+    executionId,
+    role: roleAndSlug.substring(0, dashIndex),
+    slug: roleAndSlug.substring(dashIndex + 1)
+  };
+}
+function isManagedBranch(branchName, options) {
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  return branchName.startsWith(`${opts.prefix}/`);
+}
+function filterBranchesByExecution(branches, executionId, options) {
+  const opts = { ...DEFAULT_OPTIONS, ...options };
+  const prefix = `${opts.prefix}/${executionId}/`;
+  return branches.filter((b) => b.startsWith(prefix));
+}
+function createBranchInfo(config, options) {
+  return {
+    name: generateBranchName(config, options),
+    executionId: config.executionId,
+    baseBranch: config.baseBranch,
+    createdAt: /* @__PURE__ */ new Date()
+  };
+}
+function sanitizeForBranch(input, maxLength) {
+  let result = input.toLowerCase().replace(/[\s_]+/g, "-").replace(/[^a-z0-9-]/g, "").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  if (maxLength && result.length > maxLength) {
+    result = result.substring(0, maxLength).replace(/-$/, "");
+  }
+  return result;
+}
+function generateSlug(description, maxLength = 30) {
+  const words = description.toLowerCase().replace(/[^a-z0-9\s]/g, "").split(/\s+/).filter((w) => w.length > 2).filter((w) => !STOP_WORDS.has(w)).slice(0, 4);
+  return sanitizeForBranch(words.join("-"), maxLength);
+}
+var STOP_WORDS = /* @__PURE__ */ new Set([
+  "the",
+  "and",
+  "for",
+  "with",
+  "this",
+  "that",
+  "from",
+  "have",
+  "has",
+  "will",
+  "would",
+  "could",
+  "should",
+  "been",
+  "being",
+  "into",
+  "than",
+  "then",
+  "when",
+  "where",
+  "which",
+  "while",
+  "about",
+  "after",
+  "before"
+]);
+function createNodeCredentialHelperScript(contextFilePath) {
+  return `#!/usr/bin/env node
+const fs = require('fs');
+const readline = require('readline');
+
+const contextFile = '${contextFilePath}';
+
+async function main() {
+  // Parse input from git
+  const rl = readline.createInterface({ input: process.stdin });
+  const request = {};
+
+  for await (const line of rl) {
+    if (!line.trim()) break;
+    const [key, value] = line.split('=');
+    if (key && value !== undefined) {
+      request[key.trim()] = value.trim();
+    }
+  }
+
+  // Read context file
+  try {
+    const context = JSON.parse(fs.readFileSync(contextFile, 'utf8'));
+
+    // Check expiration
+    if (new Date(context.expiresAt) < new Date()) {
+      console.error('Credential expired');
+      process.exit(1);
+    }
+
+    // Output credentials
+    console.log('username=x-access-token');
+    console.log('password=' + context.token);
+    console.log('');
+  } catch (error) {
+    console.error('Failed to read credentials:', error.message);
+    process.exit(1);
+  }
+}
+
+main();
+`;
+}
+function createShellCredentialHelperScript(contextFilePath) {
+  return `#!/bin/sh
+# Git Credential Helper
+# Reads credentials from: ${contextFilePath}
+
+# Read the context file
+if [ ! -f "${contextFilePath}" ]; then
+  echo "Credential context file not found" >&2
+  exit 1
+fi
+
+# Parse JSON and extract token (using basic shell tools)
+TOKEN=$(cat "${contextFilePath}" | grep -o '"token":"[^"]*"' | cut -d'"' -f4)
+EXPIRES=$(cat "${contextFilePath}" | grep -o '"expiresAt":"[^"]*"' | cut -d'"' -f4)
+
+# Check if we got a token
+if [ -z "$TOKEN" ]; then
+  echo "No token found in credential context" >&2
+  exit 1
+fi
+
+# Output credentials in git credential format
+echo "username=x-access-token"
+echo "password=$TOKEN"
+echo ""
+`;
+}
+async function configureCredentialHelper(workspacePath, context) {
+  const helperDir = path__namespace.join(workspacePath, ".git-workspace");
+  await fs__namespace.promises.mkdir(helperDir, { recursive: true });
+  const contextFilePath = path__namespace.join(helperDir, "credential-context.json");
+  await fs__namespace.promises.writeFile(
+    contextFilePath,
+    JSON.stringify(context, null, 2),
+    { mode: 384 }
+    // Read/write only for owner
+  );
+  const helperScriptPath = path__namespace.join(helperDir, "git-credential-helper");
+  const helperScript = createShellCredentialHelperScript(contextFilePath);
+  await fs__namespace.promises.writeFile(helperScriptPath, helperScript, { mode: 448 });
+  return helperScriptPath;
+}
+async function updateCredentials(workspacePath, newToken, newExpiresAt) {
+  const contextFilePath = path__namespace.join(workspacePath, ".git-workspace", "credential-context.json");
+  const existingContent = await fs__namespace.promises.readFile(contextFilePath, "utf8");
+  const context = JSON.parse(existingContent);
+  context.token = newToken;
+  context.expiresAt = newExpiresAt;
+  await fs__namespace.promises.writeFile(
+    contextFilePath,
+    JSON.stringify(context, null, 2),
+    { mode: 384 }
+  );
+}
+async function cleanupCredentialFiles(workspacePath) {
+  const helperDir = path__namespace.join(workspacePath, ".git-workspace");
+  try {
+    await fs__namespace.promises.rm(helperDir, { recursive: true, force: true });
+  } catch {
+  }
+}
+function getGitCredentialConfig(helperScriptPath) {
+  return [
+    // Clear any existing helpers
+    `git config credential.helper ''`,
+    // Use our custom helper script
+    `git config --add credential.helper '!${helperScriptPath}'`,
+    // Disable interactive prompts
+    `git config credential.interactive false`
+  ];
+}
+function outputCredentials(username, password) {
+  console.log(`username=${username}`);
+  console.log(`password=${password}`);
+  console.log("");
+}
+
+// src/workspace-service.ts
+var execAsync = util.promisify(child_process.exec);
+var WorkspaceService = class {
+  workspaces = /* @__PURE__ */ new Map();
+  baseDir;
+  branchPrefix;
+  credentialService;
+  logger;
+  eventHandlers = /* @__PURE__ */ new Set();
+  constructor(options) {
+    this.baseDir = options.config.baseDir;
+    this.branchPrefix = options.config.branchPrefix || "parallax";
+    this.credentialService = options.credentialService;
+    this.logger = options.logger;
+  }
+  /**
+   * Initialize the workspace service
+   */
+  async initialize() {
+    await fs3__namespace.mkdir(this.baseDir, { recursive: true });
+    this.log("info", { baseDir: this.baseDir }, "Workspace service initialized");
+  }
+  /**
+   * Register an event handler
+   */
+  onEvent(handler) {
+    this.eventHandlers.add(handler);
+    return () => this.eventHandlers.delete(handler);
+  }
+  /**
+   * Provision a new workspace for a task
+   */
+  async provision(config) {
+    const workspaceId = crypto.randomUUID();
+    this.log(
+      "info",
+      {
+        workspaceId,
+        repo: config.repo,
+        executionId: config.execution.id,
+        role: config.task.role
+      },
+      "Provisioning workspace"
+    );
+    await this.emitEvent({
+      type: "workspace:provisioning",
+      workspaceId,
+      executionId: config.execution.id,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+    const workspacePath = path__namespace.join(this.baseDir, workspaceId);
+    await fs3__namespace.mkdir(workspacePath, { recursive: true });
+    const credential = await this.credentialService.getCredentials({
+      repo: config.repo,
+      access: "write",
+      context: {
+        executionId: config.execution.id,
+        taskId: config.task.id,
+        userId: config.user?.id,
+        reason: `Workspace for ${config.task.role} in ${config.execution.patternName}`
+      },
+      // Pass user-provided credentials if available
+      userProvided: config.userCredentials
+    });
+    await this.emitEvent({
+      type: "credential:granted",
+      workspaceId,
+      credentialId: credential.id,
+      executionId: config.execution.id,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+    const branchInfo = createBranchInfo(
+      {
+        executionId: config.execution.id,
+        role: config.task.role,
+        slug: config.task.slug,
+        baseBranch: config.baseBranch
+      },
+      { prefix: this.branchPrefix }
+    );
+    const workspace = {
+      id: workspaceId,
+      path: workspacePath,
+      repo: config.repo,
+      branch: branchInfo,
+      credential,
+      provisionedAt: /* @__PURE__ */ new Date(),
+      status: "provisioning"
+    };
+    this.workspaces.set(workspaceId, workspace);
+    try {
+      await this.cloneRepo(workspace, credential.token);
+      await this.createBranch(workspace);
+      await this.configureGit(workspace);
+      workspace.status = "ready";
+      this.workspaces.set(workspaceId, workspace);
+      this.log(
+        "info",
+        {
+          workspaceId,
+          path: workspacePath,
+          branch: branchInfo.name
+        },
+        "Workspace provisioned"
+      );
+      await this.emitEvent({
+        type: "workspace:ready",
+        workspaceId,
+        executionId: config.execution.id,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+      return workspace;
+    } catch (error) {
+      workspace.status = "error";
+      this.workspaces.set(workspaceId, workspace);
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      this.log("error", { workspaceId, error: errorMessage }, "Failed to provision workspace");
+      await this.emitEvent({
+        type: "workspace:error",
+        workspaceId,
+        executionId: config.execution.id,
+        timestamp: /* @__PURE__ */ new Date(),
+        error: errorMessage
+      });
+      throw error;
+    }
+  }
+  /**
+   * Finalize a workspace (push, create PR, cleanup)
+   */
+  async finalize(workspaceId, options) {
+    const workspace = this.workspaces.get(workspaceId);
+    if (!workspace) {
+      throw new Error(`Workspace not found: ${workspaceId}`);
+    }
+    workspace.status = "finalizing";
+    this.workspaces.set(workspaceId, workspace);
+    this.log(
+      "info",
+      {
+        workspaceId,
+        push: options.push,
+        createPr: options.createPr
+      },
+      "Finalizing workspace"
+    );
+    await this.emitEvent({
+      type: "workspace:finalizing",
+      workspaceId,
+      executionId: workspace.branch.executionId,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+    let pr;
+    try {
+      if (options.push) {
+        await this.pushBranch(workspace);
+      }
+      if (options.createPr && options.pr) {
+        pr = await this.createPullRequest(workspace, options.pr);
+        workspace.branch.pullRequest = pr;
+        await this.emitEvent({
+          type: "pr:created",
+          workspaceId,
+          executionId: workspace.branch.executionId,
+          timestamp: /* @__PURE__ */ new Date(),
+          data: {
+            prNumber: pr.number,
+            prUrl: pr.url
+          }
+        });
+      }
+      if (options.cleanup) {
+        await this.cleanup(workspaceId);
+      } else {
+        workspace.status = "ready";
+        this.workspaces.set(workspaceId, workspace);
+      }
+      return pr;
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      this.log("error", { workspaceId, error: errorMessage }, "Failed to finalize workspace");
+      throw error;
+    }
+  }
+  /**
+   * Get a workspace by ID
+   */
+  get(workspaceId) {
+    return this.workspaces.get(workspaceId) || null;
+  }
+  /**
+   * Get all workspaces for an execution
+   */
+  getForExecution(executionId) {
+    return Array.from(this.workspaces.values()).filter(
+      (w) => w.branch.executionId === executionId
+    );
+  }
+  /**
+   * Clean up a workspace
+   */
+  async cleanup(workspaceId) {
+    const workspace = this.workspaces.get(workspaceId);
+    if (!workspace) {
+      return;
+    }
+    this.log("info", { workspaceId }, "Cleaning up workspace");
+    try {
+      await cleanupCredentialFiles(workspace.path);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      this.log("warn", { workspaceId, error: errorMessage }, "Failed to clean up credential files");
+    }
+    await this.credentialService.revokeCredential(workspace.credential.id);
+    await this.emitEvent({
+      type: "credential:revoked",
+      workspaceId,
+      credentialId: workspace.credential.id,
+      executionId: workspace.branch.executionId,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+    try {
+      await fs3__namespace.rm(workspace.path, { recursive: true, force: true });
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      this.log("warn", { workspaceId, error: errorMessage }, "Failed to remove workspace directory");
+    }
+    workspace.status = "cleaned_up";
+    this.workspaces.set(workspaceId, workspace);
+    await this.emitEvent({
+      type: "workspace:cleaned_up",
+      workspaceId,
+      executionId: workspace.branch.executionId,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+  }
+  /**
+   * Clean up all workspaces for an execution
+   */
+  async cleanupForExecution(executionId) {
+    const workspaces = this.getForExecution(executionId);
+    await Promise.all(workspaces.map((w) => this.cleanup(w.id)));
+    await this.credentialService.revokeForExecution(executionId);
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Private Methods
+  // ─────────────────────────────────────────────────────────────
+  async cloneRepo(workspace, token) {
+    const cloneUrl = token ? this.buildAuthenticatedUrl(workspace.repo, token) : workspace.repo;
+    await this.execInDir(
+      workspace.path,
+      `git clone --depth 1 --branch ${workspace.branch.baseBranch} ${cloneUrl} .`
+    );
+  }
+  async createBranch(workspace) {
+    await this.execInDir(workspace.path, `git checkout -b ${workspace.branch.name}`);
+  }
+  async configureGit(workspace) {
+    await this.execInDir(workspace.path, 'git config user.name "Workspace Agent"');
+    await this.execInDir(workspace.path, 'git config user.email "agent@workspace.local"');
+    if (!workspace.credential.token) {
+      this.log(
+        "debug",
+        { workspaceId: workspace.id },
+        "Using SSH authentication, skipping credential helper"
+      );
+      return;
+    }
+    const credentialContext = {
+      workspaceId: workspace.id,
+      executionId: workspace.branch.executionId,
+      repo: workspace.repo,
+      token: workspace.credential.token,
+      expiresAt: workspace.credential.expiresAt.toISOString()
+    };
+    const helperScriptPath = await configureCredentialHelper(
+      workspace.path,
+      credentialContext
+    );
+    const configCommands = getGitCredentialConfig(helperScriptPath);
+    for (const cmd of configCommands) {
+      await this.execInDir(workspace.path, cmd);
+    }
+    this.log(
+      "debug",
+      { workspaceId: workspace.id, helperPath: helperScriptPath },
+      "Git credential helper configured"
+    );
+  }
+  async pushBranch(workspace) {
+    await this.execInDir(workspace.path, `git push -u origin ${workspace.branch.name}`);
+  }
+  async createPullRequest(workspace, config) {
+    const repoInfo = this.parseRepo(workspace.repo);
+    if (!repoInfo) {
+      throw new Error(`Invalid repository format: ${workspace.repo}`);
+    }
+    const provider = this.credentialService.getProvider(workspace.credential.provider);
+    if (!provider) {
+      throw new Error(`Provider not configured: ${workspace.credential.provider}`);
+    }
+    const pr = await provider.createPullRequest({
+      repo: workspace.repo,
+      sourceBranch: workspace.branch.name,
+      targetBranch: config.targetBranch,
+      title: config.title,
+      body: config.body,
+      draft: config.draft,
+      labels: config.labels,
+      reviewers: config.reviewers,
+      credential: workspace.credential
+    });
+    pr.executionId = workspace.branch.executionId;
+    this.log(
+      "info",
+      {
+        workspaceId: workspace.id,
+        prNumber: pr.number,
+        prUrl: pr.url
+      },
+      "Pull request created"
+    );
+    return pr;
+  }
+  parseRepo(repo) {
+    const patterns = [/github\.com[/:]([^/]+)\/([^/.]+)/, /^([^/]+)\/([^/]+)$/];
+    for (const pattern of patterns) {
+      const match = repo.match(pattern);
+      if (match) {
+        return { owner: match[1], repo: match[2].replace(/\.git$/, "") };
+      }
+    }
+    return null;
+  }
+  buildAuthenticatedUrl(repo, token) {
+    let url = repo;
+    if (url.startsWith("git@github.com:")) {
+      url = url.replace("git@github.com:", "https://github.com/");
+    }
+    if (!url.endsWith(".git")) {
+      url = `${url}.git`;
+    }
+    if (!url.startsWith("https://")) {
+      url = `https://${url}`;
+    }
+    url = url.replace("https://", `https://x-access-token:${token}@`);
+    return url;
+  }
+  async execInDir(dir, command) {
+    const safeCommand = command.replace(/x-access-token:[^@]+@/g, "x-access-token:***@");
+    this.log("debug", { dir, command: safeCommand }, "Executing git command");
+    const { stdout, stderr } = await execAsync(command, { cwd: dir });
+    if (stderr && !stderr.includes("Cloning into")) {
+      this.log("debug", { stderr: stderr.substring(0, 200) }, "Git stderr");
+    }
+    return stdout;
+  }
+  log(level, data, message) {
+    if (this.logger) {
+      this.logger[level](data, message);
+    }
+  }
+  async emitEvent(event) {
+    for (const handler of this.eventHandlers) {
+      try {
+        await handler(event);
+      } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        this.log("warn", { event: event.type, error: errorMessage }, "Event handler error");
+      }
+    }
+  }
+};
+
+// src/oauth/device-flow.ts
+var GITHUB_DEVICE_CODE_URL = "https://github.com/login/device/code";
+var GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token";
+var ERROR_AUTHORIZATION_PENDING = "authorization_pending";
+var ERROR_SLOW_DOWN = "slow_down";
+var ERROR_EXPIRED_TOKEN = "expired_token";
+var ERROR_ACCESS_DENIED = "access_denied";
+var OAuthDeviceFlow = class {
+  clientId;
+  clientSecret;
+  provider;
+  permissions;
+  promptEmitter;
+  timeout;
+  logger;
+  constructor(config, logger) {
+    this.clientId = config.clientId;
+    this.clientSecret = config.clientSecret;
+    this.provider = config.provider || "github";
+    this.permissions = config.permissions || {
+      repositories: { type: "all" },
+      contents: "write",
+      pullRequests: "write",
+      issues: "write",
+      metadata: "read",
+      canDeleteBranch: true,
+      canForcePush: false,
+      canDeleteRepository: false,
+      canAdminister: false
+    };
+    this.promptEmitter = config.promptEmitter;
+    this.timeout = config.timeout || 900;
+    this.logger = logger;
+  }
+  /**
+   * Start the device code flow and wait for authorization
+   */
+  async authorize() {
+    this.log("info", {}, "Starting OAuth device code flow");
+    const deviceCode = await this.requestDeviceCode();
+    const prompt = {
+      provider: this.provider,
+      verificationUri: deviceCode.verificationUri,
+      userCode: deviceCode.userCode,
+      expiresIn: deviceCode.expiresIn,
+      requestedPermissions: this.permissions
+    };
+    if (this.promptEmitter) {
+      this.promptEmitter.onAuthRequired(prompt);
+    } else {
+      this.printAuthPrompt(prompt);
+    }
+    try {
+      const token = await this.pollForToken(deviceCode);
+      const result = {
+        success: true,
+        provider: this.provider
+      };
+      if (this.promptEmitter) {
+        this.promptEmitter.onAuthComplete(result);
+      }
+      this.log("info", {}, "OAuth authorization successful");
+      return token;
+    } catch (error) {
+      const result = {
+        success: false,
+        provider: this.provider,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      if (this.promptEmitter) {
+        this.promptEmitter.onAuthComplete(result);
+      }
+      throw error;
+    }
+  }
+  /**
+   * Request a device code from GitHub
+   */
+  async requestDeviceCode() {
+    const scope = this.permissionsToScopes(this.permissions);
+    this.log("debug", { scope }, "Requesting device code");
+    const response = await fetch(GITHUB_DEVICE_CODE_URL, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        client_id: this.clientId,
+        scope
+      })
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`Failed to request device code: ${response.status} ${text}`);
+    }
+    const data = await response.json();
+    return {
+      deviceCode: data.device_code,
+      userCode: data.user_code,
+      verificationUri: data.verification_uri,
+      verificationUriComplete: data.verification_uri_complete,
+      expiresIn: data.expires_in,
+      interval: data.interval || 5
+    };
+  }
+  /**
+   * Poll for the access token until authorized or timeout
+   */
+  async pollForToken(deviceCode) {
+    const startTime = Date.now();
+    let interval = deviceCode.interval * 1e3;
+    const expiresAt = startTime + deviceCode.expiresIn * 1e3;
+    while (Date.now() < expiresAt) {
+      if (Date.now() - startTime > this.timeout * 1e3) {
+        throw new Error("OAuth flow timed out");
+      }
+      await this.sleep(interval);
+      const secondsRemaining = Math.ceil((expiresAt - Date.now()) / 1e3);
+      if (this.promptEmitter?.onAuthPending) {
+        this.promptEmitter.onAuthPending(secondsRemaining);
+      }
+      try {
+        const token = await this.exchangeDeviceCode(deviceCode.deviceCode);
+        return token;
+      } catch (error) {
+        if (error instanceof DeviceFlowError) {
+          switch (error.code) {
+            case ERROR_AUTHORIZATION_PENDING:
+              this.log("debug", {}, "Authorization pending, continuing to poll");
+              continue;
+            case ERROR_SLOW_DOWN:
+              interval += 5e3;
+              this.log("debug", { interval }, "Slowing down polling");
+              continue;
+            case ERROR_EXPIRED_TOKEN:
+              throw new Error("Device code expired. Please try again.");
+            case ERROR_ACCESS_DENIED:
+              throw new Error("User denied authorization");
+            default:
+              throw error;
+          }
+        }
+        throw error;
+      }
+    }
+    throw new Error("Device code expired");
+  }
+  /**
+   * Exchange device code for access token
+   */
+  async exchangeDeviceCode(deviceCode) {
+    const body = {
+      client_id: this.clientId,
+      device_code: deviceCode,
+      grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+    };
+    if (this.clientSecret) {
+      body.client_secret = this.clientSecret;
+    }
+    const response = await fetch(GITHUB_TOKEN_URL, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+    const data = await response.json();
+    if (data.error) {
+      throw new DeviceFlowError(data.error, data.error_description);
+    }
+    const scopes = (data.scope || "").split(/[,\s]+/).filter(Boolean);
+    return {
+      accessToken: data.access_token,
+      tokenType: data.token_type || "bearer",
+      scopes,
+      expiresAt: data.expires_in ? new Date(Date.now() + data.expires_in * 1e3) : void 0,
+      refreshToken: data.refresh_token,
+      provider: this.provider,
+      permissions: this.permissions,
+      createdAt: /* @__PURE__ */ new Date()
+    };
+  }
+  /**
+   * Refresh an expired token
+   */
+  async refreshToken(refreshTokenValue) {
+    this.log("info", {}, "Refreshing OAuth token");
+    const body = {
+      client_id: this.clientId,
+      grant_type: "refresh_token",
+      refresh_token: refreshTokenValue
+    };
+    if (this.clientSecret) {
+      body.client_secret = this.clientSecret;
+    }
+    const response = await fetch(GITHUB_TOKEN_URL, {
+      method: "POST",
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+    if (!response.ok) {
+      const text = await response.text();
+      throw new Error(`Failed to refresh token: ${response.status} ${text}`);
+    }
+    const data = await response.json();
+    if (data.error) {
+      throw new Error(`Token refresh failed: ${data.error_description || data.error}`);
+    }
+    const scopes = (data.scope || "").split(/[,\s]+/).filter(Boolean);
+    return {
+      accessToken: data.access_token,
+      tokenType: data.token_type || "bearer",
+      scopes,
+      expiresAt: data.expires_in ? new Date(Date.now() + data.expires_in * 1e3) : void 0,
+      refreshToken: data.refresh_token || refreshTokenValue,
+      provider: this.provider,
+      permissions: this.permissions,
+      createdAt: /* @__PURE__ */ new Date()
+    };
+  }
+  /**
+   * Convert AgentPermissions to GitHub OAuth scopes
+   */
+  permissionsToScopes(permissions) {
+    const scopes = [];
+    if (permissions.contents === "write") {
+      scopes.push("repo");
+    } else if (permissions.contents === "read") {
+      scopes.push("public_repo");
+    }
+    if (permissions.pullRequests !== "none" && !scopes.includes("repo")) {
+      scopes.push("public_repo");
+    }
+    scopes.push("read:user");
+    return scopes.join(" ");
+  }
+  /**
+   * Print auth prompt to console (default behavior)
+   */
+  printAuthPrompt(prompt) {
+    console.log("\n\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
+    console.log("\u2502       GitHub Authorization Required            \u2502");
+    console.log("\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524");
+    console.log(`\u2502  1. Go to: ${prompt.verificationUri.padEnd(35)}\u2502`);
+    console.log(`\u2502  2. Enter code: ${prompt.userCode.padEnd(29)}\u2502`);
+    console.log("\u251C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524");
+    console.log(`\u2502  \u23F3 Waiting for authorization...               \u2502`);
+    console.log(`\u2502  Code expires in ${prompt.expiresIn} seconds${" ".repeat(18)}\u2502`);
+    console.log("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n");
+  }
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+  log(level, data, message) {
+    if (this.logger) {
+      this.logger[level](data, message);
+    }
+  }
+};
+var DeviceFlowError = class extends Error {
+  constructor(code, description) {
+    super(description || code);
+    this.code = code;
+    this.description = description;
+    this.name = "DeviceFlowError";
+  }
+};
+var TokenStore = class {
+  /**
+   * Check if a token is expired
+   */
+  isExpired(token) {
+    if (!token.expiresAt) {
+      return false;
+    }
+    const buffer = 5 * 60 * 1e3;
+    return Date.now() > token.expiresAt.getTime() - buffer;
+  }
+  /**
+   * Check if a token needs refresh (expired or close to expiry)
+   */
+  needsRefresh(token) {
+    if (!token.expiresAt) {
+      return false;
+    }
+    const buffer = 10 * 60 * 1e3;
+    return Date.now() > token.expiresAt.getTime() - buffer;
+  }
+};
+var MemoryTokenStore = class extends TokenStore {
+  tokens = /* @__PURE__ */ new Map();
+  async save(provider, token) {
+    this.tokens.set(provider, token);
+  }
+  async get(provider) {
+    return this.tokens.get(provider) || null;
+  }
+  async clear(provider) {
+    if (provider) {
+      this.tokens.delete(provider);
+    } else {
+      this.tokens.clear();
+    }
+  }
+  async list() {
+    return Array.from(this.tokens.keys());
+  }
+};
+var FileTokenStore = class extends TokenStore {
+  directory;
+  encryptionKey;
+  constructor(options = {}) {
+    super();
+    this.directory = options.directory || path__namespace.join(os__namespace.homedir(), ".parallax", "tokens");
+    if (options.encryptionKey) {
+      this.encryptionKey = crypto__namespace.createHash("sha256").update(options.encryptionKey).digest();
+    }
+  }
+  async save(provider, token) {
+    await this.ensureDirectory();
+    const filePath = this.getTokenPath(provider);
+    const serialized = JSON.stringify({
+      ...token,
+      expiresAt: token.expiresAt?.toISOString(),
+      createdAt: token.createdAt.toISOString()
+    });
+    const data = this.encryptionKey ? this.encrypt(serialized) : serialized;
+    await fs3__namespace.writeFile(filePath, data, "utf-8");
+  }
+  async get(provider) {
+    const filePath = this.getTokenPath(provider);
+    try {
+      const data = await fs3__namespace.readFile(filePath, "utf-8");
+      const serialized = this.encryptionKey ? this.decrypt(data) : data;
+      const parsed = JSON.parse(serialized);
+      return {
+        ...parsed,
+        expiresAt: parsed.expiresAt ? new Date(parsed.expiresAt) : void 0,
+        createdAt: new Date(parsed.createdAt)
+      };
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async clear(provider) {
+    if (provider) {
+      const filePath = this.getTokenPath(provider);
+      try {
+        await fs3__namespace.unlink(filePath);
+      } catch (error) {
+        if (error.code !== "ENOENT") {
+          throw error;
+        }
+      }
+    } else {
+      try {
+        const files = await fs3__namespace.readdir(this.directory);
+        await Promise.all(
+          files.filter((f) => f.endsWith(".token")).map((f) => fs3__namespace.unlink(path__namespace.join(this.directory, f)))
+        );
+      } catch (error) {
+        if (error.code !== "ENOENT") {
+          throw error;
+        }
+      }
+    }
+  }
+  async list() {
+    try {
+      const files = await fs3__namespace.readdir(this.directory);
+      return files.filter((f) => f.endsWith(".token")).map((f) => f.replace(".token", ""));
+    } catch {
+      return [];
+    }
+  }
+  getTokenPath(provider) {
+    return path__namespace.join(this.directory, `${provider}.token`);
+  }
+  async ensureDirectory() {
+    await fs3__namespace.mkdir(this.directory, { recursive: true, mode: 448 });
+  }
+  encrypt(data) {
+    if (!this.encryptionKey) {
+      return data;
+    }
+    const iv = crypto__namespace.randomBytes(16);
+    const cipher = crypto__namespace.createCipheriv("aes-256-cbc", this.encryptionKey, iv);
+    let encrypted = cipher.update(data, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    return iv.toString("hex") + ":" + encrypted;
+  }
+  decrypt(data) {
+    if (!this.encryptionKey) {
+      return data;
+    }
+    const [ivHex, encrypted] = data.split(":");
+    const iv = Buffer.from(ivHex, "hex");
+    const decipher = crypto__namespace.createDecipheriv("aes-256-cbc", this.encryptionKey, iv);
+    let decrypted = decipher.update(encrypted, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  }
+};
+
+// src/credential-service.ts
+var CredentialService = class {
+  grants = /* @__PURE__ */ new Map();
+  defaultTtl;
+  maxTtl;
+  providers;
+  grantStore;
+  tokenStore;
+  oauthConfig;
+  logger;
+  constructor(options = {}) {
+    this.defaultTtl = options.defaultTtlSeconds || 3600;
+    this.maxTtl = options.maxTtlSeconds || 3600;
+    this.providers = options.providers || /* @__PURE__ */ new Map();
+    this.grantStore = options.grantStore;
+    this.tokenStore = options.tokenStore || new MemoryTokenStore();
+    this.oauthConfig = options.oauth;
+    this.logger = options.logger;
+  }
+  /**
+   * Get the token store (for external access to cached tokens)
+   */
+  getTokenStore() {
+    return this.tokenStore;
+  }
+  /**
+   * Register a provider adapter
+   */
+  registerProvider(provider) {
+    this.providers.set(provider.name, provider);
+    this.log("info", { provider: provider.name }, "Provider registered");
+  }
+  /**
+   * Get a provider adapter
+   */
+  getProvider(name) {
+    return this.providers.get(name);
+  }
+  /**
+   * Request credentials for a repository
+   */
+  async getCredentials(request) {
+    const provider = this.detectProvider(request.repo);
+    this.log(
+      "info",
+      {
+        repo: request.repo,
+        provider,
+        access: request.access,
+        executionId: request.context.executionId
+      },
+      "Credential request"
+    );
+    const ttlSeconds = Math.min(
+      request.ttlSeconds || this.defaultTtl,
+      this.maxTtl
+    );
+    let credential = null;
+    if (request.userProvided) {
+      credential = this.createUserProvidedCredential(request, ttlSeconds, provider);
+      this.log(
+        "info",
+        { repo: request.repo, type: request.userProvided.type },
+        "Using user-provided credentials"
+      );
+    }
+    if (!credential) {
+      credential = await this.getCachedOAuthCredential(provider, request, ttlSeconds);
+    }
+    if (!credential) {
+      const providerAdapter = this.providers.get(provider);
+      if (providerAdapter) {
+        try {
+          credential = await providerAdapter.getCredentials(request);
+        } catch (error) {
+          this.log(
+            "warn",
+            { repo: request.repo, provider, error },
+            "Failed to get provider credentials"
+          );
+        }
+      }
+    }
+    if (!credential && this.oauthConfig) {
+      credential = await this.getOAuthCredentialViaDeviceFlow(provider, request, ttlSeconds);
+    }
+    if (!credential) {
+      throw new Error(
+        `No credentials available for repository: ${request.repo}. ` + (this.oauthConfig ? "OAuth device flow failed or was cancelled." : "Configure OAuth to enable interactive authentication.")
+      );
+    }
+    const grant = {
+      id: credential.id,
+      type: credential.type,
+      repo: request.repo,
+      provider,
+      grantedTo: {
+        executionId: request.context.executionId,
+        taskId: request.context.taskId,
+        agentId: request.context.agentId
+      },
+      permissions: credential.permissions,
+      createdAt: /* @__PURE__ */ new Date(),
+      expiresAt: credential.expiresAt
+    };
+    this.grants.set(grant.id, grant);
+    if (this.grantStore) {
+      try {
+        await this.grantStore.create({
+          ...grant,
+          reason: request.context.reason
+        });
+      } catch (error) {
+        this.log(
+          "warn",
+          { grantId: grant.id, error },
+          "Failed to persist credential grant"
+        );
+      }
+    }
+    this.log(
+      "info",
+      {
+        grantId: grant.id,
+        repo: request.repo,
+        expiresAt: credential.expiresAt,
+        persisted: !!this.grantStore
+      },
+      "Credential granted"
+    );
+    return credential;
+  }
+  /**
+   * Revoke a credential grant
+   */
+  async revokeCredential(grantId) {
+    const grant = this.grants.get(grantId);
+    if (!grant) {
+      if (this.grantStore) {
+        try {
+          await this.grantStore.revoke(grantId);
+        } catch (error) {
+          this.log("warn", { grantId, error }, "Failed to revoke credential in store");
+        }
+      }
+      return;
+    }
+    grant.revokedAt = /* @__PURE__ */ new Date();
+    this.grants.set(grantId, grant);
+    const provider = this.providers.get(grant.provider);
+    if (provider) {
+      try {
+        await provider.revokeCredential(grantId);
+      } catch (error) {
+        this.log("warn", { grantId, error }, "Failed to revoke credential via provider");
+      }
+    }
+    if (this.grantStore) {
+      try {
+        await this.grantStore.revoke(grantId);
+      } catch (error) {
+        this.log("warn", { grantId, error }, "Failed to revoke credential in store");
+      }
+    }
+    this.log("info", { grantId }, "Credential revoked");
+  }
+  /**
+   * Revoke all credentials for an execution
+   */
+  async revokeForExecution(executionId) {
+    let count = 0;
+    for (const [id, grant] of this.grants) {
+      if (grant.grantedTo.executionId === executionId && !grant.revokedAt) {
+        grant.revokedAt = /* @__PURE__ */ new Date();
+        this.grants.set(id, grant);
+        count++;
+      }
+    }
+    if (this.grantStore) {
+      try {
+        const storeCount = await this.grantStore.revokeForExecution(executionId);
+        count = Math.max(count, storeCount);
+      } catch (error) {
+        this.log("warn", { executionId, error }, "Failed to revoke credentials in store");
+      }
+    }
+    this.log("info", { executionId, revokedCount: count }, "Credentials revoked for execution");
+    return count;
+  }
+  /**
+   * Check if a credential is valid
+   */
+  isValid(grantId) {
+    const grant = this.grants.get(grantId);
+    if (!grant) return false;
+    if (grant.revokedAt) return false;
+    if (/* @__PURE__ */ new Date() > grant.expiresAt) return false;
+    return true;
+  }
+  /**
+   * Get grant info for audit
+   */
+  async getGrant(grantId) {
+    const memoryGrant = this.grants.get(grantId);
+    if (memoryGrant) {
+      return memoryGrant;
+    }
+    if (this.grantStore) {
+      try {
+        return await this.grantStore.findById(grantId);
+      } catch (error) {
+        this.log("warn", { grantId, error }, "Failed to get grant from store");
+      }
+    }
+    return null;
+  }
+  /**
+   * List all grants for an execution
+   */
+  async getGrantsForExecution(executionId) {
+    if (this.grantStore) {
+      try {
+        return await this.grantStore.findByExecutionId(executionId);
+      } catch (error) {
+        this.log("warn", { executionId, error }, "Failed to get grants from store");
+      }
+    }
+    return Array.from(this.grants.values()).filter(
+      (g) => g.grantedTo.executionId === executionId
+    );
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Private Methods
+  // ─────────────────────────────────────────────────────────────
+  detectProvider(repo) {
+    const lowerRepo = repo.toLowerCase();
+    if (lowerRepo.includes("github.com") || lowerRepo.startsWith("github:")) {
+      return "github";
+    }
+    if (lowerRepo.includes("gitlab.com") || lowerRepo.startsWith("gitlab:")) {
+      return "gitlab";
+    }
+    if (lowerRepo.includes("bitbucket.org") || lowerRepo.startsWith("bitbucket:")) {
+      return "bitbucket";
+    }
+    if (lowerRepo.includes("dev.azure.com") || lowerRepo.includes("visualstudio.com")) {
+      return "azure_devops";
+    }
+    return "self_hosted";
+  }
+  /**
+   * Create a GitCredential from user-provided credentials (PAT or OAuth token)
+   */
+  createUserProvidedCredential(request, ttlSeconds, provider) {
+    const userCreds = request.userProvided;
+    const expiresAt = new Date(Date.now() + ttlSeconds * 1e3);
+    let credentialType;
+    let token;
+    if (userCreds.type === "ssh") {
+      credentialType = "ssh_key";
+      token = "";
+    } else {
+      credentialType = userCreds.type === "pat" ? "pat" : "oauth";
+      token = userCreds.token;
+    }
+    const permissions = request.access === "write" ? ["contents:read", "contents:write", "pull_requests:write"] : ["contents:read"];
+    return {
+      id: crypto.randomUUID(),
+      type: credentialType,
+      token,
+      repo: request.repo,
+      permissions,
+      expiresAt,
+      provider: userCreds.provider || provider
+    };
+  }
+  /**
+   * Check for a cached OAuth token and create credential from it
+   */
+  async getCachedOAuthCredential(provider, request, ttlSeconds) {
+    try {
+      const cachedToken = await this.tokenStore.get(provider);
+      if (!cachedToken) {
+        return null;
+      }
+      if (this.tokenStore.isExpired(cachedToken)) {
+        if (cachedToken.refreshToken && this.oauthConfig) {
+          const refreshedToken = await this.refreshOAuthToken(provider, cachedToken.refreshToken);
+          if (refreshedToken) {
+            return this.createOAuthCredential(refreshedToken, request, ttlSeconds);
+          }
+        }
+        this.log("info", { provider }, "Cached OAuth token expired");
+        return null;
+      }
+      if (this.tokenStore.needsRefresh(cachedToken) && cachedToken.refreshToken && this.oauthConfig) {
+        const refreshedToken = await this.refreshOAuthToken(provider, cachedToken.refreshToken);
+        if (refreshedToken) {
+          return this.createOAuthCredential(refreshedToken, request, ttlSeconds);
+        }
+      }
+      this.log("info", { provider }, "Using cached OAuth token");
+      return this.createOAuthCredential(cachedToken, request, ttlSeconds);
+    } catch (error) {
+      this.log("warn", { provider, error }, "Failed to get cached OAuth token");
+      return null;
+    }
+  }
+  /**
+   * Initiate interactive OAuth device flow
+   */
+  async getOAuthCredentialViaDeviceFlow(provider, request, ttlSeconds) {
+    if (!this.oauthConfig) {
+      return null;
+    }
+    if (provider !== "github") {
+      this.log("warn", { provider }, "OAuth device flow only supported for GitHub");
+      return null;
+    }
+    this.log("info", { repo: request.repo }, "Starting OAuth device flow for authentication");
+    try {
+      const deviceFlow = new OAuthDeviceFlow({
+        clientId: this.oauthConfig.clientId,
+        clientSecret: this.oauthConfig.clientSecret,
+        provider,
+        permissions: this.oauthConfig.permissions,
+        promptEmitter: this.oauthConfig.promptEmitter
+      });
+      const token = await deviceFlow.authorize();
+      await this.tokenStore.save(provider, token);
+      this.log("info", { provider }, "OAuth device flow completed successfully");
+      return this.createOAuthCredential(token, request, ttlSeconds);
+    } catch (error) {
+      this.log("error", { provider, error }, "OAuth device flow failed");
+      return null;
+    }
+  }
+  /**
+   * Refresh an OAuth token
+   */
+  async refreshOAuthToken(provider, refreshToken) {
+    if (!this.oauthConfig) {
+      return null;
+    }
+    try {
+      const deviceFlow = new OAuthDeviceFlow({
+        clientId: this.oauthConfig.clientId,
+        clientSecret: this.oauthConfig.clientSecret,
+        provider,
+        permissions: this.oauthConfig.permissions
+      });
+      const newToken = await deviceFlow.refreshToken(refreshToken);
+      await this.tokenStore.save(provider, newToken);
+      this.log("info", { provider }, "OAuth token refreshed successfully");
+      return newToken;
+    } catch (error) {
+      this.log("warn", { provider, error }, "Failed to refresh OAuth token");
+      return null;
+    }
+  }
+  /**
+   * Create a GitCredential from an OAuthToken
+   */
+  createOAuthCredential(token, request, ttlSeconds) {
+    const expiresAt = new Date(Date.now() + ttlSeconds * 1e3);
+    const permissions = [];
+    if (token.permissions.contents === "read" || token.permissions.contents === "write") {
+      permissions.push("contents:read");
+    }
+    if (token.permissions.contents === "write") {
+      permissions.push("contents:write");
+    }
+    if (token.permissions.pullRequests === "read" || token.permissions.pullRequests === "write") {
+      permissions.push("pull_requests:read");
+    }
+    if (token.permissions.pullRequests === "write") {
+      permissions.push("pull_requests:write");
+    }
+    if (token.permissions.issues === "read" || token.permissions.issues === "write") {
+      permissions.push("issues:read");
+    }
+    if (token.permissions.issues === "write") {
+      permissions.push("issues:write");
+    }
+    return {
+      id: crypto.randomUUID(),
+      type: "oauth",
+      token: token.accessToken,
+      repo: request.repo,
+      permissions,
+      expiresAt,
+      provider: token.provider
+    };
+  }
+  log(level, data, message) {
+    if (this.logger) {
+      this.logger[level](data, message);
+    }
+  }
+};
+var octokitCache = null;
+function loadOctokit() {
+  if (!octokitCache) {
+    try {
+      const { Octokit } = __require("@octokit/rest");
+      const { createAppAuth } = __require("@octokit/auth-app");
+      octokitCache = { Octokit, createAppAuth };
+    } catch {
+      throw new Error(
+        "@octokit/rest and @octokit/auth-app are required for GitHub provider. Install them with: npm install @octokit/rest @octokit/auth-app"
+      );
+    }
+  }
+  return octokitCache;
+}
+var GitHubProvider = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+  }
+  name = "github";
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  appOctokit;
+  installations = /* @__PURE__ */ new Map();
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  installationOctokits = /* @__PURE__ */ new Map();
+  initialized = false;
+  /**
+   * Initialize provider - fetch all installations
+   */
+  async initialize() {
+    if (this.initialized) {
+      return;
+    }
+    const { Octokit, createAppAuth } = loadOctokit();
+    this.log("info", {}, "Initializing GitHub provider");
+    this.appOctokit = new Octokit({
+      authStrategy: createAppAuth,
+      auth: {
+        appId: this.config.appId,
+        privateKey: this.config.privateKey
+      },
+      baseUrl: this.config.baseUrl
+    });
+    try {
+      const { data: installations } = await this.appOctokit.apps.listInstallations();
+      for (const installation of installations) {
+        await this.registerInstallation(installation.id);
+      }
+      this.initialized = true;
+      this.log(
+        "info",
+        { installationCount: installations.length },
+        "GitHub provider initialized"
+      );
+    } catch (error) {
+      this.log("error", { error }, "Failed to initialize GitHub provider");
+      throw error;
+    }
+  }
+  /**
+   * Register an installation (called on webhook or init)
+   */
+  async registerInstallation(installationId) {
+    if (!this.appOctokit) {
+      await this.initialize();
+    }
+    try {
+      const { data: installation } = await this.appOctokit.apps.getInstallation({
+        installation_id: installationId
+      });
+      const octokit = await this.getInstallationOctokit(installationId);
+      const { data: repos } = await octokit.apps.listReposAccessibleToInstallation({
+        per_page: 100
+      });
+      const account = installation.account;
+      const accountLogin = account?.login || account?.slug || "unknown";
+      const accountType = account?.type === "Organization" ? "Organization" : "User";
+      const appInstallation = {
+        installationId,
+        accountLogin,
+        accountType,
+        repositories: repos.repositories?.map((r) => r.full_name) || [],
+        permissions: installation.permissions
+      };
+      this.installations.set(appInstallation.accountLogin, appInstallation);
+      this.log(
+        "info",
+        {
+          installationId,
+          account: appInstallation.accountLogin,
+          repoCount: appInstallation.repositories.length
+        },
+        "Installation registered"
+      );
+      return appInstallation;
+    } catch (error) {
+      this.log("error", { installationId, error }, "Failed to register installation");
+      throw error;
+    }
+  }
+  /**
+   * Get installation for a repository
+   */
+  getInstallationForRepo(owner, repo) {
+    const installation = this.installations.get(owner);
+    if (!installation) {
+      return null;
+    }
+    const fullName = `${owner}/${repo}`;
+    if (!installation.repositories.includes(fullName)) {
+      return null;
+    }
+    return installation;
+  }
+  /**
+   * Get credentials for a repository (implements GitProviderAdapter)
+   */
+  async getCredentials(request) {
+    const repoInfo = this.parseRepo(request.repo);
+    if (!repoInfo) {
+      throw new Error(`Invalid repository format: ${request.repo}`);
+    }
+    return this.getCredentialsForRepo(
+      repoInfo.owner,
+      repoInfo.repo,
+      request.access,
+      request.ttlSeconds
+    );
+  }
+  /**
+   * Get credentials for a repository by owner/repo
+   */
+  async getCredentialsForRepo(owner, repo, access, ttlSeconds = 3600) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const { createAppAuth } = loadOctokit();
+    const auth = createAppAuth({
+      appId: this.config.appId,
+      privateKey: this.config.privateKey
+    });
+    const { token, expiresAt } = await auth({
+      type: "installation",
+      installationId: installation.installationId,
+      repositoryNames: [repo],
+      permissions: access === "write" ? { contents: "write", pull_requests: "write", metadata: "read" } : { contents: "read", metadata: "read" }
+    });
+    return {
+      id: crypto.randomUUID(),
+      type: "github_app",
+      token,
+      repo: `${owner}/${repo}`,
+      permissions: access === "write" ? ["contents:write", "pull_requests:write", "metadata:read"] : ["contents:read", "metadata:read"],
+      expiresAt: expiresAt ? new Date(expiresAt) : new Date(Date.now() + ttlSeconds * 1e3),
+      provider: "github"
+    };
+  }
+  /**
+   * Revoke a credential (no-op for GitHub App tokens - they expire automatically)
+   */
+  async revokeCredential(_credentialId) {
+  }
+  /**
+   * Create a pull request (implements GitProviderAdapter)
+   */
+  async createPullRequest(options) {
+    const repoInfo = this.parseRepo(options.repo);
+    if (!repoInfo) {
+      throw new Error(`Invalid repository format: ${options.repo}`);
+    }
+    return this.createPullRequestForRepo(repoInfo.owner, repoInfo.repo, {
+      title: options.title,
+      body: options.body,
+      head: options.sourceBranch,
+      base: options.targetBranch,
+      draft: options.draft,
+      labels: options.labels,
+      reviewers: options.reviewers
+    });
+  }
+  /**
+   * Create a pull request by owner/repo
+   */
+  async createPullRequestForRepo(owner, repo, options) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: pr } = await octokit.pulls.create({
+      owner,
+      repo,
+      title: options.title,
+      body: options.body,
+      head: options.head,
+      base: options.base,
+      draft: options.draft
+    });
+    if (options.labels && options.labels.length > 0) {
+      await octokit.issues.addLabels({
+        owner,
+        repo,
+        issue_number: pr.number,
+        labels: options.labels
+      });
+    }
+    if (options.reviewers && options.reviewers.length > 0) {
+      await octokit.pulls.requestReviewers({
+        owner,
+        repo,
+        pull_number: pr.number,
+        reviewers: options.reviewers
+      });
+    }
+    this.log(
+      "info",
+      { owner, repo, prNumber: pr.number, title: options.title },
+      "Pull request created"
+    );
+    return {
+      number: pr.number,
+      url: pr.html_url,
+      state: pr.state,
+      sourceBranch: options.head,
+      targetBranch: options.base,
+      title: options.title,
+      executionId: "",
+      // Set by caller
+      createdAt: new Date(pr.created_at)
+    };
+  }
+  /**
+   * Check if a branch exists (implements GitProviderAdapter)
+   */
+  async branchExists(repo, branch, _credential) {
+    const repoInfo = this.parseRepo(repo);
+    if (!repoInfo) {
+      return false;
+    }
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(repoInfo.owner, repoInfo.repo);
+    if (!installation) {
+      return false;
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    try {
+      await octokit.repos.getBranch({
+        owner: repoInfo.owner,
+        repo: repoInfo.repo,
+        branch
+      });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get the default branch for a repository (implements GitProviderAdapter)
+   */
+  async getDefaultBranch(repo, _credential) {
+    const repoInfo = this.parseRepo(repo);
+    if (!repoInfo) {
+      throw new Error(`Invalid repository format: ${repo}`);
+    }
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(repoInfo.owner, repoInfo.repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: repoData } = await octokit.repos.get({
+      owner: repoInfo.owner,
+      repo: repoInfo.repo
+    });
+    return repoData.default_branch;
+  }
+  /**
+   * Get pull request status
+   */
+  async getPullRequest(owner, repo, prNumber) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: pr } = await octokit.pulls.get({
+      owner,
+      repo,
+      pull_number: prNumber
+    });
+    return {
+      number: pr.number,
+      url: pr.html_url,
+      state: pr.merged ? "merged" : pr.state,
+      sourceBranch: pr.head.ref,
+      targetBranch: pr.base.ref,
+      title: pr.title,
+      executionId: "",
+      // Would need to parse from branch name
+      createdAt: new Date(pr.created_at),
+      mergedAt: pr.merged_at ? new Date(pr.merged_at) : void 0
+    };
+  }
+  /**
+   * Delete a branch
+   */
+  async deleteBranch(owner, repo, branch) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    await octokit.git.deleteRef({
+      owner,
+      repo,
+      ref: `heads/${branch}`
+    });
+    this.log("info", { owner, repo, branch }, "Branch deleted");
+  }
+  /**
+   * List all managed branches for a repo
+   */
+  async listManagedBranches(owner, repo, prefix = "parallax/") {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const branches = [];
+    let page = 1;
+    while (true) {
+      const { data } = await octokit.repos.listBranches({
+        owner,
+        repo,
+        per_page: 100,
+        page
+      });
+      if (data.length === 0) break;
+      for (const branch of data) {
+        if (branch.name.startsWith(prefix)) {
+          branches.push(branch.name);
+        }
+      }
+      page++;
+    }
+    return branches;
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Issue Management
+  // ─────────────────────────────────────────────────────────────
+  /**
+   * Create an issue
+   */
+  async createIssue(owner, repo, options) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: issue } = await octokit.issues.create({
+      owner,
+      repo,
+      title: options.title,
+      body: options.body,
+      labels: options.labels,
+      assignees: options.assignees,
+      milestone: options.milestone
+    });
+    this.log(
+      "info",
+      { owner, repo, issueNumber: issue.number, title: options.title },
+      "Issue created"
+    );
+    return {
+      number: issue.number,
+      url: issue.html_url,
+      state: issue.state,
+      title: issue.title,
+      body: issue.body || "",
+      labels: issue.labels.map(
+        (l) => typeof l === "string" ? l : l.name || ""
+      ),
+      assignees: issue.assignees?.map((a) => a.login) || [],
+      createdAt: new Date(issue.created_at),
+      closedAt: issue.closed_at ? new Date(issue.closed_at) : void 0
+    };
+  }
+  /**
+   * Get an issue by number
+   */
+  async getIssue(owner, repo, issueNumber) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: issue } = await octokit.issues.get({
+      owner,
+      repo,
+      issue_number: issueNumber
+    });
+    return {
+      number: issue.number,
+      url: issue.html_url,
+      state: issue.state,
+      title: issue.title,
+      body: issue.body || "",
+      labels: issue.labels.map(
+        (l) => typeof l === "string" ? l : l.name || ""
+      ),
+      assignees: issue.assignees?.map((a) => a.login) || [],
+      createdAt: new Date(issue.created_at),
+      closedAt: issue.closed_at ? new Date(issue.closed_at) : void 0
+    };
+  }
+  /**
+   * List issues with optional filters
+   */
+  async listIssues(owner, repo, options) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: issues } = await octokit.issues.listForRepo({
+      owner,
+      repo,
+      state: options?.state || "open",
+      labels: options?.labels?.join(","),
+      assignee: options?.assignee,
+      since: options?.since?.toISOString(),
+      per_page: 100
+    });
+    return issues.filter((issue) => !issue.pull_request).map((issue) => ({
+      number: issue.number,
+      url: issue.html_url,
+      state: issue.state,
+      title: issue.title,
+      body: issue.body || "",
+      labels: issue.labels.map(
+        (l) => typeof l === "string" ? l : l.name || ""
+      ),
+      assignees: issue.assignees?.map((a) => a.login) || [],
+      createdAt: new Date(issue.created_at),
+      closedAt: issue.closed_at ? new Date(issue.closed_at) : void 0
+    }));
+  }
+  /**
+   * Update an issue (labels, state, assignees, etc.)
+   */
+  async updateIssue(owner, repo, issueNumber, options) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: issue } = await octokit.issues.update({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      title: options.title,
+      body: options.body,
+      state: options.state,
+      labels: options.labels,
+      assignees: options.assignees
+    });
+    this.log(
+      "info",
+      { owner, repo, issueNumber, updates: Object.keys(options) },
+      "Issue updated"
+    );
+    return {
+      number: issue.number,
+      url: issue.html_url,
+      state: issue.state,
+      title: issue.title,
+      body: issue.body || "",
+      labels: issue.labels.map(
+        (l) => typeof l === "string" ? l : l.name || ""
+      ),
+      assignees: issue.assignees?.map((a) => a.login) || [],
+      createdAt: new Date(issue.created_at),
+      closedAt: issue.closed_at ? new Date(issue.closed_at) : void 0
+    };
+  }
+  /**
+   * Add labels to an issue
+   */
+  async addLabels(owner, repo, issueNumber, labels) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    await octokit.issues.addLabels({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      labels
+    });
+    this.log("info", { owner, repo, issueNumber, labels }, "Labels added to issue");
+  }
+  /**
+   * Remove a label from an issue
+   */
+  async removeLabel(owner, repo, issueNumber, label) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    await octokit.issues.removeLabel({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      name: label
+    });
+    this.log("info", { owner, repo, issueNumber, label }, "Label removed from issue");
+  }
+  /**
+   * Add a comment to an issue
+   */
+  async addComment(owner, repo, issueNumber, options) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: comment } = await octokit.issues.createComment({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      body: options.body
+    });
+    this.log("info", { owner, repo, issueNumber, commentId: comment.id }, "Comment added to issue");
+    return {
+      id: comment.id,
+      url: comment.html_url,
+      body: comment.body || "",
+      author: comment.user?.login || "unknown",
+      createdAt: new Date(comment.created_at)
+    };
+  }
+  /**
+   * List comments on an issue
+   */
+  async listComments(owner, repo, issueNumber) {
+    if (!this.initialized) {
+      await this.initialize();
+    }
+    const installation = this.getInstallationForRepo(owner, repo);
+    if (!installation) {
+      throw new Error(`No GitHub App installation found for ${owner}/${repo}`);
+    }
+    const octokit = await this.getInstallationOctokit(installation.installationId);
+    const { data: comments } = await octokit.issues.listComments({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      per_page: 100
+    });
+    return comments.map((comment) => ({
+      id: comment.id,
+      url: comment.html_url,
+      body: comment.body || "",
+      author: comment.user?.login || "unknown",
+      createdAt: new Date(comment.created_at)
+    }));
+  }
+  /**
+   * Close an issue
+   */
+  async closeIssue(owner, repo, issueNumber) {
+    return this.updateIssue(owner, repo, issueNumber, { state: "closed" });
+  }
+  /**
+   * Reopen an issue
+   */
+  async reopenIssue(owner, repo, issueNumber) {
+    return this.updateIssue(owner, repo, issueNumber, { state: "open" });
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Private Methods
+  // ─────────────────────────────────────────────────────────────
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  async getInstallationOctokit(installationId) {
+    if (!this.installationOctokits.has(installationId)) {
+      const { Octokit, createAppAuth } = loadOctokit();
+      const octokit = new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+          appId: this.config.appId,
+          privateKey: this.config.privateKey,
+          installationId
+        },
+        baseUrl: this.config.baseUrl
+      });
+      this.installationOctokits.set(installationId, octokit);
+    }
+    return this.installationOctokits.get(installationId);
+  }
+  parseRepo(repo) {
+    const patterns = [
+      /github\.com[/:]([^/]+)\/([^/.]+)/,
+      /^([^/]+)\/([^/]+)$/
+    ];
+    for (const pattern of patterns) {
+      const match = repo.match(pattern);
+      if (match) {
+        return { owner: match[1], repo: match[2].replace(/\.git$/, "") };
+      }
+    }
+    return null;
+  }
+  log(level, data, message) {
+    if (this.logger) {
+      this.logger[level](data, message);
+    }
+  }
+};
+
+// src/providers/github-pat-client.ts
+var OctokitClass = null;
+function loadOctokit2() {
+  if (!OctokitClass) {
+    try {
+      const { Octokit } = __require("@octokit/rest");
+      OctokitClass = Octokit;
+    } catch {
+      throw new Error(
+        "@octokit/rest is required for GitHubPatClient. Install it with: npm install @octokit/rest"
+      );
+    }
+  }
+  return OctokitClass;
+}
+var GitHubPatClient = class {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  octokit;
+  logger;
+  constructor(options, logger) {
+    this.logger = logger;
+    const Octokit = loadOctokit2();
+    this.octokit = new Octokit({
+      auth: options.token,
+      baseUrl: options.baseUrl
+    });
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Pull Requests
+  // ─────────────────────────────────────────────────────────────
+  /**
+   * Create a pull request
+   */
+  async createPullRequest(owner, repo, options) {
+    const { data: pr } = await this.octokit.pulls.create({
+      owner,
+      repo,
+      title: options.title,
+      body: options.body,
+      head: options.head,
+      base: options.base,
+      draft: options.draft
+    });
+    if (options.labels && options.labels.length > 0) {
+      await this.octokit.issues.addLabels({
+        owner,
+        repo,
+        issue_number: pr.number,
+        labels: options.labels
+      });
+    }
+    if (options.reviewers && options.reviewers.length > 0) {
+      await this.octokit.pulls.requestReviewers({
+        owner,
+        repo,
+        pull_number: pr.number,
+        reviewers: options.reviewers
+      });
+    }
+    this.log("info", { owner, repo, prNumber: pr.number }, "Pull request created");
+    return {
+      number: pr.number,
+      url: pr.html_url,
+      state: pr.state,
+      sourceBranch: options.head,
+      targetBranch: options.base,
+      title: options.title,
+      executionId: "",
+      createdAt: new Date(pr.created_at)
+    };
+  }
+  /**
+   * Get a pull request
+   */
+  async getPullRequest(owner, repo, prNumber) {
+    const { data: pr } = await this.octokit.pulls.get({
+      owner,
+      repo,
+      pull_number: prNumber
+    });
+    return {
+      number: pr.number,
+      url: pr.html_url,
+      state: pr.merged ? "merged" : pr.state,
+      sourceBranch: pr.head.ref,
+      targetBranch: pr.base.ref,
+      title: pr.title,
+      executionId: "",
+      createdAt: new Date(pr.created_at),
+      mergedAt: pr.merged_at ? new Date(pr.merged_at) : void 0
+    };
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Issues
+  // ─────────────────────────────────────────────────────────────
+  /**
+   * Create an issue
+   */
+  async createIssue(owner, repo, options) {
+    const { data: issue } = await this.octokit.issues.create({
+      owner,
+      repo,
+      title: options.title,
+      body: options.body,
+      labels: options.labels,
+      assignees: options.assignees,
+      milestone: options.milestone
+    });
+    this.log("info", { owner, repo, issueNumber: issue.number }, "Issue created");
+    return this.mapIssue(issue);
+  }
+  /**
+   * Get an issue
+   */
+  async getIssue(owner, repo, issueNumber) {
+    const { data: issue } = await this.octokit.issues.get({
+      owner,
+      repo,
+      issue_number: issueNumber
+    });
+    return this.mapIssue(issue);
+  }
+  /**
+   * List issues
+   */
+  async listIssues(owner, repo, options) {
+    const { data: issues } = await this.octokit.issues.listForRepo({
+      owner,
+      repo,
+      state: options?.state || "open",
+      labels: options?.labels?.join(","),
+      assignee: options?.assignee,
+      per_page: 100
+    });
+    return issues.filter((issue) => !issue.pull_request).map((issue) => this.mapIssue(issue));
+  }
+  /**
+   * Update an issue
+   */
+  async updateIssue(owner, repo, issueNumber, options) {
+    const { data: issue } = await this.octokit.issues.update({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      ...options
+    });
+    this.log("info", { owner, repo, issueNumber }, "Issue updated");
+    return this.mapIssue(issue);
+  }
+  /**
+   * Add labels to an issue
+   */
+  async addLabels(owner, repo, issueNumber, labels) {
+    await this.octokit.issues.addLabels({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      labels
+    });
+    this.log("info", { owner, repo, issueNumber, labels }, "Labels added");
+  }
+  /**
+   * Remove a label from an issue
+   */
+  async removeLabel(owner, repo, issueNumber, label) {
+    await this.octokit.issues.removeLabel({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      name: label
+    });
+    this.log("info", { owner, repo, issueNumber, label }, "Label removed");
+  }
+  /**
+   * Add a comment to an issue or PR
+   */
+  async addComment(owner, repo, issueNumber, options) {
+    const { data: comment } = await this.octokit.issues.createComment({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      body: options.body
+    });
+    this.log("info", { owner, repo, issueNumber, commentId: comment.id }, "Comment added");
+    return {
+      id: comment.id,
+      url: comment.html_url,
+      body: comment.body || "",
+      author: comment.user?.login || "unknown",
+      createdAt: new Date(comment.created_at)
+    };
+  }
+  /**
+   * List comments on an issue or PR
+   */
+  async listComments(owner, repo, issueNumber) {
+    const { data: comments } = await this.octokit.issues.listComments({
+      owner,
+      repo,
+      issue_number: issueNumber,
+      per_page: 100
+    });
+    return comments.map((comment) => ({
+      id: comment.id,
+      url: comment.html_url,
+      body: comment.body || "",
+      author: comment.user?.login || "unknown",
+      createdAt: new Date(comment.created_at)
+    }));
+  }
+  /**
+   * Close an issue
+   */
+  async closeIssue(owner, repo, issueNumber) {
+    return this.updateIssue(owner, repo, issueNumber, { state: "closed" });
+  }
+  /**
+   * Reopen an issue
+   */
+  async reopenIssue(owner, repo, issueNumber) {
+    return this.updateIssue(owner, repo, issueNumber, { state: "open" });
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Branches
+  // ─────────────────────────────────────────────────────────────
+  /**
+   * Delete a branch
+   */
+  async deleteBranch(owner, repo, branch) {
+    await this.octokit.git.deleteRef({
+      owner,
+      repo,
+      ref: `heads/${branch}`
+    });
+    this.log("info", { owner, repo, branch }, "Branch deleted");
+  }
+  /**
+   * Check if a branch exists
+   */
+  async branchExists(owner, repo, branch) {
+    try {
+      await this.octokit.repos.getBranch({ owner, repo, branch });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Private Methods
+  // ─────────────────────────────────────────────────────────────
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  mapIssue(issue) {
+    return {
+      number: issue.number,
+      url: issue.html_url,
+      state: issue.state,
+      title: issue.title,
+      body: issue.body || "",
+      labels: issue.labels.map(
+        (l) => typeof l === "string" ? l : l.name || ""
+      ),
+      assignees: issue.assignees?.map((a) => a.login) || [],
+      createdAt: new Date(issue.created_at),
+      closedAt: issue.closed_at ? new Date(issue.closed_at) : void 0
+    };
+  }
+  log(level, data, message) {
+    if (this.logger) {
+      this.logger[level](data, message);
+    }
+  }
+};
+
+// src/types.ts
+var DEFAULT_AGENT_PERMISSIONS = {
+  repositories: { type: "selected", repos: [] },
+  contents: "write",
+  pullRequests: "write",
+  issues: "write",
+  metadata: "read",
+  canDeleteBranch: true,
+  // Needed for cleanup
+  canForcePush: false,
+  canDeleteRepository: false,
+  canAdminister: false
+};
+var READONLY_AGENT_PERMISSIONS = {
+  repositories: { type: "selected", repos: [] },
+  contents: "read",
+  pullRequests: "read",
+  issues: "read",
+  metadata: "read",
+  canDeleteBranch: false,
+  canForcePush: false,
+  canDeleteRepository: false,
+  canAdminister: false
+};
+
+exports.CredentialService = CredentialService;
+exports.DEFAULT_AGENT_PERMISSIONS = DEFAULT_AGENT_PERMISSIONS;
+exports.DEFAULT_BRANCH_PREFIX = DEFAULT_BRANCH_PREFIX;
+exports.FileTokenStore = FileTokenStore;
+exports.GitHubPatClient = GitHubPatClient;
+exports.GitHubProvider = GitHubProvider;
+exports.MemoryTokenStore = MemoryTokenStore;
+exports.OAuthDeviceFlow = OAuthDeviceFlow;
+exports.READONLY_AGENT_PERMISSIONS = READONLY_AGENT_PERMISSIONS;
+exports.TokenStore = TokenStore;
+exports.WorkspaceService = WorkspaceService;
+exports.cleanupCredentialFiles = cleanupCredentialFiles;
+exports.configureCredentialHelper = configureCredentialHelper;
+exports.createBranchInfo = createBranchInfo;
+exports.createNodeCredentialHelperScript = createNodeCredentialHelperScript;
+exports.createShellCredentialHelperScript = createShellCredentialHelperScript;
+exports.filterBranchesByExecution = filterBranchesByExecution;
+exports.generateBranchName = generateBranchName;
+exports.generateSlug = generateSlug;
+exports.getGitCredentialConfig = getGitCredentialConfig;
+exports.isManagedBranch = isManagedBranch;
+exports.outputCredentials = outputCredentials;
+exports.parseBranchName = parseBranchName;
+exports.updateCredentials = updateCredentials;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map