WIP - feat(github-import): provision deco.cx site and admin MCP on GitHub i…

[guitavano]

…mport

When importing a GitHub repository, the flow now also:

• Creates a deco.cx site on Supabase with selfHosting metadata
• Creates an admin MCP connection pointing to sites-admin-mcp
• Links both GitHub and admin connections to the Virtual MCP project
• Sets up pinned views (Preview, Assets, Monitor) when admin conn is available

Also:

• Extracts shared Supabase helpers into deco-supabase.ts
• Adds "Manage" link to GitHub connected accounts (org-aware URL)
• Gracefully skips deco.cx provisioning when Supabase is not configured

Made-with: Cursor

What is this contribution about?

Describe your changes and why they're needed.

Screenshots/Demonstration

Add screenshots or a Loom video if your changes affect the UI.

How to Test

Provide step-by-step instructions for reviewers to test your changes:

1. Step one
2. Step two
3. Expected outcome

Migration Notes

If this PR requires database migrations, configuration changes, or other setup steps, document them here. Remove this section if not applicable.

Review Checklist

• PR title is clear and descriptive
• Changes are tested and working
• Documentation is updated (if needed)
• No breaking changes

---

Summary by cubic

Adds GitHub repository import via a GitHub App and auto‑provisions a matching deco.cx site with an admin MCP, linking both connections to the new Virtual MCP project for a ready-to-use workflow.

• New Features

  • GitHub App flow: install, check status, disconnect; list repos and create a GitHub connection via /api/github-repos; “Manage” link in account popover uses org-aware URL.
  • On import (when Supabase is configured): create a deco.cx site with selfHosting metadata, create an admin MCP connection to ADMIN_MCP, link both connections to the project, and pin Preview/Assets/Monitor views.
  • Extracted shared Supabase helpers into deco-supabase.ts and refactored deco-sites to use them.
  • New UI: GitHub import dialog in onboarding, GitHub card enabled, and “Manage/Disconnect” controls in the account popover.

• Migration

  • Run new DB migrations 063 and 064.
  • Set GitHub App envs: GITHUB_APP_SLUG, GITHUB_APP_ID, GITHUB_APP_PRIVATE_KEY.
  • Optional for deco provisioning: DECO_SUPABASE_URL, DECO_SUPABASE_SERVICE_KEY.
  • Ensure the admin MCP URL is reachable; update ADMIN_MCP in deco-supabase.ts if your endpoint differs.

^{Written for commit 5cddbc6. Summary will update on new commits.}

[github-actions]

🧪 Benchmark

Should we run the Virtual MCP strategy benchmark for this PR?

React with 👍 to run the benchmark.

Reaction	Action
👍	Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.

[github-actions]

Release Options

Suggested: Patch (2.225.4) — default (no conventional commit prefix detected)

React with an emoji to override the release type:

Reaction	Type	Next Version
👍	Prerelease	2.225.4-alpha.1
🎉	Patch	2.225.4
❤️	Minor	2.226.0
🚀	Major	3.0.0

Current version: 2.225.3

Note: If multiple reactions exist, the smallest bump wins. If no reactions, the suggested bump is used (default: patch).

[cubic-dev-ai]

3 issues found across 14 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/mesh/src/api/routes/github-repos.ts">

<violation number="1" location="apps/mesh/src/api/routes/github-repos.ts:192">
P2: Auth guard checks `auth.user?.id` which rejects API-key authenticated requests. Use `getUserId(ctx)` (already imported) or `isAuthenticated(ctx)` to support both auth methods.

(Based on your team's feedback about using getUserId(ctx) instead of accessing ctx.auth.user directly.) [FEEDBACK_USED]</violation>
</file>

<file name="apps/mesh/src/web/components/account-popover.tsx">

<violation number="1" location="apps/mesh/src/web/components/account-popover.tsx:295">
P2: Query errors are rendered as “Not connected”, which misreports GitHub connection state on network/API failures. Add an explicit error state before the disconnected fallback.</violation>
</file>

<file name="apps/mesh/migrations/059-github-installation-id.ts">

<violation number="1" location="apps/mesh/migrations/059-github-installation-id.ts:23">
P2: `down()` can fail because it sets `access_token` back to NOT NULL without first handling rows that now contain NULL.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Auth guard checks auth.user?.id which rejects API-key authenticated requests. Use getUserId(ctx) (already imported) or isAuthenticated(ctx) to support both auth methods.

(Based on your team's feedback about using getUserId(ctx) instead of accessing ctx.auth.user directly.)

View Feedback

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/mesh/src/api/routes/github-repos.ts, line 192:

<comment>Auth guard checks `auth.user?.id` which rejects API-key authenticated requests. Use `getUserId(ctx)` (already imported) or `isAuthenticated(ctx)` to support both auth methods.

(Based on your team's feedback about using getUserId(ctx) instead of accessing ctx.auth.user directly.) </comment>

<file context>
@@ -0,0 +1,608 @@
+  "/connection",
+]) {
+  app.use(path, async (c, next) => {
+    if (!c.get("meshContext").auth.user?.id)
+      return c.json({ error: "Unauthorized" }, 401);
+    return next();
</file context>

[cubic-dev-ai]

P2: Query errors are rendered as “Not connected”, which misreports GitHub connection state on network/API failures. Add an explicit error state before the disconnected fallback.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/mesh/src/web/components/account-popover.tsx, line 295:

<comment>Query errors are rendered as “Not connected”, which misreports GitHub connection state on network/API failures. Add an explicit error state before the disconnected fallback.</comment>

<file context>
@@ -252,7 +254,75 @@ function PreferenceRow({
+    return <span className="text-xs text-muted-foreground">Checking…</span>;
+  }
+
+  if (!statusData?.connected) {
+    return <span className="text-xs text-muted-foreground">Not connected</span>;
+  }
</file context>

[cubic-dev-ai]

P2: down() can fail because it sets access_token back to NOT NULL without first handling rows that now contain NULL.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/mesh/migrations/059-github-installation-id.ts, line 23:

<comment>`down()` can fail because it sets `access_token` back to NOT NULL without first handling rows that now contain NULL.</comment>

<file context>
@@ -0,0 +1,31 @@
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await sql`ALTER TABLE github_credentials ALTER COLUMN access_token SET NOT NULL`.execute(
+    db,
+  );
</file context>

Suggested change

	await sql`ALTER TABLE github_credentials ALTER COLUMN access_token SET NOT NULL`.execute(
	db,
	);
	await sql`UPDATE github_credentials SET access_token = '' WHERE access_token IS NULL`.execute(db);
	await sql`ALTER TABLE github_credentials ALTER COLUMN access_token SET NOT NULL`.execute(
	db,
	);