feat: GitHub service — scoped token minting and credential helper#22

Merged
pranavpatilsce merged 1 commit into main from feat/github-service
Mar 25, 2026
Conversation

@pranavpatilsce
Contributor

Summary

Adds a github reef service that gives agents programmatic access to the org's GitHub repositories via short-lived, scoped installation tokens. Uses the Vers API key (already injected into all VMs) to mint tokens through vers-landing's POST /api/github/installation-token endpoint (vers-landing PR #264).

Two layers:

  • Credential helper (git-credential-vers) — transparent git clone/git push using full-org tokens, installed at build time on root and golden images
  • Reef service (services/github/) — scoped tokens for in-repo work via API routes and reef_github_token tool

Also surfaces LLM errors (e.g. 429 no credits) in agent chat responses instead of showing blank output.

New files

| File | Purpose |
| --- | --- |
| services/github/index.ts | ServiceModule — routes, tools, token cache, profiles |
| services/github/credential-helper.sh | Shell script for git credential protocol, reads VERS_API_KEY from env at runtime |

Token profiles

| Profile | Permissions | Use case |
| --- | --- | --- |
| read | admin:read, contents:read, PRs:read, issues:read, checks:read, statuses:read, actions:read | Research, triage, review PRs, check CI |
| develop | admin:read, contents:write, PRs:write, issues:write, checks:read, statuses:read, actions:read | Full dev cycle — push branches, create PRs, monitor CI |
| clone | contents:read | Clone repos (credential helper preferred) |
| ci | actions:write, checks:read, statuses:read, contents:read | Trigger workflows, re-run checks, monitor results |

Agents can also pass custom repositories and permissions for fine-grained control beyond profiles.

Behavioral guardrails

Enforced via tool descriptions injected into every agent (root + golden child VMs):

  • Never delete repositories
  • Never merge or push directly to main
  • Always create pull requests and keep descriptions updated
  • Use credential helper only for clone/create
  • Use reef_github_token with scoped profiles for all in-repo work

Security

  • No secrets in images — credential helper reads VERS_API_KEY from env at runtime
  • Tokens are short-lived (~1 hour), cached in memory, auto-refreshed before expiry
  • No profile grants administration:write — agents cannot delete repos

Routes

| Method | Path | Description |
| --- | --- | --- |
| POST | /github/token | Mint a scoped token (profile or custom permissions) |
| GET | /github/profiles | List available profiles |
| GET | /github/status | Integration status (configured, cached tokens) |
| GET | /github/_panel | HTML debug view |

Verified end-to-end

Tested on a provisioned fleet against hdresearch/reef and hdresearch/vers-landing:

  • read — list PRs, issues, workflow runs, branch protection
  • develop — create branch, push commit, create/update PR, write comments
  • ci — read check runs and workflow status
  • ✅ Cross-repo tokens (reef + vers-landing in one session)
  • ✅ PR lifecycle (create, update description, close, delete branch)

Companion PR

  • vers-fleets — adds github to shared operational DNA, installs credential helper in root + golden image build scripts

Test plan

  • Verify bun test passes (329 tests, 0 failures)
  • Provision a fleet with --reef-path pointing to this branch
  • Mint tokens via all 4 profiles, confirm permissions match
  • Clone a repo using credential helper on the VM
  • Create a test branch + PR using develop token, verify CI runs

Add services/github/ with:
- Token minting via Vers API (POST /api/github/installation-token)
- 4 profiles: read, develop, clone, ci — each with scoped permissions
- In-memory token cache with auto-refresh before expiry
- Credential helper script for transparent git clone/push
- reef_github_token tool with behavioral guardrails (no repo deletion,
  no direct push to main, always create PRs)

Also surface LLM errors (e.g. 429 no credits) in reef agent responses
instead of returning empty output.

Verified end-to-end on provisioned fleet: create branches, push commits,
create/close PRs, read CI status — across reef and vers-landing repos.
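An added example, not code from the reef repository: an in-memory scoped-token cache in TypeScript along the lines the PR describes, re-minting before expiry and refusing any permission set that carries administration:write. The permission key names, the 5-minute refresh margin, and the `mint` function standing in for the request to POST /api/github/installation-token are assumptions.

```typescript
type Level = "read" | "write";
type Permissions = Record<string, Level>;
// Assumed shape of what the mint call returns: the token plus its expiry (epoch ms).
interface Minted { token: string; expiresAt: number }
// Stand-in for the request to POST /api/github/installation-token (kept synchronous for clarity).
type Mint = (repos: string[], perms: Permissions) => Minted;

// Profiles as listed in the PR; the permission key names are assumptions.
const PROFILES: Record<string, Permissions> = {
  read:    { administration: "read", contents: "read", pull_requests: "read", issues: "read",
             checks: "read", statuses: "read", actions: "read" },
  develop: { administration: "read", contents: "write", pull_requests: "write", issues: "write",
             checks: "read", statuses: "read", actions: "read" },
  clone:   { contents: "read" },
  ci:      { actions: "write", checks: "read", statuses: "read", contents: "read" },
};

// Tokens live ~1 hour; re-mint once less than this margin remains (the margin is an assumed value).
const REFRESH_MARGIN_MS = 5 * 60_000;

class TokenCache {
  private cache = new Map<string, Minted>();
  // `now` is injectable so expiry behaviour can be exercised without waiting an hour.
  constructor(private mint: Mint, private now: () => number = Date.now) {}

  // Cache key is order-independent: the same repo set and permission set share one token.
  private keyFor(repos: string[], perms: Permissions): string {
    const r = [...repos].sort().join(",");
    const p = Object.keys(perms).sort().map((k) => `${k}:${perms[k]}`).join(",");
    return `${r}|${p}`;
  }

  get(repos: string[], perms: Permissions): string {
    // Guardrail from the PR: no token may carry administration:write, so agents cannot delete repos.
    if (perms.administration === "write") {
      throw new Error("administration:write is never granted");
    }
    const key = this.keyFor(repos, perms);
    const hit = this.cache.get(key);
    if (hit && hit.expiresAt - this.now() > REFRESH_MARGIN_MS) return hit.token;
    const fresh = this.mint(repos, perms); // absent or near expiry: mint a fresh one
    this.cache.set(key, fresh);
    return fresh.token;
  }

  forProfile(repos: string[], profile: string): string {
    const perms = PROFILES[profile];
    if (!perms) throw new Error(`unknown profile: ${profile}`);
    return this.get(repos, perms);
  }

  size(): number { return this.cache.size; }
}
```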
pranavpatilsce merged commit 3d41783 into main Mar 25, 2026
1 check passed
