feat(all): auto-detect GitHub installations for user accounts

Author: Lasim

services/backend/src/routes/teams/deploy/github.ts

@@ -299,10 +299,51 @@ export default async function deployGitHubRoutes(server: FastifyInstance) {
     const installation = await credentialService.getInstallation(teamId, 'github');
 
     if (!installation) {
-      // No database record - team must install the GitHub App via the /install flow
-      const response: ConnectionStatusResponse = { connected: false };
-      const jsonString = JSON.stringify(response);
-      return reply.status(200).type('application/json').send(jsonString);
+      // No database record - try to auto-detect from the current user's personal GitHub account
+      const user = request.user as { githubId?: string | null } | undefined;
+      const githubId = user?.githubId;
+
+      if (!githubId) {
+        // User authenticated via email, not GitHub - cannot auto-detect
+        const response: ConnectionStatusResponse = { connected: false };
+        const jsonString = JSON.stringify(response);
+        return reply.status(200).type('application/json').send(jsonString);
+      }
+
+      try {
+        const userInstallations = await githubService.listUserInstallations(githubId);
+
+        if (userInstallations.length > 0) {
+          const selectedInstallation = userInstallations[0];
+
+          await credentialService.storeInstallation({
+            teamId,
+            source: 'github',
+            installationId: selectedInstallation.id.toString()
+          });
+
+          server.log.info({
+            teamId,
+            githubId,
+            installation_id: selectedInstallation.id,
+            account_login: selectedInstallation.account.login,
+            operation: 'auto_linked_user_installation'
+          }, 'Auto-linked GitHub installation to team (scoped to user)');
+
+          const response: ConnectionStatusResponse = { connected: true };
+          const jsonString = JSON.stringify(response);
+          return reply.status(200).type('application/json').send(jsonString);
+        }
+
+        const response: ConnectionStatusResponse = { connected: false };
+        const jsonString = JSON.stringify(response);
+        return reply.status(200).type('application/json').send(jsonString);
+      } catch (error) {
+        server.log.warn({ error, teamId, githubId }, 'Failed to auto-detect GitHub installation for user');
+        const response: ConnectionStatusResponse = { connected: false };
+        const jsonString = JSON.stringify(response);
+        return reply.status(200).type('application/json').send(jsonString);
+      }
     }
 
     // Step 2: Verify installation still exists on GitHub
@@ -319,7 +360,40 @@ export default async function deployGitHubRoutes(server: FastifyInstance) {
           operation: 'stale_installation_cleaned'
         }, 'Cleaned up stale GitHub installation record');
 
-        // Team must re-install the GitHub App via the /install flow
+        // After cleanup, try user-scoped auto-detection for a valid installation
+        const user = request.user as { githubId?: string | null } | undefined;
+        const githubId = user?.githubId;
+
+        if (githubId) {
+          try {
+            const userInstallations = await githubService.listUserInstallations(githubId);
+
+            if (userInstallations.length > 0) {
+              const selectedInstallation = userInstallations[0];
+
+              await credentialService.storeInstallation({
+                teamId,
+                source: 'github',
+                installationId: selectedInstallation.id.toString()
+              });
+
+              server.log.info({
+                teamId,
+                githubId,
+                installation_id: selectedInstallation.id,
+                account_login: selectedInstallation.account.login,
+                operation: 'auto_linked_user_installation_after_cleanup'
+              }, 'Auto-linked GitHub installation to team after cleaning stale record');
+
+              const response: ConnectionStatusResponse = { connected: true };
+              const jsonString = JSON.stringify(response);
+              return reply.status(200).type('application/json').send(jsonString);
+            }
+          } catch (retryError) {
+            server.log.warn({ error: retryError, teamId, githubId }, 'Failed to auto-detect installation after cleanup');
+          }
+        }
+
         const response: ConnectionStatusResponse = { connected: false };
         const jsonString = JSON.stringify(response);
         return reply.status(200).type('application/json').send(jsonString);

services/backend/src/services/OAuthDiscoveryService.ts

@@ -241,9 +241,67 @@ export class OAuthDiscoveryService {
     // Check for WWW-Authenticate: Bearer header
     const wwwAuthenticate = response.headers.get('www-authenticate');
     if (!wwwAuthenticate || !wwwAuthenticate.toLowerCase().includes('bearer')) {
+      // Server returned 401/403 but without WWW-Authenticate: Bearer header.
+      // Some servers (e.g., Miro) don't include WWW-Authenticate but still expose
+      // RFC 9728/8414 well-known endpoints. Try probing those as a fallback.
+      this.logger.debug(
+        { url, method, status: response.status, wwwAuthenticate },
+        'No Bearer authentication scheme in header, trying well-known endpoints as fallback'
+      );
+
+      const serverOrigin = new URL(url);
+      const origin = `${serverOrigin.protocol}//${serverOrigin.host}`;
+
+      // Try RFC 9728 protected resource metadata first
+      const resourceMetadataUrl = `${origin}/.well-known/oauth-protected-resource`;
+      try {
+        const rmResponse = await fetch(resourceMetadataUrl, {
+          method: 'GET',
+          headers: { Accept: 'application/json', 'User-Agent': OAuthDiscoveryService.USER_AGENT },
+          signal: AbortSignal.timeout(5000)
+        });
+        if (rmResponse.ok) {
+          const rmData = await rmResponse.json();
+          if (rmData.authorization_servers && rmData.authorization_servers.length > 0) {
+            this.logger.info(
+              { url, method, resourceMetadataUrl },
+              'OAuth detected via RFC 9728 protected resource metadata fallback (no WWW-Authenticate header)'
+            );
+            return {
+              requiresOauth: true,
+              resourceMetadataUrl
+            };
+          }
+        }
+      } catch { /* ignore, try next */ }
+
+      // Try RFC 8414 authorization server metadata
+      const rfc8414Url = `${origin}/.well-known/oauth-authorization-server`;
+      try {
+        const asResponse = await fetch(rfc8414Url, {
+          method: 'GET',
+          headers: { Accept: 'application/json', 'User-Agent': OAuthDiscoveryService.USER_AGENT },
+          signal: AbortSignal.timeout(5000)
+        });
+        if (asResponse.ok) {
+          const asData = await asResponse.json();
+          if (asData.authorization_endpoint && asData.token_endpoint) {
+            this.logger.info(
+              { url, method, rfc8414Url },
+              'OAuth detected via RFC 8414 authorization server metadata fallback (no WWW-Authenticate header)'
+            );
+            return {
+              requiresOauth: true,
+              discoveryUrl: rfc8414Url
+            };
+          }
+        }
+      } catch { /* ignore */ }
+
+      // All fallbacks failed — truly no OAuth
       this.logger.debug(
         { url, method, wwwAuthenticate },
-        'No Bearer authentication scheme found'
+        'No Bearer authentication scheme found and no well-known OAuth endpoints detected'
       );
       return { requiresOauth: false };
     }

services/backend/src/services/deploymentGitHubService.ts

@@ -132,6 +132,62 @@ export class DeploymentGitHubService {
     }
   }
 
+  /**
+   * List GitHub App installations belonging to a specific user's personal account.
+   * Queries all app installations via App JWT auth, then filters to only those
+   * where the installation account ID matches the given GitHub user ID.
+   * This prevents cross-tenant leakage — org installations are excluded.
+   */
+  async listUserInstallations(githubId: string): Promise<Array<{
+    id: number;
+    account: {
+      login: string;
+      id: number;
+    };
+    created_at: string;
+    updated_at: string;
+  }>> {
+    if (!githubId) {
+      return [];
+    }
+
+    try {
+      const config = await getGitHubAppConfig();
+
+      const appOctokit = new Octokit({
+        authStrategy: createAppAuth,
+        auth: {
+          appId: config.appId,
+          privateKey: config.privateKey
+        }
+      });
+
+      const { data: installations } = await appOctokit.apps.listInstallations({
+        per_page: 100
+      });
+
+      // Only return installations on this user's personal account
+      return installations
+        .filter(installation =>
+          !installation.suspended_at &&
+          installation.account?.id?.toString() === githubId
+        )
+        .map(installation => ({
+          id: installation.id,
+          account: {
+            login: installation.account?.login || 'unknown',
+            id: installation.account?.id || 0
+          },
+          created_at: installation.created_at,
+          updated_at: installation.updated_at
+        }))
+        .sort((a, b) => new Date(b.updated_at).getTime() - new Date(a.updated_at).getTime());
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Unknown error';
+      throw new Error(`Failed to list GitHub installations: ${message}`);
+    }
+  }
+
   /**
    * Get repository details
    */

services/satellite/src/config/nsjail.ts

@@ -1,3 +1,24 @@
+/**
+ * Parse human-readable size string to bytes for nsjail tmpfs mounts.
+ * nsjail's -T flag hardcodes 4MB; we use -m with explicit byte size instead.
+ */
+function parseSizeToBytes(sizeStr: string): number {
+  const match = sizeStr.match(/^(\d+)\s*([KMGT])?$/i);
+  if (!match) {
+    throw new Error(`Invalid size format: ${sizeStr}`);
+  }
+  const value = parseInt(match[1], 10);
+  const unit = (match[2] || '').toUpperCase();
+  const multipliers: Record<string, number> = {
+    '': 1,
+    'K': 1024,
+    'M': 1024 * 1024,
+    'G': 1024 * 1024 * 1024,
+    'T': 1024 * 1024 * 1024 * 1024
+  };
+  return value * (multipliers[unit] || 1);
+}
+
 /**
  * nsjail Resource Limits Configuration
  * These limits apply only in production on Linux platforms when nsjail isolation is enabled
@@ -32,11 +53,14 @@ export const nsjailConfig = {
   /** Maximum file size in MB (default: 50, prevents oversized package downloads) */
   maxFileSizeMB: parseInt(process.env.NSJAIL_RLIMIT_FSIZE || '50', 10),
 
-  /** Tmpfs size for /tmp directory (default: 100M) */
-  tmpfsSize: process.env.NSJAIL_TMPFS_SIZE || '100M',
+  /** Tmpfs size for /tmp directory in bytes (default: 100M = 104857600) */
+  tmpfsSizeBytes: parseSizeToBytes(process.env.NSJAIL_TMPFS_SIZE || '100M'),
+
+  /** Tmpfs size for GitHub deployment working directories (human-readable, for mount syscall) */
+  deploymentTmpfsSize: process.env.NSJAIL_DEPLOYMENT_TMPFS_SIZE || '300M',
 
-  /** Tmpfs size for GitHub deployment working directories (default: 300M) */
-  deploymentTmpfsSize: process.env.NSJAIL_DEPLOYMENT_TMPFS_SIZE || '300M'
+  /** Tmpfs size for GitHub deployment working directories in bytes (for nsjail -m flag) */
+  deploymentTmpfsSizeBytes: parseSizeToBytes(process.env.NSJAIL_DEPLOYMENT_TMPFS_SIZE || '300M')
 };
 
 /**