hermes-github-app-plugin 0.1.1__tar.gz → 0.1.2__tar.gz

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: hermes-github-app-plugin
-Version: 0.1.1
+Version: 0.1.2
 Summary: Hermes plugin for per-agent GitHub App identity, gh/git wrappers, and GitHub App-aware tools.
 Author: Hermes GitHub App Plugin Contributors
 License: MIT
@@ -127,8 +127,8 @@ Before the first release, configure PyPI Trusted Publishing for this repository
 Release example:
 
 ```bash
-git tag 0.1.1
-git push origin 0.1.1
+git tag 0.1.2
+git push origin 0.1.2
 ```
 
 Tags like `v0.1.0`, `0.1`, or `0.1.0rc1` will not publish.

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/README.md

@@ -108,8 +108,8 @@ Before the first release, configure PyPI Trusted Publishing for this repository
 Release example:
 
 ```bash
-git tag 0.1.1
-git push origin 0.1.1
+git tag 0.1.2
+git push origin 0.1.2
 ```
 
 Tags like `v0.1.0`, `0.1`, or `0.1.0rc1` will not publish.

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "hermes-github-app-plugin"
-version = "0.1.1"
+version = "0.1.2"
 description = "Hermes plugin for per-agent GitHub App identity, gh/git wrappers, and GitHub App-aware tools."
 readme = "README.md"
 requires-python = ">=3.10"

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/src/hermes_github_app_plugin/auth.py

@@ -6,6 +6,7 @@ import time
 from dataclasses import dataclass
 from datetime import datetime, timedelta, timezone
 from typing import Any
+from urllib.parse import urlparse
 
 import httpx
 import jwt
@@ -84,6 +85,46 @@ class GitHubAppAuth:
         self._cached_token = token
         return token
 
+    def app_request(
+        self,
+        method: str,
+        path: str,
+        *,
+        json_body: dict[str, Any] | None = None,
+        params: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        """Call a GitHub App endpoint using the app JWT.
+
+        Endpoints like `GET /app` authenticate as the GitHub App itself and
+        reject installation access tokens. Repository and user endpoints should
+        continue to use `request()`, which authenticates as the installation.
+        """
+        url = (
+            path if path.startswith("http") else f"{self._config.github_api_url}/{path.lstrip('/')}"
+        )
+        response = self._client.request(
+            method.upper(),
+            url,
+            headers={
+                "Accept": "application/vnd.github+json",
+                "Authorization": f"Bearer {self.create_jwt()}",
+                "X-GitHub-Api-Version": "2022-11-28",
+            },
+            json=json_body,
+            params=params,
+        )
+        response.raise_for_status()
+        return {
+            "auth": {
+                "auth_mode": "github_app_jwt",
+                "client_id": self._config.client_id,
+                "app_slug": self._config.app_slug,
+                "installation_id": self._config.installation_id,
+            },
+            "status_code": response.status_code,
+            "result": response.json() if response.content else {"ok": True},
+        }
+
     def request(
         self,
         method: str,
@@ -150,3 +191,15 @@ def auth_metadata(token: InstallationToken, *, repo: str | None = None) -> dict[
         "token": token.redacted,
         "expires_at": token.expires_at.isoformat(),
     }
+
+
+def requires_app_jwt(path: str) -> bool:
+    """Return True for GitHub App endpoints that require app JWT auth."""
+    path_only = path.split("?", 1)[0]
+    if path_only.startswith("http"):
+        try:
+            path_only = urlparse(path_only).path
+        except ValueError:
+            return False
+    normalized = "/" + path_only.lstrip("/")
+    return normalized == "/app" or normalized.startswith("/app/")

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/src/hermes_github_app_plugin/cli.py

@@ -15,7 +15,7 @@ from typing import Any, NoReturn
 
 import httpx
 
-from .auth import GitHubAppAuth, auth_metadata
+from .auth import GitHubAppAuth, auth_metadata, requires_app_jwt
 from .config import ConfigurationError, load_config, write_github_app_config
 
 
@@ -196,7 +196,7 @@ def _doctor(repo: str | None, *, skip_network: bool) -> int:
             auth = GitHubAppAuth(config)
             token = auth.get_installation_token(force_refresh=True)
             checks.append(("installation token minted", True, token.redacted))
-            app_result = auth.request("GET", "/app")["result"]
+            app_result = auth.app_request("GET", "/app")["result"]
             checks.append(("/app API reachable", True, str(app_result.get("slug", "ok"))))
             if repo:
                 repo_result = auth.request("GET", f"/repos/{repo}", repo=repo)["result"]
@@ -225,7 +225,7 @@ def _status(repo: str | None) -> int:
     config = load_config()
     auth = GitHubAppAuth(config)
     token = auth.get_installation_token(force_refresh=True)
-    app = auth.request("GET", "/app")["result"]
+    app = auth.app_request("GET", "/app")["result"]
     repo_probe = auth.request("GET", f"/repos/{repo}", repo=repo)["result"] if repo else None
     print(
         json.dumps(
@@ -253,7 +253,11 @@ def _token(repo: str | None, *, json_output: bool) -> int:
 
 
 def _api(method: str, path: str, *, repo: str | None, body: dict[str, Any] | None) -> int:
-    result = GitHubAppAuth(load_config()).request(method, path, repo=repo, json_body=body)
+    auth = GitHubAppAuth(load_config())
+    if requires_app_jwt(path):
+        result = auth.app_request(method, path, json_body=body)
+    else:
+        result = auth.request(method, path, repo=repo, json_body=body)
     print(json.dumps(result, indent=2, sort_keys=True))
     return 0
 

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/src/hermes_github_app_plugin/tools.py

@@ -7,7 +7,7 @@ from typing import Any
 
 import httpx
 
-from .auth import GitHubAppAuth, auth_metadata
+from .auth import GitHubAppAuth, auth_metadata, requires_app_jwt
 from .config import ConfigurationError, load_config
 
 
@@ -55,7 +55,7 @@ def github_app_verify_identity(params: dict[str, Any], **_: Any) -> str:
         repo = _repo(params)
         auth = _auth()
         token = auth.get_installation_token(force_refresh=True)
-        app = auth.request("GET", "/app")
+        app = auth.app_request("GET", "/app")
         repo_probe = auth.request("GET", f"/repos/{repo}", repo=repo) if repo else None
         return {
             "auth": auth_metadata(token, repo=repo),
@@ -75,7 +75,12 @@ def github_app_api(params: dict[str, Any], **_: Any) -> str:
         repo = _repo(params)
         body = params.get("json_body")
         json_body = body if isinstance(body, dict) else None
-        result = _auth().request(method, path, repo=repo, json_body=json_body)
+        auth = _auth()
+        result = (
+            auth.app_request(method, path, json_body=json_body)
+            if requires_app_jwt(path)
+            else auth.request(method, path, repo=repo, json_body=json_body)
+        )
         return result
 
     return _handle_errors(run)

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/tests/test_auth.py

@@ -7,7 +7,12 @@ from datetime import datetime, timezone
 
 import httpx
 
-from hermes_github_app_plugin.auth import GitHubAppAuth, InstallationToken, auth_metadata
+from hermes_github_app_plugin.auth import (
+    GitHubAppAuth,
+    InstallationToken,
+    auth_metadata,
+    requires_app_jwt,
+)
 from hermes_github_app_plugin.config import GitHubAppConfig
 
 PRIVATE_KEY = "[REDACTED PRIVATE KEY]\n"
@@ -59,3 +64,35 @@ def test_request_includes_installation_token(monkeypatch) -> None:  # type: igno
     assert seen[0].headers["authorization"] == "Bearer jwt-token"
     assert seen[1].headers["authorization"] == "Bearer ghu_installation_token"
     assert json.loads(json.dumps(result))["auth"]["auth_mode"] == "github_app"
+
+
+def test_app_request_uses_app_jwt(monkeypatch) -> None:  # type: ignore[no-untyped-def]
+    monkeypatch.setattr("jwt.encode", lambda *_, **__: "jwt-token")
+    seen: list[httpx.Request] = []
+
+    def handler(request: httpx.Request) -> httpx.Response:
+        seen.append(request)
+        return httpx.Response(200, json={"slug": "hermes-test-agent"})
+
+    client = httpx.Client(transport=httpx.MockTransport(handler))
+    config = GitHubAppConfig(
+        client_id="123",
+        installation_id="456",
+        private_key=PRIVATE_KEY,
+        private_key_source="env",
+        app_slug="hermes-test-agent",
+    )
+
+    result = GitHubAppAuth(config, client=client).app_request("GET", "/app")
+
+    assert result["result"] == {"slug": "hermes-test-agent"}
+    assert seen[0].url.path == "/app"
+    assert seen[0].headers["authorization"] == "Bearer jwt-token"
+    assert result["auth"]["auth_mode"] == "github_app_jwt"
+
+
+def test_requires_app_jwt_detects_app_endpoints() -> None:
+    assert requires_app_jwt("/app")
+    assert requires_app_jwt("/app/installations")
+    assert requires_app_jwt("https://api.github.com/app")
+    assert not requires_app_jwt("/repos/OWNER/REPO")

{hermes_github_app_plugin-0.1.1 → hermes_github_app_plugin-0.1.2}/tests/test_cli.py

@@ -88,7 +88,7 @@ def test_doctor_skip_network_reports_local_checks(
     key_path.write_text(PRIVATE_KEY, encoding="utf-8")
     key_path.chmod(0o600)
     monkeypatch.setenv("HERMES_HOME", str(hermes_home))
-    (hermes_home).mkdir()
+    hermes_home.mkdir()
     (hermes_home / "config.yaml").write_text(
         f"""
 github_app:
@@ -106,3 +106,55 @@ github_app:
     assert "✓ GitHub App config loaded" in output
     assert "✓ private key file permissions: 0o600" in output
     assert "Local doctor passed" in output
+
+
+def test_api_routes_app_paths_to_app_jwt(
+    monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
+) -> None:
+    class FakeAuth:
+        def __init__(self, config: object) -> None:
+            self.config = config
+
+        def app_request(
+            self, method: str, path: str, json_body: dict[str, object] | None = None
+        ) -> dict[str, object]:
+            return {"status_code": 200, "result": {"path": path, "method": method}}
+
+        def request(self, *args: object, **kwargs: object) -> dict[str, object]:
+            raise AssertionError("installation-token request should not be used for /app")
+
+    monkeypatch.setattr(cli, "load_config", object)
+    monkeypatch.setattr(cli, "GitHubAppAuth", FakeAuth)
+
+    assert cli._api("GET", "/app", repo=None, body=None) == 0
+
+    output = capsys.readouterr().out
+    assert '"status_code": 200' in output
+
+
+def test_api_routes_repo_paths_to_installation_token(
+    monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
+) -> None:
+    class FakeAuth:
+        def __init__(self, config: object) -> None:
+            self.config = config
+
+        def app_request(self, *args: object, **kwargs: object) -> dict[str, object]:
+            raise AssertionError("app JWT request should not be used for repo APIs")
+
+        def request(
+            self,
+            method: str,
+            path: str,
+            repo: str | None = None,
+            json_body: dict[str, object] | None = None,
+        ) -> dict[str, object]:
+            return {"status_code": 200, "result": {"path": path, "repo": repo, "method": method}}
+
+    monkeypatch.setattr(cli, "load_config", object)
+    monkeypatch.setattr(cli, "GitHubAppAuth", FakeAuth)
+
+    assert cli._api("GET", "/repos/OWNER/REPO", repo="OWNER/REPO", body=None) == 0
+
+    output = capsys.readouterr().out
+    assert '"repo": "OWNER/REPO"' in output