feat(apps): declare envMappings for every app; make field required #18
Merged
matoushavlena merged 1 commit into main from Apr 22, 2026
Previously only the Google Workspace family declared envMappings, so granting GitHub, YouTube, Resend, or Spotify in a consumer (e.g. Humr) produced no pod env — the consumer would run the agent with no env contract, despite the gateway already knowing how to inject auth for those hosts. The omission was easy to miss because the field was optional.

- Make `envMappings` required on `AppDefinition` so a new app cannot ship without declaring the env contract its CLI/SDK consumers expect.
- Add `githubEnvMappings` (GH_TOKEN) shared by github + github-enterprise.
- YouTube reuses googleWorkspaceEnvMappings (same Google OAuth token).
- Resend declares RESEND_API_KEY; Spotify declares SPOTIFY_ACCESS_TOKEN.

No route changes — `/api/connections` already joins `envMappings` from the registry, so every connection row will now carry a non-null value for known providers.

Signed-off-by: Tomas Dvorak <toomas2d@gmail.com>
Tomas2D added a commit to kagenti/humr that referenced this pull request Apr 22, 2026
When a user granted an app connection (GitHub, Google, etc.), there was no indication in the dialog that doing so would inject env vars into the agent pod — only granted *secrets* contributed to the "Inherited" list, and app rows didn't show their declared env names at all. Users had to exec into the pod to discover the contract.

- ConnectionsPicker: app rows now render their declared env names under the label, matching how secret rows display them.
- EditAgentSecretsDialog: granted-app envMappings flow into the Environment tab's "Inherited · managed elsewhere" list, deduped against user-edited entries so the "Custom" override path still wins.

Depends on kagenti/onecli#18 — once that ships, every app connection returns a non-null envMappings array and the UI lights up for all of them (not just Google Workspace).

Signed-off-by: Tomas Dvorak <toomas2d@gmail.com>
matoushavlena approved these changes Apr 22, 2026
This was referenced Apr 27, 2026
Problem

`envMappings` on `AppDefinition` was optional, and only the Google Workspace family (gmail + the google-* apps) declared one. Granting any other connection — GitHub, GitHub Enterprise, YouTube, Resend, Spotify — through `/api/connections` returned `envMappings: null`, so the consuming platform (e.g. Humr) had no env contract to inject into the agent pod. The gateway already knew how to authenticate requests to those hosts (see `apps/gateway/src/apps.rs`), but agents ran with no credential env set, so tools like `gh` never picked up the token.

The omission was easy to miss because the field was optional — a new provider could ship without anyone noticing there was no env wired up.

Changes

- `AppDefinition.envMappings` is now required, so a new app cannot ship without declaring the env contract its CLI/SDK consumers expect.
- `githubEnvMappings` → `GH_TOKEN`, shared by `github` and `github-enterprise` (mirrors the `googleWorkspaceEnvMappings` pattern).
- `youtube` reuses `googleWorkspaceEnvMappings` (same Google OAuth token).
- `resend` → `RESEND_API_KEY`.
- `spotify` → `SPOTIFY_ACCESS_TOKEN`.

No route changes needed — `/api/connections` already joins `envMappings` from the registry, so every row will now carry a non-null array for known providers.

Test plan

- `pnpm check` (lint + types + prettier + cargo fmt)
- `pnpm test` (gateway Rust tests, 192 passing)
- `GH_TOKEN=humr:sentinel` is injected into the agent pod and `gh auth status` works through the gateway
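
The following is an added example, not code from this PR, onecli or Humr. It shows the required field, a consumer-side check for connection rows that still arrive without an env contract, and a pod-env merge in which user-set entries win. The field `envName`, the `ConnectionRow` type, the three function names and the provider `legacy-app` are hypothetical; the app ids, env names and sentinel value are the ones quoted in the PR text.

```typescript
// Hypothetical shapes: the page names AppDefinition and envMappings
// but does not show their fields.
interface EnvMapping { envName: string }

// envMappings has no "?", so a definition that omits it fails type checking.
interface AppDefinition { id: string; envMappings: EnvMapping[] }

const githubEnvMappings: EnvMapping[] = [{ envName: "GH_TOKEN" }];
const registry: AppDefinition[] = [
  { id: "github", envMappings: githubEnvMappings },
  { id: "github-enterprise", envMappings: githubEnvMappings },
  { id: "resend", envMappings: [{ envName: "RESEND_API_KEY" }] },
  { id: "spotify", envMappings: [{ envName: "SPOTIFY_ACCESS_TOKEN" }] },
];

// A row as the consumer receives it over JSON, where the compiler cannot help.
interface ConnectionRow { provider: string; envMappings: EnvMapping[] | null }

// Join granted providers against the registry; unknown providers get null.
function connectionRows(granted: string[]): ConnectionRow[] {
  return granted.map((provider) => {
    const app = registry.find((a) => a.id === provider);
    return { provider, envMappings: app ? app.envMappings : null };
  });
}

// Providers whose grant would leave the agent pod with no credential env.
function providersWithoutEnvContract(rows: ConnectionRow[]): string[] {
  return rows
    .filter((r) => r.envMappings === null || r.envMappings.length === 0)
    .map((r) => r.provider);
}

// Pod env for the granted rows: every declared name gets the sentinel value
// from the test plan, shared names collapse to one entry, custom entries win.
function buildPodEnv(
  rows: ConnectionRow[],
  custom: Record<string, string>,
  sentinel: string = "humr:sentinel",
): Record<string, string> {
  const env: Record<string, string> = {};
  for (const row of rows) {
    for (const m of row.envMappings ?? []) env[m.envName] = sentinel;
  }
  return { ...env, ...custom };
}
```

Running `providersWithoutEnvContract` in the consumer's CI or at grant time surfaces a provider with no env contract before an agent starts without credentials.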