{"id":49986473,"url":"https://github.com/misospace/dispatch","last_synced_at":"2026-06-12T01:01:42.540Z","repository":{"id":357042116,"uuid":"1234926264","full_name":"misospace/dispatch","owner":"misospace","description":"Harness-agnostic Kanban and work dispatch for AI agents working GitHub Issues and PRs.","archived":false,"fork":false,"pushed_at":"2026-05-18T22:05:40.000Z","size":742,"stargazers_count":1,"open_issues_count":8,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-18T22:46:17.923Z","etag":null,"topics":["agent-workflows","ai-agents","ghithub-prs","github-issues","kanban","mcp","nextjs","postgresql","prisma","self-hosted","workflow-automation"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/misospace.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-10T20:21:43.000Z","updated_at":"2026-05-18T22:05:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/misospace/dispatch","commit_stats":null,"previous_names":["misospace/mission-control","misospace/dispatch"],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/misospace/dispatch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/misospace%2Fdispatch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/misospace%2Fdispatch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/misospace%2Fdispatch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/misospace%2Fdispatch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/misospace","download_url":"https://codeload.github.com/misospace/dispatch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/misospace%2Fdispatch/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33196068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"ssl_error","status_checked_at":"2026-05-18T09:27:28.300Z","response_time":71,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-workflows","ai-agents","ghithub-prs","github-issues","kanban","mcp","nextjs","postgresql","prisma","self-hosted","workflow-automation"],"created_at":"2026-05-19T00:00:25.065Z","updated_at":"2026-06-12T01:01:42.498Z","avatar_url":"https://github.com/misospace.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Dispatch\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"public/images/logo.png\" alt=\"Dispatch Logo\" width=\"120\" height=\"120\" /\u003e\n\u003c/p\u003e\n\nKanban for AI agent work.\n\nDispatch is a harness-agnostic Kanban and work dispatch layer for AI agents. It turns GitHub Issues and PR follow-ups into claimable queues, tracks agent runs, manages status transitions, and keeps an audit trail while GitHub remains the source of truth.\n\n## Tech Stack\n\n- **Next.js**: 16.2.6 (App Router)\n- **React**: v19\n- **Prisma**: v7\n- **Node**: v24 (Dockerfile uses `node:24-bookworm-slim`)\n- **TypeScript**: v6\n- **Tailwind CSS**: v4\n\n## Architecture\n\n### Source of Truth Rules\n\n1. **GitHub is the authoritative source** for all issue/PR data\n2. **Dispatch Postgres** stores:\n    - Cached issue metadata (not the authoritative source)\n    - Local project metadata\n    - Agent runs\n    - Audit logs\n3. **Dispatch does NOT**:\n    - Mount agent harness configuration files\n    - Require access to an agent harness local workspace\n    - Use GitHub Projects\n   - Require cluster-admin or broad Kubernetes RBAC\n   - Automatically close or complete tasks\n\n### Data Flow\n\n```\nGitHub API → Dispatch (cache) → UI\nGitHub Labels ↔ Kanban Board ↔ Audit Log\nAgent Runs → Dispatch → Agent Activity Page\n```\n\n## Required Labels\n\n### Status Labels\n- `status/backlog` - Issue needs triage/grooming; not yet ready for agents\n- `status/ready` - Issue is groomed and actionable; available for agents to claim\n- `status/in-progress` - Issue is being worked on\n- `status/in-review` - Issue has an open PR pending review/merge\n- `status/done` - Issue is completed (closed)\n\n### Owner Labels\n- `owner/*` - Issue is owned by a specific person (e.g., `owner/alice`, `owner/bob`). The Board Owner filter is derived only from synced `owner/*` labels, not GitHub assignees.\n\n### Agent Labels\n- `agent/*` - Issue is assigned to or being worked on by an agent (e.g., `agent/alpha`, `agent/beta`). The Board Agent filter is derived only from synced `agent/*` labels, not `AgentRun` names, configured agents, or GitHub assignees.\n\n### Project Labels\n- Optional: `project/*` labels may exist on issues, but Dispatch Projects groups issues by repository by default.\n\n### Priority Labels\n- `priority/p0` - Critical\n- `priority/p1` - High\n- `priority/p2` - Medium\n- `priority/p3` - Low\n\n### Type Labels\n- `type/bug`\n- `type/feature`\n- `type/chore`\n- `type/research`\n- `type/security`\n\n## Environment Variables\n\n### Preferred Variables (v0.2.1+)\n\n| Variable | Required | Description |\n|----------|----------|-------------|\n| `DATABASE_URL` | Yes | PostgreSQL connection string (canonical) |\n| `GITHUB_TOKEN` | Yes | GitHub Personal Access Token or GitHub App token (fallback when GitHub App auth is not configured) |\n| `DISPATCH_AGENT_TOKEN` | Yes | Bearer token for agent API authentication |\n| `GITHUB_REPOSITORIES` | Yes | Bootstrap seed config for repos to track. Accepts comma-separated or newline-separated values (e.g., `myorg/repo1,myorg/repo2` or `myorg/repo1` on separate lines). Repos can also be managed via Dispatch UI or `/api/automation/repos` after initial setup. |\n| `DISPATCH_AUTH_MODE` | No | Authentication mode: `\"basic\"` (HTTP Basic Auth), `\"oidc\"` (OIDC/SSO), `\"disabled\"` (no auth, **local development only** — see [Operational Notes](#operational-notes)), or unset (legacy mode) |\n| `DISPATCH_AUTH_USERNAME` | Conditional | Username for Basic Auth — required when `DISPATCH_AUTH_MODE=basic` |\n| `DISPATCH_AUTH_PASSWORD` | Conditional | Password for Basic Auth — required when `DISPATCH_AUTH_MODE=basic` |\n| `DISPATCH_OIDC_ISSUER` | Conditional | OIDC provider issuer URL (e.g., `https://auth.example.com`). Discovery URLs ending in `/.well-known/openid-configuration` are also accepted for compatibility. Required when `DISPATCH_AUTH_MODE=oidc` |\n| `DISPATCH_OIDC_CLIENT_ID` | Conditional | OIDC client ID — required when `DISPATCH_AUTH_MODE=oidc` |\n| `DISPATCH_OIDC_CLIENT_SECRET` | Conditional | OIDC client secret — required when `DISPATCH_AUTH_MODE=oidc`. Never exposed to the browser. |\n| `DISPATCH_URL` | No | Base URL of your Dispatch instance (used by outbound clients and MCP bridge) |\n| `DISPATCH_DATABASE_URL` | No | Alternative database URL alias — used if `DATABASE_URL` is not set |\n| `NEXTAUTH_SECRET` | Conditional | Secret for NextAuth.js JWT signing — required when `DISPATCH_AUTH_MODE=oidc`. Generate with: `node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\"` |\n| `NEXTAUTH_URL` | Conditional | Public Dispatch base URL used by NextAuth to derive callback URLs. Set this in OIDC deployments. |\n\n### GitHub App Authentication (Optional)\n\nDispatch supports optional GitHub App authentication to provide a separate identity in GitHub issue timelines. When configured, mutations (label changes, state changes, etc.) appear under the GitHub App bot identity instead of the shared PAT account.\n\n| Variable | Required | Description |\n|----------|----------|-------------|\n| `GITHUB_APP_ID` | Conditional | Your GitHub App's numeric ID |\n| `GITHUB_APP_INSTALLATION_ID` | Conditional | The installation ID for the GitHub App on your org/repo |\n| `GITHUB_APP_PRIVATE_KEY` | Conditional | PEM-formatted private key (supports real newlines and escaped `\\n` form) |\n\n**Behavior:**\n\n- When **all three** GitHub App env vars are present, Dispatch uses GitHub App installation auth with token caching (refreshed ~5 minutes before expiry).\n- When GitHub App env vars are **absent**, Dispatch falls back to the existing `GITHUB_TOKEN` PAT behavior.\n- **Partial** configuration is silently ignored — Dispatch falls back to PAT without error.\n- Secrets, tokens, and private keys are never logged.\n\n**Resolution order:** `DATABASE_URL` \u003e `DISPATCH_DATABASE_URL` (for database URLs). `DISPATCH_AGENT_TOKEN` (for agent tokens). `DISPATCH_URL` (for instance URL).\n\n## First-Run Flow\n\nTo get started with Dispatch:\n\n1. **Configure repos**: Set `GITHUB_REPOSITORIES` env var (comma or newline separated) _or_ add tracked repos via the UI after boot. `GITHUB_REPOSITORIES` is a **one-time bootstrap seed** — it is read only when the tracked-repos table is empty. Once any repo exists (seeded or added via UI), the env var is not consulted again, so updates must go through the UI or canonical API (`POST /api/automation/repos`). Env-seeded repos are tagged `source: \"env\"` and shown with a `seed` badge in `/automation`; user-added repos are tagged `source: \"user\"`.\n2. **Deploy** with your database and GitHub token configured.\n3. **Sync automation data**: `POST /api/automation/sync` (or use the Sync button on the Automation page).\n4. **Sync issues**: `POST /api/sync` (or use the Sync Issues action in the board UI). Agent harnesses or worker heartbeats may also trigger best-effort issue sync automatically.\n5. **View results**: The Kanban Board shows synced issues; the Projects view groups them by repository.\n\nProduction database migrations (`prisma migrate deploy`) run automatically on container startup — no manual intervention needed.\n\n## Security\n\n### Authentication\n\nDispatch supports three authentication models:\n\n1. **Agent/Worker Auth** (`DISPATCH_AGENT_TOKEN`): Bearer token authentication for API calls from agents, MCP clients, and scheduled workers. This is required for all mutating API endpoints.\n\n2. **Operator UI Auth**: Browser-based operator authentication with two modes:\n   - **Basic Auth** (`DISPATCH_AUTH_MODE=basic`): HTTP Basic Auth — the browser prompts for username/password. Mutating API calls from the browser automatically include these credentials via `authedFetch()`.\n   - **OIDC** (`DISPATCH_AUTH_MODE=oidc`): OIDC provider authentication (SSO). Operators sign in via a login page that redirects to the OIDC provider. Session cookies are managed by NextAuth.\n\n3. **Disabled** (`DISPATCH_AUTH_MODE=disabled`): No auth enforcement — full open access. **Local development only — never use in production or any internet-facing deployment.** See [Operational Notes](#operational-notes).\n\n### Auth Modes\n\n| `DISPATCH_AUTH_MODE` | Behavior |\n|---|---|\n| *(not set)* | Legacy mode — no middleware enforcement. Agent routes use Bearer token auth via `DISPATCH_AGENT_TOKEN`. Browser UI has no separate auth model. |\n| `basic` | HTTP Basic Auth required for operator UI routes. API routes also accept `DISPATCH_AGENT_TOKEN` bearer auth for agents and workers. |\n| `oidc` | OIDC session-based authentication for operator UI routes. Route handlers accept either a valid NextAuth session cookie or `DISPATCH_AGENT_TOKEN` bearer auth. |\n| `disabled` | **No auth enforcement — full open access.** All routes are publicly accessible without authentication. **Local development only.** See [Operational Notes](#operational-notes). |\n\n### How it works\n\n- **Middleware** (`src/middleware.ts`) protects operator UI pages. In Basic mode, UI pages require Basic Auth; API routes also allow agent Bearer auth. In OIDC mode, UI pages require a NextAuth session and unauthenticated users are redirected to `/login`; API routes are authorized by route handlers.\n- **Route handlers** use a shared `authorizeRequest(request)` helper from `src/lib/auth.ts` that supports Basic Auth, Bearer token auth, and OIDC session cookies depending on the configured auth mode.\n- **OIDC flow**: Operators visit `/login`, click \"Sign in with SSO\", are redirected to the OIDC provider, and return via `/api/auth/callback/oidc`. NextAuth issues a signed JWT session cookie.\n- **Client components** (`kanban-board.tsx`, `sync-issues-button.tsx`) use `authedFetch()` which automatically attaches stored Basic Auth credentials to outgoing requests. In OIDC mode, cookies are sent automatically by the browser.\n\n\n### Operational Notes\n\n#### DISPATCH_AUTH_MODE=disabled — Security Warnings and Deployment Checks\n\nSetting `DISPATCH_AUTH_MODE=disabled` disables all authentication enforcement for both operator UI routes and API routes. **This means every endpoint is publicly accessible without any credentials.**\n\n**⚠️ CRITICAL: This mode MUST only be used for local development.** The following deployment checks are enforced when `DISPATCH_AUTH_MODE=disabled` is detected:\n\n1. **Startup Warning**: A warning is logged to stdout on every application start, reminding operators that disabled auth mode is active.\n2. **Health Endpoint Exposure**: The `/api/health` endpoint reports the current auth mode in its response (`{ ok: true, database: \"ok\", version: \"...\", authMode: \"disabled\" }`), allowing operators and monitoring tools to verify the configuration at a glance.\n3. **Local-Only Guidance**: When deploying with disabled auth mode, ensure Dispatch is bound to `127.0.0.1` (localhost) only and is NOT exposed to any network interface that could be reached from outside the local machine. Do not set up reverse proxies, load balancers, or ingress rules that forward external traffic to a dispatch instance running with `DISPATCH_AUTH_MODE=disabled`.\n\n**If you need Dispatch without authentication:**\n- Use `DISPATCH_AUTH_MODE=basic` with strong credentials for internal deployments behind a trusted network.\n- Use `DISPATCH_AUTH_MODE=oidc` with a proper OIDC provider for production deployments.\n- Never expose a disabled-auth instance to the internet or untrusted networks.\n\n**Security implications of disabled mode:**\n- All mutating API endpoints (create/update/delete issues, claim work, sync repos, etc.) accept requests from any source.\n- The operator UI is fully accessible — anyone can view and modify all kanban boards, trigger syncs, and manage tracked repositories.\n- Agent tokens (`DISPATCH_AGENT_TOKEN`) are also ignored — there is no distinction between authenticated and unauthenticated requests.\n- Webhook endpoints in `src/app/api/pr-followup/` that conditionally skip signature verification become completely unprotected.\n\n---\n\n### Agent Token vs Operator Auth\n\n| | Agent/Worker Auth | Operator UI Auth (Basic) | Operator UI Auth (OIDC) |\n|---|---|---|---|\n| **Header/Cookie** | `Authorization: Bearer \u003ctoken\u003e` | `Authorization: Basic \u003cbase64(user:pass)\u003e` | Session cookie (NextAuth JWT) |\n| **Config** | `DISPATCH_AGENT_TOKEN` | `DISPATCH_AUTH_USERNAME` + `DISPATCH_AUTH_PASSWORD` | `DISPATCH_OIDC_ISSUER`, `DISPATCH_OIDC_CLIENT_ID`, `DISPATCH_OIDC_CLIENT_SECRET` |\n| **Used by** | Agents, MCP clients, cron workers | Browser UI (human operators) | Browser UI (human operators) |\n| **Protected routes** | Mutating API endpoints | Operator UI + mutating browser API calls | Operator UI + mutating browser API calls |\n\n### OIDC Setup\n\nTo enable OIDC authentication:\n\n1. **Register an OIDC client** with your identity provider (Keycloak, Authentik, Okta, Google, GitHub OAuth, etc.). Configure the redirect URI to point to your Dispatch instance:\n   ```\n   https://your-dispatch-url.example.com/api/auth/callback/oidc\n   ```\n\n2. **Set the required environment variables**:\n   ```bash\n   DISPATCH_AUTH_MODE=\"oidc\"\n   DISPATCH_OIDC_ISSUER=\"https://your-issuer.example.com\"\n   DISPATCH_OIDC_CLIENT_ID=\"your-client-id\"\n   DISPATCH_OIDC_CLIENT_SECRET=\"your-client-secret\"\n   NEXTAUTH_SECRET=\"$(node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\")\"\n   NEXTAUTH_URL=\"https://your-dispatch-url.example.com\"\n   ```\n\n3. **Restart Dispatch**. Operators will see a login page at `/login` with a \"Sign in with SSO\" button.\n\n4. **Agent tokens continue to work** — agents use `DISPATCH_AGENT_TOKEN` bearer auth regardless of the operator auth mode.\n\n## Required Labels\n\n## Phase 1 Features\n\n### Implemented\n1. **GitHub Repository Configuration**\n   - Support configuring multiple GitHub repos to sync\n   - Use env vars for GitHub auth (PAT support)\n\n2. **Issue Sync**\n   - Fetch open GitHub issues from configured repos\n   - Cache issue metadata in Postgres\n   - Store: number, repo, title, state, labels, assignees, URL, timestamps\n\n3. **Kanban Board**\n   - Columns: Backlog, Ready, In Progress, In Review, Done\n   - Drag-and-drop between columns updates GitHub labels\n   - Audit log entry on every mutation\n   - Visible error on GitHub mutation failure\n\n4. **Filtering**\n   - Filter by repo and priority\n   - Filter by agent and owner labels; empty agent/owner dropdowns mean no synced issues currently carry `agent/*` or `owner/*` labels\n\n5. **Project View**\n   - Group synced issues by repository\n   - Show issues by status per repository project\n\n6. **Agent Activity Ingestion**\n   - `POST /api/agent-runs` with bearer token auth\n   - Store agent name, run type, status, timestamps, summary, touched issues\n\n7. **Overview Page**\n   - Open issues by status\n   - Issues per agent\n   - Stale in-progress issues\n   - Recent agent runs\n   - Recent audit log entries\n\n8. **Audit Log**\n   - Record every board mutation with actor, action, before/after labels, success/failure\n\n9. **Deployment**\n   - Dockerfile for app\n   - Kubernetes manifests (bjw-s/app-template style)\n   - ExternalSecret placeholders for all secrets\n   - Internal-only ingress\n\n### Intentionally Not Included in Phase 1\n\n- GitHub Projects integration\n- Automatic task completion\n- Broad Kubernetes RBAC\n- S3/PVC storage\n- Redis/Dragonfly caching\n- Kanban card editing beyond status\n- Complex project management features\n\n## Local Development\n\n```bash\n# Install dependencies\nnpm install\n\n# Generate Prisma client\nnpm run db:generate\n\n# Push schema to database (local dev only - no migrations exist yet)\nnpm run db:push\n\n# Start development server\nnpm run dev\n```\n\n## Testing\n\nRun the smoke/regression suite locally with:\n\n```bash\nnpm run test\n```\n\nThe tests are intentionally lightweight and do not require Postgres, GitHub API access, or secrets. They cover:\n\n- repository env parsing and validation\n- BigInt-safe JSON serialization for automation API responses\n- critical API route file presence\n- issue sync response shaping and per-repo error handling\n- Kanban status grouping, including no-status issues appearing in Backlog\n- project grouping by repository boundaries\n- dark mode toggle class and localStorage behavior\n\nThe `CI` workflow runs lint, typecheck, tests, and build. The image workflow builds the Docker image, publishes GHCR images on `main` and `v*` tags, and uploads advisory Trivy scan results.\n\nRecommended Renovate flow:\n\n1. Merge the test harness first.\n2. Let Renovate PRs rebase onto the new checks.\n3. Merge low-risk dependency PRs first.\n4. Handle framework, Prisma, and React updates separately.\n\n## Database Setup\n\nDispatch uses Prisma with PostgreSQL. Migrations are used for production; `db push` is for local development only.\n\n### Local Development\n- Use `npm run db:push` to apply schema changes without migrations.\n\n### Production Deployment\n- Production automatically runs `prisma migrate deploy` on container startup.\n- First deploy against an empty database creates all tables automatically.\n- No manual `kubectl exec` or `db push` is required.\n- Set `SKIP_DB_MIGRATIONS=true` to skip migrations if needed.\n\n```bash\n# Production (automatic on startup):\nnpm run db:deploy\n\n# Local dev only:\nnpm run db:push\n```\n\n## Deployment\n\nThe app uses the bjw-s/app-template Helm chart. See `home-ops/kubernetes/apps/base/llm/dispatch/` for manifests.\n\nRequired secrets (via ExternalSecret):\n- `DATABASE_URL` - PostgreSQL connection string (canonical)\n- `GITHUB_TOKEN` - GitHub authentication\n- `DISPATCH_AGENT_TOKEN` - Agent API bearer token\n\n## API Endpoints\n\n### GET /api/issues\nList cached issues. Query params: `repo`, `agent`, `owner`, `project`, `priority`\n\n### POST /api/issues/move\nMove issue between status columns. Body: `{ issueId, repoFullName, issueNumber, oldLabels, newLabels }`\n\n### GET /api/repos\nList configured repositories for the board/issue-sync view (`Repository` rows). This is not the tracked repository management API.\n\n### POST /api/repos\nDeprecated compatibility endpoint for adding a tracked repository. Prefer `POST /api/automation/repos`; this endpoint delegates to the same behavior and returns deprecation headers.\n\n### GET /api/automation/repos\nCanonical tracked repository list for automation. Returns `AutomationRepo` rows with workflow/release summary fields used by `/automation`.\n\n### POST /api/automation/repos\nCanonical tracked repository add endpoint. Body: `{ fullName: \"owner/repo\" }`. Creates an `AutomationRepo` row with `source: \"user\"` **and** a mirror enabled `Repository` row so issue sync and the board see it immediately. Returns 409 if the repo is already tracked. Writes an `add_tracked_repo` AuditLog entry.\n\n### DELETE /api/automation/repos/[repo]\nStop tracking a repository. `[repo]` is the URL-encoded `owner/repo` fullName. Hard-deletes the `AutomationRepo` row (cascading workflow/run/release history) and soft-disables the mirror `Repository` row (`enabled = false`) so cached issues remain visible for history but are excluded from active board filters. Writes a `remove_tracked_repo` AuditLog entry.\n\n`/api/automation/repositories` and `/api/automation/repositories/[id]` were legacy duplicate routes and have been removed. Use `/api/automation/repos` for tracked repository management.\n\n### POST /api/sync\nSync all issues from configured repositories. Intended callers are:\n\n- the board UI's manual **Sync Issues** action\n- agent harness or worker heartbeat best-effort cache refresh (see Scheduled Issue Sync Strategy below)\n\n### GET /api/agent-runs\nList agent runs. Query params: `limit`\n\n### POST /api/agent-runs\nCreate agent run. Requires `DISPATCH_AGENT_TOKEN` bearer auth.\n\n### GET /api/audit\nList audit logs. Query params: `limit`, `repo`\n\n**Note: Issue sync and automation sync are separate concerns.**\n- **Issue sync** (`POST /api/sync`) refreshes GitHub issues into the Kanban board. It is heartbeat-driven (best-effort via agent harness) or manual via UI.\n- **Automation sync** (`POST /api/automation/sync`) refreshes CI/CD, workflow runs, releases, and packages data. It is managed independently on the Automation page.\n- Each sync operates on its own data models and caching layer.\n\n## Automation Section\n\nDispatch includes an Automation section that discovers and visualizes CI/CD, builds, tests, security scans, releases, and scheduled workflows from GitHub repositories.\n\n### Data Sources Used\n\n- GitHub REST API (`/repos`, `/actions/workflows`, `/actions/runs`, `/actions/jobs`, `/releases`, `/pulls`, `/packages`)\n- Local repository scanning (for workflow path discovery)\n\n### GitHub Permissions Required\n\nFor read-only automation visibility:\n- `metadata:read` - Repository metadata\n- `contents:read` - Workflow file access\n- `actions:read` - Workflow runs and jobs\n- `pull_requests:read` - PR associations with runs\n- `packages:read` - Container/package metadata (if applicable)\n\nFor control actions (rerun, dispatch):\n- `actions:write` - Re-run workflows, trigger workflow_dispatch\n\n### New Environment Variables\n\n| Variable | Required | Description |\n|----------|----------|-------------|\n| `GITHUB_REPOSITORIES` | Yes | Bootstrap seed config for tracked repos. Accepts comma-separated or newline-separated values (e.g., `myorg/repo1,myorg/repo2`). Managed repos can also be added/removed via UI at `/automation`. |\n\n### Screens Added\n\n1. **Automation Overview** (`/automation`)\n   - One card per tracked repo\n   - Shows: repo name, default branch, latest commit SHA, workflow status, failing/running counts, latest release, open PR count\n   - Sync button to refresh data\n   - Link to GitHub repo\n   - Add/remove tracked repos via UI\n\n2. **Repo Automation Detail** (`/automation/repos/[repo]`)\n   - Workflow list with recent runs per workflow\n   - Release history\n   - Package/image tags\n   - Recent activity feed\n   - Sync status and error display\n\n3. **Workflow Detail** (`/automation/workflows/[id]`)\n   - Workflow name, path, state\n   - Recent runs with status, branch, SHA, actor, duration\n   - Success rate and average duration\n   - Jobs breakdown for latest run\n   - Link to GitHub workflow page\n\n4. **Activity Feed** (`/automation/activity`)\n   - Unified event feed across all repos\n   - Events include: workflow runs, releases, PRs, sync completions\n   - Filterable by event type\n\n### Control Actions Implemented\n\n- **Re-run failed workflow**: POST to `/api/automation/runs/[runId]?action=rerun`\n  - Audited in AuditLog\n  - Requires: `repoFullName` query param, `runId` path param\n  - Requires GitHub token with `actions:write` permission\n\n- **Trigger workflow dispatch**: POST to `/api/automation/runs/[runId]?action=dispatch`\n  - Audited in AuditLog\n  - Triggers `workflow_dispatch` on the workflow associated with the run's branch\n  - Requires GitHub token with `actions:write` permission\n\n### Cache Behavior\n\n- All GitHub automation state is cached in Postgres\n- `lastSyncedAt` timestamp on `AutomationRepo` shows cache freshness\n- `syncError` field stores last sync failure for visibility\n- UI shows stale warnings when `lastSyncedAt` \u003e 1 hour ago\n- Sync runs are recorded in `AutomationSyncRun` table with stats\n\n## Pre-migration Smoke Checklist\n\nRun this checklist before pointing an agent harness at Dispatch as its task-visibility layer (instead of a GitHub Project board). Every step should pass; stop and investigate on the first failure.\n\nSet `BASE` to your Dispatch URL (e.g. `BASE=https://dispatch.internal`) before running.\n\n| # | Check | Expected |\n|---|-------|----------|\n| 1 | `curl -fsS \"$BASE/api/health\"` | `{\"ok\":true,\"database\":\"ok\",...}` |\n| 2 | `curl -fsS -X POST \"$BASE/api/automation/sync\"` | 2xx, no error body |\n| 3 | `curl -fsS \"$BASE/api/automation/repos\"` | JSON array, non-empty if repos are configured |\n| 4 | `curl -fsS -X POST \"$BASE/api/sync\" -H \"Authorization: Bearer $DISPATCH_AGENT_TOKEN\"` | `syncedCount \u003e 0` |\n| 5 | `curl -fsS \"$BASE/api/issues\"` | JSON array, length \u003e 0 |\n| 6 | Open `/board` in a browser | Issues render — no \"no issues synced yet\" empty state (or auth dialog if Basic Auth is enabled) |\n| 7 | Open `/projects` | Repo groups render |\n| 8 | Open `/agents` | Recent agent heartbeat visible with agent name |\n| 9 | Move a low-risk test issue between columns | GitHub label changes; AuditLog row appears in `GET /api/audit` |\n| 10 | `kubectl logs -n \u003cns\u003e \u003cpod\u003e` (or equivalent) | No Prisma / BigInt / FK errors |\n\nOnly flip the agent's workflow over once all ten steps pass.\n\n**When Basic Auth is enabled**, add `-u \"$DISPATCH_AUTH_USERNAME:$DISPATCH_AUTH_PASSWORD\"` to browser and curl requests, or use the browser's native auth dialog.\n\n## Scheduled Issue Sync Strategy\n\nDispatch keeps GitHub as the source of truth and stores issues only as a local cache. Cache freshness is owned by **agent harness heartbeat sync** rather than by a Dispatch background worker or new cluster CronJob.\n\nDecision:\n- At the start of each heartbeat, the agent harness should make a best-effort `POST` request to Dispatch's `/api/sync` endpoint.\n- The request must be non-blocking for heartbeat work: log/report a warning if the sync fails or times out, then continue the heartbeat.\n- Manual UI sync remains supported for immediate refreshes and troubleshooting.\n\nRationale:\n- Reuses the existing heartbeat that already reports to Dispatch, so no new Kubernetes manifests, images, queues, or background scheduler are required.\n- Keeps cache freshness close to the agent workflow that consumes the board.\n- Preserves Dispatch's simple app model: it serves API/UI requests and does not need long-running in-process scheduling state.\n\nRejected alternatives for the first implementation:\n- **Kubernetes CronJob**: valid later if heartbeat-driven sync is too sparse, but it adds deployment and auth plumbing for little immediate benefit.\n- **Dispatch internal scheduler**: would couple cache freshness to app process lifetime and introduces timer/queue behavior that Phase 1 intentionally avoids.\n\nOperational notes:\n- Configure the agent harness with `DISPATCH_URL` and any required network access to reach Dispatch.\n- `/api/sync` currently does not require `DISPATCH_AGENT_TOKEN`; if auth is added later, update the heartbeat caller and this section together.\n- Treat sync failures as freshness warnings, not heartbeat failures, unless the heartbeat itself cannot complete.\n\n### Known Limitations\n\n1. **No workflow YAML parsing**: Trigger types (push, PR, schedule, manual) are not parsed from workflow files. GitHub shows workflow state (active/inactive) but not trigger configuration.\n2. **No branch-specific runs**: Only the most recent runs per workflow are fetched, not runs across all branches historically.\n3. **No check runs/check suites**: Job-level visibility is limited to Actions jobs; separate status checks from other integrations are not fetched.\n4. **No Secrets scanning**: Secret detection results from GitHub's secret scanning are not fetched (requires additional API endpoint).\n5. **Package visibility**: GitHub packages require the user to have appropriate permissions to view; private packages may not be visible.\n6. **No webhook receiver for real-time updates**: Issue cache refresh is heartbeat-driven and best-effort, not push-based from GitHub.\n7. **No workflow run logs**: Full logs are not stored; only run metadata and job status.\n\n### Deferred Phase 2 Items\n\n1. **Webhook receiver** for real-time automation updates\n2. **Workflow trigger parsing** from YAML to show push/PR/schedule/dispatch triggers\n3. **Branch-specific run history** with filtering\n4. **Check runs integration** for non-Actions status checks\n5. **Secret scanning results** visibility\n6. **Artifact listing** for workflow runs\n7. **Deployment status** correlation (link runs to environments)\n8. **Caching improvements** with Redis if sync load becomes problematic\n9. **Webhook-based issue sync** if heartbeat freshness is not enough\n\n## Container Image\n\nThe Dispatch Docker image is built and published via GitHub Actions CI/CD.\n\n### Image Name\n\n```\nghcr.io/misospace/dispatch\n```\n\n### Workflow\n\n`.github/workflows/image.yaml` - Build Dispatch Image\n\n### Triggers\n\n- Push to `main` branch\n- Pull requests targeting `main`\n- Version tags (`v*`)\n- Manual workflow dispatch\n\n### Tags Generated\n\n| Event | Tags |\n|-------|------|\n| Push to `main` | `main`, `sha-\u003cshortsha\u003e` |\n| Version tag `v1.2.3` | `1.2.3`, `1.2`, `latest`, `sha-\u003cshortsha\u003e` |\n| Pull request | Build only, no push |\n\n### How to Manually Trigger a Build\n\n```bash\n# Via GitHub CLI\ngh workflow run image.yaml\n\n# Via web: Actions \u003e Build Dispatch Image \u003e Run workflow\n```\n\n### Required GitHub Settings\n\n1. **GHCR Package Visibility**: The package is published to `ghcr.io`. Ensure the repository's GHCR package visibility is set to appropriate level (public or private with OCI registry access).\n\n2. **Workflow Permissions**: The workflow requires:\n   - `contents: read` - for checkout\n   - `packages: write` - for pushing to GHCR\n   - `pull-requests: read` - for PR trigger context\n\n   These are set via `GITHUB_TOKEN` which is automatically granted. No additional secrets needed.\n\n3. **OIDC**: No cloud credentials required. Uses `GITHUB_TOKEN` for GHCR authentication.\n\n### Home-ops Image Reference\n\nThe Kubernetes deployment references the image:\n\n```yaml\nspec:\n  containers:\n    - image: ghcr.io/misospace/dispatch:main\n```\n\nThe image tag `main` is updated on each push to the `main` branch via the CI workflow.\n\n### Local Development Image Build\n\n```bash\n# Build locally\ndocker build -t ghcr.io/misospace/dispatch:local .\n\n# Run locally\ndocker run -p 3000:3000 \\\n  -e DATABASE_URL=\"postgresql://...\" \\\n  -e GITHUB_TOKEN=\"ghp_...\" \\\n  -e DISPATCH_AGENT_TOKEN=\"...\" \\\n  # Optional: Enable Basic Auth for browser UI\n  # -e DISPATCH_AUTH_MODE=\"basic\" \\\n  # -e DISPATCH_AUTH_USERNAME=\"admin\" \\\n  # -e DISPATCH_AUTH_PASSWORD=\"secure-password\" \\\n\n  # Or enable OIDC/SSO for browser UI\n  # -e DISPATCH_AUTH_MODE=\"oidc\" \\\n  # -e DISPATCH_OIDC_ISSUER=\"https://auth.example.com\" \\\n  # -e DISPATCH_OIDC_CLIENT_ID=\"your-client-id\" \\\n  # -e DISPATCH_OIDC_CLIENT_SECRET=\"your-client-secret\" \\\n  # -e NEXTAUTH_SECRET=\"$(node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\")\" \\\n  ghcr.io/misospace/dispatch:local\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisospace%2Fdispatch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmisospace%2Fdispatch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmisospace%2Fdispatch/lists"}