feat: GitHub-backed devcontainer config dropdown for project chat

[simple-agent-manager]

Summary

• Add GET /api/projects/:projectId/devcontainer-configs endpoint that discovers devcontainer configs from the project's GitHub repository using the git tree API, with contents API fallback for truncated trees.
• Replace the free-text devcontainer config input in project chat with a dropdown populated from discovered configs.
• Add reusable DevcontainerConfigSelect and useDevcontainerConfigs surfaces for future reuse in task/profile/settings forms.
• Address SonarCloud findings by splitting fallback discovery helpers and removing duplicate test imports.
• Fix staging deploy order so Worker secret updates cannot regress the app.sammy.party web asset bundle after a Pages/API deploy.

Details

API Endpoint

• Project-scoped with ownership enforcement via requireOwnedProject.
• Loads GitHub installation from project.installationId -> githubInstallations.id -> external installationId for token generation.
• Detects default configs (.devcontainer/devcontainer.json, root .devcontainer.json) as auto-detect support.
• Detects named configs from .devcontainer/<name>/devcontainer.json, filtered by DEVCONTAINER_CONFIG_NAME_REGEX and max length.
• Non-GitHub projects return { unsupported: true, configs: [] }.
• GitHub API failures return 502 without leaking tokens.
• Falls back to GitHub contents API when tree response is truncated.

Frontend

• DevcontainerConfigSelect always includes "Auto-detect" as first option.
• Discovered named configs are rendered as dropdown options.
• Saved values not found in discovery are shown as <name> (saved, not found).
• Loading/error states are non-blocking and do not prevent chat submission.
• ChatInput uses the dropdown on both mobile and desktop when the workspace profile is not lightweight.

Not in scope

• Replacing the same text field in TaskSubmitForm, ProfileFormDialog, and SettingsDrawer.
• Cloudflare Artifacts provider support; unsupported response is returned for now.

Test plan

• API unit tests: pnpm --filter @simple-agent-manager/api test -- devcontainer-configs (18 passing).
• Frontend component tests: pnpm --filter @simple-agent-manager/web test -- devcontainer-config-select (9 passing).
• pnpm lint exits 0 (existing warnings only).
• pnpm typecheck.
• CI rerun after PR body/Sonar/deploy workflow fixes: all PR checks passed on 9ea499d4.
• Staging deployment and end-to-end verification: deploy-staging run 25957699022 passed; authenticated Playwright on https://app.sammy.party/projects/01KJNR9R3TEN3KX1ETE33852R8/chat verified Config renders as a <select> with Auto-detect, and GET https://api.sammy.party/api/projects/01KJNR9R3TEN3KX1ETE33852R8/devcontainer-configs returned the GitHub-backed CrewAI response.

Linked Idea

01KRNJTR9T4XZ2RMZWRZCGP88F — GitHub-backed devcontainer config dropdown for project chat

Specialist Review Evidence (Required for agent-authored PRs)

• All dispatched reviewers completed and findings addressed before merge
• If any reviewer did NOT complete: needs-human-review label added and merge deferred to human

Reviewer	Status	Outcome
task-completion-validator	PASS	No PR-specific task file was present, so validation used PR body, diff, tests, and UI-to-backend trace. New dropdown value flows through existing selectedDevcontainerConfigName submission path; discovery endpoint and component have focused tests.
cloudflare-specialist	PASS	Worker route uses existing Hono/project auth patterns, D1 via Drizzle only for ownership/install lookup, no migrations or binding changes, GitHub failures return sanitized 502 responses, and staging deploy order now preserves current web assets after secret writes.
ui-ux-specialist	PASS	Dropdown follows existing chat input select styling, keeps mobile 44px touch target via compact mode, labels/ARIA are present, CI Playwright visual tests passed, and authenticated staging verification confirmed the custom-domain dropdown renders as a select.
security-auditor	PASS	Endpoint requires authenticated approved project access, verifies owned project/installation, uses installation token only server-side, and response/error bodies do not expose the GitHub token.
test-engineer	PASS	API tests cover parser edge cases, ownership/unsupported/error behavior, token non-leakage, and invalid names; web tests cover dropdown options, loading/error/disabled states, and saved-not-found values.

Exceptions (If any)

• Scope: No exceptions.
• Rationale: N/A.
• Expiration: N/A.

Agent Preflight (Required)

• Preflight completed before code changes

Classification

• external-api-change
• cross-component-change
• business-logic-change
• public-surface-change
• docs-sync-change
• security-sensitive-change
• ui-change
• infra-change

External References

Official documentation for the GitHub REST API was consulted for repository tree and contents discovery behavior:

• https://docs.github.com/en/rest/git/trees
• https://docs.github.com/en/rest/repos/contents

Codebase Impact Analysis

Affected code paths are apps/api/src/routes/projects/devcontainer-configs.ts and apps/api/src/routes/projects/index.ts for the new project-scoped endpoint, apps/web/src/hooks/useDevcontainerConfigs.ts and apps/web/src/components/devcontainer/DevcontainerConfigSelect.tsx for discovery UI state, apps/web/src/lib/api/projects.ts and apps/web/src/lib/api/index.ts for client API wiring, and apps/web/src/pages/project-chat/ChatInput.tsx / index.tsx for the chat submission surface. Tests were added under apps/api/tests/unit/routes/devcontainer-configs.test.ts and apps/web/tests/unit/components/devcontainer-config-select.test.tsx. The reusable staging deploy workflow also re-deploys the API Worker once after secret configuration so the custom-domain Worker ends with the current built asset bundle.

Documentation & Specs

N/A: this change is a small product surface addition for an already-supported devcontainer config field. The API and UI behavior are documented in this PR body, and follow-up surfaces are explicitly out of scope.

Constitution & Risk Check

Checked Principle XI/no hardcoded values by reusing shared DEVCONTAINER_CONFIG_NAME_REGEX and DEVCONTAINER_CONFIG_NAME_MAX_LENGTH instead of duplicating validation rules. Main risks are GitHub API failure, token leakage, and UI/backend drift; the implementation returns sanitized 502 responses, never sends installation tokens to the browser, and keeps chat submission on the existing devcontainerConfigName request path.

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.3% Duplication on New Code

See analysis details on SonarQube Cloud