hippo-memory 1.2.0 → 1.3.0

package/dist/src/connectors/github/dlq.js

@@ -0,0 +1,181 @@
+import { openHippoDb, closeHippoDb } from '../../db.js';
+import { verifyGitHubSignature } from './signature.js';
+import { isGitHubWebhookEnvelope } from './types.js';
+export function writeToDlq(db, opts) {
+    const result = db
+        .prepare(`INSERT INTO github_dlq
+        (tenant_id, raw_payload, error, event_name, delivery_id, signature,
+         installation_id, repo_full_name, received_at, bucket)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`)
+        .run(opts.tenantId ?? '__unroutable__', opts.rawPayload, opts.error, opts.eventName ?? null, opts.deliveryId ?? null, opts.signature ?? null, opts.installationId ?? null, opts.repoFullName ?? null, new Date().toISOString(), opts.bucket ?? 'parse_error');
+    return Number(result.lastInsertRowid);
+}
+const SELECT_COLUMNS = `id, tenant_id, raw_payload, error, event_name, delivery_id,
+            signature, installation_id, repo_full_name, retry_count,
+            received_at, retried_at, bucket`;
+export function listDlq(db, opts) {
+    const rows = db
+        .prepare(`SELECT ${SELECT_COLUMNS}
+         FROM github_dlq
+        WHERE tenant_id = ?
+        ORDER BY received_at ASC
+        LIMIT ?`)
+        .all(opts.tenantId, opts.limit ?? 100);
+    return rows.map(rowToItem);
+}
+export function getDlqEntry(db, id) {
+    const row = db
+        .prepare(`SELECT ${SELECT_COLUMNS}
+         FROM github_dlq
+        WHERE id = ?`)
+        .get(id);
+    if (!row)
+        return null;
+    return rowToItem(row);
+}
+function rowToItem(r) {
+    return {
+        id: Number(r.id),
+        tenantId: String(r.tenant_id),
+        rawPayload: String(r.raw_payload),
+        error: String(r.error),
+        eventName: r.event_name == null ? null : String(r.event_name),
+        deliveryId: r.delivery_id == null ? null : String(r.delivery_id),
+        signature: r.signature == null ? null : String(r.signature),
+        installationId: r.installation_id == null ? null : String(r.installation_id),
+        repoFullName: r.repo_full_name == null ? null : String(r.repo_full_name),
+        retryCount: Number(r.retry_count ?? 0),
+        receivedAt: String(r.received_at),
+        retriedAt: r.retried_at == null ? null : String(r.retried_at),
+        bucket: r.bucket == null ? 'parse_error' : String(r.bucket),
+    };
+}
+function bumpRetryCount(hippoRoot, id) {
+    const db = openHippoDb(hippoRoot);
+    try {
+        db.prepare(`UPDATE github_dlq
+          SET retry_count = retry_count + 1,
+              retried_at = ?
+        WHERE id = ?`).run(new Date().toISOString(), id);
+    }
+    finally {
+        closeHippoDb(db);
+    }
+}
+/**
+ * Replay a DLQ row through the normal ingest path. Behavior:
+ *   1. Fetch row by id. Not found → `not_found`.
+ *   2. If !force and webhookSecret provided, verify signature with the
+ *      current secret. Fail → bump retry_count, `sig_fail`.
+ *      Missing signature on the row → `sig_missing` (no bump; --force required).
+ *   3. JSON.parse the raw payload. Fail → bump, `parse_error`.
+ *   4. Type-guard the envelope. Fail → bump, `unhandled`.
+ *   5. If an `ingestHook` is supplied, call it and return its memoryId.
+ *      If not (dry-run path), bump retry_count and return status `replayed`
+ *      with memoryId=null. The webhook route wires the real hook in Task 14.
+ *
+ * Mirrors Slack's "always use current routing" policy: replays use the
+ * deployment state NOW, not at the time of original DLQing.
+ */
+export async function replayDlqEntry(ctx, id, opts = {}) {
+    const db = openHippoDb(ctx.hippoRoot);
+    let row;
+    try {
+        row = getDlqEntry(db, id);
+    }
+    finally {
+        closeHippoDb(db);
+    }
+    if (!row) {
+        return {
+            ok: false,
+            status: 'not_found',
+            memoryId: null,
+            retryCount: 0,
+            reason: `dlq id ${id} not found`,
+        };
+    }
+    // Signature verification (current secret, not the one in effect when DLQed).
+    if (!opts.force && opts.webhookSecret) {
+        if (!row.signature) {
+            return {
+                ok: false,
+                status: 'sig_missing',
+                memoryId: null,
+                retryCount: row.retryCount,
+                reason: 'legacy row without signature; pass --force to replay',
+            };
+        }
+        const sigOk = verifyGitHubSignature({
+            rawBody: row.rawPayload,
+            signature: row.signature,
+            webhookSecret: opts.webhookSecret,
+        });
+        if (!sigOk) {
+            bumpRetryCount(ctx.hippoRoot, id);
+            return {
+                ok: false,
+                status: 'sig_fail',
+                memoryId: null,
+                retryCount: row.retryCount + 1,
+                reason: 'signature did not verify against current GITHUB_WEBHOOK_SECRET; pass --force to replay anyway',
+            };
+        }
+    }
+    // Parse + envelope guard.
+    let parsed;
+    try {
+        parsed = JSON.parse(row.rawPayload);
+    }
+    catch (e) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'parse_error',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: `still unparseable: ${e.message}`,
+        };
+    }
+    if (!isGitHubWebhookEnvelope(parsed)) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'unhandled',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: 'not a GitHub webhook envelope',
+        };
+    }
+    // Without an ingest hook this is a dry-run validation. Bump and report.
+    if (!opts.ingestHook) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: true,
+            status: 'replayed',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: 'dry-run: no ingest hook supplied',
+        };
+    }
+    // Real replay path. The route's IngestHook is responsible for routing,
+    // idempotency, and writing the memory. The DLQ module only validates the
+    // surface and bumps the retry counter.
+    const eventName = row.eventName ?? '';
+    const deliveryId = row.deliveryId ?? '';
+    const idempotencyKey = (await import('./signature.js')).computeIdempotencyKey(eventName, row.rawPayload);
+    const { memoryId } = await opts.ingestHook(ctx, {
+        rawPayload: row.rawPayload,
+        eventName,
+        idempotencyKey,
+        deliveryId,
+    });
+    bumpRetryCount(ctx.hippoRoot, id);
+    return {
+        ok: true,
+        status: 'replayed',
+        memoryId,
+        retryCount: row.retryCount + 1,
+    };
+}
+//# sourceMappingURL=dlq.js.map

package/dist/src/connectors/github/dlq.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dlq.js","sourceRoot":"","sources":["../../../../src/connectors/github/dlq.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAmDrD,MAAM,UAAU,UAAU,CAAC,EAAoB,EAAE,IAAkB;IACjE,MAAM,MAAM,GAAG,EAAE;SACd,OAAO,CACN;;;6CAGuC,CACxC;SACA,GAAG,CACF,IAAI,CAAC,QAAQ,IAAI,gBAAgB,EACjC,IAAI,CAAC,UAAU,EACf,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,SAAS,IAAI,IAAI,EACtB,IAAI,CAAC,UAAU,IAAI,IAAI,EACvB,IAAI,CAAC,SAAS,IAAI,IAAI,EACtB,IAAI,CAAC,cAAc,IAAI,IAAI,EAC3B,IAAI,CAAC,YAAY,IAAI,IAAI,EACzB,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EACxB,IAAI,CAAC,MAAM,IAAI,aAAa,CAC7B,CAAC;IACJ,OAAO,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,cAAc,GAAG;;4CAEqB,CAAC;AAE7C,MAAM,UAAU,OAAO,CACrB,EAAoB,EACpB,IAA0C;IAE1C,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CACN,UAAU,cAAc;;;;gBAId,CACX;SACA,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,IAAI,GAAG,CAAmC,CAAC;IAC3E,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,EAAoB,EAAE,EAAU;IAC1D,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CACN,UAAU,cAAc;;qBAET,CAChB;SACA,GAAG,CAAC,EAAE,CAAwC,CAAC;IAClD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,SAAS,CAAC,CAA0B;IAC3C,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QACtB,SAAS,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,UAAU,EAAE,CAAC,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QAChE,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3D,cAAc,EAAE,CAAC,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC;QAC5E,YAAY,EAAE,CAAC,CAAC,cAAc,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC;QACxE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC;QACtC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;KAC5D,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB,EAAE,EAAU;IACnD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,EAAE,CAAC,OAAO,CACR;;;qBAGe,CAChB,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;IACtC,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAyCD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAY,EACZ,EAAU,EACV,OAAoD,EAAE;IAEtD,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,GAAmB,CAAC;IACxB,IAAI,CAAC;QACH,GAAG,GAAG,WAAW,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5B,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,CAAC;YACb,MAAM,EAAE,UAAU,EAAE,YAAY;SACjC,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACtC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,aAAa;gBACrB,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,MAAM,EAAE,sDAAsD;aAC/D,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAG,qBAAqB,CAAC;YAClC,OAAO,EAAE,GAAG,CAAC,UAAU;YACvB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAClC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,UAAU;gBAClB,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;gBAC9B,MAAM,EACJ,+FAA+F;aAClG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,aAAa;YACrB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,sBAAuB,CAAW,CAAC,OAAO,EAAE;SACrD,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,CAAC;QACrC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,+BAA+B;SACxC,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QACrB,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,kCAAkC;SAC3C,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,yEAAyE;IACzE,uCAAuC;IACvC,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IACxC,MAAM,cAAc,GAAG,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,qBAAqB,CAC3E,SAAS,EACT,GAAG,CAAC,UAAU,CACf,CAAC;IACF,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;QAC9C,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,SAAS;QACT,cAAc;QACd,UAAU;KACX,CAAC,CAAC;IACH,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAClC,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,UAAU;QAClB,QAAQ;QACR,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;KAC/B,CAAC;AACJ,CAAC"}

package/dist/src/connectors/github/idempotency.js

@@ -0,0 +1,25 @@
+/**
+ * Thrown by ingest's afterWrite hook when a concurrent worker has already
+ * inserted github_event_log for the same idempotency_key. Roll back the
+ * SAVEPOINT so exactly one memory row exists per key.
+ */
+export class DuplicateIdempotencyError extends Error {
+    idempotencyKey;
+    constructor(idempotencyKey) {
+        super(`duplicate github idempotency_key: ${idempotencyKey}`);
+        this.name = 'DuplicateIdempotencyError';
+        this.idempotencyKey = idempotencyKey;
+    }
+}
+export function hasSeenKey(db, idempotencyKey) {
+    const row = db.prepare(`SELECT 1 FROM github_event_log WHERE idempotency_key = ?`).get(idempotencyKey);
+    return !!row;
+}
+export function markKeySeen(db, args) {
+    db.prepare(`INSERT OR IGNORE INTO github_event_log (idempotency_key, delivery_id, event_name, ingested_at, memory_id) VALUES (?, ?, ?, ?, ?)`).run(args.idempotencyKey, args.deliveryId, args.eventName, new Date().toISOString(), args.memoryId);
+}
+export function lookupMemoryByKey(db, idempotencyKey) {
+    const row = db.prepare(`SELECT memory_id FROM github_event_log WHERE idempotency_key = ?`).get(idempotencyKey);
+    return row?.memory_id ?? null;
+}
+//# sourceMappingURL=idempotency.js.map

package/dist/src/connectors/github/idempotency.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.js","sourceRoot":"","sources":["../../../../src/connectors/github/idempotency.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,cAAc,CAAS;IAChC,YAAY,cAAsB;QAChC,KAAK,CAAC,qCAAqC,cAAc,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;IACvC,CAAC;CACF;AAED,MAAM,UAAU,UAAU,CAAC,EAAoB,EAAE,cAAsB;IACrE,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,0DAA0D,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACvG,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,EAAoB,EACpB,IAAgG;IAEhG,EAAE,CAAC,OAAO,CACR,kIAAkI,CACnI,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;AACvG,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,EAAoB,EAAE,cAAsB;IAC5E,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,kEAAkE,CAAC,CAAC,GAAG,CAAC,cAAc,CAEhG,CAAC;IACd,OAAO,GAAG,EAAE,SAAS,IAAI,IAAI,CAAC;AAChC,CAAC"}

package/dist/src/connectors/github/ingest.js

@@ -0,0 +1,107 @@
+/**
+ * GitHub event ingest with afterWrite race-safe idempotency.
+ *
+ * Mirrors src/connectors/slack/ingest.ts. The dedupe key is sha256(eventName +
+ * ':' + rawBody) (codex P0 #3) — derived from the signed body, not from the
+ * unsigned X-GitHub-Delivery header, so a replay attacker cannot bypass
+ * idempotency by rotating the delivery UUID.
+ *
+ * Race semantics (codex P1 #6):
+ *   - Fast path: hasSeenKey pre-check returns 'duplicate' for the common case.
+ *   - Slow path: hasSeenKey passes (no row yet). Two workers may race into
+ *     remember() concurrently. Inside the writeEntry SAVEPOINT, INSERT OR
+ *     IGNORE on github_event_log either inserts (changes=1, commit) or
+ *     collides (changes=0, throw DuplicateIdempotencyError -> SAVEPOINT
+ *     rolls back this worker's memory row). Exactly one memory exists per
+ *     idempotency_key.
+ *
+ * The Slack precedent's race test was insufficient — it tested the fast path,
+ * not the SAVEPOINT collision. The `__testInjectBeforeLog` hook below lets
+ * tests pre-populate github_event_log inside the SAVEPOINT to actually
+ * exercise the changes=0 -> rollback path.
+ */
+import { remember } from '../../api.js';
+import { openHippoDb, closeHippoDb } from '../../db.js';
+import { hasSeenKey, lookupMemoryByKey, DuplicateIdempotencyError } from './idempotency.js';
+import { computeIdempotencyKey } from './signature.js';
+import { issueEventToRememberOpts, issueCommentEventToRememberOpts, pullRequestEventToRememberOpts, prReviewCommentEventToRememberOpts, } from './transform.js';
+function transformEvent(event) {
+    switch (event.eventName) {
+        case 'issues':
+            return issueEventToRememberOpts(event.payload);
+        case 'issue_comment':
+            return issueCommentEventToRememberOpts(event.payload);
+        case 'pull_request':
+            return pullRequestEventToRememberOpts(event.payload);
+        case 'pull_request_review_comment':
+            return prReviewCommentEventToRememberOpts(event.payload);
+    }
+}
+export function ingestEvent(ctx, input) {
+    const idempotencyKey = computeIdempotencyKey(input.event.eventName, input.rawBody);
+    // Fast path: pre-check. Avoids running the transform / opening a write tx
+    // for the common already-seen case (GitHub auto-retries with the same body).
+    const db = openHippoDb(ctx.hippoRoot);
+    try {
+        if (hasSeenKey(db, idempotencyKey)) {
+            return { status: 'duplicate', memoryId: lookupMemoryByKey(db, idempotencyKey) };
+        }
+    }
+    finally {
+        closeHippoDb(db);
+    }
+    const opts = transformEvent(input.event);
+    if (!opts) {
+        // Empty body: no memory to write, but mark seen so a retry of the same
+        // empty event returns 'duplicate' (not 'skipped' again — that would
+        // re-run the transform on every retry).
+        const db2 = openHippoDb(ctx.hippoRoot);
+        try {
+            db2
+                .prepare(`INSERT OR IGNORE INTO github_event_log (idempotency_key, delivery_id, event_name, ingested_at, memory_id) VALUES (?, ?, ?, ?, ?)`)
+                .run(idempotencyKey, input.deliveryId, input.event.eventName, new Date().toISOString(), null);
+        }
+        finally {
+            closeHippoDb(db2);
+        }
+        return { status: 'skipped', memoryId: null };
+    }
+    // Atomic write via afterWrite. Inside writeEntry's SAVEPOINT:
+    //   1. memories row INSERT lands.
+    //   2. (test-only) __testInjectBeforeLog can race-inject a colliding key.
+    //   3. INSERT OR IGNORE on github_event_log; if a concurrent worker (or
+    //      the test injection) beat us, changes=0 -> throw -> SAVEPOINT rolls
+    //      back our memory row. Other worker's commit stands.
+    try {
+        const result = remember({ ...ctx, actor: ctx.actor || 'connector:github' }, {
+            ...opts,
+            afterWrite: (innerDb, memoryId) => {
+                if (input.__testInjectBeforeLog) {
+                    input.__testInjectBeforeLog(innerDb, idempotencyKey);
+                }
+                const inserted = innerDb
+                    .prepare(`INSERT OR IGNORE INTO github_event_log (idempotency_key, delivery_id, event_name, ingested_at, memory_id) VALUES (?, ?, ?, ?, ?)`)
+                    .run(idempotencyKey, input.deliveryId, input.event.eventName, new Date().toISOString(), memoryId);
+                if (Number(inserted.changes ?? 0) === 0) {
+                    throw new DuplicateIdempotencyError(idempotencyKey);
+                }
+            },
+        });
+        return { status: 'ingested', memoryId: result.id };
+    }
+    catch (e) {
+        if (e instanceof DuplicateIdempotencyError) {
+            // Other worker's row is committed. Return its memory_id so callers
+            // behave identically to the fast-path 'duplicate' branch.
+            const db3 = openHippoDb(ctx.hippoRoot);
+            try {
+                return { status: 'skipped_duplicate', memoryId: lookupMemoryByKey(db3, idempotencyKey) };
+            }
+            finally {
+                closeHippoDb(db3);
+            }
+        }
+        throw e;
+    }
+}
+//# sourceMappingURL=ingest.js.map

package/dist/src/connectors/github/ingest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ingest.js","sourceRoot":"","sources":["../../../../src/connectors/github/ingest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,QAAQ,EAAmC,MAAM,cAAc,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAyB,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAC;AAC5F,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EACL,wBAAwB,EACxB,+BAA+B,EAC/B,8BAA8B,EAC9B,kCAAkC,GACnC,MAAM,gBAAgB,CAAC;AA4CxB,SAAS,cAAc,CAAC,KAAkB;IACxC,QAAQ,KAAK,CAAC,SAAS,EAAE,CAAC;QACxB,KAAK,QAAQ;YACX,OAAO,wBAAwB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACjD,KAAK,eAAe;YAClB,OAAO,+BAA+B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACxD,KAAK,cAAc;YACjB,OAAO,8BAA8B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvD,KAAK,6BAA6B;YAChC,OAAO,kCAAkC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,GAAY,EAAE,KAAkB;IAC1D,MAAM,cAAc,GAAG,qBAAqB,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAEnF,0EAA0E;IAC1E,6EAA6E;IAC7E,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,iBAAiB,CAAC,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;QAClF,CAAC;IACH,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,MAAM,IAAI,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAEzC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,uEAAuE;QACvE,oEAAoE;QACpE,wCAAwC;QACxC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvC,IAAI,CAAC;YACH,GAAG;iBACA,OAAO,CACN,kIAAkI,CACnI;iBACA,GAAG,CAAC,cAAc,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,CAAC;QAClG,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC/C,CAAC;IAED,8DAA8D;IAC9D,kCAAkC;IAClC,0EAA0E;IAC1E,wEAAwE;IACxE,0EAA0E;IAC1E,0DAA0D;IAC1D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CACrB,EAAE,GAAG,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,kBAAkB,EAAE,EAClD;YACE,GAAG,IAAI;YACP,UAAU,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE;gBAChC,IAAI,KAAK,CAAC,qBAAqB,EAAE,CAAC;oBAChC,KAAK,CAAC,qBAAqB,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;gBACvD,CAAC;gBACD,MAAM,QAAQ,GAAG,OAAO;qBACrB,OAAO,CACN,kIAAkI,CACnI;qBACA,GAAG,CACF,cAAc,EACd,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,KAAK,CAAC,SAAS,EACrB,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EACxB,QAAQ,CACT,CAAC;gBACJ,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxC,MAAM,IAAI,yBAAyB,CAAC,cAAc,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;SACF,CACF,CAAC;QACF,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;IACrD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,yBAAyB,EAAE,CAAC;YAC3C,mEAAmE;YACnE,0DAA0D;YAC1D,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACvC,IAAI,CAAC;gBACH,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,QAAQ,EAAE,iBAAiB,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,CAAC;YAC3F,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;QACD,MAAM,CAAC,CAAC;IACV,CAAC;AACH,CAAC"}

package/dist/src/connectors/github/octokit-client.js

@@ -0,0 +1,65 @@
+/**
+ * Octokit-shaped HTTP fetcher for the GitHub connector backfill.
+ *
+ * Production uses `realGitHubFetcher` against `https://api.github.com`.
+ * Tests inject a fake `GitHubFetcher` so they never hit the network.
+ *
+ * Codex P1 #4 mandate: any non-200 response that is NOT a recognized
+ * rate-limit pause MUST throw `GitHubFetchError`. Silently turning
+ * 401/403/404/500 into empty pages produced empty backfills with no
+ * operator signal, so this code path is now load-bearing.
+ */
+import { parseRateLimit } from './ratelimit.js';
+export class GitHubFetchError extends Error {
+    status;
+    bodyExcerpt;
+    url;
+    constructor(status, bodyExcerpt, url) {
+        super(`GitHub ${status} on ${url}: ${bodyExcerpt}`);
+        this.status = status;
+        this.bodyExcerpt = bodyExcerpt;
+        this.url = url;
+        this.name = 'GitHubFetchError';
+    }
+}
+/**
+ * Parse the rel="next" URL from an RFC 5988 `Link` header.
+ *
+ * Header format: `<url1>; rel="next", <url2>; rel="last"`.
+ * Returns the URL whose rel parameter is exactly `"next"`, or null.
+ */
+export function parseNextLink(linkHeader) {
+    if (!linkHeader)
+        return null;
+    const re = /<([^>]+)>\s*;\s*rel="next"/;
+    const m = linkHeader.match(re);
+    return m ? m[1] : null;
+}
+function headersToRecord(h) {
+    const out = {};
+    h.forEach((v, k) => {
+        out[k.toLowerCase()] = v;
+    });
+    return out;
+}
+export const realGitHubFetcher = async ({ url, token }) => {
+    const res = await fetch(url, {
+        headers: {
+            Authorization: `Bearer ${token}`,
+            Accept: 'application/vnd.github+json',
+            'X-GitHub-Api-Version': '2022-11-28',
+        },
+    });
+    const headers = headersToRecord(res.headers);
+    const rateLimit = parseRateLimit(headers, res.status);
+    // Codex P1 #4: don't silently turn 401/403/404/500 into empty pages.
+    if (res.status !== 200 && rateLimit.reason === 'none') {
+        const body = await res.text().catch(() => '');
+        throw new GitHubFetchError(res.status, body.slice(0, 256), url);
+    }
+    const items = res.status === 200 ? (await res.json()) : [];
+    const link = res.headers.get('link') ?? '';
+    const next = parseNextLink(link);
+    return { items, next, rateLimit };
+};
+//# sourceMappingURL=octokit-client.js.map

package/dist/src/connectors/github/octokit-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"octokit-client.js","sourceRoot":"","sources":["../../../../src/connectors/github/octokit-client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,cAAc,EAAsB,MAAM,gBAAgB,CAAC;AAEpE,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAE9B;IACA;IACA;IAHX,YACW,MAAc,EACd,WAAmB,EACnB,GAAW;QAEpB,KAAK,CAAC,UAAU,MAAM,OAAO,GAAG,KAAK,WAAW,EAAE,CAAC,CAAC;QAJ3C,WAAM,GAAN,MAAM,CAAQ;QACd,gBAAW,GAAX,WAAW,CAAQ;QACnB,QAAG,GAAH,GAAG,CAAQ;QAGpB,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAaD;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,UAAkB;IAC9C,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,EAAE,GAAG,4BAA4B,CAAC;IACxC,MAAM,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/B,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,CAAU;IACjC,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACjB,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IACH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAkB,KAAK,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE;IACvE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,MAAM,EAAE,6BAA6B;YACrC,sBAAsB,EAAE,YAAY;SACrC;KACF,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAEtD,qEAAqE;IACrE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,SAAS,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACtD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,KAAK,GACT,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAE,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACjC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AACpC,CAAC,CAAC"}

package/dist/src/connectors/github/ratelimit.js

@@ -0,0 +1,31 @@
+/**
+ * GitHub rate-limit header parser.
+ *
+ * GitHub returns 403 for primary rate-limit (with `X-RateLimit-Remaining: 0`
+ * and `X-RateLimit-Reset: <epoch>`) and 429 + `Retry-After: <seconds>` for
+ * secondary rate-limit. Backfill must pause and resume rather than error.
+ */
+/**
+ * Parse rate-limit signal from a GitHub HTTP response.
+ *
+ * @param headers Lower-cased HTTP response headers.
+ * @param status  HTTP status code.
+ * @param now     Optional current epoch seconds (for deterministic tests).
+ */
+export function parseRateLimit(headers, status, now) {
+    const _now = now ?? Math.floor(Date.now() / 1000);
+    if (status === 429) {
+        const retry = Number(headers['retry-after'] ?? '60');
+        return {
+            sleepSeconds: Number.isFinite(retry) && retry >= 0 ? retry : 60,
+            reason: 'secondary',
+        };
+    }
+    if (status === 403 && Number(headers['x-ratelimit-remaining'] ?? '1') === 0) {
+        const reset = Number(headers['x-ratelimit-reset'] ?? '0');
+        const diff = reset - _now;
+        return { sleepSeconds: Math.max(diff, 1), reason: 'primary' };
+    }
+    return { sleepSeconds: 0, reason: 'none' };
+}
+//# sourceMappingURL=ratelimit.js.map

package/dist/src/connectors/github/ratelimit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ratelimit.js","sourceRoot":"","sources":["../../../../src/connectors/github/ratelimit.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAOH;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,OAA2C,EAC3C,MAAc,EACd,GAAY;IAEZ,MAAM,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAElD,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;QACnB,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,CAAC;QACrD,OAAO;YACL,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;YAC/D,MAAM,EAAE,WAAW;SACpB,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,uBAAuB,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5E,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,CAAC;QAC1D,MAAM,IAAI,GAAG,KAAK,GAAG,IAAI,CAAC;QAC1B,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAChE,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AAC7C,CAAC"}

package/dist/src/connectors/github/scope.js

@@ -0,0 +1,13 @@
+/**
+ * Map a GitHub repository to a hippo scope string. Default-private when
+ * privacy is undetermined: cost of leaking public into private (recall returns
+ * nothing) << cost of leaking private into public (data exposure).
+ */
+export function scopeFromRepository(repo) {
+    if (!repo)
+        return 'github:private:unknown';
+    if (repo.private === false)
+        return `github:public:${repo.full_name}`;
+    return `github:private:${repo.full_name}`;
+}
+//# sourceMappingURL=scope.js.map

package/dist/src/connectors/github/scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.js","sourceRoot":"","sources":["../../../../src/connectors/github/scope.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAkC;IACpE,IAAI,CAAC,IAAI;QAAE,OAAO,wBAAwB,CAAC;IAC3C,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK;QAAE,OAAO,iBAAiB,IAAI,CAAC,SAAS,EAAE,CAAC;IACrE,OAAO,kBAAkB,IAAI,CAAC,SAAS,EAAE,CAAC;AAC5C,CAAC"}

package/dist/src/connectors/github/signature.js

@@ -0,0 +1,35 @@
+import { createHmac, createHash, timingSafeEqual } from 'crypto';
+function verifyOne(rawBody, signature, secret) {
+    if (!signature.startsWith('sha256='))
+        return false;
+    const expected = `sha256=${createHmac('sha256', secret).update(rawBody).digest('hex')}`;
+    const a = Buffer.from(signature, 'utf8');
+    const b = Buffer.from(expected, 'utf8');
+    if (a.length !== b.length)
+        return false;
+    return timingSafeEqual(a, b);
+}
+export function verifyGitHubSignature(opts) {
+    if (verifyOne(opts.rawBody, opts.signature, opts.webhookSecret))
+        return true;
+    if (opts.previousSecret && verifyOne(opts.rawBody, opts.signature, opts.previousSecret))
+        return true;
+    return false;
+}
+/**
+ * Replay-safe idempotency key (codex P0 #3).
+ *
+ * GitHub does NOT sign X-GitHub-Delivery, so an attacker who captures one
+ * signed payload can replay the body with any new delivery UUID. Deriving
+ * idempotency from the delivery_id is unsafe.
+ *
+ * Key = sha256(eventName + ':' + rawBody). Both inputs are tamper-evident:
+ *   - eventName comes from X-GitHub-Event, gated by upstream type guards.
+ *   - rawBody is signed by the HMAC.
+ * A valid replay of (eventName, body) IS the same event. delivery_id is kept
+ * as audit metadata only, not as the dedupe seam.
+ */
+export function computeIdempotencyKey(eventName, rawBody) {
+    return createHash('sha256').update(`${eventName}:${rawBody}`).digest('hex');
+}
+//# sourceMappingURL=signature.js.map

package/dist/src/connectors/github/signature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signature.js","sourceRoot":"","sources":["../../../../src/connectors/github/signature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAWjE,SAAS,SAAS,CAAC,OAAe,EAAE,SAAiB,EAAE,MAAc;IACnE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IACnD,MAAM,QAAQ,GAAG,UAAU,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;IACxF,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACzC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACxC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAgB;IACpD,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,IAAI,IAAI,CAAC,cAAc,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,cAAc,CAAC;QAAE,OAAO,IAAI,CAAC;IACrG,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,qBAAqB,CAAC,SAAiB,EAAE,OAAe;IACtE,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC"}

package/dist/src/connectors/github/tenant-routing.js

@@ -0,0 +1,61 @@
+/**
+ * Resolve the tenant_id for a GitHub webhook envelope.
+ *
+ * Returns:
+ *   - mapped tenant_id when `github_installations` has a row for `installationId`
+ *     (App-mode multi-tenant — primary path)
+ *   - mapped tenant_id when `installation` is absent, `repository.full_name`
+ *     matches a `github_repositories` row (PAT-mode multi-tenant)
+ *   - the deployment's HIPPO_TENANT fallback (or 'default') when BOTH routing
+ *     tables are empty (single-tenant deployment — env fallback is safe)
+ *   - null when:
+ *       - `installationId` is present but unknown AND `github_installations`
+ *         is non-empty (multi-tenant install with foreign installation)
+ *       - `installationId` is missing AND either routing table is non-empty
+ *         AND no `repository.full_name` match (PAT-mode webhook from a foreign
+ *         account — codex P0 #4 regression target)
+ *
+ * Escape hatch: `GITHUB_ALLOW_UNKNOWN_INSTALLATION_FALLBACK=1` restores the
+ * env fallback for emergency rollback only. Mirrors the Slack equivalent
+ * (`SLACK_ALLOW_UNKNOWN_TEAM_FALLBACK`).
+ *
+ * The fail-closed contract lives here so every caller (route handler, CLI
+ * replay, future MCP) gets identical protection.
+ */
+export function resolveTenantForGitHub(db, args) {
+    const envFallback = () => process.env.HIPPO_TENANT?.trim() || 'default';
+    const escapeHatch = process.env.GITHUB_ALLOW_UNKNOWN_INSTALLATION_FALLBACK === '1';
+    const instCount = db
+        .prepare(`SELECT COUNT(*) AS c FROM github_installations`)
+        .get().c;
+    const repoCount = db
+        .prepare(`SELECT COUNT(*) AS c FROM github_repositories`)
+        .get().c;
+    if (args.installationId) {
+        const row = db
+            .prepare(`SELECT tenant_id FROM github_installations WHERE installation_id = ?`)
+            .get(args.installationId);
+        if (row?.tenant_id)
+            return row.tenant_id;
+        if (Number(instCount) === 0) {
+            // Single-tenant install (table empty); env fallback is safe.
+            return envFallback();
+        }
+        // Multi-tenant install with unknown installation_id — fail closed.
+        return escapeHatch ? envFallback() : null;
+    }
+    // No installation.id (PAT-mode webhook).
+    if (Number(instCount) === 0 && Number(repoCount) === 0) {
+        // Single-tenant deployment with no routing tables populated.
+        return envFallback();
+    }
+    if (args.repoFullName) {
+        const row = db
+            .prepare(`SELECT tenant_id FROM github_repositories WHERE repo_full_name = ? ORDER BY added_at, tenant_id LIMIT 1`)
+            .get(args.repoFullName);
+        if (row?.tenant_id)
+            return row.tenant_id;
+    }
+    return escapeHatch ? envFallback() : null;
+}
+//# sourceMappingURL=tenant-routing.js.map

package/dist/src/connectors/github/tenant-routing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-routing.js","sourceRoot":"","sources":["../../../../src/connectors/github/tenant-routing.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,sBAAsB,CACpC,EAAoB,EACpB,IAAiB;IAEjB,MAAM,WAAW,GAAG,GAAW,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;IAChF,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,0CAA0C,KAAK,GAAG,CAAC;IAEnF,MAAM,SAAS,GAAI,EAAE;SAClB,OAAO,CAAC,gDAAgD,CAAC;SACzD,GAAG,EAA6B,CAAC,CAAC,CAAC;IACtC,MAAM,SAAS,GAAI,EAAE;SAClB,OAAO,CAAC,+CAA+C,CAAC;SACxD,GAAG,EAA6B,CAAC,CAAC,CAAC;IAEtC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,EAAE;aACX,OAAO,CAAC,sEAAsE,CAAC;aAC/E,GAAG,CAAC,IAAI,CAAC,cAAc,CAAuC,CAAC;QAClE,IAAI,GAAG,EAAE,SAAS;YAAE,OAAO,GAAG,CAAC,SAAS,CAAC;QACzC,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,6DAA6D;YAC7D,OAAO,WAAW,EAAE,CAAC;QACvB,CAAC;QACD,mEAAmE;QACnE,OAAO,WAAW,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5C,CAAC;IAED,yCAAyC;IACzC,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QACvD,6DAA6D;QAC7D,OAAO,WAAW,EAAE,CAAC;IACvB,CAAC;IACD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,EAAE;aACX,OAAO,CACN,yGAAyG,CAC1G;aACA,GAAG,CAAC,IAAI,CAAC,YAAY,CAAuC,CAAC;QAChE,IAAI,GAAG,EAAE,SAAS;YAAE,OAAO,GAAG,CAAC,SAAS,CAAC;IAC3C,CAAC;IACD,OAAO,WAAW,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC5C,CAAC"}