feat(agentos-server): inject group-scoped git PAT into harness clone (private GAP repos via UI)

UI live-chat dispatches through the TS harness, whose GAP loader cloned
private repos with no auth — git fell back to an interactive username read
and failed with "could not read Username ... No such device or address".
The §2.6c credential store was only wired into the Python SDK.

agentos-server now resolves the group-scoped PAT (agent.ownerGroup → host,
falling back to the actor's groups for legacy unowned agents) and injects
the same GIT_CONFIG_* http extraHeader the Python substrate uses. The
harness subprocess inherits these envs (runtime-local spawns it with
{...process.env, ...envs}), so the spawned git authenticates with no
harness-side change. The token rides an env-based extraHeader, never the
clone URL — so unlike the legacy gitToken path it never lands in
.git/config (and therefore never in the workdir's S3 snapshot).

Skips injection when an explicit gitToken is set, for SSH/local sources,
when AGENTOS_CREDENTIALS_KEY is unset, or when no credential matches —
all degrade to the unchanged unauthenticated clone. Never throws on a
store hiccup. sandboxBodyFor/runBodyFor are now async; all four callers
await.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: abhi-bhat-lyzr

packages/agentos-server/src/agent-defs.ts

@@ -14,6 +14,8 @@ import { IdentitySource, type IdentitySource as IdentitySourceT } from "@open-gi
 import { agentPoliciesColl, registryColl, type RegistryDoc } from "./mongo.js";
 import { canRead, isSuperuser } from "./auth/ownership.js";
 import type { Principal } from "./auth/principal.js";
+import { gitCredentialStore, normalizeGitHost } from "./stores/git-credential-store.js";
+import { credentialsKeyConfigured } from "./crypto/secret-box.js";
 
 export interface AgentDef {
   /** Surrogate key — the registry doc's ObjectId, stringified. The public
@@ -220,11 +222,82 @@ export function normalizeSource(raw: unknown): { source: IdentitySourceT | strin
   return { source: str, sourceUrl: str || null };
 }
 
+/**
+ * Bare host for an https git clone, or null when no http extraHeader applies.
+ *
+ * Returns null for SSH (`git@…` / `ssh://` — authenticates by key, not token),
+ * for local paths, and for anything without a real `host.tld`. The harness's
+ * own `normalizeGitUrl` turns bare `github.com/o/r` and `https://…` into an
+ * `https://…` clone URL, so the extraHeader we key on (`http.https://<host>/`)
+ * matches both forms.
+ */
+function gitCloneHttpsHost(raw: string): string | null {
+  const s = (raw ?? "").trim();
+  if (!s) return null;
+  if (s.startsWith("git@") || s.startsWith("ssh://") || s.startsWith("git://")) return null;
+  if (s.startsWith("/") || s.startsWith(".") || s.startsWith("~")) return null;
+  const host = normalizeGitHost(s);
+  return host.includes(".") ? host : null;
+}
+
+/**
+ * Resolve a group-scoped git PAT for the agent's private GAP repo and return the
+ * `GIT_CONFIG_*` env that makes `git clone` send it as an http `extraHeader`.
+ *
+ * The token is injected via env (never the clone URL), so — unlike the legacy
+ * `gitToken` URL-embed path — it never lands in `.git/config` and therefore
+ * never in the workdir's S3 snapshot. This mirrors the Python SDK's
+ * `substrates/local.py` credential injection exactly, and the harness subprocess
+ * inherits these vars (runtime-local spawns it with `{ ...process.env, ...envs }`),
+ * so the spawned `git` honours them with no harness-side code change.
+ *
+ * Returns `{}` (→ unauthenticated clone, unchanged public-repo behaviour) when:
+ * the agent already carries an explicit `gitToken`, `AGENTOS_CREDENTIALS_KEY`
+ * is unset, the source isn't an https git URL, there's no owning group, or no
+ * credential matches the (group, host). Never throws — a credential lookup
+ * failure must not block dispatch.
+ */
+export async function gitCredentialEnvsFor(
+  agent: AgentDef,
+  actor?: Principal,
+): Promise<Record<string, string>> {
+  // The legacy gitToken path already injects auth (URL-embedded). Don't double up.
+  if (agent.gitToken) return {};
+  if (!credentialsKeyConfigured()) return {};
+
+  const { sourceUrl } = normalizeSource(agent.source);
+  const host = sourceUrl ? gitCloneHttpsHost(sourceUrl) : null;
+  if (!host) return {};
+
+  // Scope to the group that owns the agent (the group that configured the PAT);
+  // fall back to the chatting actor's groups for legacy unowned agents.
+  const ownerGroups = agent.ownerGroup ? [agent.ownerGroup] : actor?.groups ?? [];
+  if (ownerGroups.length === 0) return {};
+
+  let found: Awaited<ReturnType<typeof gitCredentialStore.resolve>> = null;
+  try {
+    found = await gitCredentialStore.resolve({ ownerGroups, host });
+  } catch {
+    return {}; // never fail a run on a credential-store hiccup
+  }
+  if (!found) return {};
+
+  const username = found.doc.username || "x-access-token";
+  const basic = Buffer.from(`${username}:${found.token}`).toString("base64");
+  return {
+    GIT_TERMINAL_PROMPT: "0",
+    GIT_CONFIG_NOSYSTEM: "1",
+    GIT_CONFIG_COUNT: "1",
+    GIT_CONFIG_KEY_0: `http.https://${host}/.extraHeader`,
+    GIT_CONFIG_VALUE_0: `Authorization: Basic ${basic}`,
+  };
+}
+
 /** Build the POST /sandboxes body the harness expects. Mirrors the contract
  *  from examples/slack-bot.ts:sandboxBodyForBot so Slack and the dashboard
  *  create identically-configured sandboxes. */
-export function sandboxBodyFor(agent: AgentDef, sessionId: string, actor?: Principal): Record<string, unknown> {
-  const envs = { ...defaultEnvsFor(agent.harness), ...(agent.envs ?? {}) };
+export async function sandboxBodyFor(agent: AgentDef, sessionId: string, actor?: Principal): Promise<Record<string, unknown>> {
+  const envs = { ...defaultEnvsFor(agent.harness), ...(agent.envs ?? {}), ...(await gitCredentialEnvsFor(agent, actor)) };
   const body: Record<string, unknown> = {
     source: agent.source,
     harness: agent.harness,
@@ -251,8 +324,8 @@ export function sandboxBodyFor(agent: AgentDef, sessionId: string, actor?: Princ
 }
 
 /** Build the POST /run body for one-shot runs. */
-export function runBodyFor(agent: AgentDef, message: string, actor?: Principal): Record<string, unknown> {
-  const envs = { ...defaultEnvsFor(agent.harness), ...(agent.envs ?? {}) };
+export async function runBodyFor(agent: AgentDef, message: string, actor?: Principal): Promise<Record<string, unknown>> {
+  const envs = { ...defaultEnvsFor(agent.harness), ...(agent.envs ?? {}), ...(await gitCredentialEnvsFor(agent, actor)) };
   const body: Record<string, unknown> = {
     source: agent.source,
     harness: agent.harness,

packages/agentos-server/src/eval-runner.ts

@@ -184,7 +184,7 @@ export async function runAgainstHarness(
   agent: NonNullable<Awaited<ReturnType<typeof resolveAgent>>>,
   prompt: string,
 ): Promise<Captured> {
-  const body = runBodyFor(agent, prompt) as Record<string, unknown>;
+  const body = (await runBodyFor(agent, prompt)) as Record<string, unknown>;
   const policy = await srsPolicyForAgent(agent.name);
   if (policy) body.policy = policy;
 

packages/agentos-server/src/git-credential-envs.test.ts

@@ -0,0 +1,128 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { gitCredentialEnvsFor, type AgentDef } from "./agent-defs.js";
+import { gitCredentialStore } from "./stores/git-credential-store.js";
+import { resetKeyringForTests } from "./crypto/secret-box.js";
+import type { Principal } from "./auth/principal.js";
+
+// A valid 32-byte base64 key so credentialsKeyConfigured() returns true.
+const KEY = Buffer.alloc(32, 7).toString("base64");
+
+function agent(over: Partial<AgentDef>): AgentDef {
+  return {
+    id: "a1",
+    name: "Docs Agent",
+    label: "Docs Agent",
+    harness: "claude-agent-sdk",
+    source: "github.com/acme/private-docs",
+    ownerGroup: "acme",
+    ...over,
+  };
+}
+
+function resolveReturns(doc: { username?: string | null } | null, token = "ghp_secret") {
+  return vi
+    .spyOn(gitCredentialStore, "resolve")
+    .mockResolvedValue(doc ? ({ doc: doc as never, token }) : null);
+}
+
+beforeEach(() => {
+  process.env.AGENTOS_CREDENTIALS_KEY = KEY;
+  resetKeyringForTests();
+});
+afterEach(() => {
+  vi.restoreAllMocks();
+  delete process.env.AGENTOS_CREDENTIALS_KEY;
+  resetKeyringForTests();
+});
+
+describe("gitCredentialEnvsFor", () => {
+  it("injects GIT_CONFIG_* extraHeader for a resolvable private https repo", async () => {
+    const spy = resolveReturns({ username: "x-access-token" }, "ghp_abc");
+    const envs = await gitCredentialEnvsFor(agent({}));
+
+    expect(spy).toHaveBeenCalledWith({ ownerGroups: ["acme"], host: "github.com" });
+    expect(envs.GIT_TERMINAL_PROMPT).toBe("0");
+    expect(envs.GIT_CONFIG_NOSYSTEM).toBe("1");
+    expect(envs.GIT_CONFIG_COUNT).toBe("1");
+    expect(envs.GIT_CONFIG_KEY_0).toBe("http.https://github.com/.extraHeader");
+    const expected = Buffer.from("x-access-token:ghp_abc").toString("base64");
+    expect(envs.GIT_CONFIG_VALUE_0).toBe(`Authorization: Basic ${expected}`);
+    // The raw token never appears verbatim in any env value.
+    expect(JSON.stringify(envs)).not.toContain("ghp_abc");
+  });
+
+  it("defaults the basic-auth username to x-access-token when the cred has none", async () => {
+    resolveReturns({ username: null }, "tok");
+    const envs = await gitCredentialEnvsFor(agent({}));
+    const expected = Buffer.from("x-access-token:tok").toString("base64");
+    expect(envs.GIT_CONFIG_VALUE_0).toBe(`Authorization: Basic ${expected}`);
+  });
+
+  it("honours a custom credential username", async () => {
+    resolveReturns({ username: "oauth2" }, "tok");
+    const envs = await gitCredentialEnvsFor(agent({}));
+    const expected = Buffer.from("oauth2:tok").toString("base64");
+    expect(envs.GIT_CONFIG_VALUE_0).toBe(`Authorization: Basic ${expected}`);
+  });
+
+  it("scopes resolution to the agent's owner group", async () => {
+    const spy = resolveReturns({ username: "x-access-token" });
+    await gitCredentialEnvsFor(agent({ ownerGroup: "team-x" }));
+    expect(spy).toHaveBeenCalledWith({ ownerGroups: ["team-x"], host: "github.com" });
+  });
+
+  it("falls back to the actor's groups for a legacy unowned agent", async () => {
+    const spy = resolveReturns({ username: "x-access-token" });
+    const actor = { id: "u1", groups: ["g1", "g2"] } as Principal;
+    await gitCredentialEnvsFor(agent({ ownerGroup: null }), actor);
+    expect(spy).toHaveBeenCalledWith({ ownerGroups: ["g1", "g2"], host: "github.com" });
+  });
+
+  it("returns {} (unauthenticated) when no credential matches", async () => {
+    resolveReturns(null);
+    expect(await gitCredentialEnvsFor(agent({}))).toEqual({});
+  });
+
+  it("returns {} when the agent already carries a legacy gitToken", async () => {
+    const spy = resolveReturns({ username: "x" });
+    expect(await gitCredentialEnvsFor(agent({ gitToken: "ghp_legacy" }))).toEqual({});
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  it("returns {} when AGENTOS_CREDENTIALS_KEY is unset", async () => {
+    delete process.env.AGENTOS_CREDENTIALS_KEY;
+    resetKeyringForTests();
+    const spy = resolveReturns({ username: "x" });
+    expect(await gitCredentialEnvsFor(agent({}))).toEqual({});
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  it("skips SSH sources (key auth, no http extraHeader)", async () => {
+    const spy = resolveReturns({ username: "x" });
+    expect(await gitCredentialEnvsFor(agent({ source: "git@github.com:acme/private-docs.git" }))).toEqual({});
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  it("skips local-path sources", async () => {
+    const spy = resolveReturns({ username: "x" });
+    expect(await gitCredentialEnvsFor(agent({ source: "/srv/agents/docs" }))).toEqual({});
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  it("returns {} when there is no owning group and no actor", async () => {
+    const spy = resolveReturns({ username: "x" });
+    expect(await gitCredentialEnvsFor(agent({ ownerGroup: null }))).toEqual({});
+    expect(spy).not.toHaveBeenCalled();
+  });
+
+  it("never throws — a store error degrades to an unauthenticated clone", async () => {
+    vi.spyOn(gitCredentialStore, "resolve").mockRejectedValue(new Error("mongo down"));
+    expect(await gitCredentialEnvsFor(agent({}))).toEqual({});
+  });
+
+  it("resolves an https:// URL form to the same host", async () => {
+    const spy = resolveReturns({ username: "x-access-token" });
+    await gitCredentialEnvsFor(agent({ source: "https://github.com/acme/private-docs.git" }));
+    expect(spy).toHaveBeenCalledWith({ ownerGroups: ["acme"], host: "github.com" });
+  });
+});

packages/agentos-server/src/routes/chat.ts

@@ -64,7 +64,7 @@ chatRouter.post("/agents/:id/chat-sandbox", authorize("agents:run"), async (req,
     const tryCreate = async (sid: string) => {
       let body: Record<string, unknown>;
       try {
-        body = sandboxBodyFor(agent, sid, res.locals.principal);
+        body = await sandboxBodyFor(agent, sid, res.locals.principal);
       } catch (err) {
         // defaultEnvsFor throws if ANTHROPIC_API_KEY missing for Claude.
         const status = (err as any)?.status ?? 503;

packages/agentos-server/src/routes/run.ts

@@ -21,7 +21,7 @@ runRouter.post("/agents/:id/run", authorize("agents:run"), async (req, res, next
 
     let body: Record<string, unknown>;
     try {
-      body = runBodyFor(agent, message, res.locals.principal);
+      body = await runBodyFor(agent, message, res.locals.principal);
     } catch (err) {
       const status = (err as any)?.status ?? 503;
       return res.status(status).json({ error: { code: "AGENT_CONFIG", message: (err as Error).message } });

packages/agentos-server/src/scheduler.ts

@@ -15,7 +15,7 @@ import { resolveAgent, runBodyFor, type AgentDef } from "./agent-defs.js";
 export async function runAgentOnce(agent: AgentDef, prompt: string): Promise<{ ok: boolean; text: string }> {
   let body: Record<string, unknown>;
   try {
-    body = runBodyFor(agent, prompt);
+    body = await runBodyFor(agent, prompt);
   } catch (err) {
     return { ok: false, text: `bad agent config: ${(err as Error).message}` };
   }