fix(#1640): fall back to /app endpoint for bot user detection

internal/forge/github/github.go

@@ -900,19 +900,43 @@ func (c *LiveClient) GetOrgPlan(ctx context.Context, org string) (string, error)
 }
 
 // GetAuthenticatedUser returns the login of the authenticated user.
+//
+// For classic PATs and OAuth tokens the identity comes from GET /user.
+// GitHub App installation tokens cannot call /user, so when that call
+// fails the method falls back to GET /app and constructs the
+// conventional bot login "{slug}[bot]".
 func (c *LiveClient) GetAuthenticatedUser(ctx context.Context) (string, error) {
 	resp, err := c.get(ctx, "/user")
-	if err != nil {
+	if err == nil {
+		var user struct {
+			Login string `json:"login"`
+		}
+		if err := decodeJSON(resp, &user); err != nil {
+			return "", fmt.Errorf("decode user: %w", err)
+		}
+		return user.Login, nil
+	}
+
+	// /user is not available for GitHub App installation tokens.
+	// Fall back to /app which returns the app's metadata including
+	// its slug, from which we derive the bot login.
+	appResp, appErr := c.get(ctx, "/app")
+	if appErr != nil {
+		// Neither endpoint worked — return the original /user error
+		// because that is the more common path.
 		return "", fmt.Errorf("get authenticated user: %w", err)
 	}
 
-	var user struct {
-		Login string `json:"login"`
+	var app struct {
+		Slug string `json:"slug"`
+	}
+	if appErr := decodeJSON(appResp, &app); appErr != nil {
+		return "", fmt.Errorf("decode app: %w", appErr)
 	}
-	if err := decodeJSON(resp, &user); err != nil {
-		return "", fmt.Errorf("decode user: %w", err)
+	if app.Slug == "" {
+		return "", fmt.Errorf("get authenticated user: /app returned empty slug")
 	}
-	return user.Login, nil
+	return app.Slug + "[bot]", nil
 }
 
 // GetTokenScopes returns the OAuth scopes granted to the current token

internal/forge/github/github_test.go

@@ -310,6 +310,68 @@ func TestGetAuthenticatedUser(t *testing.T) {
 	assert.Equal(t, "test-bot", user)
 }
 
+func TestGetAuthenticatedUser_FallbackToApp(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/user":
+			// Simulate GitHub App installation token: /user returns 403.
+			w.WriteHeader(http.StatusForbidden)
+			json.NewEncoder(w).Encode(map[string]any{
+				"message": "Resource not accessible by integration",
+			})
+		case "/app":
+			json.NewEncoder(w).Encode(map[string]any{
+				"slug": "fullsend-ai-review",
+			})
+		default:
+			t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+		}
+	}))
+	defer srv.Close()
+
+	client := newTestClient(t, srv)
+	user, err := client.GetAuthenticatedUser(context.Background())
+	require.NoError(t, err)
+	assert.Equal(t, "fullsend-ai-review[bot]", user)
+}
+
+func TestGetAuthenticatedUser_BothFail(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusForbidden)
+		json.NewEncoder(w).Encode(map[string]any{
+			"message": "forbidden",
+		})
+	}))
+	defer srv.Close()
+
+	client := newTestClient(t, srv)
+	_, err := client.GetAuthenticatedUser(context.Background())
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "get authenticated user")
+}
+
+func TestGetAuthenticatedUser_AppEmptySlug(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/user":
+			w.WriteHeader(http.StatusForbidden)
+			json.NewEncoder(w).Encode(map[string]any{
+				"message": "forbidden",
+			})
+		case "/app":
+			json.NewEncoder(w).Encode(map[string]any{
+				"slug": "",
+			})
+		}
+	}))
+	defer srv.Close()
+
+	client := newTestClient(t, srv)
+	_, err := client.GetAuthenticatedUser(context.Background())
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "empty slug")
+}
+
 func TestCreateRepoSecret(t *testing.T) {
 	callNum := 0
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {