
add GitHub App + OAuth delegated auth, scope-aware credential resolution, and 5 new API runners (v0.3.0) #3

Merged
Esity merged 38 commits into main from feature/github-app-oauth on Mar 30, 2026

Conversation

Esity (Contributor) commented Mar 30, 2026

Summary

  • GitHub App authentication: JWT generation, installation tokens, manifest registration flow, webhook signature verification, full installation management
  • OAuth delegated auth: Authorization Code + PKCE, device code fallback, browser-based login via CLI::Auth / CLI::App
  • Scope-aware credential resolution: 8-source chain (Vault delegated → Settings delegated → Vault App → Settings App → Vault PAT → Settings PAT → GH CLI → ENV) with rate-limit and scope-denied fallback via CredentialFallback Faraday middleware
  • New Faraday middleware: RateLimit (tracks exhaustion), ScopeProbe (passive scope learning from 403/404), CredentialFallback (transparent 403/429 retry with next credential)
  • New helpers: Helpers::Cache (two-tier Redis + in-memory caching), Helpers::TokenCache (per-installation keying), Helpers::ScopeRegistry, Helpers::CallbackServer, Helpers::BrowserAuth
  • 5 new runners: Actions (CI/CD workflow management), Checks, Releases, Deployments, RepositoryWebhooks
  • Webhook-driven scope invalidation: installation.* and installation_repositories.* events clear ScopeRegistry
  • Error classes: RateLimitError, AuthorizationError, ScopeDeniedError
  • All 12 existing runners retrofitted with two-tier caching and scope-aware connection(owner:, repo:) forwarding
  • Version bump: 0.2.5 → 0.3.0
  • 225 specs across 35 spec files (up from 57 across 14)

Test Plan

  • bundle exec rspec — 225 examples, 0 failures
  • bundle exec rubocop — 0 offenses
  • Standalone client: Legion::Extensions::Github::Client.new resolves credentials from ENV/settings without explicit token
  • GitHub App flow: set github.app.{app_id,private_key_path,installation_id} in settings, verify auto-token generation
  • OAuth flow: legion lex exec github auth login opens browser or falls back to device code
  • Rate limit fallback: verify 429 triggers credential rotation without caller awareness
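
The credential chain and the 403/429 fallback listed in the summary above, as an added example written for this page rather than code from lex-github. It models the behaviour without Faraday: an ordered credential list, a registry that remembers which credential is rate-limited or scope-denied for an owner/repo, and a request helper that rotates to the next usable credential. The class names, the source order, the `x-ratelimit-*` header handling and the fake transport are assumptions made for the illustration; the responses are constructed.

```ruby
# Added example, not lex-github code. Names (ScopeRegistry, CredentialChain,
# request_with_fallback) and the fake transport are assumptions for illustration.
require "set"

# Tracks which credentials are rate-limited (until a reset time) or denied for a scope.
class ScopeRegistry
  def initialize
    @rate_limited = {}                                   # credential name => Time of reset
    @denied = Hash.new { |h, k| h[k] = Set.new }        # "owner/repo" => Set of credential names
  end

  def mark_rate_limited(name, reset_at)
    @rate_limited[name] = reset_at
  end

  def mark_denied(name, scope)
    @denied[scope] << name
  end

  # A credential is usable for a scope if its rate limit has reset and it was not denied there.
  def usable?(name, scope, now: Time.now)
    reset_at = @rate_limited[name]
    return false if reset_at && reset_at > now
    !@denied[scope].include?(name)
  end
end

# Ordered sources, highest priority first (delegated, then App, then PAT, as in the summary).
class CredentialChain
  Credential = Struct.new(:name, :token)

  def initialize(credentials, registry)
    @credentials = credentials
    @registry = registry
  end

  def candidates(scope)
    @credentials.select { |c| @registry.usable?(c.name, scope) }
  end
end

class ExhaustedError < StandardError; end

# Calls `transport` (any callable returning [status, headers, body]) with each usable
# credential in turn; 429 and limit-exhausted 403 mark the credential rate-limited,
# any other 403 marks it denied for this scope, anything else is returned to the caller.
def request_with_fallback(chain, registry, transport, scope:, path:)
  chain.candidates(scope).each do |cred|
    status, headers, body = transport.call(cred.token, path)
    case status
    when 429
      registry.mark_rate_limited(cred.name, Time.at(headers.fetch("x-ratelimit-reset").to_i))
    when 403
      if headers.fetch("x-ratelimit-remaining", "1") == "0"
        registry.mark_rate_limited(cred.name, Time.at(headers.fetch("x-ratelimit-reset").to_i))
      else
        registry.mark_denied(cred.name, scope)
      end
    else
      return [status, body, cred.name]
    end
  end
  raise ExhaustedError, "no usable credential for #{scope}"
end

# Constructed scenario: the delegated token is rate-limited, the App token has no access
# to this repository, and the PAT succeeds. Returns the two results and the tokens the
# second call actually used, so the skip of marked credentials is observable.
def demo_fallback
  registry = ScopeRegistry.new
  chain = CredentialChain.new(
    [CredentialChain::Credential.new("vault_delegated", "tok-delegated"),
     CredentialChain::Credential.new("vault_app", "tok-app"),
     CredentialChain::Credential.new("vault_pat", "tok-pat")],
    registry
  )
  responses = {
    "tok-delegated" => [429, { "x-ratelimit-reset" => (Time.now.to_i + 3600).to_s }, ""],
    "tok-app"       => [403, { "x-ratelimit-remaining" => "4999" }, ""],
    "tok-pat"       => [200, {}, '{"full_name":"octo/repo"}']
  }
  transport = ->(token, _path) { responses.fetch(token) }

  first = request_with_fallback(chain, registry, transport, scope: "octo/repo", path: "/repos/octo/repo")
  calls = []
  counting = ->(token, path) { calls << token; transport.call(token, path) }
  second = request_with_fallback(chain, registry, counting, scope: "octo/repo", path: "/repos/octo/repo")
  { first: first, second: second, second_call_tokens: calls }
end
```

The second call in `demo_fallback` never contacts the API with the two marked credentials, which is the point of keeping the registry outside the request: a rotation that retried every credential on every request would simply spend the remaining budget of each one.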

Esity added 30 commits March 30, 2026 13:37
@Esity Esity requested a review from a team as a code owner March 30, 2026 19:42
@Esity Esity requested a review from Copilot March 30, 2026 19:42

Copilot AI left a comment


Pull request overview

This PR introduces a major v0.3.0 expansion of lex-github, adding GitHub App + OAuth delegated authentication, scope-aware credential resolution with automatic fallback, new Faraday middleware, and several new API runners—while retrofitting existing runners with caching and owner/repo-aware connections.

Changes:

  • Add GitHub App + OAuth (PKCE + device code) authentication flows, plus CLI helpers and callback server support.
  • Implement scope/rate-limit-aware credential resolution with Faraday middleware for probing and transparent fallback retries.
  • Add new runners (Actions, Checks, Releases, Deployments, RepositoryWebhooks) and introduce a caching helper used across many runners.

Reviewed changes

Copilot reviewed 80 out of 80 changed files in this pull request and generated 21 comments.

| File | Description |
|---|---|
| spec/legion/extensions/github/runners/repository_webhooks_spec.rb | Adds specs for new RepositoryWebhooks runner endpoints. |
| spec/legion/extensions/github/runners/repositories_spec.rb | Adds coverage for owner/repo forwarding into connection (scope-aware resolution). |
| spec/legion/extensions/github/runners/releases_spec.rb | Adds specs for new Releases runner. |
| spec/legion/extensions/github/runners/deployments_spec.rb | Adds specs for new Deployments runner. |
| spec/legion/extensions/github/runners/checks_spec.rb | Adds specs for new Checks runner. |
| spec/legion/extensions/github/runners/actions_spec.rb | Adds specs for new Actions runner. |
| spec/legion/extensions/github/oauth/runners/auth_spec.rb | Adds specs for OAuth runner behavior (PKCE/device code/etc). |
| spec/legion/extensions/github/middleware/scope_probe_spec.rb | Adds specs for scope learning middleware. |
| spec/legion/extensions/github/middleware/rate_limit_spec.rb | Adds specs for rate limit tracking middleware. |
| spec/legion/extensions/github/middleware/credential_fallback_spec.rb | Adds specs for credential-rotation retry middleware. |
| spec/legion/extensions/github/helpers/token_cache_spec.rb | Adds specs for token caching / expiry and per-installation keys. |
| spec/legion/extensions/github/helpers/scope_registry_spec.rb | Adds specs for scope authorization/denial and rate-limit registry. |
| spec/legion/extensions/github/helpers/client_spec.rb | Adds specs for the credential resolution chain and owner/repo-aware connection. |
| spec/legion/extensions/github/helpers/callback_server_spec.rb | Adds specs for local callback server used in browser OAuth. |
| spec/legion/extensions/github/helpers/cache_spec.rb | Adds specs for cache helper behavior. |
| spec/legion/extensions/github/helpers/browser_auth_spec.rb | Adds specs for browser/device-code OAuth helper. |
| spec/legion/extensions/github/errors_spec.rb | Adds specs for new error classes. |
| spec/legion/extensions/github/client_spec.rb | Verifies inclusion of App/OAuth runners on the client. |
| spec/legion/extensions/github/cli/auth_spec.rb | Adds specs for CLI auth login/status flow. |
| spec/legion/extensions/github/cli/app_spec.rb | Adds specs for CLI GitHub App manifest setup flow. |
| spec/legion/extensions/github/app/runners/webhooks_spec.rb | Adds specs for App webhook signature verification/parsing. |
| spec/legion/extensions/github/app/runners/webhooks_scope_invalidation_spec.rb | Adds specs for scope invalidation driven by installation events. |
| spec/legion/extensions/github/app/runners/manifest_spec.rb | Adds specs for manifest generation/exchange and manifest URL building. |
| spec/legion/extensions/github/app/runners/installations_spec.rb | Adds specs for installation management endpoints. |
| spec/legion/extensions/github/app/runners/credential_store_spec.rb | Adds specs for persisting app/oauth credentials to Vault. |
| spec/legion/extensions/github/app/runners/auth_spec.rb | Adds specs for JWT generation and installation token exchange. |
| README.md | Documents new auth modes, credential chain, runners, and error handling. |
| lib/legion/extensions/github/version.rb | Bumps gem version to 0.3.0. |
| lib/legion/extensions/github/runners/users.rb | Adds caching to Users runner methods. |
| lib/legion/extensions/github/runners/search.rb | Adds caching to Search runner. |
| lib/legion/extensions/github/runners/repository_webhooks.rb | Adds RepositoryWebhooks runner implementation. |
| lib/legion/extensions/github/runners/repositories.rb | Adds caching + owner/repo-aware connection forwarding and cache write/invalidate hooks. |
| lib/legion/extensions/github/runners/releases.rb | Adds Releases runner implementation. |
| lib/legion/extensions/github/runners/pull_requests.rb | Adds caching + owner/repo-aware connection forwarding and cache write/invalidate hooks. |
| lib/legion/extensions/github/runners/organizations.rb | Adds caching + owner-aware connection forwarding. |
| lib/legion/extensions/github/runners/labels.rb | Adds caching + owner/repo-aware connection forwarding and cache write/invalidate hooks. |
| lib/legion/extensions/github/runners/issues.rb | Adds caching + owner/repo-aware connection forwarding and cache write hooks. |
| lib/legion/extensions/github/runners/gists.rb | Adds caching and cache write/invalidate hooks for gists. |
| lib/legion/extensions/github/runners/deployments.rb | Adds Deployments runner implementation. |
| lib/legion/extensions/github/runners/contents.rb | Updates to forward owner/repo into connection (scope-aware). |
| lib/legion/extensions/github/runners/commits.rb | Adds caching + owner/repo-aware connection forwarding. |
| lib/legion/extensions/github/runners/comments.rb | Adds caching + owner/repo-aware connection forwarding and cache write/invalidate hooks. |
| lib/legion/extensions/github/runners/checks.rb | Adds Checks runner implementation. |
| lib/legion/extensions/github/runners/branches.rb | Updates to forward owner/repo into connection (scope-aware). |
| lib/legion/extensions/github/runners/actions.rb | Adds Actions runner implementation. |
| lib/legion/extensions/github/oauth/transport/queues/auth.rb | Adds OAuth transport queue definition. |
| lib/legion/extensions/github/oauth/transport/exchanges/oauth.rb | Adds OAuth transport exchange definition. |
| lib/legion/extensions/github/oauth/runners/auth.rb | Adds OAuth runner (PKCE, auth code exchange, device code, refresh, revoke). |
| lib/legion/extensions/github/oauth/hooks/callback.rb | Adds OAuth callback hook routing. |
| lib/legion/extensions/github/oauth/actor/token_refresh.rb | Adds periodic OAuth token refresh actor. |
| lib/legion/extensions/github/middleware/scope_probe.rb | Adds middleware for passive scope learning from responses. |
| lib/legion/extensions/github/middleware/rate_limit.rb | Adds middleware for rate-limit exhaustion tracking. |
| lib/legion/extensions/github/middleware/credential_fallback.rb | Adds middleware for transparent credential rotation on 403/429. |
| lib/legion/extensions/github/helpers/token_cache.rb | Adds token cache helper (expiry buffer, rate-limit markers, installation keys). |
| lib/legion/extensions/github/helpers/scope_registry.rb | Adds scope registry helper (authorized/denied per owner/repo + rate-limit markers). |
| lib/legion/extensions/github/helpers/client.rb | Replaces basic token auth with credential resolution chain + middleware integration. |
| lib/legion/extensions/github/helpers/callback_server.rb | Adds local TCP callback server for OAuth browser redirects. |
| lib/legion/extensions/github/helpers/cache.rb | Adds cache helper for read-through/write-through caching with TTL mapping. |
| lib/legion/extensions/github/helpers/browser_auth.rb | Adds browser + device-code OAuth helper. |
| lib/legion/extensions/github/errors.rb | Adds new error classes (RateLimitError, AuthorizationError, ScopeDeniedError). |
| lib/legion/extensions/github/client.rb | Includes new runners + cache helper in the top-level client. |
| lib/legion/extensions/github/cli/auth.rb | Adds CLI auth module (login/status). |
| lib/legion/extensions/github/cli/app.rb | Adds CLI module for GitHub App manifest setup. |
| lib/legion/extensions/github/app/transport/queues/webhooks.rb | Adds App webhooks queue definition. |
| lib/legion/extensions/github/app/transport/queues/auth.rb | Adds App auth queue definition. |
| lib/legion/extensions/github/app/transport/messages/event.rb | Adds App event message for transport publishing. |
| lib/legion/extensions/github/app/transport/exchanges/app.rb | Adds App transport exchange definition. |
| lib/legion/extensions/github/app/runners/webhooks.rb | Adds webhook signature verification, event parsing, and scope invalidation. |
| lib/legion/extensions/github/app/runners/manifest.rb | Adds manifest generation/exchange and manifest URL builder. |
| lib/legion/extensions/github/app/runners/installations.rb | Adds installation management runner. |
| lib/legion/extensions/github/app/runners/credential_store.rb | Adds Vault persistence helpers for app creds + delegated tokens. |
| lib/legion/extensions/github/app/runners/auth.rb | Adds GitHub App JWT + installation token runner. |
| lib/legion/extensions/github/app/hooks/webhook.rb | Adds App webhook hook routing. |
| lib/legion/extensions/github/app/hooks/setup.rb | Adds App setup callback hook routing. |
| lib/legion/extensions/github/app/actor/webhook_poller.rb | Adds polling actor intended to publish events to transport. |
| lib/legion/extensions/github/app/actor/token_refresh.rb | Adds periodic app installation token refresh actor. |
| lib/legion/extensions/github.rb | Updates extension entrypoint requires to include new modules/middleware/runners. |
| lex-github.gemspec | Adds runtime dependencies for OAuth/App auth support (jwt/base64). |
| CLAUDE.md | Updates architecture and version documentation. |
| CHANGELOG.md | Adds v0.3.0 changelog entries for the new features. |
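
The webhook signature verification and installation-event scope invalidation that `app/runners/webhooks.rb` is described as adding, as an added example written for this page and not the project's own code. It checks the `X-Hub-Signature-256` HMAC over the raw body in constant time before parsing JSON, then clears a stub scope registry for `installation.*` and `installation_repositories.*` events. The secret, payload, stub class and function names are constructed for the illustration.

```ruby
# Added example, not lex-github code. The secret, payload and StubScopeRegistry
# are constructed; the header format (sha256=<hex HMAC of the raw body>) is GitHub's.
require "openssl"
require "json"

class SignatureError < StandardError; end

# Constant-time comparison so a mismatch does not reveal how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Expected header value for a raw body under the shared webhook secret.
def expected_signature(secret, raw_body)
  "sha256=" + OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
end

# Verifies over the raw, unparsed body (re-serialised JSON would not match) and only
# then parses it; any failure is rejected before the payload influences anything.
def verify_and_parse(secret, raw_body, signature_header)
  raise SignatureError, "missing signature" if signature_header.nil? || signature_header.empty?
  unless secure_equal?(expected_signature(secret, raw_body), signature_header)
    raise SignatureError, "signature mismatch"
  end
  JSON.parse(raw_body)
end

# Stand-in for the PR's ScopeRegistry: records which installations had scope state cleared.
class StubScopeRegistry
  attr_reader :cleared_installations

  def initialize
    @cleared_installations = []
  end

  def clear!(installation_id)
    @cleared_installations << installation_id
  end
end

# Event names whose payload changes what an installation may access.
INVALIDATING_EVENTS = %w[installation installation_repositories].freeze

# Routes a verified event: invalidating events clear cached scope for the installation.
def handle_event(registry, event_name, payload)
  return :ignored unless INVALIDATING_EVENTS.include?(event_name)
  registry.clear!(payload.dig("installation", "id"))
  :invalidated
end

# Constructed delivery: a valid installation_repositories event, the same body with one
# byte changed (must be rejected), and an unrelated ping event (must be ignored).
def demo_webhook
  secret = "constructed-webhook-secret"
  raw = JSON.generate({ "action" => "added", "installation" => { "id" => 42 } })
  signature = expected_signature(secret, raw)
  registry = StubScopeRegistry.new

  payload = verify_and_parse(secret, raw, signature)
  result = handle_event(registry, "installation_repositories", payload)

  tampered = raw.sub("42", "43")
  tampered_result = begin
    verify_and_parse(secret, tampered, signature)
    :accepted
  rescue SignatureError
    :rejected
  end

  { result: result,
    cleared: registry.cleared_installations,
    tampered: tampered_result,
    ping: handle_event(registry, "ping", {}) }
end
```

The order matters: the signature is checked on the bytes as received, before `JSON.parse`, so a body that fails verification never reaches the event router or the scope registry.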



Copilot AI left a comment


Pull request overview

Copilot reviewed 80 out of 80 changed files in this pull request and generated 5 comments.




Copilot AI left a comment


Pull request overview

Copilot reviewed 80 out of 80 changed files in this pull request and generated 15 comments.



@Esity Esity merged commit 6dd4c31 into main Mar 30, 2026
11 checks passed