feat(github): add user-attributed cloud agent actions

Allow eligible Cloud Agent work to use connected GitHub identities while retaining installation fallback and bot co-authoring. Keep persisted user credentials in Worker-owned keyed envelopes and route disconnect revocation through the established internal API boundary.

Author: eshurakov

.env.local.example

@@ -93,6 +93,8 @@ STRIPE_KILOCLAW_2026_05_10_COMMIT_PRICE_ID=price_test_kiloclaw_2026_05_10_commit
 # ============================================================================
 # Internal API secret (generate: openssl rand -base64 32)
 INTERNAL_API_SECRET=changeme
+# Git token service persisted-authorization disconnect (uses INTERNAL_API_SECRET)
+GIT_TOKEN_SERVICE_API_URL=http://localhost:8802
 # Worker URLs (defaults shown, workers are optional)
 CLOUD_AGENT_API_URL=http://localhost:8788
 WEBHOOK_AGENT_URL=http://localhost:8793
@@ -131,6 +133,10 @@ NEXT_PUBLIC_SENTRY_DSN=
 # Encryption keys (generate if needed)
 BYOK_ENCRYPTION_KEY=
 CREDIT_CATEGORIES_ENCRYPTION_KEY=
+# Connected GitHub user token envelope encryption (dedicated RSA public key only in Web)
+USER_GITHUB_APP_TOKEN_ACTIVE_KEY_ID=
+# Base64-encoded PEM public key; keep the matching private key only in git-token-service
+USER_GITHUB_APP_TOKEN_ACTIVE_PUBLIC_KEY=
 # Agent environment vars encryption (RSA public key, base64 encoded)
 AGENT_ENV_VARS_PUBLIC_KEY=
 # User deployments

apps/web/src/app/(app)/organizations/[id]/integrations/components/PlatformCard.tsx

@@ -6,10 +6,13 @@ import { Button } from '@/components/ui/button';
 import { CheckCircle2, XCircle, Clock, ArrowRight, GitBranch } from 'lucide-react';
 import type { Platform } from '@/lib/integrations/platform-definitions';
 
-interface PlatformCardProps {
+export type GitHubIdentityStatus = 'connected' | 'revoked';
+
+type PlatformCardProps = {
   platform: Platform;
+  githubIdentityStatus?: GitHubIdentityStatus;
   onNavigate?: (platformId: string) => void;
-}
+};
 
 const PlatformIcon = () => {
   // Using GitBranch as placeholder for all, we can add specific icons later
@@ -42,13 +45,40 @@ const StatusBadge = ({ status }: { status: Platform['status'] }) => {
   }
 };
 
-export function PlatformCard({ platform, onNavigate }: PlatformCardProps) {
+const GitHubIdentityBadge = ({ status }: { status: GitHubIdentityStatus }) => {
+  if (status === 'connected') {
+    return (
+      <Badge variant="default" className="flex items-center gap-1">
+        <CheckCircle2 className="h-3 w-3" />
+        Identity connected
+      </Badge>
+    );
+  }
+
+  return (
+    <Badge variant="secondary" className="flex items-center gap-1">
+      <XCircle className="h-3 w-3" />
+      Reconnect identity
+    </Badge>
+  );
+};
+
+export function PlatformCard({ platform, githubIdentityStatus, onNavigate }: PlatformCardProps) {
   const handleClick = () => {
     if (platform.enabled && onNavigate) {
       onNavigate(platform.id);
     }
   };
 
+  const description =
+    githubIdentityStatus === 'connected'
+      ? platform.status === 'installed'
+        ? 'Your GitHub identity is connected and personal repository access is set up.'
+        : 'Your GitHub identity is connected. Set up personal repository access here, or use access from an organization.'
+      : githubIdentityStatus === 'revoked'
+        ? 'Reconnect your GitHub identity to let Cloud Agent act as you. Repository access is managed separately.'
+        : platform.description;
+
   return (
     <Card
       className={`transition-all ${
@@ -64,16 +94,22 @@ export function PlatformCard({ platform, onNavigate }: PlatformCardProps) {
           <div className="min-w-0 flex-1">
             <div className="flex flex-wrap items-center gap-2">
               <CardTitle>{platform.name}</CardTitle>
-              <StatusBadge status={platform.status} />
+              {githubIdentityStatus ? (
+                <GitHubIdentityBadge status={githubIdentityStatus} />
+              ) : (
+                <StatusBadge status={platform.status} />
+              )}
             </div>
-            <CardDescription className="mt-2">{platform.description}</CardDescription>
+            <CardDescription className="mt-2">{description}</CardDescription>
           </div>
         </div>
       </CardHeader>
       <CardContent>
         {platform.enabled ? (
           <Button variant="outline" className="group w-full" onClick={handleClick}>
-            {platform.status === 'installed' ? 'Manage Integration' : 'Configure'}
+            {platform.status === 'installed' || githubIdentityStatus
+              ? 'Manage Integration'
+              : 'Configure'}
             <ArrowRight className="ml-2 h-4 w-4 transition-transform group-hover:translate-x-1" />
           </Button>
         ) : (

apps/web/src/app/api/integrations/github/user-connect/callback/route.ts

@@ -0,0 +1,91 @@
+import type { NextRequest } from 'next/server';
+import { createHash } from 'node:crypto';
+import { NextResponse } from 'next/server';
+import { captureException, captureMessage } from '@sentry/nextjs';
+import { APP_URL } from '@/lib/constants';
+import { getUserFromAuth } from '@/lib/user/server';
+import { consumeGitHubUserAuthorizationState } from '@/lib/integrations/platforms/github/user-authorization-state';
+import { exchangeAndStoreGitHubUserAuthorization } from '@/lib/integrations/platforms/github/user-authorization';
+
+function redirectWithStatus(key: 'success' | 'error', value: string): NextResponse {
+  const target = new URL('/integrations/github', APP_URL);
+  target.searchParams.set(key, value);
+  return NextResponse.redirect(target);
+}
+
+function safeCallbackContext(searchParams: URLSearchParams) {
+  const state = searchParams.get('state');
+  return {
+    hasCode: Boolean(searchParams.get('code')),
+    hasState: Boolean(state),
+    stateHash: state ? createHash('sha256').update(state).digest('hex').slice(0, 8) : null,
+    providerError: searchParams.get('error'),
+  };
+}
+
+function validOAuthCode(code: string | null): string | null {
+  if (!code || code.length > 2048 || !/^[A-Za-z0-9._~+/-]+$/.test(code)) return null;
+  return code;
+}
+
+function logDevelopmentCallbackFailure(stage: string, searchParams: URLSearchParams): void {
+  if (process.env.NODE_ENV !== 'development') return;
+  const context = safeCallbackContext(searchParams);
+  console.error('[GitHub user authorization callback debug]', {
+    stage,
+    hasCode: context.hasCode,
+    hasState: context.hasState,
+    stateHash: context.stateHash,
+    hasProviderError: Boolean(context.providerError),
+  });
+}
+
+export async function GET(request: NextRequest) {
+  let stage = 'authenticate_user';
+  try {
+    const { user, authFailedResponse } = await getUserFromAuth({ adminOnly: false });
+    if (authFailedResponse) {
+      return NextResponse.redirect(new URL('/users/sign_in', APP_URL));
+    }
+
+    const searchParams = request.nextUrl.searchParams;
+    if (searchParams.get('error')) {
+      return redirectWithStatus('error', 'authorization_cancelled');
+    }
+
+    stage = 'consume_state';
+    const state = await consumeGitHubUserAuthorizationState(searchParams.get('state'), user.id);
+    if (!state) {
+      captureMessage('GitHub user authorization callback invalid state', {
+        level: 'warning',
+        tags: { endpoint: 'github/user-connect/callback' },
+        extra: safeCallbackContext(searchParams),
+      });
+      return redirectWithStatus('error', 'invalid_state');
+    }
+
+    const code = validOAuthCode(searchParams.get('code'));
+    if (!code) {
+      return redirectWithStatus('error', 'missing_code');
+    }
+
+    stage = 'exchange_and_store_authorization';
+    const result = await exchangeAndStoreGitHubUserAuthorization({
+      kiloUserId: user.id,
+      code,
+      codeVerifier: state.codeVerifier,
+    });
+    if (result.status !== 'connected') {
+      return redirectWithStatus('error', result.status);
+    }
+
+    return redirectWithStatus('success', 'user_connected');
+  } catch (error) {
+    logDevelopmentCallbackFailure(stage, request.nextUrl.searchParams);
+    captureException(error, {
+      tags: { endpoint: 'github/user-connect/callback' },
+      extra: safeCallbackContext(request.nextUrl.searchParams),
+    });
+    return redirectWithStatus('error', 'connection_failed');
+  }
+}