/health lists repositories after GitHub App removal, causing stale installed-repo checks

[leonaIee]

Description

The public /api/v1/health endpoint reports repositories that no longer have an active GitHub App installation.

When the GitHub App is uninstalled, or when a repository is removed from an installation, das-github-mirror intentionally keeps the repository row for historical data. The uninstall/removal handlers clear the active installation state by setting installationId to null and registered to false.

However, the health endpoint currently returns every row from the repos table. It does not filter out repositories where installationId is null. As a result, /health can still list repositories that are no longer connected to the GitHub App.

This is especially important because gittensor-ui uses the mirror health endpoint to verify whether the Gittensor Mirror GitHub App is installed on a repository before allowing registration submissions. If /health includes stale inactive repositories, the UI can incorrectly treat an uninstalled repository as valid.

Relevant code:

• packages/das/src/webhook/handlers/installation.handler.ts
  • On installation.deleted, repos are soft-cleared with installationId: null and registered: false.
  • On installation_repositories.removed, removed repos are also soft-cleared.
• packages/das/src/api/health.controller.ts
  • listRepoHealth() selects all repos using this.repoRepo.find({ select: ["repoFullName", "lastEventAt"] }).
  • There is no filter for active installations, such as installationId IS NOT NULL.
• gittensor-ui/src/api/MirrorApi.ts
  • The UI uses /health to check whether a repository is tracked/installed.

Steps to Reproduce

1. Install the Gittensor Mirror GitHub App on a repository, for example owner/repo, so that a row is created in the mirror repos table.

2. Remove that repository from the GitHub App installation, or uninstall the GitHub App completely.

3. Confirm the repository row remains in the database with installation_id = NULL and registered = false.

4. Call the public health endpoint:

   curl https://<mirror-host>/api/v1/health

5. Check the repos array in the response.

Expected Behavior

Repositories without an active GitHub App installation should not be returned as tracked repositories by /api/v1/health.

For example, a repository with installation_id = NULL should be excluded from the repos list, because the mirror can no longer fetch GitHub data for it.

Actual Behavior

/api/v1/health returns all repository rows, including repositories where installation_id = NULL and registered = false.

This can cause consumers of /health, such as gittensor-ui, to believe the GitHub App is still installed on a repository even after it has been removed or uninstalled.

Environment

• OS: Production/server environment
• Runtime/Node version: Node.js service running das-github-mirror
• Browser: Applicable when reproducing through gittensor-ui

Additional Context

This issue is not about deleting historical mirror data. Preserving old repository data appears intentional and useful.

The issue is that /health is used as an active tracking/installation signal, but it currently includes inactive preserved rows. A likely fix is to make the health endpoint list only repositories with an active installation, for example by filtering out rows where installation_id IS NULL.

This would make the endpoint match how downstream consumers currently interpret it: repositories returned by /health are repositories currently connected to the GitHub App.