feat(health): add dedicated octokit GitHub App authentication check

Author: jmbish04

backend/src/health/coordinator.ts

@@ -7,7 +7,7 @@ import { HealthResult, HealthCategory, HealthStepResult } from './types';
 import { analyzeFailure } from '@/ai/utils/diagnostician';
 
 // ─── Import ALL distributed modular checks ──────────────────────────────
-import { checkGitHubAPIHealth, checkWebhooksHealth } from '@/workflows/health';
+import { checkGitHubAPIHealth, checkWebhooksHealth, checkGitHubAppAuthHealth } from '@/workflows/health';
 import { checkHealth as checkAIHealth } from '@/ai/health';
 import { checkHealth as checkAgentsHealth } from '@/ai/agents/health';
 import { checkHealth as checkMCPHealth } from '@/ai/mcp/health';
@@ -29,6 +29,7 @@ const CODE_CHECKS: RegisteredCheck[] = [
     { id: 'agents',   category: 'agents',   fn: checkAgentsHealth },
     { id: 'mcp',      category: 'mcp',      fn: checkMCPHealth },
     { id: 'browser',  category: 'browser',  fn: checkBrowserHealth },
+    { id: 'github_app',category: 'github',  fn: checkGitHubAppAuthHealth },
     { id: 'github',   category: 'github',   fn: checkGitHubAPIHealth },
     { id: 'webhooks', category: 'webhooks', fn: checkWebhooksHealth },
     { id: 'git',      category: 'git',      fn: checkGitHealth },
@@ -346,7 +347,7 @@ export class HealthCoordinator {
         const { limit = 20, onlyFailures = false, since } = options;
 
         try {
-            const conditions = [];
+            const conditions: any[] = [];
             if (onlyFailures) {
                 conditions.push(eq(healthRuns.status, 'unhealthy'));
             }

backend/src/workflows/health.ts

@@ -2,8 +2,10 @@ import { getWebhooksDb } from '@/db';
 import { webhookDeliveries } from '@/db/schemas/github/webhooks';
 import { desc, gt, and, like } from 'drizzle-orm';
 import { createGitHubIssue, createGitHubComment, updateGitHubIssue } from '@/ai/mcp/tools/github/github';
-import { HealthStepResult } from '@/health/health-check';
+import { HealthStepResult } from '@/health/types';
 import { getGithubConfig } from '@utils/github/configs';
+import { getGitHubPrivateKey, getGitHubAppId } from '@/utils/secrets';
+import { App } from 'octokit';
 
 export async function checkGitHubAPIHealth(env: Env): Promise<HealthStepResult> {
     const start = Date.now();
@@ -66,6 +68,51 @@ export async function checkWebhooksHealth(env: Env): Promise<HealthStepResult> {
     }
 }
 
+export async function checkGitHubAppAuthHealth(env: Env): Promise<HealthStepResult> {
+    const start = Date.now();
+    const details: any = { auth: { status: 'pending', test: 'octokit_app_init' } };
+
+    try {
+        const appId = await getGitHubAppId(env);
+        const privateKey = await getGitHubPrivateKey(env);
+
+        if (!appId || !privateKey) {
+            throw new Error("Missing GitHub App ID or Private Key in bindings");
+        }
+
+        // Initialize the Octokit App class. 
+        // If the private key is in PKCS#1 format (invalid), or malformed, 
+        // this instantiation or the subsequent JWT generation will throw.
+        const app = new App({
+            appId,
+            privateKey,
+        });
+
+        // Make an authenticated app-level request to force JWT generation 
+        // to strictly validate the key format internally
+        const response = await app.octokit.request("GET /app");
+        
+        details.auth.status = 'success';
+        details.auth.appName = response.data?.name || "Unknown";
+
+        return {
+            name: 'GitHub App Authentication',
+            status: 'success',
+            message: 'App initialized and JWT generated successfully (PKCS#8 confirmed)',
+            details: details,
+            durationMs: Date.now() - start
+        };
+    } catch (e: any) {
+        return {
+            name: 'GitHub App Authentication',
+            status: 'failure',
+            message: e.message || 'Failed to initialize Octokit App or generate JWT',
+            details: { ...details, stack: e.stack, name: e.name },
+            durationMs: Date.now() - start
+        };
+    }
+}
+
 async function checkWebhookGaps(env: Env) {
     const db = getWebhooksDb(env.DB_WEBHOOKS);
     const lastEvents = await db.select().from(webhookDeliveries).orderBy(desc(webhookDeliveries.created_at)).limit(1);
@@ -81,7 +128,7 @@ async function checkWebhookGaps(env: Env) {
 async function runApiChecks(env: Env) {
     const owner = getGithubConfig(env, 'owner');
     const repo = env.HEALTH_TEST_REPO_NAME;
-    const steps = [];
+    const steps: any[] = [];
     let issueNumber: number | null = null;
 
     try {