feat: add github-dev-assistant plugin — full GitHub workflow automation

[konard]

Summary

Implements the github-dev-assistant plugin as specified in issue #1, providing full-scale GitHub development workflow automation via the Teleton AI agent.

15 Tools Implemented

Category	Tools
Authorization (2)	github_auth (OAuth 2.0 + CSRF), github_check_auth
Repositories (2)	github_list_repos, github_create_repo
Files & Branches (3)	github_get_file, github_update_file, github_create_branch
Pull Requests (3)	github_create_pr, github_list_prs, github_merge_pr
Issues (4)	github_create_issue, github_list_issues, github_comment_issue, github_close_issue
GitHub Actions (1)	github_trigger_workflow

Architecture

plugins/github-dev-assistant/
├── index.js                     # Entry: exports tools(sdk), assembles all 15 tools
├── manifest.json                # Plugin metadata, secrets schema, tools list
├── lib/
│   ├── github-client.js         # GitHub REST API client (auth injection, error mapping)
│   ├── auth.js                  # OAuth 2.0 manager (CSRF state, code exchange, revoke)
│   ├── repo-ops.js              # Repository & file tools (5 tools)
│   ├── pr-manager.js            # Pull request tools (3 tools)
│   ├── issue-tracker.js         # Issue & workflow tools (5 tools)
│   └── utils.js                 # Shared utilities (base64, validation, rate limiting)
├── web-ui/
│   ├── config-panel.jsx         # OAuth connect UI + settings form (en/ru i18n)
│   └── oauth-callback.html      # OAuth redirect handler (postMessage to parent)
├── tests/
│   ├── github-client.test.js    # Unit tests: request handling, auth, error mapping
│   ├── auth.test.js             # Unit tests: OAuth flow, CSRF protection, revoke
│   └── integration.test.js      # Integration tests: all tools with mocked GitHub API
├── README.md
├── CHANGELOG.md
└── package.json                 # Vitest test runner

Security

• Tokens only in sdk.secrets — never in config, logs, or code
• OAuth CSRF protection — cryptographically random 64-char state with 10-minute TTL, consumed on first use (prevents replay)
• Token redaction — formatError() strips ghp_*, ghs_*, and Bearer patterns from error messages
• require_pr_review policy — when enabled, github_merge_pr calls sdk.llm.confirm() before merging; skip_review_check allows pre-approved bypasses
• Rate limiting — 100ms minimum between API calls to avoid secondary rate limits

Tests

• 30+ test cases covering: auth flow, CSRF protection, token lifecycle, request construction, error mapping, require_pr_review policy, base64 encoding/decoding, input validation, and token redaction in errors

Test plan

• Plugin loads without errors (15 tools registered)
• github_auth returns a valid GitHub OAuth URL
• OAuth flow completes: code + state exchange → token stored in sdk.secrets
• github_check_auth returns authenticated: true with user login after auth
• github_list_repos lists repositories
• github_get_file reads and decodes base64 file content
• github_update_file base64-encodes content before committing
• github_create_branch resolves source SHA before creating ref
• github_create_pr uses default_branch from plugin config
• github_merge_pr checks require_pr_review config before merging
• github_trigger_workflow sends workflow_dispatch event
• Logs contain no tokens or secrets
• Web UI config panel renders and handles OAuth popup flow
• npm test passes locally (Vitest)
• CI checks pass

Closes #1

🤖 Generated with Claude Code

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $2.919834
• Calculated by Anthropic: $2.490884 USD
• Difference: $-0.428949 (-14.69%)

🤖 Models used:

• Tool: Claude
• Requested: sonnet
• Main model: Claude Sonnet 4.6 (ID: claude-sonnet-4-6, Anthropic, cutoff: 2025-08)
  📎 Log file uploaded as Gist (1393KB)
  🔗 View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.