docs(blog): add GitHub Issues integration article

Add English blog post documenting HagiCode's frontend-direct approach
to GitHub Issues integration, covering OAuth flow, security design,
and the synchronization data flow.

Co-Authored-By: Hagicode <noreply@hagicode.com>
Signed-off-by: newbe36524 <newbe36524@qq.com>

Author: newbe36524

src/content/docs/en/blog/2026-01-22-github-issues-集成.mdx

@@ -0,0 +1,344 @@
+---
+title: "GitHub Issues Integration"
+date: 2026-01-22
+truncate: true
+tags: [GitHub, GitHub Issues, OAuth, Frontend Architecture, HagiCode]
+description: "This article documents the full process of integrating GitHub Issues into the HagiCode platform. We explore how a frontend-direct plus minimal-backend architecture can deliver secure OAuth authentication and efficient Issue synchronization while keeping the backend lightweight."
+---
+
+## Building GitHub Issues Integration from Scratch: HagiCode's Frontend-Direct Approach
+
+> This article documents the full process of integrating GitHub Issues into the HagiCode platform. We explore how a "frontend-direct + minimal-backend" architecture can deliver secure OAuth authentication and efficient Issues synchronization while keeping the backend lightweight.
+
+## Background: Why Integrate GitHub?
+
+As an AI-assisted development platform, HagiCode's core value lies in connecting ideas with implementation. In real usage, however, we found that after users complete a Proposal in HagiCode, they often still need to manually copy the content into GitHub Issues for project tracking.
+
+This creates several obvious pain points:
+
+1.  **Fragmented workflow**: Users have to switch back and forth between two systems. The experience is not only clumsy, but also makes it easy for critical information to get lost during copy and paste.
+2.  **Inconvenient collaboration**: Other team members are used to reviewing tasks on GitHub and cannot directly see proposal progress inside HagiCode.
+3.  **Duplicate work**: Every time a proposal is updated, someone has to manually update the corresponding Issue on GitHub, which adds unnecessary maintenance cost.
+
+To solve this problem, we decided to introduce the **GitHub Issues Integration** feature, connecting HagiCode sessions with GitHub repositories and enabling "one-click sync."
+
+## About HagiCode
+
+> Hey, let us introduce what we're building.
+
+We are building **HagiCode**, an AI-powered coding assistant designed to make development smarter, more convenient, and more fun.
+
+**Smart**: AI assists throughout the process, from idea to code, multiplying development efficiency. **Convenient**: Multithreaded concurrent operations make full use of resources and keep the workflow smooth. **Fun**: Gamification and an achievement system make coding less tedious and much more rewarding.
+
+The project is evolving quickly. If you're interested in technical writing, knowledge management, or AI-assisted development, come take a look on [GitHub](https://github.com/HagiCode-org/site).
+
+---
+
+## Architecture Choice: Frontend-Direct vs Backend Proxy
+
+When designing the integration, we had two paths in front of us: the traditional "backend proxy" model and a more aggressive "frontend-direct" model.
+
+### Comparing the Approaches
+
+In the traditional **backend proxy model**, every request from the frontend must first pass through our backend, which then calls the GitHub API. This centralizes the logic, but it also puts a substantial burden on the backend:
+
+1.  **Bloated backend**: We would need a dedicated GitHub API client wrapper and would also have to handle OAuth's complex state machine.
+2.  **Token risk**: The user's GitHub token would have to be stored in the backend database. Even if encrypted, that still increases the security exposure surface.
+3.  **Development cost**: We would need database migrations to store tokens and an additional synchronization service to maintain.
+
+The **frontend-direct model** is much lighter. In this approach, the backend is used only for the most sensitive "secret exchange" step, namely the OAuth callback. Once the token is obtained, it is stored directly in the browser's `localStorage`. After that, operations such as creating Issues or updating comments are sent straight from the frontend to GitHub over HTTP.
+
+| Comparison Dimension | Backend Proxy Model | Frontend-Direct Model |
+| :--- | :--- | :--- |
+| **Backend complexity** | Requires a full OAuth service and GitHub API client | Only requires a single OAuth callback endpoint |
+| **Token management** | Must be encrypted and stored in the database, with leak risk | Stored in the browser and visible only to the user |
+| **Implementation cost** | Requires database migrations and multi-service development | Mostly frontend effort |
+| **User experience** | Unified logic, but potentially higher server latency | Extremely responsive, interacts directly with GitHub |
+
+Because we wanted fast integration and minimal backend changes, **we ultimately chose the frontend-direct model**. It is like giving the browser a temporary pass. Once it has that pass, it can go handle business with GitHub on its own without asking the backend administrator for approval every time.
+
+---
+
+## Core Design: Data Flow and Security
+
+Once the architecture was decided, we had to design the actual data flow. The heart of the synchronization process is safely obtaining the token and using it efficiently.
+
+### Overall Architecture Diagram
+
+The whole system can be abstracted into three roles: the browser (frontend), the HagiCode backend, and GitHub.
+
+```text
++--------------+        +--------------+        +--------------+
+| Frontend     |        |   Backend    |        |    GitHub    |
+| React        |        |   ASP.NET    |        |   REST API   |
+|              |        |              |        |              |
+|  +--------+  |        |              |        |              |
+|  | OAuth  |--+--------> /callback    |        |              |
+|  | Flow   |  |        |              |        |              |
+|  +--------+  |        |              |        |              |
+|              |        |              |        |              |
+|  +--------+  |        |  +--------+  |        |  +--------+  |
+|  | GitHub |  +------------>Session |  +----------> Issues |  |
+|  | API    |  |        |  |Metadata|  |        |  |        |  |
+|  | Direct |  |        |  +--------+  |        |  +--------+  |
+|  +--------+  |        |              |        |              |
++--------------+        +--------------+        +--------------+
+```
+
+**The key point is this**: only one small part of OAuth, exchanging the code for a token, needs to go through the backend. After that, the heavy lifting, such as creating the Issue, is handled directly between the frontend and GitHub.
+
+### Detailed Synchronization Data Flow
+
+When a user clicks the "Sync to GitHub" button in the HagiCode interface, a series of complex actions takes place:
+
+```text
+User clicks "Sync to GitHub"
+         │
+         ▼
+1. Frontend checks localStorage for the GitHub token
+         │
+         ▼
+2. Format the Issue content (convert the Proposal into Markdown)
+         │
+         ▼
+3. Frontend directly calls the GitHub API to create or update the Issue
+         │
+         ▼
+4. Call the HagiCode backend API to update Session.metadata (store Issue URL and related info)
+         │
+         ▼
+5. Backend broadcasts a SessionUpdated event through SignalR
+         │
+         ▼
+6. Frontend receives the event and updates the UI to show the "Synced" state
+```
+
+### Security Design
+
+Security is always the top priority when integrating third-party services. We made the following considerations:
+
+1.  **CSRF protection**: During the OAuth redirect, we generate a random `state` parameter and store it in `sessionStorage`. On callback, we strictly validate the state to prevent forged requests.
+2.  **Isolated token storage**: The token is stored only in the browser's `localStorage`. Thanks to the Same-Origin Policy, only HagiCode's scripts can read it, which avoids putting users at risk from a server-side database leak.
+3.  **Error boundaries**: We designed dedicated error handling for common GitHub API failures, such as `401` for expired tokens, `422` for validation failures, and `429` for rate limits, so users receive clear and friendly feedback.
+
+---
+
+## In Practice: Implementation Details
+
+Theory is one thing; implementation is another. Let's look at how the code comes together.
+
+### 1. Minimal Backend Changes
+
+The backend only needs to do two things: store synchronization information and handle the OAuth callback.
+
+**Database change**
+We only need to add a `Metadata` column to the `Sessions` table to store JSON-formatted extension data.
+
+```sql
+-- Add metadata column to Sessions table
+ALTER TABLE "Sessions" ADD COLUMN "Metadata" text NULL;
+```
+
+**Entity and DTO definitions**
+
+```csharp
+// src/HagiCode.DomainServices.Contracts/Entities/Session.cs
+public class Session : AuditedAggregateRoot<SessionId>
+{
+    // ... other properties ...
+
+    /// <summary>
+    /// JSON metadata for storing extension data like GitHub integration
+    /// </summary>
+    public string? Metadata { get; set; }
+}
+
+// DTO definition for easier frontend serialization
+public class GitHubIssueMetadata
+{
+    public required string Owner { get; set; }
+    public required string Repo { get; set; }
+    public int IssueNumber { get; set; }
+    public required string IssueUrl { get; set; }
+    public DateTime SyncedAt { get; set; }
+    public string LastSyncStatus { get; set; } = "success";
+}
+
+public class SessionMetadata
+{
+    public GitHubIssueMetadata? GitHubIssue { get; set; }
+}
+```
+
+### 2. Frontend OAuth Flow
+
+This is the entry point of the connection. We use the standard Authorization Code Flow.
+
+```typescript
+// src/HagiCode.Client/src/services/githubOAuth.ts
+
+// Generate the authorization URL and redirect
+export async function generateAuthUrl(): Promise<string> {
+  const state = generateRandomString(); // Generate a random string for CSRF protection
+  sessionStorage.setItem('hagicode_github_state', state);
+  
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: window.location.origin + '/settings?tab=github&oauth=callback',
+    scope: ['repo', 'public_repo'].join(' '),
+    state: state,
+  });
+  
+  return `https://github.com/login/oauth/authorize?${params.toString()}`;
+}
+
+// Exchange the code for a token on the callback page
+export async function exchangeCodeForToken(code: string, state: string): Promise<GitHubToken> {
+  // 1. Validate the state to prevent CSRF
+  const savedState = sessionStorage.getItem('hagicode_github_state');
+  if (state !== savedState) throw new Error('Invalid state parameter');
+
+  // 2. Call the backend API to perform the token exchange
+  // Note: this step must go through the backend because it requires ClientSecret,
+  // which must not be exposed in the frontend
+  const response = await fetch('/api/GitHubOAuth/callback', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ code, state, redirectUri: window.location.origin + '/settings?tab=github&oauth=callback' }),
+  });
+
+  if (!response.ok) throw new Error('Failed to exchange token');
+  
+  const token = await response.json();
+  
+  // 3. Save it to LocalStorage
+  saveToken(token);
+  return token;
+}
+```
+
+### 3. GitHub API Client Wrapper
+
+Once we have the token, we need a reliable tool for calling the GitHub API.
+
+```typescript
+// src/HagiCode.Client/src/services/githubApiClient.ts
+
+const GITHUB_API_BASE = 'https://api.github.com';
+
+// Core request wrapper
+async function githubApi<T>(endpoint: string, options: RequestInit = {}): Promise<T> {
+  const token = localStorage.getItem('gh_token');
+  if (!token) throw new Error('Not connected to GitHub');
+  
+  const response = await fetch(`${GITHUB_API_BASE}${endpoint}`, {
+    ...options,
+    headers: {
+      ...options.headers,
+      Authorization: `Bearer ${token}`,
+      Accept: 'application/vnd.github.v3+json', // Specify the API version
+    },
+  });
+  
+  // Error handling logic
+  if (!response.ok) {
+    if (response.status === 401) throw new Error('GitHub token expired, please reconnect');
+    if (response.status === 403) throw new Error('No permission to access this repository or rate limit exceeded');
+    if (response.status === 422) throw new Error('Issue validation failed, possibly due to a duplicate title');
+    throw new Error(`GitHub API Error: ${response.statusText}`);
+  }
+  
+  return response.json();
+}
+
+// Create an Issue
+export async function createIssue(owner: string, repo: string, data: { title: string, body: string, labels: string[] }) {
+  return githubApi(`/repos/${owner}/${repo}/issues`, {
+    method: 'POST',
+    body: JSON.stringify(data),
+  });
+}
+```
+
+### 4. Content Formatting and Synchronization
+
+The final step is converting HagiCode session data into the GitHub Issue format. It is a bit like doing translation work.
+
+```typescript
+// Convert a Session object to a Markdown string
+function formatIssueForSession(session: Session): string {
+  let content = `# ${session.title}\n\n`;
+  content += `**> HagiCode Session:** #${session.code}\n`;
+  content += `**> Status:** ${session.status}\n\n`;
+  content += `## Description\n\n${session.description || 'No description provided.'}\n\n`;
+  
+  // If this is a Proposal session, add extra fields
+  if (session.type === 'proposal') {
+    content += `## Chief Complaint\n\n${session.chiefComplaint || ''}\n\n`;
+    // Add a deep link so users can jump back from GitHub to HagiCode
+    content += `---\n\n**[View in HagiCode](hagicode://sessions/${session.id})**\n`;
+  }
+  
+  return content;
+}
+
+// Main logic for clicking the sync button
+const handleSync = async (session: Session) => {
+  try {
+    const repoInfo = parseRepositoryFromUrl(session.repoUrl); // Parse the repository URL
+    if (!repoInfo) throw new Error('Invalid repository URL');
+
+    toast.loading('Syncing to GitHub...');
+    
+    // 1. Format the content
+    const issueBody = formatIssueForSession(session);
+    
+    // 2. Call the API
+    const issue = await githubApiClient.createIssue(repoInfo.owner, repoInfo.repo, {
+      title: `[HagiCode] ${session.title}`,
+      body: issueBody,
+      labels: ['hagicode', 'proposal', `status:${session.status}`],
+    });
+    
+    // 3. Update Session Metadata (store the Issue link)
+    await SessionsService.patchApiSessionsSessionId(session.id, {
+      metadata: {
+        githubIssue: {
+          owner: repoInfo.owner,
+          repo: repoInfo.repo,
+          issueNumber: issue.number,
+          issueUrl: issue.html_url,
+          syncedAt: new Date().toISOString(),
+        }
+      }
+    });
+
+    toast.success('Sync successful!');
+  } catch (err) {
+    console.error(err);
+    toast.error('Sync failed, please check the token or network');
+  }
+};
+```
+
+---
+
+## Summary and Outlook
+
+With this frontend-direct approach, we achieved seamless GitHub Issues integration with the smallest possible amount of backend code.
+
+### What We Gained
+1.  **High development efficiency**: Backend changes were minimal, mainly one extra database field and a simple OAuth callback endpoint, while most of the logic stayed in the frontend.
+2.  **Strong security**: The token does not pass through the server database, which reduces the risk of leakage.
+3.  **Better user experience**: Requests are initiated directly from the frontend, so responses are fast and do not need backend relay.
+
+### Things to Watch Out For
+When deploying this in practice, there are a few pitfalls to keep in mind:
+- **OAuth App configuration**: Make sure the `Authorization callback URL` in your GitHub OAuth App settings is correct, usually `http://localhost:3000/settings?tab=github&oauth=callback`.
+- **Rate limits**: GitHub API limits unauthenticated requests heavily, but authenticated requests with a token are usually sufficient at 5000 requests per hour.
+- **URL parsing**: Repository URLs entered by users can come in many forms, so your regex should handle `.git` suffixes, SSH format, and similar cases.
+
+### Future Enhancements
+The current feature still supports only one-way synchronization, from HagiCode to GitHub. In the future, we plan to implement two-way synchronization through GitHub Webhooks. For example, when an Issue is closed on GitHub, the session status in HagiCode could update automatically as well. That will require the backend to expose a webhook receiver endpoint, which is also the next interesting piece of work on our roadmap.
+
+We hope this article gives you a few ideas for building your own third-party integrations. If you have questions, feel free to open an Issue on [HagiCode GitHub](https://github.com/HagiCode-org/site).