`05bcb8a`

S16: danger-zone routes + transfer inbox + restore page + redirect lookup

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 6 days ago

SHA: 05bcb8a6be9abc06d77fea27a363dc351bcd4064
Parents: 9256e8c
Tree: ebde4e1

8 changed files

Status	File	+
M	`internal/web/handlers/handlers.go`	11
A	`internal/web/handlers/repo/lifecycle.go`	371
A	`internal/web/handlers/repo/redirect.go`	56
M	`internal/web/handlers/repo/repo.go`	7
M	`internal/web/server.go`	7
A	`internal/web/templates/repo/restore_list.html`	21
A	`internal/web/templates/repo/settings.html`	81
A	`internal/web/templates/repo/transfers_inbox.html`	25

internal/web/handlers/handlers.gomodified

  	// CSRF-protected group. Two-segment match doesn't collide with the
  	// /{username} catch-all.
  	RepoHomeMounter func(chi.Router)
 +	// RepoLifecycleMounter, when non-nil, registers the danger-zone
 +	// routes (rename, transfer, archive, visibility, delete, restore,
 +	// transfer accept/decline/cancel, inbox). All routes are auth-
 +	// required; the handler enforces policy.Can per route.
 +	RepoLifecycleMounter func(chi.Router)
  	// GitHTTPMounter, when non-nil, registers the smart-HTTP git routes
  	// (`*.git/info/refs`, `git-upload-pack`, `git-receive-pack`). MUST
  	// land in a route group that bypasses CSRF, response compression,
  		if deps.RepoHomeMounter != nil {
  			deps.RepoHomeMounter(r)
+ 		}
 +		// Lifecycle danger-zone + transfers + restore. Order: after
 +		// RepoHome so explicit settings paths are matched first, before
 +		// Profile's /{username} catch-all.
 +		if deps.RepoLifecycleMounter != nil {
 +			deps.RepoLifecycleMounter(r)
 +		}
  		// Profile is registered LAST so /{username} doesn't shadow any
  		// static top-level route.
  		if deps.ProfileMounter != nil {

internal/web/handlers/repo/lifecycle.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package repo
++
 +import (
 +	"errors"
 +	"net/http"
 +	"strconv"
 +	"strings"
++
 +	"github.com/go-chi/chi/v5"
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	"github.com/tenseleyFlow/shithub/internal/auth/policy"
 +	"github.com/tenseleyFlow/shithub/internal/repos/lifecycle"
 +	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
 +	"github.com/tenseleyFlow/shithub/internal/web/middleware"
 +	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
 +)
++
 +// MountLifecycle registers the repo settings danger-zone routes plus
 +// the per-user inbox/restore views. Caller wraps with RequireUser so
 +// every route below has a logged-in viewer in context. Routes:
 +//
 +//	GET  /{owner}/{repo}/settings              — danger zone view
 +//	POST /{owner}/{repo}/settings/rename
 +//	POST /{owner}/{repo}/settings/transfer
 +//	POST /{owner}/{repo}/settings/archive
 +//	POST /{owner}/{repo}/settings/unarchive
 +//	POST /{owner}/{repo}/settings/visibility
 +//	POST /{owner}/{repo}/settings/delete
 +//	POST /transfers/{id}/accept
 +//	POST /transfers/{id}/decline
 +//	POST /transfers/{id}/cancel
 +//	GET  /transfers                            — recipient inbox
 +//	GET  /settings/repositories                — restore listing
 +//	POST /settings/repositories/restore/{id}
 +func (h *Handlers) MountLifecycle(r chi.Router) {
 +	r.Get("/{owner}/{repo}/settings", h.repoSettings)
 +	r.Post("/{owner}/{repo}/settings/rename", h.repoRename)
 +	r.Post("/{owner}/{repo}/settings/transfer", h.repoTransferRequest)
 +	r.Post("/{owner}/{repo}/settings/archive", h.repoArchive)
 +	r.Post("/{owner}/{repo}/settings/unarchive", h.repoUnarchive)
 +	r.Post("/{owner}/{repo}/settings/visibility", h.repoVisibility)
 +	r.Post("/{owner}/{repo}/settings/delete", h.repoSoftDelete)
 +	r.Post("/transfers/{id}/accept", h.transferAccept)
 +	r.Post("/transfers/{id}/decline", h.transferDecline)
 +	r.Post("/transfers/{id}/cancel", h.transferCancel)
 +	r.Get("/transfers", h.transferInbox)
 +	r.Get("/settings/repositories", h.restoreList)
 +	r.Post("/settings/repositories/restore/{id}", h.repoRestore)
 +}
++
 +// loadRepoAndAuthorize is the common preamble for every settings-route
 +// handler. Resolves owner+repo, applies policy.Can with the chosen
 +// action, and either returns the row or writes the response.
 +func (h *Handlers) loadRepoAndAuthorize(w http.ResponseWriter, r *http.Request, action policy.Action) (reposdb.Repo, usersdb.User, bool) {
 +	ownerName := chi.URLParam(r, "owner")
 +	repoName := chi.URLParam(r, "repo")
 +	owner, err := h.uq.GetUserByUsername(r.Context(), h.d.Pool, ownerName)
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return reposdb.Repo{}, usersdb.User{}, false
 +	}
 +	row, err := h.rq.GetRepoByOwnerUserAndName(r.Context(), h.d.Pool, reposdb.GetRepoByOwnerUserAndNameParams{
 +		OwnerUserID: pgtype.Int8{Int64: owner.ID, Valid: true},
 +		Name:        repoName,
 +	})
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return reposdb.Repo{}, usersdb.User{}, false
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	actor := policy.UserActor(viewer.ID, viewer.Username, false, false)
 +	repoRef := policy.NewRepoRefFromRepo(row)
 +	if !policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, action, repoRef).Allow {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return reposdb.Repo{}, usersdb.User{}, false
 +	}
 +	return row, owner, true
 +}
++
 +// repoSettings renders the danger-zone view. Limited to owners (admin
 +// action). The actual settings UI is S32; this is just the danger
 +// zone S16 owns.
 +func (h *Handlers) repoSettings(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoAdmin)
 +	if !ok {
 +		return
 +	}
 +	transfers, _ := h.rq.ListTransfersForRepo(r.Context(), h.d.Pool, row.ID)
 +	h.d.Render.RenderPage(w, r, "repo/settings", map[string]any{
 +		"Title":     "Settings · " + row.Name,
 +		"CSRFToken": middleware.CSRFTokenForRequest(r),
 +		"Owner":     owner.Username,
 +		"Repo":      row,
 +		"Transfers": transfers,
 +	})
 +}
++
 +func (h *Handlers) repoRename(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoAdmin)
 +	if !ok {
 +		return
 +	}
 +	newName := strings.ToLower(strings.TrimSpace(r.PostFormValue("new_name")))
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	err := lifecycle.Rename(r.Context(), h.lifecycleDeps(), lifecycle.RenameParams{
 +		ActorUserID: viewer.ID,
 +		RepoID:      row.ID,
 +		OwnerUserID: owner.ID,
 +		OwnerName:   owner.Username,
 +		OldName:     row.Name,
 +		NewName:     newName,
 +	})
 +	if err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	policy.InvalidateRepo(r.Context(), row.ID)
 +	http.Redirect(w, r, "/"+owner.Username+"/"+newName+"/settings", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) repoTransferRequest(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoAdmin)
 +	if !ok {
 +		return
 +	}
 +	target := strings.ToLower(strings.TrimSpace(r.PostFormValue("to_user")))
 +	confirm := strings.TrimSpace(r.PostFormValue("confirm"))
 +	if confirm != owner.Username+"/"+row.Name {
 +		http.Error(w, "confirmation text didn't match owner/repo", http.StatusBadRequest)
 +		return
 +	}
 +	to, err := h.uq.GetUserByUsername(r.Context(), h.d.Pool, target)
 +	if err != nil {
 +		http.Error(w, "recipient not found", http.StatusBadRequest)
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if _, err := lifecycle.RequestTransfer(r.Context(), h.lifecycleDeps(), lifecycle.TransferRequestParams{
 +		ActorUserID: viewer.ID, RepoID: row.ID,
 +		FromUserID: owner.ID, ToPrincipalKind: "user", ToPrincipalID: to.ID,
 +	}); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings?notice=transfer-requested", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) repoArchive(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoArchive)
 +	if !ok {
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if err := lifecycle.Archive(r.Context(), h.lifecycleDeps(), viewer.ID, row.ID); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings?notice=archived", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) repoUnarchive(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoArchive)
 +	if !ok {
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if err := lifecycle.Unarchive(r.Context(), h.lifecycleDeps(), viewer.ID, row.ID); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings?notice=unarchived", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) repoVisibility(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoVisibility)
 +	if !ok {
 +		return
 +	}
 +	to := strings.ToLower(strings.TrimSpace(r.PostFormValue("visibility")))
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if err := lifecycle.SetVisibility(r.Context(), h.lifecycleDeps(), viewer.ID, row.ID, to); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings?notice=visibility", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) repoSoftDelete(w http.ResponseWriter, r *http.Request) {
 +	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoDelete)
 +	if !ok {
 +		return
 +	}
 +	confirm := strings.TrimSpace(r.PostFormValue("confirm"))
 +	if confirm != owner.Username+"/"+row.Name {
 +		http.Error(w, "confirmation text didn't match owner/repo", http.StatusBadRequest)
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if err := lifecycle.SoftDelete(r.Context(), h.lifecycleDeps(), viewer.ID, row.ID); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/settings/repositories?notice=deleted", http.StatusSeeOther)
 +}
++
 +// transferAccept / Decline / Cancel act on a transfer ID. Recipient is
 +// always the actor for accept/decline; sender (or repo admin) for cancel.
 +func (h *Handlers) transferAccept(w http.ResponseWriter, r *http.Request) {
 +	id := parseTransferID(w, r)
 +	if id == 0 {
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if err := lifecycle.AcceptTransfer(r.Context(), h.lifecycleDeps(), viewer.ID, id); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/transfers?notice=accepted", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) transferDecline(w http.ResponseWriter, r *http.Request) {
 +	id := parseTransferID(w, r)
 +	if id == 0 {
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if err := lifecycle.DeclineTransfer(r.Context(), h.lifecycleDeps(), viewer.ID, id); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/transfers?notice=declined", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) transferCancel(w http.ResponseWriter, r *http.Request) {
 +	id := parseTransferID(w, r)
 +	if id == 0 {
 +		return
 +	}
 +	// Verify the actor is allowed to cancel: must be repo admin on the
 +	// repo this transfer belongs to.
 +	row, err := h.rq.GetTransferRequest(r.Context(), h.d.Pool, id)
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	repo, err := h.rq.GetRepoByID(r.Context(), h.d.Pool, row.RepoID)
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	actor := policy.UserActor(viewer.ID, viewer.Username, false, false)
 +	if !policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoAdmin, policy.NewRepoRefFromRepo(repo)).Allow {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	if err := lifecycle.CancelTransfer(r.Context(), h.lifecycleDeps(), viewer.ID, id); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/"+chi.URLParam(r, "owner")+"/"+chi.URLParam(r, "repo")+"/settings?notice=transfer-canceled", http.StatusSeeOther)
 +}
++
 +func (h *Handlers) transferInbox(w http.ResponseWriter, r *http.Request) {
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	rows, err := h.rq.ListPendingTransfersForUser(r.Context(), h.d.Pool, viewer.ID)
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +		return
 +	}
 +	h.d.Render.RenderPage(w, r, "repo/transfers_inbox", map[string]any{
 +		"Title":     "Transfer inbox",
 +		"CSRFToken": middleware.CSRFTokenForRequest(r),
 +		"Pending":   rows,
 +	})
 +}
++
 +func (h *Handlers) restoreList(w http.ResponseWriter, r *http.Request) {
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	rows, err := h.rq.ListSoftDeletedReposForOwner(r.Context(), h.d.Pool, pgtype.Int8{Int64: viewer.ID, Valid: true})
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +		return
 +	}
 +	h.d.Render.RenderPage(w, r, "repo/restore_list", map[string]any{
 +		"Title":     "Restore deleted repositories",
 +		"CSRFToken": middleware.CSRFTokenForRequest(r),
 +		"Repos":     rows,
 +	})
 +}
++
 +func (h *Handlers) repoRestore(w http.ResponseWriter, r *http.Request) {
 +	idStr := chi.URLParam(r, "id")
 +	repoID, err := strconv.ParseInt(idStr, 10, 64)
 +	if err != nil || repoID <= 0 {
 +		http.Error(w, "bad id", http.StatusBadRequest)
 +		return
 +	}
 +	repo, err := h.rq.GetRepoByID(r.Context(), h.d.Pool, repoID)
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	viewer := middleware.CurrentUserFromContext(r.Context())
 +	if !repo.OwnerUserID.Valid || repo.OwnerUserID.Int64 != viewer.ID {
 +		// Restore is owner-only; site-admin path is S34. Existence-leak
 +		// guard: don't reveal a soft-deleted repo to non-owners.
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	if err := lifecycle.Restore(r.Context(), h.lifecycleDeps(), viewer.ID, repoID); err != nil {
 +		h.lifecycleError(w, r, err)
 +		return
 +	}
 +	http.Redirect(w, r, "/settings/repositories?notice=restored", http.StatusSeeOther)
 +}
++
 +// parseTransferID parses the chi URL param; writes a 400 and returns 0
 +// on malformed input.
 +func parseTransferID(w http.ResponseWriter, r *http.Request) int64 {
 +	idStr := chi.URLParam(r, "id")
 +	id, err := strconv.ParseInt(idStr, 10, 64)
 +	if err != nil || id <= 0 {
 +		http.Error(w, "bad id", http.StatusBadRequest)
 +		return 0
 +	}
 +	return id
 +}
++
 +// lifecycleDeps assembles the orchestrator deps from the handler's deps.
 +func (h *Handlers) lifecycleDeps() lifecycle.Deps {
 +	return lifecycle.Deps{
 +		Pool:   h.d.Pool,
 +		RepoFS: h.d.RepoFS,
 +		Audit:  h.d.Audit,
 +		Logger: h.d.Logger,
 +	}
 +}
++
 +// lifecycleError surfaces the typed lifecycle errors as user-friendly
 +// HTTP responses. Specific cases get specific status codes; everything
 +// else falls back to 500.
 +func (h *Handlers) lifecycleError(w http.ResponseWriter, r *http.Request, err error) {
 +	switch {
 +	case errors.Is(err, lifecycle.ErrNameTaken),
 +		errors.Is(err, lifecycle.ErrInvalidName),
 +		errors.Is(err, lifecycle.ErrReservedName),
 +		errors.Is(err, lifecycle.ErrSameName),
 +		errors.Is(err, lifecycle.ErrInvalidVisibility),
 +		errors.Is(err, lifecycle.ErrTransferToSelf):
 +		http.Error(w, err.Error(), http.StatusBadRequest)
 +	case errors.Is(err, lifecycle.ErrRenameRateLimited):
 +		http.Error(w, "rename rate limit (5 per 30 days) exceeded", http.StatusTooManyRequests)
 +	case errors.Is(err, lifecycle.ErrAlreadyArchived),
 +		errors.Is(err, lifecycle.ErrNotArchived),
 +		errors.Is(err, lifecycle.ErrAlreadyDeleted),
 +		errors.Is(err, lifecycle.ErrNotDeleted):
 +		http.Error(w, err.Error(), http.StatusConflict)
 +	case errors.Is(err, lifecycle.ErrTransferTerminal),
 +		errors.Is(err, lifecycle.ErrTransferExpired):
 +		http.Error(w, "transfer no longer pending", http.StatusConflict)
 +	case errors.Is(err, lifecycle.ErrPastGrace):
 +		http.Error(w, "soft-delete grace expired", http.StatusGone)
 +	default:
 +		h.d.Logger.WarnContext(r.Context(), "lifecycle: unexpected error", "error", err)
 +		http.Error(w, "internal error", http.StatusInternalServerError)
 +	}
 +}

internal/web/handlers/repo/redirect.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package repo
++
 +import (
 +	"net/http"
 +	"strings"
++
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
 +	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
 +)
++
 +// tryRedirect resolves a (stale_owner, stale_name) URL to its current
 +// canonical form via repo_redirects. Returns "" when no redirect row
 +// matches, in which case the caller should 404. The returned URL
 +// preserves the request's RemainingPath so e.g. /old/repo/blob/x
 +// becomes /new/repo/blob/x — handy when more granular routes ship.
 +func (h *Handlers) tryRedirect(r *http.Request, ownerName, repoName string) string {
 +	owner, err := h.uq.GetUserByUsername(r.Context(), h.d.Pool, ownerName)
 +	if err != nil {
 +		return ""
 +	}
 +	repoID, err := h.rq.LookupRedirectByUserOwner(r.Context(), h.d.Pool, reposdb.LookupRedirectByUserOwnerParams{
 +		OldOwnerUserID: pgtype.Int8{Int64: owner.ID, Valid: true},
 +		OldName:        repoName,
 +	})
 +	if err != nil {
 +		return ""
 +	}
 +	row, err := h.rq.GetRepoByID(r.Context(), h.d.Pool, repoID)
 +	if err != nil || row.DeletedAt.Valid {
 +		// Repo gone for real; let the caller serve a clean 404 instead
 +		// of redirecting into a 404. This keeps user agents from
 +		// chasing dead links via a 301.
 +		return ""
 +	}
 +	currentOwner := ""
 +	if row.OwnerUserID.Valid {
 +		if u, err := h.uq.GetUserByID(r.Context(), h.d.Pool, row.OwnerUserID.Int64); err == nil {
 +			currentOwner = u.Username
 +		}
 +	}
 +	if currentOwner == "" || row.Name == "" {
 +		return ""
 +	}
 +	// Preserve any path tail beyond /{owner}/{repo} (rare today; will
 +	// matter when blob/tree/issues subpaths land).
 +	tail := strings.TrimPrefix(r.URL.Path, "/"+ownerName+"/"+repoName)
 +	return "/" + currentOwner + "/" + row.Name + tail
 +}
++
 +// _ keeps usersdb imported even when only its types are referenced
 +// indirectly via the handlers struct. Unused-import guard.
 +var _ = usersdb.New

internal/web/handlers/repo/repo.gomodified

  	row, err := h.lookupRepoForViewer(r.Context(), owner, name, middleware.CurrentUserFromContext(r.Context()).ID)
  	if err != nil {
 +		// Maybe the (owner, name) is a stale name; look up the redirect
 +		// table and 301 to the canonical URL so old bookmarks keep
 +		// working. Authoritative miss after the redirect check 404s.
 +		if newURL := h.tryRedirect(r, owner, name); newURL != "" {
 +			http.Redirect(w, r, newURL, http.StatusMovedPermanently)
 +			return
 +		}
  		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
  		return
+ 	}

internal/web/server.gomodified

  			})
+ 		}
  		deps.RepoHomeMounter = repoH.MountRepoHome
 +		// Lifecycle danger-zone routes — also auth-required.
 +		deps.RepoLifecycleMounter = func(r chi.Router) {
 +			r.Group(func(r chi.Router) {
 +				r.Use(middleware.RequireUser)
 +				repoH.MountLifecycle(r)
 +			})
 +		}
  		gitHTTPH, err := buildGitHTTPHandlers(cfg, pool, logger)
  		if err != nil {

internal/web/templates/repo/restore_list.htmladded

 +{{ define "page" -}}
 +<section class="shithub-restore-list">
 +  <h1>Restore deleted repositories</h1>
 +  <p>Soft-deleted repositories can be restored within 7 days of deletion.</p>
 +  {{ if .Repos }}
 +  <ul>
 +    {{ range .Repos }}
 +    <li>
 +      <strong>{{ .Name }}</strong> · deleted {{ relativeTime .DeletedAt.Time }}
 +      <form method="POST" action="/settings/repositories/restore/{{ .ID }}" style="display:inline">
 +        <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
 +        <button type="submit" class="shithub-button shithub-button-primary">Restore</button>
 +      </form>
 +    </li>
 +    {{ end }}
 +  </ul>
 +  {{ else }}
 +  <p>No soft-deleted repositories.</p>
 +  {{ end }}
 +</section>
 +{{- end }}

internal/web/templates/repo/settings.htmladded

 +{{ define "page" -}}
 +<section class="shithub-repo-settings">
 +  <header>
 +    <h1>Settings · <a href="/{{ .Owner }}/{{ .Repo.Name }}">{{ .Owner }}/{{ .Repo.Name }}</a></h1>
 +    <p class="shithub-repo-settings-note">Danger-zone actions only. Full settings UI ships in a later sprint.</p>
 +  </header>
++
 +  <section class="shithub-danger-zone">
 +    <h2>Rename</h2>
 +    <form method="POST" action="/{{ .Owner }}/{{ .Repo.Name }}/settings/rename">
 +      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +      <label>New name <input type="text" name="new_name" pattern="[a-z0-9](?:[a-z0-9._-]{0,98}[a-z0-9_])?" required></label>
 +      <button type="submit" class="shithub-button shithub-button-primary">Rename</button>
 +    </form>
 +    <p class="shithub-hint">5 renames allowed per 30 days. Old URLs 301-redirect.</p>
 +  </section>
++
 +  <section class="shithub-danger-zone">
 +    <h2>Visibility</h2>
 +    <form method="POST" action="/{{ .Owner }}/{{ .Repo.Name }}/settings/visibility">
 +      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +      <label><input type="radio" name="visibility" value="public" {{ if eq (printf "%s" .Repo.Visibility) "public" }}checked{{ end }}> Public</label>
 +      <label><input type="radio" name="visibility" value="private" {{ if eq (printf "%s" .Repo.Visibility) "private" }}checked{{ end }}> Private</label>
 +      <button type="submit" class="shithub-button">Update visibility</button>
 +    </form>
 +    <p class="shithub-hint">Existing clones already pulled stay where they are; visibility flips affect future clones.</p>
 +  </section>
++
 +  <section class="shithub-danger-zone">
 +    <h2>Archive</h2>
 +    {{ if .Repo.IsArchived }}
 +    <form method="POST" action="/{{ .Owner }}/{{ .Repo.Name }}/settings/unarchive">
 +      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +      <button type="submit" class="shithub-button">Unarchive</button>
 +    </form>
 +    {{ else }}
 +    <form method="POST" action="/{{ .Owner }}/{{ .Repo.Name }}/settings/archive">
 +      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +      <button type="submit" class="shithub-button">Archive (read-only)</button>
 +    </form>
 +    {{ end }}
 +  </section>
++
 +  <section class="shithub-danger-zone">
 +    <h2>Transfer ownership</h2>
 +    <form method="POST" action="/{{ .Owner }}/{{ .Repo.Name }}/settings/transfer">
 +      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +      <label>Recipient username <input type="text" name="to_user" required></label>
 +      <label>Type <code>{{ .Owner }}/{{ .Repo.Name }}</code> to confirm
 +        <input type="text" name="confirm" required></label>
 +      <button type="submit" class="shithub-button shithub-button-danger">Send transfer offer</button>
 +    </form>
 +    {{ if .Transfers }}
 +    <h3>Transfer history</h3>
 +    <ul>
 +      {{ range .Transfers }}
 +      <li>#{{ .ID }} · status {{ .Status }} · expires {{ relativeTime .ExpiresAt.Time }}
 +        {{ if eq (printf "%s" .Status) "pending" }}
 +        <form method="POST" action="/transfers/{{ .ID }}/cancel" style="display:inline">
 +          <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
 +          <button type="submit" class="shithub-button">Cancel</button>
 +        </form>
 +        {{ end }}
 +      </li>
 +      {{ end }}
 +    </ul>
 +    {{ end }}
 +  </section>
++
 +  <section class="shithub-danger-zone shithub-danger-zone-final">
 +    <h2>Delete repository</h2>
 +    <p>Soft-delete with 7-day grace. Until the grace expires you can restore from <a href="/settings/repositories">Restore deleted repositories</a>.</p>
 +    <form method="POST" action="/{{ .Owner }}/{{ .Repo.Name }}/settings/delete">
 +      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +      <label>Type <code>{{ .Owner }}/{{ .Repo.Name }}</code> to confirm
 +        <input type="text" name="confirm" required></label>
 +      <button type="submit" class="shithub-button shithub-button-danger">Delete</button>
 +    </form>
 +  </section>
 +</section>
 +{{- end }}

internal/web/templates/repo/transfers_inbox.htmladded

 +{{ define "page" -}}
 +<section class="shithub-transfer-inbox">
 +  <h1>Transfer inbox</h1>
 +  {{ if .Pending }}
 +  <ul>
 +    {{ range .Pending }}
 +    <li>
 +      Repo <code>#{{ .RepoID }}</code> offered by user <code>#{{ .FromUserID }}</code>
 +      <span> · expires {{ relativeTime .ExpiresAt.Time }}</span>
 +      <form method="POST" action="/transfers/{{ .ID }}/accept" style="display:inline">
 +        <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
 +        <button type="submit" class="shithub-button shithub-button-primary">Accept</button>
 +      </form>
 +      <form method="POST" action="/transfers/{{ .ID }}/decline" style="display:inline">
 +        <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
 +        <button type="submit" class="shithub-button">Decline</button>
 +      </form>
 +    </li>
 +    {{ end }}
 +  </ul>
 +  {{ else }}
 +  <p>No pending transfers.</p>
 +  {{ end }}
 +</section>
 +{{- end }}