Add GitHub App auth with OAuth device flow, webhooks, and check runs

- Add GitHub App config: app_id, client_id, client_secret, private_key,
  webhook_secret
- Implement OAuth device flow (POST /api/gh/auth/device, /poll, DELETE)
  so users click "Connect with GitHub" instead of pasting PATs
- Add webhook endpoint (POST /api/webhooks/github) with HMAC-SHA256
  signature verification — auto-starts PR review on opened/synchronize
- Add GitHub Check Runs — posts pass/fail status with annotations
  directly on the PR commit after review completes
- Add installation token support for GitHub App identity (JWT + RS256)
- Frontend: two-tab setup (GitHub App vs PAT fallback), device flow UI
  with code display + copy + polling, webhook status indicator
- Consolidate secret masking into mask_config_secrets() helper
- Simplify update_config masked field skipping (any "***" value skipped)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: haasonsaas

Cargo.lock

@@ -36,6 +36,10 @@ tower-http = { version = "0.6", features = ["cors", "fs"] }
 rust-embed = "8"
 uuid = { version = "1", features = ["v4"] }
 mime_guess = "2"
+hmac = "0.12"
+sha2 = "0.10"
+jsonwebtoken = "9"
+base64 = "0.22"
 
 [dev-dependencies]
 tempfile = "3.8"

Cargo.toml

@@ -201,6 +201,26 @@ pub struct Config {
 
     #[serde(default)]
     pub github_token: Option<String>,
+
+    /// GitHub App ID (from app settings page).
+    #[serde(default)]
+    pub github_app_id: Option<u64>,
+
+    /// GitHub App OAuth client ID (for device flow auth).
+    #[serde(default)]
+    pub github_client_id: Option<String>,
+
+    /// GitHub App OAuth client secret.
+    #[serde(default)]
+    pub github_client_secret: Option<String>,
+
+    /// GitHub App private key (PEM content).
+    #[serde(default)]
+    pub github_private_key: Option<String>,
+
+    /// Webhook secret for verifying GitHub webhook signatures.
+    #[serde(default)]
+    pub github_webhook_secret: Option<String>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
@@ -327,6 +347,11 @@ impl Default for Config {
             rule_priority: Vec::new(),
             providers: HashMap::new(),
             github_token: None,
+            github_app_id: None,
+            github_client_id: None,
+            github_client_secret: None,
+            github_private_key: None,
+            github_webhook_secret: None,
         }
     }
 }

src/config.rs

@@ -428,7 +428,7 @@ async fn run_review_task(
 
 /// Build a wide event from review results.
 #[allow(clippy::too_many_arguments)]
-fn build_review_event(
+pub(super) fn build_review_event(
     review_id: &str,
     event_type: &str,
     diff_source: &str,
@@ -483,7 +483,7 @@ fn build_review_event(
 }
 
 /// Emit a review wide event via structured tracing.
-fn emit_wide_event(event: &ReviewEvent) {
+pub(super) fn emit_wide_event(event: &ReviewEvent) {
     info!(
         review_id = %event.review_id,
         event_type = %event.event_type,
@@ -685,13 +685,7 @@ pub async fn get_config(State(state): State<Arc<AppState>>) -> Json<serde_json::
     let config = state.config.read().await;
     let mut value = serde_json::to_value(&*config).unwrap_or_default();
     if let Some(obj) = value.as_object_mut() {
-        if obj.contains_key("api_key") {
-            obj.insert("api_key".to_string(), serde_json::json!("***"));
-        }
-        if obj.contains_key("github_token") {
-            obj.insert("github_token".to_string(), serde_json::json!("***"));
-        }
-        mask_provider_api_keys(obj);
+        mask_config_secrets(obj);
     }
     Json(value)
 }
@@ -705,10 +699,8 @@ pub async fn update_config(
     let mut current = serde_json::to_value(&*config).unwrap_or_default();
     if let (Some(current_obj), Some(updates_obj)) = (current.as_object_mut(), updates.as_object()) {
         for (key, value) in updates_obj {
-            if key == "api_key" && value.as_str() == Some("***") {
-                continue;
-            }
-            if key == "github_token" && value.as_str() == Some("***") {
+            // Skip masked secret fields (don't overwrite with "***")
+            if value.as_str() == Some("***") {
                 continue;
             }
             current_obj.insert(key.clone(), value.clone());
@@ -724,13 +716,7 @@ pub async fn update_config(
     // Build response while still holding the write lock
     let mut result = serde_json::to_value(&*config).unwrap_or_default();
     if let Some(obj) = result.as_object_mut() {
-        if obj.contains_key("api_key") {
-            obj.insert("api_key".to_string(), serde_json::json!("***"));
-        }
-        if obj.contains_key("github_token") {
-            obj.insert("github_token".to_string(), serde_json::json!("***"));
-        }
-        mask_provider_api_keys(obj);
+        mask_config_secrets(obj);
     }
 
     drop(config);
@@ -741,6 +727,16 @@ pub async fn update_config(
     Ok(Json(result))
 }
 
+/// Mask all secret fields in a config object for safe serialization.
+fn mask_config_secrets(obj: &mut serde_json::Map<String, serde_json::Value>) {
+    for key in &["api_key", "github_token", "github_client_secret", "github_private_key", "github_webhook_secret"] {
+        if obj.get(*key).and_then(|v| v.as_str()).is_some() {
+            obj.insert(key.to_string(), serde_json::json!("***"));
+        }
+    }
+    mask_provider_api_keys(obj);
+}
+
 /// Mask api_key fields inside the providers map for safe serialization.
 fn mask_provider_api_keys(obj: &mut serde_json::Map<String, serde_json::Value>) {
     if let Some(serde_json::Value::Object(providers)) = obj.get_mut("providers") {
@@ -1803,7 +1799,7 @@ async fn run_pr_review_task(
     AppState::prune_old_reviews(&state).await;
 }
 
-async fn post_pr_review_comments(
+pub(super) async fn post_pr_review_comments(
     client: &reqwest::Client,
     token: &str,
     repo: &str,