fix(security-agent): handle invalid GitHub installations

[jeanduplessis]

Summary

Fixes Security Agent Dependabot sync so stale or revoked GitHub App installations are handled as user-remediable reauthorization states instead of Sentry errors.

• Treats Dependabot HTTP 401 as auth_invalid, skips cleanly, and avoids Sentry capture for that expected path.
• Persists auth_invalid_at and auth_invalid_reason on GitHub platform integrations so recent future syncs short-circuit without calling GitHub.
• Prevents owner freshness from advancing when any selected repo hits auth-invalid.
• Clears the auth-invalid state when the installation is refreshed or a Dependabot fetch succeeds.
• Surfaces auth-invalid state through Security Agent permission status so the UI can route users to reauthorization.

For a 50-repo stale installation scenario:

• Before: up to 150 Sentry records from 3 captures per repo, plus sibling Bad credentials issues.
• After: 0 Sentry records for the expected auth-invalid path.

Migration: 0142_purple_jackpot adds nullable platform_integrations.auth_invalid_at and platform_integrations.auth_invalid_reason.

This does not change global GitHub App auth, token generation, app selection, or behavior for installations whose tokens are still valid.

Verification

• Confirmed the local Drizzle migration applies cleanly.
• Reviewed the 50-repo 401 scenario: first 401 marks the installation auth-invalid, no Sentry records are emitted for the expected path, and recent future syncs make zero GitHub calls.

Visual Changes

N/A

Reviewer Notes

• Auth-invalid writes are throttled to match the one-hour short-circuit window.
• Expected 401s use non-Sentry logging; Sentry remains for unexpected handler/storage failures.
• If GitHub incorrectly returns 401 during an upstream incident, this may temporarily mark affected installations as needing reauthorization and short-circuit syncs for up to one hour. Freshness does not advance, no Sentry burst occurs, and the flag clears automatically after GitHub recovers and a Dependabot fetch succeeds. The tradeoff is possible temporary stale freshness or reauthorization UI for users whose installation is still valid.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Both previous suggestions have been addressed: captureException added for Sentry visibility on clearIntegrationAuthInvalid failures, and a clarifying comment added for the time-invariant auth_invalid_at flag behavior.

Files Reviewed (11 files)

• apps/web/src/app/api/internal/code-review-status/[reviewId]/route.test.ts — fixture updated with new nullable columns
• apps/web/src/lib/bot/platforms/github.test.ts — fixture updated with new nullable columns
• apps/web/src/lib/integrations/db/platform-integrations.ts — clears auth_invalid_at in 5 write paths
• apps/web/src/lib/security-agent/core/types.ts — new SyncResult fields look correct
• apps/web/src/lib/security-agent/github/dependabot-api.test.ts — covers classifyFetchAlertsError and 401 path
• apps/web/src/lib/security-agent/github/dependabot-api.ts — 401 classification and non-Sentry warn path looks correct
• apps/web/src/lib/security-agent/router/shared-handlers.ts — previous suggestion resolved: clarifying comment added
• apps/web/src/lib/security-agent/services/sync-service.test.ts — thorough coverage of new paths
• apps/web/src/lib/security-agent/services/sync-service.ts — previous suggestion resolved: captureException added
• packages/db/src/migrations/0142_purple_jackpot.sql — clean DDL, nullable columns, safe for live tables
• packages/db/src/schema.ts — schema matches migration

---

_{Reviewed by claude-4.6-sonnet-20260217 · 205,352 tokens}

_{Review guidance: REVIEW.md from base branch main}