mongrel-intelligence · aaight · Feb 23, 2026 · Feb 23, 2026
diff --git a/src/router/acknowledgments.ts b/src/router/acknowledgments.ts
@@ -10,16 +10,28 @@
  * Errors are always caught and logged — never propagated.
  */
 
-import { getProjectGitHubToken } from '../config/projects.js';
-import { findProjectByRepo } from '../config/provider.js';
 import { markdownToAdf } from '../pm/jira/adf.js';
-import type { ProjectConfig } from '../types/index.js';
 import {
+	_resetJiraBotCache,
+	_resetTrelloBotCache,
 	resolveGitHubHeaders,
+	resolveGitHubTokenForAck,
+	resolveJiraBotAccountId,
 	resolveJiraCredentials,
+	resolveTrelloBotMemberId,
 	resolveTrelloCredentials,
 } from './platformClients.js';
 
+// Re-export bot-identity helpers so callers that import from acknowledgments
+// continue to work without changes.
+export {
+	resolveJiraBotAccountId,
+	resolveTrelloBotMemberId,
+	resolveGitHubTokenForAck,
+	_resetJiraBotCache,
+	_resetTrelloBotCache,
+};
+
 // ---------------------------------------------------------------------------
 // Trello
 // ---------------------------------------------------------------------------
@@ -171,107 +183,3 @@ export async function deleteJiraAck(
 		console.warn('[Ack] Failed to delete JIRA orphan ack:', String(err));
 	}
 }
-
-// ---------------------------------------------------------------------------
-// Bot identity resolution (cached, for self-authored comment detection)
-// ---------------------------------------------------------------------------
-
-const IDENTITY_CACHE_TTL_MS = 60_000; // 60 seconds
-
-const jiraBotCache = new Map<string, { accountId: string; expiresAt: number }>();
-
-/**
- * Resolve the JIRA account ID for the bot credentials linked to a project.
- * Cached per-project with 60s TTL. Returns null on any failure.
- */
-export async function resolveJiraBotAccountId(projectId: string): Promise<string | null> {
-	const cached = jiraBotCache.get(projectId);
-	if (cached && Date.now() < cached.expiresAt) return cached.accountId;
-
-	const creds = await resolveJiraCredentials(projectId);
-	if (!creds) return null;
-
-	try {
-		const response = await fetch(`${creds.baseUrl}/rest/api/2/myself`, {
-			headers: { Authorization: `Basic ${creds.auth}`, Accept: 'application/json' },
-		});
-		if (!response.ok) return null;
-
-		const data = (await response.json()) as { accountId?: string };
-		if (!data.accountId) return null;
-
-		jiraBotCache.set(projectId, {
-			accountId: data.accountId,
-			expiresAt: Date.now() + IDENTITY_CACHE_TTL_MS,
-		});
-		return data.accountId;
-	} catch {
-		return null;
-	}
-}
-
-/** @internal Visible for testing only */
-export function _resetJiraBotCache(): void {
-	jiraBotCache.clear();
-}
-
-const trelloBotCache = new Map<string, { memberId: string; expiresAt: number }>();
-
-/**
- * Resolve the Trello member ID for the bot credentials linked to a project.
- * Cached per-project with 60s TTL. Returns null on any failure.
- */
-export async function resolveTrelloBotMemberId(projectId: string): Promise<string | null> {
-	const cached = trelloBotCache.get(projectId);
-	if (cached && Date.now() < cached.expiresAt) return cached.memberId;
-
-	const creds = await resolveTrelloCredentials(projectId);
-	if (!creds) return null;
-
-	try {
-		const response = await fetch(
-			`https://api.trello.com/1/members/me?key=${creds.apiKey}&token=${creds.token}`,
-			{ headers: { Accept: 'application/json' } },
-		);
-		if (!response.ok) return null;
-
-		const data = (await response.json()) as { id?: string };
-		if (!data.id) return null;
-
-		trelloBotCache.set(projectId, {
-			memberId: data.id,
-			expiresAt: Date.now() + IDENTITY_CACHE_TTL_MS,
-		});
-		return data.id;
-	} catch {
-		return null;
-	}
-}
-
-/** @internal Visible for testing only */
-export function _resetTrelloBotCache(): void {
-	trelloBotCache.clear();
-}
-
-// ---------------------------------------------------------------------------
-// Resolve GitHub token for router-side ack posting
-// ---------------------------------------------------------------------------
-
-/**
- * Resolve a GitHub token for posting ack comments from the router.
- * Uses the implementer token since ack comments are "from" the bot.
- */
-export async function resolveGitHubTokenForAck(
-	repoFullName: string,
-): Promise<{ token: string; project: ProjectConfig } | null> {
-	const project = await findProjectByRepo(repoFullName);
-	if (!project) return null;
-
-	try {
-		const token = await getProjectGitHubToken(project);
-		return { token, project };
-	} catch {
-		console.warn('[Ack] Missing GitHub token for repo:', repoFullName);
-		return null;
-	}
-}
diff --git a/src/router/platformClients.ts b/src/router/platformClients.ts
@@ -2,12 +2,19 @@
  * Shared credential resolution and platform API header helpers for router modules.
  *
  * Resolves credentials once per call and returns typed objects.
+ * Also provides cached bot identity lookups and JIRA cloudId resolution.
  * Callers use raw `fetch()` — the router Docker image does not bundle
  * `src/trello/client.ts` or `src/github/client.ts`.
  */
 
-import { findProjectById, getIntegrationCredential } from '../config/provider.js';
+import { getProjectGitHubToken } from '../config/projects.js';
+import {
+	findProjectById,
+	findProjectByRepo,
+	getIntegrationCredential,
+} from '../config/provider.js';
 import { getJiraConfig } from '../pm/config.js';
+import type { ProjectConfig } from '../types/index.js';
 
 // ---------------------------------------------------------------------------
 // Credential resolution helpers
@@ -76,3 +83,159 @@ export function resolveGitHubHeaders(
 		...extra,
 	};
 }
+
+// ---------------------------------------------------------------------------
+// GitHub token resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve a GitHub implementer token for a given repository.
+ * Returns the token and resolved project, or null on failure.
+ */
+export async function getGitHubTokenForProject(
+	repoFullName: string,
+): Promise<{ token: string; project: ProjectConfig } | null> {
+	const project = await findProjectByRepo(repoFullName);
+	if (!project) return null;
+
+	try {
+		const token = await getProjectGitHubToken(project);
+		return { token, project };
+	} catch {
+		return null;
+	}
+}
+
+/**
+ * Resolve a GitHub implementer token for acknowledgment posting.
+ * Alias of getGitHubTokenForProject for backward compatibility.
+ */
+export async function resolveGitHubTokenForAck(
+	repoFullName: string,
+): Promise<{ token: string; project: ProjectConfig } | null> {
+	return getGitHubTokenForProject(repoFullName);
+}
+
+// ---------------------------------------------------------------------------
+// Bot identity caches
+// ---------------------------------------------------------------------------
+
+const IDENTITY_CACHE_TTL_MS = 60_000; // 60 seconds
+
+// Trello bot member ID cache (per project)
+const trelloBotCache = new Map<string, { memberId: string; expiresAt: number }>();
+
+/**
+ * Resolve the Trello member ID for the bot credentials linked to a project.
+ * Cached per-project with 60s TTL. Returns null on any failure.
+ */
+export async function resolveTrelloBotMemberId(projectId: string): Promise<string | null> {
+	const cached = trelloBotCache.get(projectId);
+	if (cached && Date.now() < cached.expiresAt) return cached.memberId;
+
+	const creds = await resolveTrelloCredentials(projectId);
+	if (!creds) return null;
+
+	try {
+		const response = await fetch(
+			`https://api.trello.com/1/members/me?key=${creds.apiKey}&token=${creds.token}`,
+			{ headers: { Accept: 'application/json' } },
+		);
+		if (!response.ok) return null;
+
+		const data = (await response.json()) as { id?: string };
+		if (!data.id) return null;
+
+		trelloBotCache.set(projectId, {
+			memberId: data.id,
+			expiresAt: Date.now() + IDENTITY_CACHE_TTL_MS,
+		});
+		return data.id;
+	} catch {
+		return null;
+	}
+}
+
+/** @internal Visible for testing only */
+export function _resetTrelloBotCache(): void {
+	trelloBotCache.clear();
+}
+
+// JIRA bot account ID cache (per project)
+const jiraBotCache = new Map<string, { accountId: string; expiresAt: number }>();
+
+/**
+ * Resolve the JIRA account ID for the bot credentials linked to a project.
+ * Cached per-project with 60s TTL. Returns null on any failure.
+ */
+export async function resolveJiraBotAccountId(projectId: string): Promise<string | null> {
+	const cached = jiraBotCache.get(projectId);
+	if (cached && Date.now() < cached.expiresAt) return cached.accountId;
+
+	const creds = await resolveJiraCredentials(projectId);
+	if (!creds) return null;
+
+	try {
+		const response = await fetch(`${creds.baseUrl}/rest/api/2/myself`, {
+			headers: { Authorization: `Basic ${creds.auth}`, Accept: 'application/json' },
+		});
+		if (!response.ok) return null;
+
+		const data = (await response.json()) as { accountId?: string };
+		if (!data.accountId) return null;
+
+		jiraBotCache.set(projectId, {
+			accountId: data.accountId,
+			expiresAt: Date.now() + IDENTITY_CACHE_TTL_MS,
+		});
+		return data.accountId;
+	} catch {
+		return null;
+	}
+}
+
+/** @internal Visible for testing only */
+export function _resetJiraBotCache(): void {
+	jiraBotCache.clear();
+}
+
+// JIRA CloudId cache (per baseUrl)
+const jiraCloudIdCache = new Map<string, string>();
+
+/**
+ * Lightweight JIRA cloudId resolver with in-memory cache.
+ * Keyed by baseUrl. Returns null on any failure.
+ */
+export async function getJiraCloudId(creds: JiraCredentials): Promise<string | null> {
+	const cached = jiraCloudIdCache.get(creds.baseUrl);
+	if (cached) return cached;
+
+	let response: Response;
+	try {
+		response = await fetch(`${creds.baseUrl}/_edge/tenant_info`, {
+			headers: { Authorization: `Basic ${creds.auth}` },
+		});
+	} catch (err) {
+		console.warn('[PlatformClients] Failed to fetch JIRA cloudId:', String(err));
+		return null;
+	}
+
+	if (!response.ok) {
+		console.warn('[PlatformClients] JIRA tenant_info returned', response.status);
+		return null;
+	}
+
+	const data = (await response.json()) as { cloudId?: string };
+	if (!data.cloudId) {
+		console.warn('[PlatformClients] JIRA tenant_info missing cloudId');
+		return null;
+	}
+
+	jiraCloudIdCache.set(creds.baseUrl, data.cloudId);
+	return data.cloudId;
+}
+
+/** @internal Visible for testing only */
+export function _resetJiraCloudIdCache(): void {
+	jiraCloudIdCache.clear();
+}
diff --git a/src/router/reactions.ts b/src/router/reactions.ts
@@ -14,56 +14,15 @@ import { trelloClient, withTrelloCredentials } from '../trello/client.js';
 import type { ProjectConfig } from '../types/index.js';
 import { parseRepoFullName } from '../utils/repo.js';
 import {
+	_resetJiraCloudIdCache,
+	getJiraCloudId,
 	resolveGitHubHeaders,
 	resolveJiraCredentials,
 	resolveTrelloCredentials,
 } from './platformClients.js';
 
-// In-memory JIRA CloudId cache keyed by baseUrl
-const jiraCloudIdCache = new Map<string, string>();
-
-/**
- * Lightweight JIRA cloudId resolver with in-memory cache.
- * Mirrors jiraClient.getCloudId() but uses standalone fetch() with explicit credentials.
- */
-async function getJiraCloudId(
-	baseUrl: string,
-	email: string,
-	apiToken: string,
-): Promise<string | null> {
-	const cached = jiraCloudIdCache.get(baseUrl);
-	if (cached) return cached;
-
-	const auth = Buffer.from(`${email}:${apiToken}`).toString('base64');
-	let response: Response;
-	try {
-		response = await fetch(`${baseUrl}/_edge/tenant_info`, {
-			headers: { Authorization: `Basic ${auth}` },
-		});
-	} catch (err) {
-		console.warn('[Reactions] Failed to fetch JIRA cloudId:', String(err));
-		return null;
-	}
-
-	if (!response.ok) {
-		console.warn('[Reactions] JIRA tenant_info returned', response.status);
-		return null;
-	}
-
-	const data = (await response.json()) as { cloudId?: string };
-	if (!data.cloudId) {
-		console.warn('[Reactions] JIRA tenant_info missing cloudId');
-		return null;
-	}
-
-	jiraCloudIdCache.set(baseUrl, data.cloudId);
-	return data.cloudId;
-}
-
-/** @internal Visible for testing only */
-export function _resetJiraCloudIdCache(): void {
-	jiraCloudIdCache.clear();
-}
+// Re-export cache reset for test compatibility
+export { _resetJiraCloudIdCache };
 
 // ---------------------------------------------------------------------------
 // Platform-specific reaction senders
@@ -204,7 +163,7 @@ async function sendJiraReaction(projectId: string, payload: unknown): Promise<vo
 	}
 
 	// Try the reactions API first
-	const cloudId = await getJiraCloudId(creds.baseUrl, creds.email, creds.apiToken);
+	const cloudId = await getJiraCloudId(creds);
 	if (cloudId) {
 		const emojiId = 'atlassian-thought_balloon';
 		const ari = `ari%3Acloud%3Ajira%3A${cloudId}%3Acomment%2F${issueId}%2F${commentId}`;