feat(db): add user_github_app_tokens schema and migration

[kilo-code-bot]

Summary

Add the user_github_app_tokens table to support GitHub App user-to-server tokens for commit attribution (MVP-1). This is the schema-only bead; refresh logic and GDPR extensions are explicitly deferred to v2.

What changed:

• New user_github_app_tokens table in packages/db/src/schema.ts with:
  • pgEnum types: github_app_type (standard | lite) and revocation_reason (user_revoked | refresh_failed | admin)
  • One row per (kilo_user_id, github_app_type) with a unique index
  • Columns for GitHub identity (github_user_id, github_login, github_email), encrypted access token, expiry, revocation state, and timestamps
  • Foreign key to kilocode_users.id with onDelete: cascade
  • Index on github_user_id
• Migration generated cleanly via pnpm drizzle generate (0124_past_domino.sql)
• New dedicated encryption key env var USER_GH_APP_TOKEN_ENCRYPTION_KEY plumbed into:
  • apps/web server config and .env.development.local.example
  • services/git-token-service wrangler.jsonc vars and .dev.vars.example
• Token redaction patterns for ghu_ and ghr_ tokens added to @kilocode/worker-utils/redact-headers with unit tests

Verification

• pnpm drizzle generate produced a clean migration with no checksum errors
• @kilocode/worker-utils unit tests pass (119 tests, including new redactGitHubTokens coverage)

Visual Changes

N/A

Reviewer Notes

Explicitly deferred to v2 (known gaps documented per plan)

• Refresh-token columns (refresh_token_encrypted, refresh_token_expires_at) and refresh logic
• softDeleteUser GDPR extension for user_github_app_tokens rows
  • The MVP is internal-dogfood only and the env-var gate (ENABLE_GITHUB_USER_TOKENS, MVP-3) will be set to false until GDPR work lands.
• Webhook handler for github_app_authorization revocation events
• SAML SSO recovery affordance

Other notes

• Do NOT reuse USER_DEPLOYMENTS_GIT_TOKEN_ENCRYPTION_KEY; a dedicated key is required per the encryption boundary spec
• The snapshot JSON generated by drizzle-kit is large (~21 MB); this is expected

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

✅ All issues resolved

File	Issue	Status
apps/web/src/lib/user.test.ts	Wrong column name app_type → github_app_type	Fixed ✅
apps/web/src/lib/user.ts	GDPR gap: softDeleteUser missing user_github_app_tokens delete	Fixed ✅
packages/db/src/migrations/0124_past_domino.sql	GDPR gap: PII not removed by softDeleteUser	Fixed ✅
services/git-token-service/wrangler.jsonc	Encryption key placed in vars (plaintext)	Fixed ✅

Files Reviewed (14 files)

• apps/web/.env.development.local.example — no issues
• apps/web/src/lib/config.server.ts — no issues
• apps/web/src/lib/user.test.ts — fixed ✅
• apps/web/src/lib/user.ts — fixed ✅
• packages/db/src/migrations/0124_past_domino.sql — fixed ✅
• packages/db/src/migrations/meta/0124_snapshot.json — generated, skipped
• packages/db/src/migrations/meta/_journal.json — generated, skipped
• packages/db/src/schema.ts — no issues
• packages/worker-utils/src/index.ts — no issues
• packages/worker-utils/src/redact-headers.test.ts — no issues
• packages/worker-utils/src/redact-headers.ts — no issues
• services/git-token-service/.dev.vars.example — no issues
• services/git-token-service/wrangler.jsonc — fixed ✅

---

_{Reviewed by claude-sonnet-4.6 · 270,128 tokens}

[kilo-code-bot]

Refinery code review: changes requested

The schema and migration look correct, and the token redaction is a good addition. However, there's a required GDPR compliance issue that must be addressed before this can land.

Issue

The new table stores PII (, , ). Per the project's GDPR rules (see ), any new table or column containing PII must be handled in the flow.

anonymizes the row rather than deleting it, so the FK on will not fire. The token row (including login, email, and user ID) would remain in the database after a user requests deletion.

Required changes

1. Add to the hard-delete list in (). Add:

   (Import from if not already imported.)

2. Add a corresponding test in asserting that rows are removed when is called.

[kilo-code-bot]

Refinery code review: changes requested

The schema and migration look correct, and the token redaction is a good addition. However, there's a required GDPR compliance issue that must be addressed before this can land.

Issue

The new user_github_app_tokens table stores PII (github_login, github_email, github_user_id). Per the project's GDPR rules (see .kilo/rules/gdpr-pii.md), any new table or column containing PII must be handled in the softDeleteUser flow.

softDeleteUser anonymizes the kilocode_users row rather than deleting it, so the ON DELETE cascade FK on user_github_app_tokens will not fire. The token row (including login, email, and user ID) would remain in the database after a user requests deletion.

Required changes

1. Add user_github_app_tokens to the hard-delete list in apps/web/src/lib/user.ts (softDeleteUser). Add:

   await tx.delete(user_github_app_tokens).where(eq(user_github_app_tokens.kilo_user_id, userId));

   (Import user_github_app_tokens from @kilocode/db/schema if not already imported.)

2. Add a corresponding test in apps/web/src/lib/user.test.ts asserting that user_github_app_tokens rows are removed when softDeleteUser is called.