6d25adfd1a
* agent & model refactor with ASKPASS git auth, UI restructure, clerk v7 Made-with: Cursor * fix stale agent/effort refs, add tests for askpass + model resolution - reviewCleanup.ts: payload.agent -> payload.model, remove effort - selectMode.ts PlanEdit: remove delegation/subagent/effort references - pullfrog.yml.ts: update env vars (drop GOOGLE_API_KEY/CURSOR_API_KEY, add GOOGLE_GENERATIVE_AI_API_KEY/XAI_API_KEY/MOONSHOT_API_KEY/OPENCODE_API_KEY) - FlagsSettings/RepoInstructionsSection: remove stale effort/timeout copy - new: gitAuthServer.test.ts (10 tests — lifecycle, token delivery, tamper detection, script gen) - new: agent.test.ts (4 tests — default opentoad, AGENT_OVERRIDE, invalid override) - new: models.test.ts (19 tests — parseModel, resolution, registry invariants) - update models.dev snapshot Made-with: Cursor * fix changed-agents.sh to filter legacy agent files from CI matrix legacy agent files (claude.ts, codex.ts, etc.) are @ts-nocheck and not exported from index.ts. changed-agents.sh now reads index.ts imports to build the active agent set and treats changes to inactive files as non-agent changes (opentoad canary only). Made-with: Cursor * remove MCP file tools, old agent harnesses, and obsolete security tests ASKPASS-based git auth makes the old MCP file tool security layer unnecessary: - token never in subprocess env, so symlink/gitattributes/hook attacks can't exfiltrate it - agents now use native file tools (OpenCode builtin read/edit) deleted: - action/mcp/file.ts (file_read, file_write, file_edit, file_delete, list_directory) - action/mcp/index.ts (dead re-export) - agent harnesses: claude.ts, codex.ts, cursor.ts, gemini.ts, opencode.ts - opencode-runner.ts (inlined into opentoad.ts) - security tests that validated MCP file tool restrictions - commented-out three-step review flow (~300 lines) - sanitizeSchema/wrapSchema dead code from mcp/shared.ts - OPENCODE_MODEL_MINI/MAX env vars (effort-level model overrides removed) updated test prompts to use generic file ops instead of MCP tool names. restored pkg-json-scripts + requirements-txt-attack (test --ignore-scripts defense). Made-with: Cursor * bump actions/checkout v4 → v6 (node 24) node 20 actions deprecated june 2, 2026. Made-with: Cursor * temporarily disable fail-fast on agnostic tests to debug checkout@v6 Made-with: Cursor * re-enable fail-fast on agnostic tests Made-with: Cursor * fix test token mismatch: mint OIDC tokens scoped to target repo CI tests override GITHUB_REPOSITORY to pullfrog/test-repo but inherit the runner's GITHUB_TOKEN (scoped to pullfrog/app), causing 401s on every run-context fetch. Clear GITHUB_TOKEN in the test subprocess so ensureGitHubToken() mints a properly scoped token via OIDC. Also centralizes the default GITHUB_REPOSITORY in runAgentStreaming instead of repeating it in every test file, and fixes preview-cleanup to remove workers from all queues (not just name-matching ones). Made-with: Cursor * fix ensureGitHubToken to try OIDC when app credentials are absent ensureGitHubToken only attempted token minting when GITHUB_APP_ID and GITHUB_PRIVATE_KEY were set. In CI, OIDC is available but app creds aren't exposed — so the guard prevented minting entirely. Made-with: Cursor * dead code cleanup: remove remnants of deleted agents, file tools, effort system remove unused @anthropic-ai/claude-agent-sdk and @openai/codex-sdk deps, orphaned file-tool security tests, dead GEMINI_MODEL passthrough, stale opencode-runner wiki refs, deleted test file references, and MCP file tool docs. rename docs/effort → docs/models. fix vitest setup: move dotenv to globalSetup (runs once before forks instead of per-file, 19s → 200ms). Made-with: Cursor * address review feedback: remove dead code, update stale references - remove AGENT_OVERRIDE (only opentoad exists) - remove shellToolName plumbing (always restricted shell) - bump action version to 0.0.179 - remove CURSOR_API_KEY from all workflows/configs - remove OPENCODE_MODEL_MINI/MAX from workflows/docs - delete wiki/effort.md, rewrite docs/effort.mdx as "Models" - rewrite wiki/modes.md: orchestrator/subagent → single agent - simplify flag system: drop builtin flag extraction (debug, effort, timeout, agent), keep custom flag replacement only - reserve all legacy flag names to prevent custom flag conflicts Made-with: Cursor * regenerate lockfile after removing claude-agent-sdk and codex-sdk Made-with: Cursor * fix import ordering, add lockfile check to pre-push hook Made-with: Cursor * remove dead debug payload field, stale packageExtensions Made-with: Cursor * merge proc-sandbox and token-exfil into a single test proc-sandbox and token-exfil were duplicative — both tested that SANDBOX_TEST_TOKEN couldn't be exfiltrated. consolidated into token-exfil with shell:restricted (which actually exercises filterEnv) and the /proc attack vector hints from proc-sandbox. Made-with: Cursor * fix wiki adversarial.md to match actual tokenExfil validator Made-with: Cursor
185 lines
5.5 KiB
TypeScript
185 lines
5.5 KiB
TypeScript
import assert from "node:assert/strict";
|
|
import * as core from "@actions/core";
|
|
import type { PushPermission } from "../external.ts";
|
|
import { log } from "./cli.ts";
|
|
import { onExitSignal } from "./exitHandler.ts";
|
|
import { acquireNewToken } from "./github.ts";
|
|
import { isGitHubActions } from "./globals.ts";
|
|
|
|
// re-export for get-installation-token action
|
|
export { acquireNewToken as acquireInstallationToken };
|
|
export { revokeGitHubInstallationToken as revokeInstallationToken };
|
|
|
|
// store MCP token in memory for getGitHubInstallationToken()
|
|
let mcpTokenValue: string | undefined;
|
|
|
|
/**
|
|
* get the job-scoped token from action input.
|
|
* this token has permissions defined by the workflow's permissions block.
|
|
*
|
|
* fallback order:
|
|
* 1. INPUT_TOKEN (from workflow `with: token:`)
|
|
* 2. GH_TOKEN (external token override)
|
|
* 3. GITHUB_TOKEN (pre-acquired in tests or from GHA env)
|
|
*/
|
|
export function getJobToken(): string {
|
|
const inputToken = core.getInput("token");
|
|
if (inputToken) {
|
|
return inputToken;
|
|
}
|
|
|
|
// fallback for test environment and local dev
|
|
const fallbackToken = process.env.GH_TOKEN || process.env.GITHUB_TOKEN;
|
|
if (fallbackToken) {
|
|
return fallbackToken;
|
|
}
|
|
|
|
throw new Error("token input is required");
|
|
}
|
|
|
|
export type TokenRef = {
|
|
gitToken: string;
|
|
mcpToken: string;
|
|
[Symbol.asyncDispose]: () => Promise<void>;
|
|
};
|
|
|
|
type ResolveTokensParams = {
|
|
push: PushPermission;
|
|
};
|
|
|
|
/**
|
|
* resolve tokens for the action run.
|
|
*
|
|
* creates two separate tokens:
|
|
* - gitToken: contents permission based on `push` setting (assumed exfiltratable)
|
|
* - push: enabled → contents:write (can push)
|
|
* - push: disabled → contents:read (read-only)
|
|
* - mcpToken: full installation token - used for GitHub API calls in MCP tools (not exfiltratable)
|
|
*
|
|
* security-conscious users can pass their own token via GH_TOKEN env var or inputs.token.
|
|
*/
|
|
export async function resolveTokens(params: ResolveTokensParams): Promise<TokenRef> {
|
|
assert(!mcpTokenValue, "tokens are already resolved");
|
|
|
|
const externalToken = process.env.GH_TOKEN;
|
|
|
|
// external token takes precedence - use for both git and MCP
|
|
if (externalToken) {
|
|
mcpTokenValue = externalToken;
|
|
|
|
if (isGitHubActions) {
|
|
core.setSecret(externalToken);
|
|
}
|
|
|
|
log.info("» using external GH_TOKEN for both git and MCP");
|
|
|
|
return {
|
|
gitToken: externalToken,
|
|
mcpToken: externalToken,
|
|
async [Symbol.asyncDispose]() {
|
|
mcpTokenValue = undefined;
|
|
// GH_TOKEN isn't acquired here, so it's not revoked here either
|
|
},
|
|
};
|
|
}
|
|
|
|
// create git token based on push permission (assumed exfiltratable)
|
|
// disabled = read-only, restricted/enabled = write (MCP tools enforce branch restrictions)
|
|
// workflows permission is write-only in the API, so only requested when pushing is allowed
|
|
const gitPermissions =
|
|
params.push === "disabled"
|
|
? { contents: "read" as const }
|
|
: { contents: "write" as const, workflows: "write" as const };
|
|
const gitToken = await acquireNewToken({ permissions: gitPermissions });
|
|
if (isGitHubActions) {
|
|
core.setSecret(gitToken);
|
|
}
|
|
log.info(
|
|
`» acquired git token (${Object.entries(gitPermissions)
|
|
.map((e) => e.join(":"))
|
|
.join(", ")})`
|
|
);
|
|
|
|
// MCP token scoped to only what MCP tools actually need.
|
|
// not exfiltratable (only accessible via MCP tools), but scoped as defense-in-depth
|
|
// so even a compromised tool context can't touch secrets, admin, etc.
|
|
const mcpPermissions = {
|
|
contents: "write",
|
|
pull_requests: "write",
|
|
issues: "write",
|
|
checks: "read",
|
|
actions: "read",
|
|
} as const;
|
|
const mcpToken = await acquireNewToken({ permissions: mcpPermissions });
|
|
if (isGitHubActions) {
|
|
core.setSecret(mcpToken);
|
|
}
|
|
log.info(
|
|
`» acquired scoped MCP token (${Object.entries(mcpPermissions)
|
|
.map((e) => e.join(":"))
|
|
.join(", ")})`
|
|
);
|
|
|
|
mcpTokenValue = mcpToken;
|
|
|
|
let disposingRef: PromiseWithResolvers<void> | undefined;
|
|
|
|
const dispose = async () => {
|
|
if (disposingRef) {
|
|
// this can happen if the signal arrives when disposing tokens
|
|
// we make sure to wait for the current dispose to complete
|
|
return disposingRef.promise;
|
|
}
|
|
disposingRef = Promise.withResolvers();
|
|
try {
|
|
mcpTokenValue = undefined;
|
|
// revoke both tokens
|
|
await Promise.all([
|
|
revokeGitHubInstallationToken(gitToken),
|
|
revokeGitHubInstallationToken(mcpToken),
|
|
]);
|
|
} finally {
|
|
removeSignalHandler();
|
|
disposingRef.resolve();
|
|
disposingRef = undefined;
|
|
}
|
|
};
|
|
|
|
const removeSignalHandler = onExitSignal(dispose);
|
|
|
|
return {
|
|
gitToken,
|
|
mcpToken,
|
|
[Symbol.asyncDispose]: dispose,
|
|
};
|
|
}
|
|
|
|
/**
|
|
* get the MCP token from memory.
|
|
* this is the token used for GitHub API calls in MCP tools.
|
|
*/
|
|
export function getGitHubInstallationToken(): string {
|
|
assert(mcpTokenValue, "tokens not set. call resolveTokens first.");
|
|
return mcpTokenValue;
|
|
}
|
|
|
|
export async function revokeGitHubInstallationToken(token: string): Promise<void> {
|
|
const apiUrl = process.env.GITHUB_API_URL || "https://api.github.com";
|
|
|
|
try {
|
|
await fetch(`${apiUrl}/installation/token`, {
|
|
method: "DELETE",
|
|
headers: {
|
|
Accept: "application/vnd.github+json",
|
|
Authorization: `Bearer ${token}`,
|
|
"X-GitHub-Api-Version": "2022-11-28",
|
|
},
|
|
});
|
|
log.debug("» installation token revoked");
|
|
} catch (error) {
|
|
log.info(
|
|
`Failed to revoke installation token: ${error instanceof Error ? error.message : String(error)}`
|
|
);
|
|
}
|
|
}
|