feat(auth): validate github status tokens live

Author: skulidropek

packages/lib/src/usecases/auth-github.ts

@@ -3,7 +3,7 @@ import type * as CommandExecutor from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
 import type * as FileSystem from "@effect/platform/FileSystem"
 import type * as Path from "@effect/platform/Path"
-import { Duration, Effect, Schedule } from "effect"
+import { Duration, Effect, Match, Schedule } from "effect"
 
 import type { AuthGithubLoginCommand, AuthGithubLogoutCommand, AuthGithubStatusCommand } from "../core/domain.js"
 import { defaultTemplateConfig } from "../core/domain.js"
@@ -15,6 +15,8 @@ import { buildDockerAuthSpec, normalizeAccountLabel } from "./auth-helpers.js"
 import { migrateLegacyOrchLayout } from "./auth-sync.js"
 import { ensureEnvFile, parseEnvEntries, readEnvText, removeEnvKey, upsertEnvKey } from "./env-file.js"
 import { ensureGhAuthImage, ghAuthDir, ghAuthRoot, ghImageName } from "./github-auth-image.js"
+import type { GithubTokenValidationResult } from "./github-token-validation.js"
+import { validateGithubToken } from "./github-token-validation.js"
 import { resolvePathFromCwd } from "./path-helpers.js"
 import { withFsPathContext } from "./runtime.js"
 import { ensureStateDotDockerGitRepo } from "./state-repo-github.js"
@@ -35,6 +37,8 @@ type EnvContext = {
   readonly current: string
 }
 
+type GithubTokenStatusEntry = GithubTokenEntry & GithubTokenValidationResult
+
 const ensureGithubOrchLayout = (
   cwd: string,
   envGlobalPath: string
@@ -116,6 +120,21 @@ const withEnvContext = <A, E, R>(
     })
   )
 
+const renderGithubTokenStatusLine = (entry: GithubTokenStatusEntry): string =>
+  Match.value(entry.status).pipe(
+    Match.when("valid", () =>
+      entry.login === null
+        ? `- ${entry.label}: valid (owner unavailable)`
+        : `- ${entry.label}: valid (owner: ${entry.login})`
+    ),
+    Match.when("invalid", () => `- ${entry.label}: invalid`),
+    Match.when("unknown", () => `- ${entry.label}: unknown (validation unavailable)`),
+    Match.exhaustive
+  )
+
+const renderGithubTokenStatusReport = (entries: ReadonlyArray<GithubTokenStatusEntry>): string =>
+  [`GitHub tokens (${entries.length}):`, ...entries.map(renderGithubTokenStatusLine)].join("\n")
+
 const resolveGithubTokenFromGh = (
   cwd: string,
   accountPath: string
@@ -251,16 +270,16 @@ export const authGithubLogin = (
     })
   )
 
-// CHANGE: show GitHub auth status from the shared env file
-// WHY: surface current account labels without leaking tokens
+// CHANGE: show GitHub auth status with live token validation and owner login
+// WHY: presence in the env file is weaker than actual GitHub validity for operator diagnostics
 // QUOTE(ТЗ): "система авторизации"
-// REF: user-request-2026-01-28-auth
+// REF: user-request-2026-03-19-github-token-status-owner
 // SOURCE: n/a
-// FORMAT THEOREM: forall env: status(env) -> labels(env)
+// FORMAT THEOREM: forall env: status(env) -> validated(labels(env))
 // PURITY: SHELL
 // EFFECT: Effect<void, PlatformError, FileSystem | Path>
 // INVARIANT: tokens are never logged
-// COMPLEXITY: O(n) where n = |env|
+// COMPLEXITY: O(n) env scan + O(n) network round-trips where n = |tokens|
 export const authGithubStatus = (
   command: AuthGithubStatusCommand
 ): Effect.Effect<void, PlatformError, GithubFsRuntime> =>
@@ -271,10 +290,22 @@ export const authGithubStatus = (
         yield* _(Effect.log(`GitHub not connected (no tokens in ${envPath}).`))
         return
       }
-      const sample = tokens.slice(0, 20).map((entry) => entry.label).join(", ")
-      const remaining = tokens.length - Math.min(tokens.length, 20)
-      const suffix = remaining > 0 ? ` ... (+${remaining} more)` : ""
-      yield* _(Effect.log(`GitHub tokens (${tokens.length}): ${sample}${suffix}`))
+
+      const statuses = yield* _(
+        Effect.forEach(tokens, (entry) =>
+          validateGithubToken(entry.token).pipe(
+            Effect.map((validation) => ({
+              key: entry.key,
+              label: entry.label,
+              token: entry.token,
+              status: validation.status,
+              login: validation.login
+            }))
+          )
+        )
+      )
+
+      yield* _(Effect.log(renderGithubTokenStatusReport(statuses)))
     }))
 
 // CHANGE: remove GitHub auth token from the shared env file

packages/lib/src/usecases/github-token-preflight.ts

@@ -1,18 +1,19 @@
-import { FetchHttpClient, HttpClient } from "@effect/platform"
 import type { PlatformError } from "@effect/platform/Error"
 import * as FileSystem from "@effect/platform/FileSystem"
-import { Effect } from "effect"
+import { Effect, Match } from "effect"
 
 import type { TemplateConfig } from "../core/domain.js"
 import { parseGithubRepoUrl } from "../core/repo.js"
 import { normalizeGitTokenLabel } from "../core/token-labels.js"
 import { AuthError } from "../shell/errors.js"
 import { findEnvValue, readEnvText } from "./env-file.js"
+import {
+  githubInvalidTokenMessage,
+  githubTokenValidationWarning,
+  validateGithubToken
+} from "./github-token-validation.js"
 
-const githubTokenValidationUrl = "https://api.github.com/user"
-const githubTokenValidationWarning = "Unable to validate GitHub token before start; continuing."
-export const githubInvalidTokenMessage =
-  "GitHub token is invalid. Register GitHub again: docker-git auth github login --web"
+export { githubInvalidTokenMessage } from "./github-token-validation.js"
 
 const defaultGithubTokenKeys: ReadonlyArray<string> = [
   "GIT_AUTH_TOKEN",
@@ -75,37 +76,6 @@ export const resolveGithubCloneAuthToken = (
   return findFirstEnvValue(envText, defaultGithubTokenKeys)
 }
 
-type GithubTokenValidationStatus = "valid" | "invalid" | "unknown"
-
-const unknownGithubTokenValidationStatus = (): GithubTokenValidationStatus => "unknown"
-
-const mapGithubTokenValidationStatus = (status: number): GithubTokenValidationStatus => {
-  if (status === 401) {
-    return "invalid"
-  }
-  return status >= 200 && status < 300 ? "valid" : "unknown"
-}
-
-const validateGithubTokenStatus = (token: string): Effect.Effect<GithubTokenValidationStatus> =>
-  Effect.gen(function*(_) {
-    const client = yield* _(HttpClient.HttpClient)
-    const response = yield* _(
-      client.get(githubTokenValidationUrl, {
-        headers: {
-          Authorization: `Bearer ${token}`,
-          Accept: "application/vnd.github+json"
-        }
-      })
-    )
-    return mapGithubTokenValidationStatus(response.status)
-  }).pipe(
-    Effect.provide(FetchHttpClient.layer),
-    Effect.match({
-      onFailure: unknownGithubTokenValidationStatus,
-      onSuccess: (status) => status
-    })
-  )
-
 // CHANGE: validate GitHub auth token before clone/create starts mutating the project
 // WHY: dead tokens make git clone fail later with a misleading branch/auth error inside the container
 // QUOTE(ТЗ): "Если токен мёртв то пусть пишет что надо зарегистрировать github используй docker-git auth github login --web"
@@ -128,11 +98,13 @@ export const validateGithubCloneAuthTokenPreflight = (
       return
     }
 
-    const status = yield* _(validateGithubTokenStatus(token))
-    if (status === "invalid") {
-      return yield* _(Effect.fail(new AuthError({ message: githubInvalidTokenMessage })))
-    }
-    if (status === "unknown") {
-      yield* _(Effect.logWarning(githubTokenValidationWarning))
-    }
+    const validation = yield* _(validateGithubToken(token))
+    yield* _(
+      Match.value(validation.status).pipe(
+        Match.when("valid", () => Effect.void),
+        Match.when("invalid", () => Effect.fail(new AuthError({ message: githubInvalidTokenMessage }))),
+        Match.when("unknown", () => Effect.logWarning(githubTokenValidationWarning)),
+        Match.exhaustive
+      )
+    )
   })

packages/lib/src/usecases/github-token-validation.ts

@@ -0,0 +1,86 @@
+import { FetchHttpClient, HttpClient } from "@effect/platform"
+import * as ParseResult from "@effect/schema/ParseResult"
+import * as Schema from "@effect/schema/Schema"
+import { Either, Effect } from "effect"
+
+const githubTokenValidationUrl = "https://api.github.com/user"
+
+export const githubTokenValidationWarning = "Unable to validate GitHub token before start; continuing."
+export const githubInvalidTokenMessage =
+  "GitHub token is invalid. Register GitHub again: docker-git auth github login --web"
+
+type GithubUser = {
+  readonly login: string
+}
+
+export type GithubTokenValidationStatus = "valid" | "invalid" | "unknown"
+
+export type GithubTokenValidationResult = {
+  readonly status: GithubTokenValidationStatus
+  readonly login: string | null
+}
+
+const GithubUserSchema: Schema.Schema<GithubUser> = Schema.Struct({
+  login: Schema.String
+})
+
+const unknownGithubTokenValidationResult = (): GithubTokenValidationResult => ({
+  status: "unknown",
+  login: null
+})
+
+const decodeGithubUserLogin = (input: unknown): string | null =>
+  Either.match(ParseResult.decodeUnknownEither(GithubUserSchema)(input), {
+    onLeft: () => null,
+    onRight: (user) => user.login
+  })
+
+const mapGithubTokenValidationStatus = (status: number): GithubTokenValidationStatus => {
+  if (status === 401) {
+    return "invalid"
+  }
+  return status >= 200 && status < 300 ? "valid" : "unknown"
+}
+
+// CHANGE: validate GitHub token and decode the authenticated account login on success
+// WHY: auth status and create preflight must share one live GitHub validation boundary
+// QUOTE(ТЗ): "status проверял валидность токена и если он валидный то писал бы кто овнер"
+// REF: user-request-2026-03-19-github-token-status-owner
+// SOURCE: n/a
+// FORMAT THEOREM: ∀t: probe(t).status = valid → probe(t).login ∈ String ∪ null
+// PURITY: SHELL
+// EFFECT: Effect<GithubTokenValidationResult, never, never>
+// INVARIANT: token is never logged; unknown/transport failures degrade to `unknown`
+// COMPLEXITY: O(1) network round-trip
+export const validateGithubToken = (token: string): Effect.Effect<GithubTokenValidationResult> =>
+  Effect.gen(function*(_) {
+    const client = yield* _(HttpClient.HttpClient)
+    const response = yield* _(
+      client.get(githubTokenValidationUrl, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json"
+        }
+      })
+    )
+
+    const status = mapGithubTokenValidationStatus(response.status)
+    if (status !== "valid") {
+      return {
+        status,
+        login: null
+      } satisfies GithubTokenValidationResult
+    }
+
+    const body = yield* _(response.json)
+    return {
+      status,
+      login: decodeGithubUserLogin(body)
+    } satisfies GithubTokenValidationResult
+  }).pipe(
+    Effect.provide(FetchHttpClient.layer),
+    Effect.match({
+      onFailure: unknownGithubTokenValidationResult,
+      onSuccess: (result) => result
+    })
+  )