paperclip-github-plugin 0.9.0 → 0.9.2

package/README.md

@@ -196,6 +196,7 @@ The plugin is designed to avoid persisting raw credentials in plugin state.
 - The settings UI also keeps lightweight non-secret identity labels for those saved connections, so later visits can still show who each company GitHub token and board access are connected as.
 - On authenticated deployments, any selected propagation agents receive `GITHUB_TOKEN` as an agent env secret-ref binding that points at the same saved GitHub token secret instead of a copied raw token.
 - The worker resolves those secret references at runtime instead of storing raw tokens in plugin state.
+- When the current Paperclip host rejects plugin secret refs, GitHub Sync keeps company-scoped worker-local compatibility copies for GitHub tokens and Paperclip board-access tokens in `${PAPERCLIP_HOME:-~/.paperclip}/plugins/github-sync/config.json`. Reconnect board access once after upgrading if sync still cannot authenticate Paperclip label or issue REST calls.
 - On authenticated Paperclip deployments, sync is blocked until the relevant company has connected Paperclip board access.
 - KPI API route requests must include `Authorization: Bearer <PAPERCLIP_API_KEY>` from an agent run; the Paperclip host authenticates the token and supplies the agent company before the worker records any metric event.
 
@@ -205,7 +206,13 @@ If Paperclip-managed secrets are not available, the worker can read a local fall
 
 ```json
 {
-  "githubToken": "ghp_your_token_here"
+  "githubToken": "ghp_your_token_here",
+  "githubTokensByCompanyId": {
+    "company-uuid": "ghp_company_specific_token_here"
+  },
+  "paperclipBoardApiTokensByCompanyId": {
+    "company-uuid": "paperclip_board_api_token_here"
+  }
 }
 ```
 
@@ -213,7 +220,9 @@ Notes:
 
 - This file is read by the worker only.
 - The raw token is never persisted back into plugin state or plugin config.
-- A GitHub token secret saved through the settings UI takes precedence over the local file.
+- A GitHub token secret saved through the settings UI is the primary source. If the current Paperclip host rejects plugin secret-ref resolution while company-scoped plugin config is unavailable, GitHub Sync stores the validated token in `githubTokensByCompanyId` as a worker-local compatibility fallback.
+- A Paperclip board access secret saved through the settings UI is also the primary source. If the host cannot resolve it for plugin workers, reconnecting board access stores the approved board token in `paperclipBoardApiTokensByCompanyId` as a worker-local compatibility fallback for direct Paperclip REST calls.
+- On authenticated deployments, selected agents receive `GITHUB_TOKEN` as a latest-version secret-ref env binding, and the settings UI patches agent adapter config with `replaceAdapterConfig: true` so newer Paperclip hosts persist the merged env map.
 
 ### Worker-facing Paperclip API URL
 

package/dist/manifest.js

@@ -642,7 +642,7 @@ var PULL_REQUEST_ASSET_API_ROUTE_URL_PATH = `/api/plugins/${GITHUB_SYNC_PLUGIN_I
 var require2 = createRequire(import.meta.url);
 var packageJson = require2("../package.json");
 var SCHEDULE_TICK_CRON = "* * * * *";
-var MANIFEST_VERSION = "0.9.0"?.trim() || typeof packageJson.version === "string" && packageJson.version.trim() || process.env.npm_package_version?.trim() || "0.0.0-dev";
+var MANIFEST_VERSION = "0.9.2"?.trim() || typeof packageJson.version === "string" && packageJson.version.trim() || process.env.npm_package_version?.trim() || "0.0.0-dev";
 var manifest = {
   id: GITHUB_SYNC_PLUGIN_ID,
   apiVersion: 1,

package/dist/ui/index.js

@@ -23165,6 +23165,9 @@ function resolveToolbarButtonState(params) {
     syncStartPending
   };
 }
+function clearGitHubTokenConfigSyncAttemptOnFailure(currentAttemptKey, failedAttemptKey) {
+  return currentAttemptKey === failedAttemptKey ? null : currentAttemptKey;
+}
 function getSyncToastTitle(syncState) {
   if (getActiveRateLimitPause(syncState)) {
     return "GitHub sync is paused";
@@ -28394,6 +28397,25 @@ async function resolveOrCreateCompanySecret(companyId, name2, value) {
     })
   });
 }
+function isPluginSecretReferencesDisabledError(error) {
+  return getActionErrorMessage(error, "").toLowerCase().includes("plugin secret references are disabled");
+}
+function stripPluginSecretRefConfig(config) {
+  const {
+    githubTokenRefs: _githubTokenRefs,
+    paperclipBoardApiTokenRefs: _paperclipBoardApiTokenRefs,
+    ...safeConfig
+  } = config;
+  return safeConfig;
+}
+async function writePluginConfig(pluginId, config) {
+  await fetchJson(`/api/plugins/${pluginId}/config`, {
+    method: "POST",
+    body: JSON.stringify({
+      configJson: config
+    })
+  });
+}
 async function patchPluginConfig(pluginId, patch5) {
   const currentConfigResponse = await fetchJson(`/api/plugins/${pluginId}/config`);
   const currentConfig = normalizePluginConfig(currentConfigResponse?.configJson);
@@ -28401,12 +28423,18 @@ async function patchPluginConfig(pluginId, patch5) {
   if (JSON.stringify(nextConfig) === JSON.stringify(currentConfig)) {
     return;
   }
-  await fetchJson(`/api/plugins/${pluginId}/config`, {
-    method: "POST",
-    body: JSON.stringify({
-      configJson: nextConfig
-    })
-  });
+  try {
+    await writePluginConfig(pluginId, nextConfig);
+  } catch (error) {
+    if (!isPluginSecretReferencesDisabledError(error)) {
+      throw error;
+    }
+    const safeConfig = stripPluginSecretRefConfig(nextConfig);
+    if (JSON.stringify(safeConfig) === JSON.stringify(nextConfig)) {
+      throw error;
+    }
+    await writePluginConfig(pluginId, safeConfig);
+  }
 }
 var GITHUB_TOKEN_PROPAGATION_CONCURRENCY_LIMIT = 4;
 function normalizeAgentAdapterConfig(value) {
@@ -28430,7 +28458,8 @@ function getAgentPropagationPatch(params) {
       ...currentEnv,
       GITHUB_TOKEN: {
         type: "secret_ref",
-        secretId: params.githubTokenSecretRef
+        secretId: params.githubTokenSecretRef,
+        version: "latest"
       }
     };
     if (JSON.stringify(nextEnv2) === JSON.stringify(currentEnv)) {
@@ -28485,7 +28514,8 @@ async function applyGitHubTokenPropagationUpdate(params) {
   await fetchJson(`/api/agents/${params.agentId}`, {
     method: "PATCH",
     body: JSON.stringify({
-      adapterConfig: nextAdapterConfig
+      adapterConfig: nextAdapterConfig,
+      replaceAdapterConfig: true
     })
   });
 }
@@ -31968,6 +31998,7 @@ function GitHubSyncSettingsPage() {
   const saveRegistration = usePluginAction("settings.saveRegistration");
   const updateBoardAccess = usePluginAction("settings.updateBoardAccess");
   const validateToken = usePluginAction("settings.validateToken");
+  const ensureGitHubTokenAvailable = usePluginAction("settings.ensureGitHubTokenAvailable");
   const runSyncNow = usePluginAction("sync.runNow");
   const cancelSync = usePluginAction("sync.cancel");
   const [form, setForm] = useState2(EMPTY_SETTINGS);
@@ -31995,6 +32026,7 @@ function GitHubSyncSettingsPage() {
   const themeMode = useResolvedThemeMode();
   const boardAccessRequirement = usePaperclipBoardAccessRequirement();
   const armSyncCompletionToast = useSyncCompletionToast(form.syncState, toast);
+  const githubTokenConfigSyncAttemptRef = useRef(null);
   const boardAccessConfigSyncAttemptRef = useRef(null);
   const assigneeFallbackAttemptRef = useRef(null);
   const currentSettings = settings.data ?? cachedSettings;
@@ -32111,6 +32143,76 @@ function GitHubSyncSettingsPage() {
       cancelled = true;
     };
   }, [currentSettings?.availableAssignees?.length, currentSettings?.updatedAt, hostContext.companyId]);
+  useEffect2(() => {
+    const companyId = hostContext.companyId;
+    const secretRef = settings.data?.githubTokenNeedsConfigSync ? settings.data.githubTokenConfigSyncRef : void 0;
+    if (!companyId || !secretRef) {
+      return;
+    }
+    const attemptKey = `${companyId}:${secretRef}`;
+    if (githubTokenConfigSyncAttemptRef.current === attemptKey) {
+      return;
+    }
+    githubTokenConfigSyncAttemptRef.current = attemptKey;
+    let cancelled = false;
+    void (async () => {
+      try {
+        const pluginId = await resolveCurrentPluginId(pluginIdFromLocation);
+        if (!pluginId) {
+          throw new Error("Plugin id is required to finish syncing the GitHub token into plugin config.");
+        }
+        await patchPluginConfig(pluginId, {
+          githubTokenRefs: {
+            [companyId]: secretRef
+          }
+        });
+        const selectedAgentIds = normalizeAgentIds(settings.data?.advancedSettings?.githubTokenPropagationAgentIds);
+        if (selectedAgentIds.length > 0) {
+          await propagateGitHubTokenToSelectedAgents({
+            selectedAgentIds,
+            previousAgentIds: selectedAgentIds,
+            githubTokenSecretRef: secretRef
+          });
+        }
+        if (cancelled) {
+          return;
+        }
+        notifyGitHubSyncSettingsChanged();
+        try {
+          await settings.refresh();
+        } catch {
+          return;
+        }
+      } catch (error) {
+        githubTokenConfigSyncAttemptRef.current = clearGitHubTokenConfigSyncAttemptOnFailure(
+          githubTokenConfigSyncAttemptRef.current,
+          attemptKey
+        );
+        if (cancelled) {
+          return;
+        }
+        toast({
+          title: "GitHub token needs reconnection",
+          body: getActionErrorMessage(
+            error,
+            "GitHub Sync could not finish migrating the saved GitHub token into plugin config."
+          ),
+          tone: "error"
+        });
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [
+    hostContext.companyId,
+    pluginIdFromLocation,
+    settings.data?.advancedSettings?.githubTokenPropagationAgentIds,
+    settings.data?.githubTokenNeedsConfigSync,
+    settings.data?.githubTokenConfigSyncRef,
+    settings.refresh,
+    toast
+  ]);
   useEffect2(() => {
     const companyId = hostContext.companyId;
     const secretRef = settings.data?.paperclipBoardAccessNeedsConfigSync ? settings.data.paperclipBoardAccessConfigSyncRef : void 0;
@@ -32581,6 +32683,16 @@ function GitHubSyncSettingsPage() {
         },
         githubTokenLogin: validation.login
       });
+      let availabilityWarning = null;
+      try {
+        await ensureGitHubTokenAvailable({
+          companyId,
+          githubTokenRef: secret.id,
+          token: trimmedToken
+        });
+      } catch (error) {
+        availabilityWarning = error;
+      }
       const selectedAgentIds = normalizeAgentIds(currentSettings?.advancedSettings?.githubTokenPropagationAgentIds);
       let propagationError = null;
       try {
@@ -32616,6 +32728,16 @@ function GitHubSyncSettingsPage() {
           tone: "error"
         });
       }
+      if (availabilityWarning) {
+        toast({
+          title: "GitHub token saved, but worker token access needs attention",
+          body: getActionErrorMessage(
+            availabilityWarning,
+            "GitHub Sync could not verify worker access to the saved token."
+          ),
+          tone: "error"
+        });
+      }
       notifyGitHubSyncSettingsChanged();
       try {
         await settings.refresh();
@@ -32672,6 +32794,7 @@ function GitHubSyncSettingsPage() {
       await updateBoardAccess({
         companyId,
         paperclipBoardApiTokenRef: secret.id,
+        paperclipBoardApiToken: boardApiToken,
         paperclipBoardAccessIdentity: boardIdentity.label ?? "",
         paperclipBoardAccessUserId: boardIdentity.userId ?? ""
       });
@@ -35133,7 +35256,9 @@ export {
   GitHubSyncProjectPullRequestsPage,
   GitHubSyncProjectPullRequestsSidebarItem,
   GitHubSyncSettingsPage,
+  clearGitHubTokenConfigSyncAttemptOnFailure,
   index_default as default,
+  patchPluginConfig,
   resolveGitHubIssueDetailTabState,
   resolveOrCreateProject,
   resolvePreviewPersonLabels,