typeclaw 0.3.0 → 0.4.0

package/src/bundled-plugins/security/index.ts

@@ -25,8 +25,9 @@ export { SECURITY_PERMISSIONS, type SecurityPermission } from './permissions'
 // it's the only carrier.
 const BYPASS_ROLE_HINT = {
   [SECURITY_PERMISSIONS.bypassSecretExfilBash]: 'owner and trusted have it by default',
-  [SECURITY_PERMISSIONS.bypassGitExfil]: 'only owner has it by default',
-  [SECURITY_PERMISSIONS.bypassGitRemoteTainted]: 'only owner has it by default',
+  [SECURITY_PERMISSIONS.bypassGitExfil]: 'owner and trusted have it by default',
+  [SECURITY_PERMISSIONS.bypassGitRemoteTainted]:
+    'only owner has it by default (trusted intentionally does not, so the two-step taint defense still fires)',
   [SECURITY_PERMISSIONS.bypassSecretExfilRead]: 'only owner has it by default',
   [SECURITY_PERMISSIONS.bypassSsrf]: 'only owner has it by default',
   [SECURITY_PERMISSIONS.bypassSessionSearchSecrets]: 'only owner has it by default',

package/src/channels/adapters/github/auth-app.ts

@@ -0,0 +1,120 @@
+import { resolveSecret, type Secret } from '@/secrets/resolve'
+
+import type { GithubAuthStrategy, GithubSelfUser } from './auth'
+import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
+
+export class AppAuthStrategy implements GithubAuthStrategy {
+  private readonly appId: number
+  private readonly privateKeyPem: string
+  private readonly installationId: number | null
+  private readonly fetchImpl: typeof fetch
+  private cachedToken: { value: string; expiresAt: number } | null = null
+  private resolvedInstallationId: number | null = null
+  private _selfUser: GithubSelfUser | null = null
+
+  constructor(options: { appId: number; privateKey: Secret; installationId?: number; fetchImpl?: typeof fetch }) {
+    const privateKeyPem = resolveSecret(options.privateKey, undefined, process.env)
+    if (privateKeyPem === undefined || privateKeyPem.trim() === '') throw new Error('GitHub App private key is missing')
+    this.appId = options.appId
+    this.privateKeyPem = privateKeyPem
+    this.installationId = options.installationId ?? null
+    this.fetchImpl = options.fetchImpl ?? fetch
+  }
+
+  async token(): Promise<string> {
+    if (this.cachedToken && Date.now() < this.cachedToken.expiresAt - 5 * 60 * 1000) {
+      return this.cachedToken.value
+    }
+    const jwt = await this.mintJwt()
+    const installId = await this.resolveInstallationId(jwt)
+    const response = await this.fetchImpl(`${GITHUB_API_BASE}/app/installations/${installId}/access_tokens`, {
+      method: 'POST',
+      headers: githubJsonHeaders(jwt),
+    })
+    if (!response.ok) throw new Error(`GitHub App token mint failed: ${response.status}`)
+    const raw = (await response.json()) as { token?: unknown; expires_at?: unknown }
+    if (typeof raw.token !== 'string') throw new Error('GitHub App token response missing token')
+    const expiresAt = typeof raw.expires_at === 'string' ? Date.parse(raw.expires_at) : Date.now() + 60 * 60 * 1000
+    this.cachedToken = { value: raw.token, expiresAt }
+    return raw.token
+  }
+
+  async authHeaders(): Promise<HeadersInit> {
+    return githubJsonHeaders(await this.token())
+  }
+
+  async getSelf(): Promise<GithubSelfUser> {
+    if (this._selfUser) return this._selfUser
+    const jwt = await this.mintJwt()
+    const appResponse = await this.fetchImpl(`${GITHUB_API_BASE}/app`, { headers: githubJsonHeaders(jwt) })
+    if (!appResponse.ok) throw new Error(`GitHub App preflight failed: ${appResponse.status}`)
+    const app = (await appResponse.json()) as { slug?: unknown }
+    if (typeof app.slug !== 'string') throw new Error('GitHub /app response missing slug')
+
+    const botLogin = `${app.slug}[bot]`
+    const userResponse = await this.fetchImpl(`${GITHUB_API_BASE}/users/${encodeURIComponent(botLogin)}`, {
+      headers: githubJsonHeaders(jwt),
+    })
+    if (!userResponse.ok) throw new Error(`GitHub bot user lookup failed: ${userResponse.status}`)
+    const user = (await userResponse.json()) as { id?: unknown; login?: unknown }
+    if (typeof user.id !== 'number' || typeof user.login !== 'string') {
+      throw new Error('GitHub bot user response missing id/login')
+    }
+    this._selfUser = { id: user.id, login: user.login }
+    return this._selfUser
+  }
+
+  async dispose(): Promise<void> {
+    this.cachedToken = null
+  }
+
+  private async mintJwt(): Promise<string> {
+    const now = Math.floor(Date.now() / 1000)
+    const iat = now - 60
+    const exp = iat + 600
+    const header = base64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))
+    const payload = base64url(JSON.stringify({ iat, exp, iss: this.appId }))
+    const signingInput = `${header}.${payload}`
+    const key = await importRsaPrivateKey(this.privateKeyPem)
+    const signature = await crypto.subtle.sign(
+      { name: 'RSASSA-PKCS1-v1_5' },
+      key,
+      new TextEncoder().encode(signingInput),
+    )
+    return `${signingInput}.${base64url(Buffer.from(signature))}`
+  }
+
+  private async resolveInstallationId(jwt: string): Promise<number> {
+    if (this.resolvedInstallationId !== null) return this.resolvedInstallationId
+    if (this.installationId !== null) {
+      this.resolvedInstallationId = this.installationId
+      return this.installationId
+    }
+    const response = await this.fetchImpl(`${GITHUB_API_BASE}/app/installations`, { headers: githubJsonHeaders(jwt) })
+    if (!response.ok) throw new Error(`GitHub App installations fetch failed: ${response.status}`)
+    const list = (await response.json()) as Array<{ id?: unknown }>
+    if (list.length === 0) throw new Error('GitHub App has no installations')
+    if (list.length > 1) {
+      const ids = list.map((installation) => installation.id).join(', ')
+      throw new Error(`GitHub App has multiple installations (${ids}); set installationId in secrets.json`)
+    }
+    const id = list[0]?.id
+    if (typeof id !== 'number') throw new Error('GitHub App installation missing id')
+    this.resolvedInstallationId = id
+    return id
+  }
+}
+
+function base64url(input: string | Buffer): string {
+  const buf = typeof input === 'string' ? Buffer.from(input) : input
+  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+}
+
+async function importRsaPrivateKey(pem: string): Promise<CryptoKey> {
+  const b64 = pem
+    .replace(/-----BEGIN [^-]+-----/, '')
+    .replace(/-----END [^-]+-----/, '')
+    .replace(/\s/g, '')
+  const der = Buffer.from(b64, 'base64')
+  return await crypto.subtle.importKey('pkcs8', der, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['sign'])
+}

package/src/channels/adapters/github/auth-pat.ts

@@ -0,0 +1,50 @@
+import { resolveSecret, type Secret } from '@/secrets/resolve'
+
+import type { GithubAuthStrategy, GithubSelfUser } from './auth'
+
+export const GITHUB_API_BASE = 'https://api.github.com'
+
+export class PatAuthStrategy implements GithubAuthStrategy {
+  private readonly _token: string
+  private readonly fetchImpl: typeof fetch
+
+  constructor(options: { token: Secret; fetchImpl?: typeof fetch }) {
+    const token = resolveSecret(options.token, undefined, process.env)
+    if (token === undefined || token.trim() === '') throw new Error('GitHub PAT token is missing')
+    this._token = token
+    this.fetchImpl = options.fetchImpl ?? fetch
+  }
+
+  async token(): Promise<string> {
+    return this._token
+  }
+
+  async authHeaders(): Promise<HeadersInit> {
+    return githubJsonHeaders(this._token)
+  }
+
+  async getSelf(): Promise<GithubSelfUser> {
+    const response = await this.fetchImpl(`${GITHUB_API_BASE}/user`, { headers: await this.authHeaders() })
+    if (!response.ok) {
+      const body = await response.text().catch(() => '')
+      throw new Error(`GitHub PAT authentication failed: ${response.status}${body !== '' ? ` ${body}` : ''}`)
+    }
+    const raw = (await response.json()) as { login?: unknown; id?: unknown }
+    if (typeof raw.login !== 'string' || typeof raw.id !== 'number') {
+      throw new Error('GitHub /user response did not include login/id')
+    }
+    return { login: raw.login, id: raw.id }
+  }
+
+  async dispose(): Promise<void> {}
+}
+
+export function githubJsonHeaders(token: string): HeadersInit {
+  return {
+    Authorization: `Bearer ${token}`,
+    Accept: 'application/vnd.github+json',
+    'Content-Type': 'application/json',
+    'X-GitHub-Api-Version': '2022-11-28',
+    'User-Agent': 'typeclaw-github-channel',
+  }
+}

package/src/channels/adapters/github/auth.ts

@@ -0,0 +1,33 @@
+import type { GithubAppAuthBlock, GithubPatAuthBlock } from '@/secrets/schema'
+
+import { AppAuthStrategy } from './auth-app'
+import { PatAuthStrategy } from './auth-pat'
+
+export type GithubAuthStrategy = {
+  token: () => Promise<string>
+  authHeaders: () => Promise<HeadersInit>
+  getSelf: () => Promise<GithubSelfUser>
+  dispose: () => Promise<void>
+}
+
+export type GithubSelfUser = {
+  login: string
+  id: number
+}
+
+export function buildAuthStrategy(options: {
+  auth: GithubPatAuthBlock | GithubAppAuthBlock
+  fetchImpl?: typeof fetch
+}): GithubAuthStrategy {
+  switch (options.auth.type) {
+    case 'pat':
+      return new PatAuthStrategy({ token: options.auth.token, fetchImpl: options.fetchImpl })
+    case 'app':
+      return new AppAuthStrategy({
+        appId: options.auth.appId,
+        privateKey: options.auth.privateKey,
+        installationId: options.auth.installationId,
+        fetchImpl: options.fetchImpl,
+      })
+  }
+}

package/src/channels/adapters/github/channel-resolver.ts

@@ -0,0 +1,30 @@
+import type { ChannelNameResolver, ResolvedChannelNames } from '@/channels/types'
+
+import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
+import { parseChat, parseRepo } from './outbound'
+
+export function createGithubChannelNameResolver(options: {
+  token: () => Promise<string>
+  fetchImpl?: typeof fetch
+}): ChannelNameResolver {
+  const fetchImpl = options.fetchImpl ?? fetch
+  return async (key): Promise<ResolvedChannelNames> => {
+    if (key.adapter !== 'github') return {}
+    const repo = parseRepo(key.workspace)
+    const chat = parseChat(key.chat)
+    if (repo === null || chat === null) return {}
+    const names: ResolvedChannelNames = { workspaceName: key.workspace }
+    if (chat.kind === 'discussion') return names
+    const path = chat.kind === 'issue' ? `issues/${chat.number}` : `pulls/${chat.number}`
+    try {
+      const response = await fetchImpl(`${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/${path}`, {
+        headers: githubJsonHeaders(await options.token()),
+      })
+      if (!response.ok) return names
+      const raw = (await response.json()) as { title?: string }
+      return raw.title !== undefined ? { ...names, chatName: raw.title } : names
+    } catch {
+      return names
+    }
+  }
+}

package/src/channels/adapters/github/dedup.ts

@@ -0,0 +1,26 @@
+export type DeliveryDedup = {
+  has: (deliveryId: string) => boolean
+  add: (deliveryId: string) => void
+  size: () => number
+}
+
+export function createDeliveryDedup(limit = 1000): DeliveryDedup {
+  const seen = new Map<string, true>()
+  return {
+    has(deliveryId: string): boolean {
+      return seen.has(deliveryId)
+    },
+    add(deliveryId: string): void {
+      if (seen.has(deliveryId)) seen.delete(deliveryId)
+      seen.set(deliveryId, true)
+      while (seen.size > limit) {
+        const oldest = seen.keys().next().value
+        if (oldest === undefined) break
+        seen.delete(oldest)
+      }
+    },
+    size(): number {
+      return seen.size
+    },
+  }
+}

package/src/channels/adapters/github/event-allowlist.ts

@@ -0,0 +1,8 @@
+export function githubEventKey(event: string, action: unknown): string {
+  return typeof action === 'string' && action.length > 0 ? `${event}.${action}` : event
+}
+
+export function isGithubEventAllowed(allowlist: readonly string[], event: string, action: unknown): boolean {
+  const key = githubEventKey(event, action)
+  return allowlist.includes(key) || allowlist.includes(event)
+}

package/src/channels/adapters/github/fetch-attachment.ts

@@ -0,0 +1,5 @@
+import type { FetchAttachmentCallback } from '@/channels/types'
+
+export function createGithubFetchAttachmentCallback(): FetchAttachmentCallback {
+  return async () => ({ ok: false, error: 'github-bot-does-not-support-attachments' })
+}

package/src/channels/adapters/github/history.ts

@@ -0,0 +1,63 @@
+import type { ChannelHistoryMessage, FetchHistoryArgs, FetchHistoryResult, HistoryCallback } from '@/channels/types'
+
+import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
+import { parseChat, parseRepo } from './outbound'
+
+export function createGithubHistoryCallback(options: {
+  token: () => Promise<string>
+  workspaceForChat: (chat: string) => string | null
+  fetchImpl?: typeof fetch
+}): HistoryCallback {
+  const fetchImpl = options.fetchImpl ?? fetch
+  return async (args: FetchHistoryArgs): Promise<FetchHistoryResult> => {
+    const workspace = options.workspaceForChat(args.chat)
+    if (workspace === null)
+      return { ok: false, error: 'github history unavailable until this chat receives an inbound' }
+    const repo = parseRepo(workspace)
+    const chat = parseChat(args.chat)
+    if (repo === null || chat === null) return { ok: false, error: 'invalid github history target' }
+    if (chat.kind === 'discussion') return { ok: false, error: 'github discussion history not supported yet' }
+    const endpoint =
+      chat.kind === 'pr' && args.thread !== null
+        ? `${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/pulls/${chat.number}/comments`
+        : `${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/issues/${chat.number}/comments`
+    try {
+      const cursor = args.cursor !== undefined && args.cursor !== '' ? `&page=${encodeURIComponent(args.cursor)}` : ''
+      const response = await fetchImpl(
+        `${endpoint}?per_page=${Math.min(Math.max(args.limit, 1), 100)}&direction=desc${cursor}`,
+        {
+          headers: githubJsonHeaders(await options.token()),
+        },
+      )
+      if (!response.ok) return { ok: false, error: `GitHub history ${response.status}` }
+      const raw = (await response.json()) as GithubComment[]
+      const link = response.headers.get('link') ?? ''
+      const nextCursor = /[?&]page=(\d+)[^>]*>; rel="next"/.exec(link)?.[1]
+      return nextCursor !== undefined
+        ? { ok: true, messages: raw.map(mapComment), nextCursor }
+        : { ok: true, messages: raw.map(mapComment) }
+    } catch (err) {
+      return { ok: false, error: err instanceof Error ? err.message : String(err) }
+    }
+  }
+}
+
+type GithubComment = {
+  id: number
+  body?: string
+  created_at?: string
+  user?: { id?: number; login?: string; type?: string }
+}
+
+function mapComment(comment: GithubComment): ChannelHistoryMessage {
+  const login = comment.user?.login ?? 'unknown'
+  return {
+    externalMessageId: String(comment.id),
+    authorId: String(comment.user?.id ?? login),
+    authorName: login,
+    text: comment.body ?? '',
+    ts: comment.created_at !== undefined ? Date.parse(comment.created_at) || 0 : 0,
+    isBot: comment.user?.type === 'Bot',
+    replyToBotMessageId: null,
+  }
+}

package/src/channels/adapters/github/inbound.ts

@@ -0,0 +1,286 @@
+import { createHmac, timingSafeEqual } from 'node:crypto'
+
+import type { InboundMessage } from '@/channels/types'
+
+import type { DeliveryDedup } from './dedup'
+import { isGithubEventAllowed } from './event-allowlist'
+
+export type GithubInboundLogger = { info: (m: string) => void; warn: (m: string) => void; error: (m: string) => void }
+
+export type GithubWebhookHandlerOptions = {
+  webhookSecret: string
+  dedup: DeliveryDedup
+  allowlist: () => readonly string[]
+  selfId: () => string | null
+  selfLogin: () => string | null
+  route: (message: InboundMessage) => void
+  logger: GithubInboundLogger
+}
+
+export function createGithubWebhookHandler(options: GithubWebhookHandlerOptions): (req: Request) => Promise<Response> {
+  return async (req: Request): Promise<Response> => {
+    if (req.method !== 'POST') return new Response('method not allowed', { status: 405 })
+    const body = await req.text()
+    const signature = req.headers.get('x-hub-signature-256') ?? ''
+    if (!(await verifySignature(body, options.webhookSecret, signature))) {
+      options.logger.warn('[github] webhook rejected: bad signature')
+      return new Response('bad signature', { status: 401 })
+    }
+
+    const delivery = req.headers.get('x-github-delivery') ?? ''
+    if (delivery !== '' && options.dedup.has(delivery)) {
+      options.logger.info(`[github] duplicate delivery ignored id=${delivery}`)
+      return ok()
+    }
+
+    const event = req.headers.get('x-github-event') ?? ''
+    const payload = parseJson(body)
+    if (payload === null) return ok()
+    const action = readString(payload, 'action')
+    if (!isGithubEventAllowed(options.allowlist(), event, action)) return ok()
+
+    const selfId = options.selfId()
+    const author = readAuthor(payload)
+    if (selfId !== null && author !== null && String(author.id) === selfId) return ok()
+
+    const classified = classifyGithubInbound(event, payload, options.selfLogin())
+    if (classified === null) return ok()
+
+    if (delivery !== '') options.dedup.add(delivery)
+    options.route(classified)
+    return ok()
+  }
+}
+
+export async function verifySignature(body: string, secret: string, sigHeader: string): Promise<boolean> {
+  const expected = `sha256=${createHmac('sha256', secret).update(body).digest('hex')}`
+  const a = Buffer.from(expected)
+  const b = Buffer.from(sigHeader)
+  if (a.length !== b.length) return false
+  return timingSafeEqual(a, b)
+}
+
+export function classifyGithubInbound(
+  event: string,
+  payload: Record<string, unknown>,
+  selfLogin: string | null,
+): InboundMessage | null {
+  const repository = readRepository(payload)
+  if (repository === null) return null
+  const base = {
+    adapter: 'github' as const,
+    workspace: `${repository.owner}/${repository.name}`,
+    isDm: false,
+    mentionsOthers: false,
+    replyToOtherMessageId: null,
+  }
+
+  if (event === 'issue_comment') {
+    const issue = readRecord(payload.issue)
+    const comment = readRecord(payload.comment)
+    if (issue === null || comment === null) return null
+    const number = readNumber(issue, 'number')
+    const id = readNumber(comment, 'id')
+    if (number === null || id === null) return null
+    const isPullRequest = readRecord(issue.pull_request) !== null
+    const user = readUser(comment.user)
+    return buildInbound(
+      { ...base, chat: `${isPullRequest ? 'pr' : 'issue'}:${number}`, thread: null },
+      comment.body,
+      id,
+      user,
+      selfLogin,
+      comment.created_at,
+    )
+  }
+
+  if (event === 'pull_request_review_comment') {
+    const pr = readRecord(payload.pull_request)
+    const comment = readRecord(payload.comment)
+    if (pr === null || comment === null) return null
+    const number = readNumber(pr, 'number')
+    const id = readNumber(comment, 'id')
+    if (number === null || id === null) return null
+    const root = readNumber(comment, 'in_reply_to_id') ?? id
+    return buildInbound(
+      { ...base, chat: `pr:${number}`, thread: String(root) },
+      comment.body,
+      id,
+      readUser(comment.user),
+      selfLogin,
+      comment.created_at,
+    )
+  }
+
+  if (event === 'discussion_comment') {
+    const discussion = readRecord(payload.discussion)
+    const comment = readRecord(payload.comment)
+    if (discussion === null || comment === null) return null
+    const number = readNumber(discussion, 'number')
+    const id = readNumber(comment, 'id')
+    if (number === null || id === null) return null
+    return buildInbound(
+      { ...base, chat: `discussion:${number}`, thread: null },
+      comment.body,
+      id,
+      readUser(comment.user),
+      selfLogin,
+      comment.created_at,
+    )
+  }
+
+  if (event === 'issues') {
+    const issue = readRecord(payload.issue)
+    if (issue === null) return null
+    const number = readNumber(issue, 'number')
+    const id = readNumber(issue, 'id') ?? number
+    if (number === null || id === null) return null
+    return buildInbound(
+      { ...base, chat: `issue:${number}`, thread: null },
+      issue.body,
+      id,
+      readUser(issue.user),
+      selfLogin,
+      issue.created_at,
+    )
+  }
+
+  if (event === 'pull_request') {
+    const pr = readRecord(payload.pull_request)
+    if (pr === null) return null
+    const number = readNumber(pr, 'number')
+    const id = readNumber(pr, 'id') ?? number
+    if (number === null || id === null) return null
+    return buildInbound(
+      { ...base, chat: `pr:${number}`, thread: null },
+      pr.body,
+      id,
+      readUser(pr.user),
+      selfLogin,
+      pr.created_at,
+    )
+  }
+
+  if (event === 'pull_request_review') {
+    const pr = readRecord(payload.pull_request)
+    const review = readRecord(payload.review)
+    if (pr === null || review === null) return null
+    const number = readNumber(pr, 'number')
+    const id = readNumber(review, 'id')
+    if (number === null || id === null) return null
+    return buildInbound(
+      { ...base, chat: `pr:${number}`, thread: null },
+      review.body,
+      id,
+      readUser(review.user),
+      selfLogin,
+      review.submitted_at,
+    )
+  }
+
+  if (event === 'discussion') {
+    const discussion = readRecord(payload.discussion)
+    if (discussion === null) return null
+    const number = readNumber(discussion, 'number')
+    const id = readNumber(discussion, 'id') ?? number
+    if (number === null || id === null) return null
+    return buildInbound(
+      { ...base, chat: `discussion:${number}`, thread: null },
+      discussion.body,
+      id,
+      readUser(discussion.user),
+      selfLogin,
+      discussion.created_at,
+    )
+  }
+
+  return null
+}
+
+function buildInbound(
+  key: Pick<
+    InboundMessage,
+    'adapter' | 'workspace' | 'chat' | 'thread' | 'isDm' | 'mentionsOthers' | 'replyToOtherMessageId'
+  >,
+  rawText: unknown,
+  id: number,
+  user: GithubUser | null,
+  selfLogin: string | null,
+  rawTs: unknown,
+): InboundMessage | null {
+  if (user === null) return null
+  const text = typeof rawText === 'string' ? rawText : ''
+  return {
+    ...key,
+    text,
+    externalMessageId: String(id),
+    authorId: String(user.id),
+    authorName: user.login,
+    authorIsBot: user.type === 'Bot',
+    isBotMention: selfLogin !== null && text.includes(`@${selfLogin}`),
+    replyToBotMessageId: null,
+    ts: typeof rawTs === 'string' ? Date.parse(rawTs) || 0 : 0,
+  }
+}
+
+function readRepository(payload: Record<string, unknown>): { owner: string; name: string } | null {
+  const repository = readRecord(payload.repository)
+  const owner = readRecord(repository?.owner)
+  const ownerLogin = readString(owner, 'login')
+  const name = readString(repository, 'name')
+  if (ownerLogin === null || name === null) return null
+  return { owner: ownerLogin, name }
+}
+
+function readAuthor(payload: Record<string, unknown>): GithubUser | null {
+  const candidates = [payload.comment, payload.issue, payload.pull_request, payload.discussion, payload.review]
+  for (const candidate of candidates) {
+    const user = readUser(readRecord(candidate)?.user)
+    if (user !== null) return user
+  }
+  return null
+}
+
+type GithubUser = { login: string; id: number; type?: string }
+
+function readUser(value: unknown): GithubUser | null {
+  const user = readRecord(value)
+  const login = readString(user, 'login')
+  const id = readNumber(user, 'id')
+  if (login === null || id === null) return null
+  const type = readString(user, 'type') ?? undefined
+  return { login, id, ...(type !== undefined ? { type } : {}) }
+}
+
+function parseJson(body: string): Record<string, unknown> | null {
+  try {
+    const parsed = JSON.parse(body) as unknown
+    return readRecord(parsed)
+  } catch {
+    return null
+  }
+}
+
+function readRecord(value: unknown): Record<string, unknown> | null {
+  return typeof value === 'object' && value !== null && !Array.isArray(value)
+    ? (value as Record<string, unknown>)
+    : null
+}
+
+function readString(obj: Record<string, unknown> | null, key: string): string | null {
+  const value = obj?.[key]
+  return typeof value === 'string' ? value : null
+}
+
+function readNumber(obj: Record<string, unknown> | null, key: string): number | null {
+  const value = obj?.[key]
+  return typeof value === 'number' && Number.isFinite(value) ? value : null
+}
+
+function ok(): Response {
+  return new Response('ok', { status: 200 })
+}
+
+function describe(err: unknown): string {
+  return err instanceof Error ? err.message : String(err)
+}