hippo-memory 1.2.1 → 1.3.1

package/dist/connectors/github/deletion.js

@@ -0,0 +1,83 @@
+import { openHippoDb, closeHippoDb } from '../../db.js';
+import { archiveRawMemory } from '../../raw-archive.js';
+import { hasSeenKey, markKeySeen } from './idempotency.js';
+/**
+ * Handle GitHub `issue_comment.deleted` and `pull_request_review_comment.deleted`.
+ *
+ * Codex round 1 P0 #5: filter by tenant_id + kind='raw'. Multi-row archive:
+ * GitHub edits keep the same artifact_ref, so multiple active raw rows can
+ * match a single deletion event. Archive ALL of them.
+ *
+ * Claude round 2 P0 #2 (v1.3.1 hotfix): the v1.3.0 implementation called
+ * archiveRaw N times in a loop, each opening its own DB handle and SAVEPOINT.
+ * The first archive's afterArchive committed the idempotency mark. If archive
+ * 2..N threw, idempotency was already committed and retry returned 'duplicate'
+ * with archivedCount=0 — survivors stayed searchable, leaking private bodies.
+ *
+ * v1.3.1 fix: ONE shared DB handle wrapping ALL archives + the idempotency
+ * mark in a single outer SAVEPOINT. Any per-row failure rolls back the entire
+ * batch (including idempotency), so retry re-attempts cleanly. archiveRawMemory
+ * (the lower-level function from raw-archive.js) runs its own inner SAVEPOINT
+ * which nests safely inside the outer one.
+ *
+ * Tenant scope and kind='raw' filtering are load-bearing: without them a
+ * deletion event from tenant A could archive tenant B's row sharing the same
+ * artifact_ref, or accidentally target a distilled row.
+ */
+export function handleCommentDeleted(ctx, input) {
+    const db = openHippoDb(ctx.hippoRoot);
+    try {
+        if (hasSeenKey(db, input.idempotencyKey)) {
+            return { status: 'duplicate', archivedCount: 0 };
+        }
+        const rows = db
+            .prepare(`SELECT id FROM memories WHERE artifact_ref = ? AND tenant_id = ? AND kind = 'raw'`)
+            .all(input.artifactRef, ctx.tenantId);
+        const memoryIds = rows.map((r) => r.id);
+        if (memoryIds.length === 0) {
+            // Nothing to archive — still mark idempotency so a retry returns 'duplicate'.
+            // Independent INSERT, no rollback needed.
+            markKeySeen(db, {
+                idempotencyKey: input.idempotencyKey,
+                deliveryId: input.deliveryId,
+                eventName: input.eventName,
+                memoryId: null,
+            });
+            return { status: 'archive_skipped_not_found', archivedCount: 0 };
+        }
+        // Outer SAVEPOINT wrapping all archives + the idempotency mark. Any throw
+        // rolls back the whole batch so retry sees neither archive nor mark — and
+        // re-attempts the full set.
+        db.exec('SAVEPOINT github_delete_all');
+        try {
+            for (const id of memoryIds) {
+                archiveRawMemory(db, id, {
+                    reason: `source_deleted:github:${input.eventName}:${input.deliveryId}`,
+                    who: ctx.actor || 'connector:github',
+                });
+            }
+            markKeySeen(db, {
+                idempotencyKey: input.idempotencyKey,
+                deliveryId: input.deliveryId,
+                eventName: input.eventName,
+                memoryId: memoryIds[0],
+            });
+            db.exec('RELEASE SAVEPOINT github_delete_all');
+        }
+        catch (e) {
+            try {
+                db.exec('ROLLBACK TO SAVEPOINT github_delete_all');
+                db.exec('RELEASE SAVEPOINT github_delete_all');
+            }
+            catch {
+                // Best effort. Surface the original error.
+            }
+            throw e;
+        }
+        return { status: 'archived', archivedCount: memoryIds.length };
+    }
+    finally {
+        closeHippoDb(db);
+    }
+}
+//# sourceMappingURL=deletion.js.map

package/dist/connectors/github/deletion.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deletion.js","sourceRoot":"","sources":["../../../src/connectors/github/deletion.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAsB3D;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAY,EAAE,KAAoB;IACrE,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,EAAE,EAAE,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YACzC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC;QACnD,CAAC;QAED,MAAM,IAAI,GAAG,EAAE;aACZ,OAAO,CACN,mFAAmF,CACpF;aACA,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,GAAG,CAAC,QAAQ,CAA0B,CAAC;QACjE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAExC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,8EAA8E;YAC9E,0CAA0C;YAC1C,WAAW,CAAC,EAAE,EAAE;gBACd,cAAc,EAAE,KAAK,CAAC,cAAc;gBACpC,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YACH,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,aAAa,EAAE,CAAC,EAAE,CAAC;QACnE,CAAC;QAED,0EAA0E;QAC1E,0EAA0E;QAC1E,4BAA4B;QAC5B,EAAE,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QACvC,IAAI,CAAC;YACH,KAAK,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;gBAC3B,gBAAgB,CAAC,EAAE,EAAE,EAAE,EAAE;oBACvB,MAAM,EAAE,yBAAyB,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,UAAU,EAAE;oBACtE,GAAG,EAAE,GAAG,CAAC,KAAK,IAAI,kBAAkB;iBACrC,CAAC,CAAC;YACL,CAAC;YACD,WAAW,CAAC,EAAE,EAAE;gBACd,cAAc,EAAE,KAAK,CAAC,cAAc;gBACpC,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAE;aACxB,CAAC,CAAC;YACH,EAAE,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,EAAE,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;gBACnD,EAAE,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,2CAA2C;YAC7C,CAAC;YACD,MAAM,CAAC,CAAC;QACV,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC;IACjE,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/connectors/github/dlq.d.ts

@@ -0,0 +1,108 @@
+import type { DatabaseSyncLike } from '../../db.js';
+import type { Context } from '../../api.js';
+/**
+ * GitHub webhook DLQ. Mirrors the Slack DLQ shape (src/connectors/slack/dlq.ts)
+ * but carries GitHub-specific metadata: event_name, delivery_id, signature,
+ * installation_id, repo_full_name. Codex P1 #5 mandates this rich context
+ * so a `hippo gh dlq replay` operator can triage without re-deriving anything
+ * from the raw payload.
+ *
+ * Buckets:
+ *   - parse_error     — raw_payload was not valid JSON
+ *   - unroutable      — no tenant resolved for installation_id / repo_full_name
+ *   - signature_failed — HMAC did not verify against the active webhook secret
+ *   - unhandled       — parsed but no handler matched the event
+ */
+export type DlqBucket = 'parse_error' | 'unroutable' | 'signature_failed' | 'unhandled';
+export interface DlqItem {
+    id: number;
+    tenantId: string;
+    rawPayload: string;
+    error: string;
+    eventName: string | null;
+    deliveryId: string | null;
+    signature: string | null;
+    installationId: string | null;
+    repoFullName: string | null;
+    retryCount: number;
+    receivedAt: string;
+    retriedAt: string | null;
+    bucket: DlqBucket | string;
+}
+/**
+ * `tenantId: null` means the connector could not resolve a tenant for the
+ * envelope (unroutable installation/repo). Stored as the sentinel
+ * `'__unroutable__'` so the NOT NULL column is honored — same convention as
+ * Slack DLQ.
+ */
+export interface WriteDlqOpts {
+    tenantId: string | null;
+    rawPayload: string;
+    error: string;
+    bucket?: DlqBucket;
+    eventName?: string | null;
+    deliveryId?: string | null;
+    signature?: string | null;
+    installationId?: string | null;
+    repoFullName?: string | null;
+}
+export declare function writeToDlq(db: DatabaseSyncLike, opts: WriteDlqOpts): number;
+export declare function listDlq(db: DatabaseSyncLike, opts: {
+    tenantId: string;
+    limit?: number;
+}): DlqItem[];
+export declare function getDlqEntry(db: DatabaseSyncLike, id: number): DlqItem | null;
+export interface ReplayDlqOpts {
+    /** Current webhook secret. If omitted, signature check is skipped (force-only path). */
+    webhookSecret?: string;
+    /**
+     * Previous webhook secret during rotation (v1.3.1 hotfix — claude P1).
+     * Operators rotating GITHUB_WEBHOOK_SECRET would otherwise be forced into
+     * --force on DLQ rows written under the old secret. Plumbed through to
+     * verifyGitHubSignature.previousSecret.
+     */
+    previousSecret?: string;
+    /** When true, skip signature verification (used for legacy entries after secret rotation). */
+    force?: boolean;
+}
+export type ReplayStatus = 'replayed' | 'parse_error' | 'sig_fail' | 'sig_missing' | 'unhandled' | 'not_found';
+export interface ReplayResult {
+    ok: boolean;
+    status: ReplayStatus;
+    memoryId: string | null;
+    retryCount: number;
+    reason?: string;
+}
+/**
+ * Hook the webhook route injects to actually re-ingest a row. Decoupling
+ * the dispatch keeps this module free of every event-type handler — the
+ * route already knows how to route an envelope, so it passes that capability
+ * back in.
+ */
+export type IngestHook = (ctx: Context, args: {
+    rawPayload: string;
+    eventName: string;
+    idempotencyKey: string;
+    deliveryId: string;
+}) => Promise<{
+    memoryId: string | null;
+}>;
+/**
+ * Replay a DLQ row through the normal ingest path. Behavior:
+ *   1. Fetch row by id. Not found → `not_found`.
+ *   2. If !force and webhookSecret provided, verify signature with the
+ *      current secret. Fail → bump retry_count, `sig_fail`.
+ *      Missing signature on the row → `sig_missing` (no bump; --force required).
+ *   3. JSON.parse the raw payload. Fail → bump, `parse_error`.
+ *   4. Type-guard the envelope. Fail → bump, `unhandled`.
+ *   5. If an `ingestHook` is supplied, call it and return its memoryId.
+ *      If not (dry-run path), bump retry_count and return status `replayed`
+ *      with memoryId=null. The webhook route wires the real hook in Task 14.
+ *
+ * Mirrors Slack's "always use current routing" policy: replays use the
+ * deployment state NOW, not at the time of original DLQing.
+ */
+export declare function replayDlqEntry(ctx: Context, id: number, opts?: ReplayDlqOpts & {
+    ingestHook?: IngestHook;
+}): Promise<ReplayResult>;
+//# sourceMappingURL=dlq.d.ts.map

package/dist/connectors/github/dlq.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dlq.d.ts","sourceRoot":"","sources":["../../../src/connectors/github/dlq.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAK5C;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,YAAY,GAAG,kBAAkB,GAAG,WAAW,CAAC;AAExF,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,SAAS,GAAG,MAAM,CAAC;CAC5B;AAED;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,wBAAgB,UAAU,CAAC,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,YAAY,GAAG,MAAM,CAqB3E;AAMD,wBAAgB,OAAO,CACrB,EAAE,EAAE,gBAAgB,EACpB,IAAI,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACzC,OAAO,EAAE,CAWX;AAED,wBAAgB,WAAW,CAAC,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAU5E;AAkCD,MAAM,WAAW,aAAa;IAC5B,wFAAwF;IACxF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,8FAA8F;IAC9F,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,MAAM,YAAY,GACpB,UAAU,GACV,aAAa,GACb,UAAU,GACV,aAAa,GACb,WAAW,GACX,WAAW,CAAC;AAEhB,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;GAKG;AACH,MAAM,MAAM,UAAU,GAAG,CACvB,GAAG,EAAE,OAAO,EACZ,IAAI,EAAE;IACJ,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB,KACE,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAAC;AAE1C;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,OAAO,EACZ,EAAE,EAAE,MAAM,EACV,IAAI,GAAE,aAAa,GAAG;IAAE,UAAU,CAAC,EAAE,UAAU,CAAA;CAAO,GACrD,OAAO,CAAC,YAAY,CAAC,CA2GvB"}

package/dist/connectors/github/dlq.js

@@ -0,0 +1,182 @@
+import { openHippoDb, closeHippoDb } from '../../db.js';
+import { verifyGitHubSignature } from './signature.js';
+import { isGitHubWebhookEnvelope } from './types.js';
+export function writeToDlq(db, opts) {
+    const result = db
+        .prepare(`INSERT INTO github_dlq
+        (tenant_id, raw_payload, error, event_name, delivery_id, signature,
+         installation_id, repo_full_name, received_at, bucket)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`)
+        .run(opts.tenantId ?? '__unroutable__', opts.rawPayload, opts.error, opts.eventName ?? null, opts.deliveryId ?? null, opts.signature ?? null, opts.installationId ?? null, opts.repoFullName ?? null, new Date().toISOString(), opts.bucket ?? 'parse_error');
+    return Number(result.lastInsertRowid);
+}
+const SELECT_COLUMNS = `id, tenant_id, raw_payload, error, event_name, delivery_id,
+            signature, installation_id, repo_full_name, retry_count,
+            received_at, retried_at, bucket`;
+export function listDlq(db, opts) {
+    const rows = db
+        .prepare(`SELECT ${SELECT_COLUMNS}
+         FROM github_dlq
+        WHERE tenant_id = ?
+        ORDER BY received_at ASC
+        LIMIT ?`)
+        .all(opts.tenantId, opts.limit ?? 100);
+    return rows.map(rowToItem);
+}
+export function getDlqEntry(db, id) {
+    const row = db
+        .prepare(`SELECT ${SELECT_COLUMNS}
+         FROM github_dlq
+        WHERE id = ?`)
+        .get(id);
+    if (!row)
+        return null;
+    return rowToItem(row);
+}
+function rowToItem(r) {
+    return {
+        id: Number(r.id),
+        tenantId: String(r.tenant_id),
+        rawPayload: String(r.raw_payload),
+        error: String(r.error),
+        eventName: r.event_name == null ? null : String(r.event_name),
+        deliveryId: r.delivery_id == null ? null : String(r.delivery_id),
+        signature: r.signature == null ? null : String(r.signature),
+        installationId: r.installation_id == null ? null : String(r.installation_id),
+        repoFullName: r.repo_full_name == null ? null : String(r.repo_full_name),
+        retryCount: Number(r.retry_count ?? 0),
+        receivedAt: String(r.received_at),
+        retriedAt: r.retried_at == null ? null : String(r.retried_at),
+        bucket: r.bucket == null ? 'parse_error' : String(r.bucket),
+    };
+}
+function bumpRetryCount(hippoRoot, id) {
+    const db = openHippoDb(hippoRoot);
+    try {
+        db.prepare(`UPDATE github_dlq
+          SET retry_count = retry_count + 1,
+              retried_at = ?
+        WHERE id = ?`).run(new Date().toISOString(), id);
+    }
+    finally {
+        closeHippoDb(db);
+    }
+}
+/**
+ * Replay a DLQ row through the normal ingest path. Behavior:
+ *   1. Fetch row by id. Not found → `not_found`.
+ *   2. If !force and webhookSecret provided, verify signature with the
+ *      current secret. Fail → bump retry_count, `sig_fail`.
+ *      Missing signature on the row → `sig_missing` (no bump; --force required).
+ *   3. JSON.parse the raw payload. Fail → bump, `parse_error`.
+ *   4. Type-guard the envelope. Fail → bump, `unhandled`.
+ *   5. If an `ingestHook` is supplied, call it and return its memoryId.
+ *      If not (dry-run path), bump retry_count and return status `replayed`
+ *      with memoryId=null. The webhook route wires the real hook in Task 14.
+ *
+ * Mirrors Slack's "always use current routing" policy: replays use the
+ * deployment state NOW, not at the time of original DLQing.
+ */
+export async function replayDlqEntry(ctx, id, opts = {}) {
+    const db = openHippoDb(ctx.hippoRoot);
+    let row;
+    try {
+        row = getDlqEntry(db, id);
+    }
+    finally {
+        closeHippoDb(db);
+    }
+    if (!row) {
+        return {
+            ok: false,
+            status: 'not_found',
+            memoryId: null,
+            retryCount: 0,
+            reason: `dlq id ${id} not found`,
+        };
+    }
+    // Signature verification (current secret, not the one in effect when DLQed).
+    if (!opts.force && opts.webhookSecret) {
+        if (!row.signature) {
+            return {
+                ok: false,
+                status: 'sig_missing',
+                memoryId: null,
+                retryCount: row.retryCount,
+                reason: 'legacy row without signature; pass --force to replay',
+            };
+        }
+        const sigOk = verifyGitHubSignature({
+            rawBody: row.rawPayload,
+            signature: row.signature,
+            webhookSecret: opts.webhookSecret,
+            previousSecret: opts.previousSecret,
+        });
+        if (!sigOk) {
+            bumpRetryCount(ctx.hippoRoot, id);
+            return {
+                ok: false,
+                status: 'sig_fail',
+                memoryId: null,
+                retryCount: row.retryCount + 1,
+                reason: 'signature did not verify against current GITHUB_WEBHOOK_SECRET; pass --force to replay anyway',
+            };
+        }
+    }
+    // Parse + envelope guard.
+    let parsed;
+    try {
+        parsed = JSON.parse(row.rawPayload);
+    }
+    catch (e) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'parse_error',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: `still unparseable: ${e.message}`,
+        };
+    }
+    if (!isGitHubWebhookEnvelope(parsed)) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: false,
+            status: 'unhandled',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: 'not a GitHub webhook envelope',
+        };
+    }
+    // Without an ingest hook this is a dry-run validation. Bump and report.
+    if (!opts.ingestHook) {
+        bumpRetryCount(ctx.hippoRoot, id);
+        return {
+            ok: true,
+            status: 'replayed',
+            memoryId: null,
+            retryCount: row.retryCount + 1,
+            reason: 'dry-run: no ingest hook supplied',
+        };
+    }
+    // Real replay path. The route's IngestHook is responsible for routing,
+    // idempotency, and writing the memory. The DLQ module only validates the
+    // surface and bumps the retry counter.
+    const eventName = row.eventName ?? '';
+    const deliveryId = row.deliveryId ?? '';
+    const idempotencyKey = (await import('./signature.js')).computeIdempotencyKey(eventName, row.rawPayload);
+    const { memoryId } = await opts.ingestHook(ctx, {
+        rawPayload: row.rawPayload,
+        eventName,
+        idempotencyKey,
+        deliveryId,
+    });
+    bumpRetryCount(ctx.hippoRoot, id);
+    return {
+        ok: true,
+        status: 'replayed',
+        memoryId,
+        retryCount: row.retryCount + 1,
+    };
+}
+//# sourceMappingURL=dlq.js.map

package/dist/connectors/github/dlq.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dlq.js","sourceRoot":"","sources":["../../../src/connectors/github/dlq.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAmDrD,MAAM,UAAU,UAAU,CAAC,EAAoB,EAAE,IAAkB;IACjE,MAAM,MAAM,GAAG,EAAE;SACd,OAAO,CACN;;;6CAGuC,CACxC;SACA,GAAG,CACF,IAAI,CAAC,QAAQ,IAAI,gBAAgB,EACjC,IAAI,CAAC,UAAU,EACf,IAAI,CAAC,KAAK,EACV,IAAI,CAAC,SAAS,IAAI,IAAI,EACtB,IAAI,CAAC,UAAU,IAAI,IAAI,EACvB,IAAI,CAAC,SAAS,IAAI,IAAI,EACtB,IAAI,CAAC,cAAc,IAAI,IAAI,EAC3B,IAAI,CAAC,YAAY,IAAI,IAAI,EACzB,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EACxB,IAAI,CAAC,MAAM,IAAI,aAAa,CAC7B,CAAC;IACJ,OAAO,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,cAAc,GAAG;;4CAEqB,CAAC;AAE7C,MAAM,UAAU,OAAO,CACrB,EAAoB,EACpB,IAA0C;IAE1C,MAAM,IAAI,GAAG,EAAE;SACZ,OAAO,CACN,UAAU,cAAc;;;;gBAId,CACX;SACA,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,KAAK,IAAI,GAAG,CAAmC,CAAC;IAC3E,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,EAAoB,EAAE,EAAU;IAC1D,MAAM,GAAG,GAAG,EAAE;SACX,OAAO,CACN,UAAU,cAAc;;qBAET,CAChB;SACA,GAAG,CAAC,EAAE,CAAwC,CAAC;IAClD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,SAAS,CAAC,CAA0B;IAC3C,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;QACtB,SAAS,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,UAAU,EAAE,CAAC,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QAChE,SAAS,EAAE,CAAC,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3D,cAAc,EAAE,CAAC,CAAC,eAAe,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC;QAC5E,YAAY,EAAE,CAAC,CAAC,cAAc,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC;QACxE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC;QACtC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;KAC5D,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB,EAAE,EAAU;IACnD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,EAAE,CAAC,OAAO,CACR;;;qBAGe,CAChB,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;IACtC,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAgDD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAY,EACZ,EAAU,EACV,OAAoD,EAAE;IAEtD,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,IAAI,GAAmB,CAAC;IACxB,IAAI,CAAC;QACH,GAAG,GAAG,WAAW,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5B,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,CAAC;YACb,MAAM,EAAE,UAAU,EAAE,YAAY;SACjC,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACtC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,aAAa;gBACrB,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,MAAM,EAAE,sDAAsD;aAC/D,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAG,qBAAqB,CAAC;YAClC,OAAO,EAAE,GAAG,CAAC,UAAU;YACvB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,cAAc,EAAE,IAAI,CAAC,cAAc;SACpC,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAClC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,UAAU;gBAClB,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;gBAC9B,MAAM,EACJ,+FAA+F;aAClG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,aAAa;YACrB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,sBAAuB,CAAW,CAAC,OAAO,EAAE;SACrD,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,CAAC;QACrC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,+BAA+B;SACxC,CAAC;IACJ,CAAC;IAED,wEAAwE;IACxE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QACrB,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAClC,OAAO;YACL,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;YAC9B,MAAM,EAAE,kCAAkC;SAC3C,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,yEAAyE;IACzE,uCAAuC;IACvC,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IACxC,MAAM,cAAc,GAAG,CAAC,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,qBAAqB,CAC3E,SAAS,EACT,GAAG,CAAC,UAAU,CACf,CAAC;IACF,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE;QAC9C,UAAU,EAAE,GAAG,CAAC,UAAU;QAC1B,SAAS;QACT,cAAc;QACd,UAAU;KACX,CAAC,CAAC;IACH,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAClC,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,UAAU;QAClB,QAAQ;QACR,UAAU,EAAE,GAAG,CAAC,UAAU,GAAG,CAAC;KAC/B,CAAC;AACJ,CAAC"}

package/dist/connectors/github/idempotency.d.ts

@@ -0,0 +1,19 @@
+import type { DatabaseSyncLike } from '../../db.js';
+/**
+ * Thrown by ingest's afterWrite hook when a concurrent worker has already
+ * inserted github_event_log for the same idempotency_key. Roll back the
+ * SAVEPOINT so exactly one memory row exists per key.
+ */
+export declare class DuplicateIdempotencyError extends Error {
+    readonly idempotencyKey: string;
+    constructor(idempotencyKey: string);
+}
+export declare function hasSeenKey(db: DatabaseSyncLike, idempotencyKey: string): boolean;
+export declare function markKeySeen(db: DatabaseSyncLike, args: {
+    idempotencyKey: string;
+    deliveryId: string;
+    eventName: string;
+    memoryId: string | null;
+}): void;
+export declare function lookupMemoryByKey(db: DatabaseSyncLike, idempotencyKey: string): string | null;
+//# sourceMappingURL=idempotency.d.ts.map

package/dist/connectors/github/idempotency.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.d.ts","sourceRoot":"","sources":["../../../src/connectors/github/idempotency.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAEpD;;;;GAIG;AACH,qBAAa,yBAA0B,SAAQ,KAAK;IAClD,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;gBACpB,cAAc,EAAE,MAAM;CAKnC;AAED,wBAAgB,UAAU,CAAC,EAAE,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAGhF;AAED,wBAAgB,WAAW,CACzB,EAAE,EAAE,gBAAgB,EACpB,IAAI,EAAE;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GAC/F,IAAI,CAIN;AAED,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAK7F"}

package/dist/connectors/github/idempotency.js

@@ -0,0 +1,25 @@
+/**
+ * Thrown by ingest's afterWrite hook when a concurrent worker has already
+ * inserted github_event_log for the same idempotency_key. Roll back the
+ * SAVEPOINT so exactly one memory row exists per key.
+ */
+export class DuplicateIdempotencyError extends Error {
+    idempotencyKey;
+    constructor(idempotencyKey) {
+        super(`duplicate github idempotency_key: ${idempotencyKey}`);
+        this.name = 'DuplicateIdempotencyError';
+        this.idempotencyKey = idempotencyKey;
+    }
+}
+export function hasSeenKey(db, idempotencyKey) {
+    const row = db.prepare(`SELECT 1 FROM github_event_log WHERE idempotency_key = ?`).get(idempotencyKey);
+    return !!row;
+}
+export function markKeySeen(db, args) {
+    db.prepare(`INSERT OR IGNORE INTO github_event_log (idempotency_key, delivery_id, event_name, ingested_at, memory_id) VALUES (?, ?, ?, ?, ?)`).run(args.idempotencyKey, args.deliveryId, args.eventName, new Date().toISOString(), args.memoryId);
+}
+export function lookupMemoryByKey(db, idempotencyKey) {
+    const row = db.prepare(`SELECT memory_id FROM github_event_log WHERE idempotency_key = ?`).get(idempotencyKey);
+    return row?.memory_id ?? null;
+}
+//# sourceMappingURL=idempotency.js.map

package/dist/connectors/github/idempotency.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency.js","sourceRoot":"","sources":["../../../src/connectors/github/idempotency.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IACzC,cAAc,CAAS;IAChC,YAAY,cAAsB;QAChC,KAAK,CAAC,qCAAqC,cAAc,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAC;QACxC,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;IACvC,CAAC;CACF;AAED,MAAM,UAAU,UAAU,CAAC,EAAoB,EAAE,cAAsB;IACrE,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,0DAA0D,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACvG,OAAO,CAAC,CAAC,GAAG,CAAC;AACf,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,EAAoB,EACpB,IAAgG;IAEhG,EAAE,CAAC,OAAO,CACR,kIAAkI,CACnI,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;AACvG,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,EAAoB,EAAE,cAAsB;IAC5E,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,kEAAkE,CAAC,CAAC,GAAG,CAAC,cAAc,CAEhG,CAAC;IACd,OAAO,GAAG,EAAE,SAAS,IAAI,IAAI,CAAC;AAChC,CAAC"}

package/dist/connectors/github/ingest.d.ts

@@ -0,0 +1,67 @@
+/**
+ * GitHub event ingest with afterWrite race-safe idempotency.
+ *
+ * Mirrors src/connectors/slack/ingest.ts. The dedupe key is sha256(eventName +
+ * ':' + rawBody) (codex P0 #3) — derived from the signed body, not from the
+ * unsigned X-GitHub-Delivery header, so a replay attacker cannot bypass
+ * idempotency by rotating the delivery UUID.
+ *
+ * Race semantics (codex P1 #6):
+ *   - Fast path: hasSeenKey pre-check returns 'duplicate' for the common case.
+ *   - Slow path: hasSeenKey passes (no row yet). Two workers may race into
+ *     remember() concurrently. Inside the writeEntry SAVEPOINT, INSERT OR
+ *     IGNORE on github_event_log either inserts (changes=1, commit) or
+ *     collides (changes=0, throw DuplicateIdempotencyError -> SAVEPOINT
+ *     rolls back this worker's memory row). Exactly one memory exists per
+ *     idempotency_key.
+ *
+ * The Slack precedent's race test was insufficient — it tested the fast path,
+ * not the SAVEPOINT collision. The `__testInjectBeforeLog` hook below lets
+ * tests pre-populate github_event_log inside the SAVEPOINT to actually
+ * exercise the changes=0 -> rollback path.
+ */
+import { type Context } from '../../api.js';
+import { type DatabaseSyncLike } from '../../db.js';
+import type { GitHubIssueEvent, GitHubIssueCommentEvent, GitHubPullRequestEvent, GitHubPullRequestReviewCommentEvent } from './types.js';
+export type IngestStatus = 'ingested' | 'duplicate' | 'skipped' | 'skipped_duplicate';
+export interface IngestResult {
+    status: IngestStatus;
+    memoryId: string | null;
+}
+/**
+ * Discriminated union of the four event shapes V1 ingests. The eventName
+ * field MUST equal the X-GitHub-Event header value; computeIdempotencyKey
+ * folds it into the dedupe key so the same body posted under two different
+ * X-GitHub-Event headers produces two distinct keys (test 7).
+ */
+export type IngestEvent = {
+    eventName: 'issues';
+    payload: GitHubIssueEvent;
+} | {
+    eventName: 'issue_comment';
+    payload: GitHubIssueCommentEvent;
+} | {
+    eventName: 'pull_request';
+    payload: GitHubPullRequestEvent;
+} | {
+    eventName: 'pull_request_review_comment';
+    payload: GitHubPullRequestReviewCommentEvent;
+};
+export interface IngestInput {
+    /** The X-GitHub-Event header value + parsed body, discriminated. */
+    event: IngestEvent;
+    /** The raw HTTP body — used for the idempotency key (replay-safe per codex P0 #3). */
+    rawBody: string;
+    /** X-GitHub-Delivery header value, audit metadata only. */
+    deliveryId: string;
+    /**
+     * Test-only hook fired inside the SAVEPOINT, AFTER the memory row is
+     * inserted but BEFORE the github_event_log INSERT OR IGNORE. Tests pass
+     * a function that pre-inserts the github_event_log row using the
+     * provided db handle to simulate a concurrent worker winning the race.
+     * Production callers leave this undefined.
+     */
+    __testInjectBeforeLog?: (db: DatabaseSyncLike, idempotencyKey: string) => void;
+}
+export declare function ingestEvent(ctx: Context, input: IngestInput): IngestResult;
+//# sourceMappingURL=ingest.d.ts.map

package/dist/connectors/github/ingest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ingest.d.ts","sourceRoot":"","sources":["../../../src/connectors/github/ingest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAY,KAAK,OAAO,EAAqB,MAAM,cAAc,CAAC;AACzE,OAAO,EAA6B,KAAK,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAS/E,OAAO,KAAK,EACV,gBAAgB,EAChB,uBAAuB,EACvB,sBAAsB,EACtB,mCAAmC,EACpC,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,GAAG,mBAAmB,CAAC;AAEtF,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,WAAW,GACnB;IAAE,SAAS,EAAE,QAAQ,CAAC;IAAC,OAAO,EAAE,gBAAgB,CAAA;CAAE,GAClD;IAAE,SAAS,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,uBAAuB,CAAA;CAAE,GAChE;IAAE,SAAS,EAAE,cAAc,CAAC;IAAC,OAAO,EAAE,sBAAsB,CAAA;CAAE,GAC9D;IAAE,SAAS,EAAE,6BAA6B,CAAC;IAAC,OAAO,EAAE,mCAAmC,CAAA;CAAE,CAAC;AAE/F,MAAM,WAAW,WAAW;IAC1B,oEAAoE;IACpE,KAAK,EAAE,WAAW,CAAC;IACnB,sFAAsF;IACtF,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,UAAU,EAAE,MAAM,CAAC;IACnB;;;;;;OAMG;IACH,qBAAqB,CAAC,EAAE,CAAC,EAAE,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,KAAK,IAAI,CAAC;CAChF;AAgDD,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,YAAY,CAkF1E"}

package/dist/connectors/github/ingest.js

@@ -0,0 +1,138 @@
+/**
+ * GitHub event ingest with afterWrite race-safe idempotency.
+ *
+ * Mirrors src/connectors/slack/ingest.ts. The dedupe key is sha256(eventName +
+ * ':' + rawBody) (codex P0 #3) — derived from the signed body, not from the
+ * unsigned X-GitHub-Delivery header, so a replay attacker cannot bypass
+ * idempotency by rotating the delivery UUID.
+ *
+ * Race semantics (codex P1 #6):
+ *   - Fast path: hasSeenKey pre-check returns 'duplicate' for the common case.
+ *   - Slow path: hasSeenKey passes (no row yet). Two workers may race into
+ *     remember() concurrently. Inside the writeEntry SAVEPOINT, INSERT OR
+ *     IGNORE on github_event_log either inserts (changes=1, commit) or
+ *     collides (changes=0, throw DuplicateIdempotencyError -> SAVEPOINT
+ *     rolls back this worker's memory row). Exactly one memory exists per
+ *     idempotency_key.
+ *
+ * The Slack precedent's race test was insufficient — it tested the fast path,
+ * not the SAVEPOINT collision. The `__testInjectBeforeLog` hook below lets
+ * tests pre-populate github_event_log inside the SAVEPOINT to actually
+ * exercise the changes=0 -> rollback path.
+ */
+import { remember } from '../../api.js';
+import { openHippoDb, closeHippoDb } from '../../db.js';
+import { hasSeenKey, lookupMemoryByKey, DuplicateIdempotencyError } from './idempotency.js';
+import { computeIdempotencyKey } from './signature.js';
+import { issueEventToRememberOpts, issueCommentEventToRememberOpts, pullRequestEventToRememberOpts, prReviewCommentEventToRememberOpts, } from './transform.js';
+function transformEvent(event) {
+    switch (event.eventName) {
+        case 'issues':
+            return issueEventToRememberOpts(event.payload);
+        case 'issue_comment':
+            return issueCommentEventToRememberOpts(event.payload);
+        case 'pull_request':
+            return pullRequestEventToRememberOpts(event.payload);
+        case 'pull_request_review_comment':
+            return prReviewCommentEventToRememberOpts(event.payload);
+    }
+}
+/**
+ * v1.3.1: extract the source-normalized identifier the idempotency key needs.
+ * Backfill and webhook both produce IngestEvent objects describing the same
+ * source revision, so deriving the key from these fields collapses both paths
+ * onto the same dedupe row. Mirrors the artifactRef strings in transform.ts.
+ */
+function eventArtifactRef(event) {
+    const repo = event.payload.repository?.full_name ?? 'unknown/unknown';
+    switch (event.eventName) {
+        case 'issues':
+            return `github://${repo}/issue/${event.payload.issue.number}`;
+        case 'issue_comment':
+            return `github://${repo}/issue/${event.payload.issue.number}/comment/${event.payload.comment.id}`;
+        case 'pull_request':
+            return `github://${repo}/pull/${event.payload.pull_request.number}`;
+        case 'pull_request_review_comment':
+            return `github://${repo}/pull/${event.payload.pull_request.number}/review_comment/${event.payload.comment.id}`;
+    }
+}
+function eventUpdatedAt(event) {
+    switch (event.eventName) {
+        case 'issues':
+            return event.payload.issue.updated_at ?? null;
+        case 'issue_comment':
+            return event.payload.comment.updated_at ?? null;
+        case 'pull_request':
+            return event.payload.pull_request.updated_at ?? null;
+        case 'pull_request_review_comment':
+            return event.payload.comment.updated_at ?? null;
+    }
+}
+export function ingestEvent(ctx, input) {
+    const idempotencyKey = computeIdempotencyKey(eventArtifactRef(input.event), eventUpdatedAt(input.event));
+    // Fast path: pre-check. Avoids running the transform / opening a write tx
+    // for the common already-seen case (GitHub auto-retries with the same body).
+    const db = openHippoDb(ctx.hippoRoot);
+    try {
+        if (hasSeenKey(db, idempotencyKey)) {
+            return { status: 'duplicate', memoryId: lookupMemoryByKey(db, idempotencyKey) };
+        }
+    }
+    finally {
+        closeHippoDb(db);
+    }
+    const opts = transformEvent(input.event);
+    if (!opts) {
+        // Empty body: no memory to write, but mark seen so a retry of the same
+        // empty event returns 'duplicate' (not 'skipped' again — that would
+        // re-run the transform on every retry).
+        const db2 = openHippoDb(ctx.hippoRoot);
+        try {
+            db2
+                .prepare(`INSERT OR IGNORE INTO github_event_log (idempotency_key, delivery_id, event_name, ingested_at, memory_id) VALUES (?, ?, ?, ?, ?)`)
+                .run(idempotencyKey, input.deliveryId, input.event.eventName, new Date().toISOString(), null);
+        }
+        finally {
+            closeHippoDb(db2);
+        }
+        return { status: 'skipped', memoryId: null };
+    }
+    // Atomic write via afterWrite. Inside writeEntry's SAVEPOINT:
+    //   1. memories row INSERT lands.
+    //   2. (test-only) __testInjectBeforeLog can race-inject a colliding key.
+    //   3. INSERT OR IGNORE on github_event_log; if a concurrent worker (or
+    //      the test injection) beat us, changes=0 -> throw -> SAVEPOINT rolls
+    //      back our memory row. Other worker's commit stands.
+    try {
+        const result = remember({ ...ctx, actor: ctx.actor || 'connector:github' }, {
+            ...opts,
+            afterWrite: (innerDb, memoryId) => {
+                if (input.__testInjectBeforeLog) {
+                    input.__testInjectBeforeLog(innerDb, idempotencyKey);
+                }
+                const inserted = innerDb
+                    .prepare(`INSERT OR IGNORE INTO github_event_log (idempotency_key, delivery_id, event_name, ingested_at, memory_id) VALUES (?, ?, ?, ?, ?)`)
+                    .run(idempotencyKey, input.deliveryId, input.event.eventName, new Date().toISOString(), memoryId);
+                if (Number(inserted.changes ?? 0) === 0) {
+                    throw new DuplicateIdempotencyError(idempotencyKey);
+                }
+            },
+        });
+        return { status: 'ingested', memoryId: result.id };
+    }
+    catch (e) {
+        if (e instanceof DuplicateIdempotencyError) {
+            // Other worker's row is committed. Return its memory_id so callers
+            // behave identically to the fast-path 'duplicate' branch.
+            const db3 = openHippoDb(ctx.hippoRoot);
+            try {
+                return { status: 'skipped_duplicate', memoryId: lookupMemoryByKey(db3, idempotencyKey) };
+            }
+            finally {
+                closeHippoDb(db3);
+            }
+        }
+        throw e;
+    }
+}
+//# sourceMappingURL=ingest.js.map