Harden GitHub connector: distributed token cache, error classification, write operations #12
Description
Summary
The GitHub connector works for basic read-only proxy flows but has several gaps for production use.
Current state
internal/connectors/github/connector.go— 4 read-only operations allowlistedinternal/connectors/github/executor.go— in-memory token cache, basic error handlinginternal/connectors/github/app_token_source.go— in-memory installation→token cache with no distributed backing
Required work
- Distributed token cache: move GitHub App installation-token cache from in-memory to Redis so multiple API replicas share cached tokens and don't each hit GitHub's token creation endpoint
- Error classification: distinguish GitHub API rate limits (429), permission errors (403), transient failures (5xx), and not-found (404) — return appropriate broker error codes for each
- Token pre-refresh: if a cached token has < 5 minutes remaining, refresh proactively before the next request uses it
- Write operations (when needed): add allowlisted operations for
create_issue,create_pull_request_comment,create_check_run— each with appropriate permission scoping - Per-repository permission scoping: ensure installation tokens are minted with only the permissions needed for the specific operation, not the full app permission set
- Fallback logic: if GitHub App token exchange fails (misconfigured app, installation removed), fall back to static token if available, or return a clear error
Files
internal/connectors/github/connector.go— add operationsinternal/connectors/github/executor.go— error classificationinternal/connectors/github/app_token_source.go— Redis-backed cache, pre-refresh
Priority
Medium.
🤖 Generated with Claude Code