Summary

Why

The staged SCM-containment rollout needs a token-service boundary that can issue short-lived, repository-scoped capabilities without returning raw GitHub or GitLab credentials during session setup. This PR ships that additive Worker slice first so the capability contract can be reviewed and deployed independently before the dependent Cloud Agent caller and outbound broker adopt it.

What was done

• Add encrypted GitHub and GitLab capability issue/redeem RPCs with two-hour legacy and four-hour container-bound lifetimes that return opaque capabilities during issuance and credential-bearing headers only after validating a specific outbound request.
• Restrict redemption to the pinned repository or project and a narrow Git smart HTTP, LFS control, and code-review API allowlist; re-resolve the current credential source and fail closed when its identity drifts or disappears.
• Support container-bound v2 capabilities when outboundContainerId is supplied while retaining unbound v1 issuance as a temporary compatibility path for older callers.
• Tighten self-managed GitLab handling to canonical HTTPS instance URLs across the Web integration boundary and Worker runtime parsing, including nested base-path validation.
• Add the dedicated capability encryption-key binding while preserving the existing plaintext token RPCs for the staged dependent rollout.
• Expose explicit local-only Wrangler bridge routes for manually exercising GitHub and GitLab capability issuance and redemption over the real Worker RPC binding.

High-level architecture

sequenceDiagram
  participant Caller as Future SCM session caller<br/>(not in this PR)
  participant Broker as Future outbound broker<br/>(not in this PR)
  participant Token as git-token-service RPC
  participant Store as Authorized integration storage
  participant SCM as GitHub or GitLab

  rect rgb(245, 245, 245)
    Note over Caller,SCM: Capability issuance
    Caller->>Token: issue...(user, org?, repository, container?)
    Token->>Store: Resolve authorized SCM source
    opt Mint or refresh current credential
      Token->>SCM: Resolve current credential
    end
    Token-->>Caller: Opaque capability + non-secret session metadata
  end

  rect rgb(245, 245, 245)
    Note over Caller,SCM: Per-request redemption
    Broker->>Token: redeem...(capability, container?, method, URL)
    Token->>Token: Check expiry, binding, origin, repository, and allowlist
    Token->>Store: Re-read pinned source and verify identity
    opt Mint or refresh current credential
      Token->>SCM: Resolve current credential
    end
    Token-->>Broker: Credential-bearing header for approved request
    Broker->>SCM: Forward approved request
  end

  Note over Broker,SCM: Broker adoption and redirect re-redemption are follow-up work

Verification

• Started the existing local Wrangler service-binding bridge and called POST /getTokenForRepo against the live local git-token-service Worker for an active organization-owned GitHub App integration; confirmed a successful standard installation-token lookup with the returned token redacted.
• Started an isolated, uniquely named local git-token-service Worker with a throwaway capability key and exercised the local bridge end to end: POST /issueGitHubSessionCapability returned a redacted bound kgh2 capability, then POST /redeemGitHubSessionCapability returned a redacted authorization header for an allowed Git transport URL.

Visual Changes

N/A

Reviewer Notes

• Provision SCM_SESSION_CAPABILITY_ENCRYPTION_KEY_PROD before deploying the production Worker and the DEV counterpart before deploying git-token-service-dev; rotating the key invalidates outstanding capabilities.
• Existing plaintext RPC methods remain available for staged adoption, but self-managed GitLab HTTP instance URLs are intentionally no longer accepted. A production audit found two active HTTP integrations that require migration or reconnection before rollout.
• The local-only Wrangler test bridge now exposes explicit GitHub and GitLab capability issue/redeem routes for manual RPC smoke testing. The dependent Cloud Agent caller and outbound broker remain follow-up work.
• Redemption returns usable authorization headers to the future broker. That broker must avoid logging or persisting them and must redeem redirected URLs again before forwarding credentials.
• Review the temporary unbound v1 capability path and the GitLab Web/Worker trust boundary for self-managed origins; v2 container binding is enforced only when callers supply outboundContainerId.