tenseleyflow/shithub / 1671b76

+type TransferPrincipalKind string

+

+const (

+	TransferPrincipalKindUser TransferPrincipalKind = "user"

+	TransferPrincipalKindOrg  TransferPrincipalKind = "org"

+)

+

+func (e *TransferPrincipalKind) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TransferPrincipalKind(s)

+	case string:

+		*e = TransferPrincipalKind(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TransferPrincipalKind: %T", src)

+	}

+	return nil

+}

+

+type NullTransferPrincipalKind struct {

+	TransferPrincipalKind TransferPrincipalKind

+	Valid                 bool // Valid is true if TransferPrincipalKind is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTransferPrincipalKind) Scan(value interface{}) error {

+	if value == nil {

+		ns.TransferPrincipalKind, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TransferPrincipalKind.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTransferPrincipalKind) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TransferPrincipalKind), nil

+}

+

+type TransferStatus string

+

+const (

+	TransferStatusPending  TransferStatus = "pending"

+	TransferStatusAccepted TransferStatus = "accepted"

+	TransferStatusDeclined TransferStatus = "declined"

+	TransferStatusCanceled TransferStatus = "canceled"

+	TransferStatusExpired  TransferStatus = "expired"

+)

+

+func (e *TransferStatus) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TransferStatus(s)

+	case string:

+		*e = TransferStatus(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TransferStatus: %T", src)

+	}

+	return nil

+}

+

+type NullTransferStatus struct {

+	TransferStatus TransferStatus

+	Valid          bool // Valid is true if TransferStatus is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTransferStatus) Scan(value interface{}) error {

+	if value == nil {

+		ns.TransferStatus, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TransferStatus.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTransferStatus) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TransferStatus), nil

+}

+

+type RepoRedirect struct {

+	OldOwnerUserID pgtype.Int8

+	OldOwnerOrgID  pgtype.Int8

+	OldName        string

+	RepoID         int64

+	RedirectedAt   pgtype.Timestamptz

+}

+

+type RepoTransferRequest struct {

+	ID              int64

+	RepoID          int64

+	FromUserID      int64

+	ToPrincipalKind TransferPrincipalKind

+	ToPrincipalID   int64

+	CreatedBy       int64

+	CreatedAt       pgtype.Timestamptz

+	ExpiresAt       pgtype.Timestamptz

+	Status          TransferStatus

+	AcceptedAt      pgtype.Timestamptz

+	DeclinedAt      pgtype.Timestamptz

+	CanceledAt      pgtype.Timestamptz

+}

+

+type TransferPrincipalKind string

+

+const (

+	TransferPrincipalKindUser TransferPrincipalKind = "user"

+	TransferPrincipalKindOrg  TransferPrincipalKind = "org"

+)

+

+func (e *TransferPrincipalKind) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TransferPrincipalKind(s)

+	case string:

+		*e = TransferPrincipalKind(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TransferPrincipalKind: %T", src)

+	}

+	return nil

+}

+

+type NullTransferPrincipalKind struct {

+	TransferPrincipalKind TransferPrincipalKind

+	Valid                 bool // Valid is true if TransferPrincipalKind is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTransferPrincipalKind) Scan(value interface{}) error {

+	if value == nil {

+		ns.TransferPrincipalKind, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TransferPrincipalKind.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTransferPrincipalKind) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TransferPrincipalKind), nil

+}

+

+type TransferStatus string

+

+const (

+	TransferStatusPending  TransferStatus = "pending"

+	TransferStatusAccepted TransferStatus = "accepted"

+	TransferStatusDeclined TransferStatus = "declined"

+	TransferStatusCanceled TransferStatus = "canceled"

+	TransferStatusExpired  TransferStatus = "expired"

+)

+

+func (e *TransferStatus) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TransferStatus(s)

+	case string:

+		*e = TransferStatus(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TransferStatus: %T", src)

+	}

+	return nil

+}

+

+type NullTransferStatus struct {

+	TransferStatus TransferStatus

+	Valid          bool // Valid is true if TransferStatus is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTransferStatus) Scan(value interface{}) error {

+	if value == nil {

+		ns.TransferStatus, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TransferStatus.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTransferStatus) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TransferStatus), nil

+}

+

+type RepoRedirect struct {

+	OldOwnerUserID pgtype.Int8

+	OldOwnerOrgID  pgtype.Int8

+	OldName        string

+	RepoID         int64

+	RedirectedAt   pgtype.Timestamptz

+}

+

+type RepoTransferRequest struct {

+	ID              int64

+	RepoID          int64

+	FromUserID      int64

+	ToPrincipalKind TransferPrincipalKind

+	ToPrincipalID   int64

+	CreatedBy       int64

+	CreatedAt       pgtype.Timestamptz

+	ExpiresAt       pgtype.Timestamptz

+	Status          TransferStatus

+	AcceptedAt      pgtype.Timestamptz

+	DeclinedAt      pgtype.Timestamptz

+	CanceledAt      pgtype.Timestamptz

+}

+

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- S16 repo lifecycle.

+--

+-- Two tables, both auxiliary to repos:

+--

+--   repo_redirects          — one row per (old_owner, old_name) → repo_id

+--                             so /old/repo 301s to the current path.

+--                             Written on rename and on transfer-accept.

+--                             A single repo accumulates redirect rows

+--                             over its lifetime; the current name is

+--                             always on `repos.name` itself.

+--

+--   repo_transfer_requests  — pending transfer offers. The recipient

+--                             accepts or declines; expiration is 7

+--                             days; the sender can cancel.

+

+-- +goose Up

+

+CREATE TABLE repo_redirects (

+    old_owner_user_id  bigint,

+    old_owner_org_id   bigint,

+    old_name           citext      NOT NULL,

+    repo_id            bigint      NOT NULL REFERENCES repos(id) ON DELETE CASCADE,

+    redirected_at      timestamptz NOT NULL DEFAULT now(),

+

+    -- Exactly one old-owner FK is set, mirroring repos.owner_xor.

+    CONSTRAINT repo_redirects_old_owner_xor CHECK (

+        (old_owner_user_id IS NOT NULL AND old_owner_org_id IS NULL)

+     OR (old_owner_user_id IS NULL     AND old_owner_org_id IS NOT NULL)

+    ),

+    CONSTRAINT repo_redirects_old_name_length CHECK (char_length(old_name::text) BETWEEN 1 AND 100)

+);

+

+-- Lookup index for /{old_owner}/{old_name} → repo_id. Two partial

+-- indexes mirror the unique index pattern on `repos`.

+CREATE UNIQUE INDEX repo_redirects_user_old_idx

+    ON repo_redirects (old_owner_user_id, old_name)

+    WHERE old_owner_user_id IS NOT NULL;

+

+CREATE UNIQUE INDEX repo_redirects_org_old_idx

+    ON repo_redirects (old_owner_org_id, old_name)

+    WHERE old_owner_org_id IS NOT NULL;

+

+

+CREATE TYPE transfer_principal_kind AS ENUM ('user', 'org');

+CREATE TYPE transfer_status         AS ENUM ('pending', 'accepted', 'declined', 'canceled', 'expired');

+

+CREATE TABLE repo_transfer_requests (

+    id                 bigserial   PRIMARY KEY,

+    repo_id            bigint      NOT NULL REFERENCES repos(id) ON DELETE CASCADE,

+    from_user_id       bigint      NOT NULL REFERENCES users(id) ON DELETE CASCADE,

+    to_principal_kind  transfer_principal_kind NOT NULL,

+    to_principal_id    bigint      NOT NULL,

+    created_by         bigint      NOT NULL REFERENCES users(id) ON DELETE CASCADE,

+    created_at         timestamptz NOT NULL DEFAULT now(),

+    expires_at         timestamptz NOT NULL,

+    status             transfer_status NOT NULL DEFAULT 'pending',

+    accepted_at        timestamptz,

+    declined_at        timestamptz,

+    canceled_at        timestamptz,

+

+    -- Status invariants. We don't validate the (status, *_at) cross-

+    -- invariant here — the lifecycle orchestrator owns those updates

+    -- in transactions and is the single writer.

+    CONSTRAINT repo_transfer_requests_status_terminal CHECK (

+        (status = 'pending'  AND accepted_at IS NULL AND declined_at IS NULL AND canceled_at IS NULL) OR

+        (status = 'accepted' AND accepted_at IS NOT NULL) OR

+        (status = 'declined' AND declined_at IS NOT NULL) OR

+        (status = 'canceled' AND canceled_at IS NOT NULL) OR

+        (status = 'expired')

+    )

+);

+

+-- Recipient inbox lookup: "show me pending transfers offered to user X."

+CREATE INDEX repo_transfer_requests_recipient_idx

+    ON repo_transfer_requests (to_principal_kind, to_principal_id, status)

+    WHERE status = 'pending';

+

+-- Sender lookup + history.

+CREATE INDEX repo_transfer_requests_repo_idx

+    ON repo_transfer_requests (repo_id, created_at DESC);

+

+-- Expiry sweep (the worker that flips pending → expired runs over this).

+CREATE INDEX repo_transfer_requests_expiry_idx

+    ON repo_transfer_requests (expires_at)

+    WHERE status = 'pending';

+

+-- +goose Down

+DROP TABLE IF EXISTS repo_transfer_requests;

+DROP TYPE IF EXISTS transfer_status;

+DROP TYPE IF EXISTS transfer_principal_kind;

+DROP TABLE IF EXISTS repo_redirects;

+-- SPDX-License-Identifier: AGPL-3.0-or-later

+--

+-- S16 lifecycle queries. Kept in a separate file from repos.sql so the

+-- mainline CRUD stays easy to read.

+

+-- ─── repo mutations ────────────────────────────────────────────────────

+

+-- name: RenameRepo :exec

+-- Same-owner rename. The handler validates the new name shape and the

+-- redirect row is INSERTed in the same tx.

+UPDATE repos SET name = $2, updated_at = now() WHERE id = $1;

+

+-- name: TransferRepoOwner :exec

+-- Sets owner_user_id (or owner_org_id post-S31) on accept. The xor

+-- check on the table enforces the shape. Also clears the other side

+-- so a user→org transfer flips both columns atomically.

+UPDATE repos

+SET owner_user_id = sqlc.narg(owner_user_id)::bigint,

+    owner_org_id  = sqlc.narg(owner_org_id)::bigint,

+    name          = $2,

+    updated_at    = now()

+WHERE id = $1;

+

+-- name: ArchiveRepo :exec

+UPDATE repos SET is_archived = true, archived_at = now(), updated_at = now() WHERE id = $1;

+

+-- name: UnarchiveRepo :exec

+UPDATE repos SET is_archived = false, archived_at = NULL, updated_at = now() WHERE id = $1;

+

+-- name: SetRepoVisibility :exec

+UPDATE repos SET visibility = $2, updated_at = now() WHERE id = $1;

+

+-- name: SoftDeleteRepoLifecycle :exec

+-- Distinct name from S11's SoftDeleteRepo so future code that wants to

+-- preserve the lifecycle audit-emission shape can find this one.

+UPDATE repos SET deleted_at = now(), updated_at = now() WHERE id = $1;

+

+-- name: RestoreRepo :exec

+UPDATE repos SET deleted_at = NULL, updated_at = now() WHERE id = $1;

+

+-- name: HardDeleteRepo :exec

+DELETE FROM repos WHERE id = $1;

+

+

+-- ─── redirects ─────────────────────────────────────────────────────────

+

+-- name: InsertRepoRedirect :exec

+-- Both old-owner FKs are nullable; pass exactly one. The CHECK

+-- constraint on the table enforces the xor shape.

+INSERT INTO repo_redirects (old_owner_user_id, old_owner_org_id, old_name, repo_id)

+VALUES (sqlc.narg(old_owner_user_id)::bigint, sqlc.narg(old_owner_org_id)::bigint, $1, $2)

+ON CONFLICT DO NOTHING;

+

+-- name: LookupRedirectByUserOwner :one

+-- Returns the current repo_id when (old_owner_user_id, old_name) hits

+-- a redirect row.

+SELECT repo_id FROM repo_redirects

+WHERE old_owner_user_id = $1 AND old_name = $2;

+

+-- name: DeleteRedirectsForRepo :exec

+-- Used by hard-delete: drop the redirect rows pointing at this repo

+-- (they would dangle once the repos row is gone; the FK ON DELETE

+-- CASCADE would handle it, but explicit is auditable).

+DELETE FROM repo_redirects WHERE repo_id = $1;

+

+

+-- ─── transfer requests ─────────────────────────────────────────────────

+

+-- name: InsertTransferRequest :one

+INSERT INTO repo_transfer_requests (

+    repo_id, from_user_id, to_principal_kind, to_principal_id,

+    created_by, expires_at

+) VALUES (

+    $1, $2, $3, $4, $5, $6

+)

+RETURNING id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+          created_by, created_at, expires_at, status,

+          accepted_at, declined_at, canceled_at;

+

+-- name: GetTransferRequest :one

+SELECT id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+       created_by, created_at, expires_at, status,

+       accepted_at, declined_at, canceled_at

+FROM repo_transfer_requests

+WHERE id = $1;

+

+-- name: ListPendingTransfersForUser :many

+-- Inbox view: pending offers a user can act on.

+SELECT id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+       created_by, created_at, expires_at, status,

+       accepted_at, declined_at, canceled_at

+FROM repo_transfer_requests

+WHERE to_principal_kind = 'user' AND to_principal_id = $1 AND status = 'pending'

+ORDER BY created_at DESC;

+

+-- name: ListTransfersForRepo :many

+-- Sender / repo-settings view.

+SELECT id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+       created_by, created_at, expires_at, status,

+       accepted_at, declined_at, canceled_at

+FROM repo_transfer_requests

+WHERE repo_id = $1

+ORDER BY created_at DESC;

+

+-- name: AcceptTransferRequest :exec

+UPDATE repo_transfer_requests

+SET status = 'accepted', accepted_at = now()

+WHERE id = $1 AND status = 'pending';

+

+-- name: DeclineTransferRequest :exec

+UPDATE repo_transfer_requests

+SET status = 'declined', declined_at = now()

+WHERE id = $1 AND status = 'pending';

+

+-- name: CancelTransferRequest :exec

+UPDATE repo_transfer_requests

+SET status = 'canceled', canceled_at = now()

+WHERE id = $1 AND status = 'pending';

+

+-- name: ExpirePendingTransfers :execrows

+-- Called by the periodic worker (transfers:expire) — flips pending

+-- offers past their expires_at to the expired terminal state.

+UPDATE repo_transfer_requests

+SET status = 'expired'

+WHERE status = 'pending' AND expires_at < now();

+

+

+-- ─── soft-delete sweep query ───────────────────────────────────────────

+

+-- name: ListRepoIDsPastSoftDeleteGrace :many

+-- The repo:hard_delete enqueuer queries this to find rows ready for

+-- destruction. The 7-day grace is hard-coded here; if we add a config

+-- knob later, change this to a parameter.

+SELECT id FROM repos

+WHERE deleted_at IS NOT NULL AND deleted_at < now() - interval '7 days'

+ORDER BY deleted_at ASC;

+

+-- name: ListSoftDeletedReposForOwner :many

+-- /settings/repositories/restore page lists these.

+SELECT id, owner_user_id, name, deleted_at

+FROM repos

+WHERE owner_user_id = $1 AND deleted_at IS NOT NULL

+ORDER BY deleted_at DESC;

+

+

+-- ─── rename rate limit support ─────────────────────────────────────────

+

+-- name: CountRecentRedirectsForRepo :one

+-- Used to enforce the 5-per-30-days rename rate limit. The redirect

+-- row is the audit trail for renames; counting them per repo gives a

+-- reliable cap.

+SELECT count(*)::int AS recent_count

+FROM repo_redirects

+WHERE repo_id = $1 AND redirected_at > now() - interval '30 days';

+

+

+-- ─── fork-anchor cleanup on hard delete ────────────────────────────────

+

+-- name: OrphanForksOf :execrows

+-- Children pointing at this repo lose their fork-of pointer. Mirrors

+-- GitHub's behavior when an upstream is deleted.

+UPDATE repos SET fork_of_repo_id = NULL WHERE fork_of_repo_id = $1;

+// Code generated by sqlc. DO NOT EDIT.

+// versions:

+//   sqlc v1.31.1

+// source: lifecycle.sql

+

+package reposdb

+

+import (

+	"context"

+

+	"github.com/jackc/pgx/v5/pgtype"

+)

+

+const acceptTransferRequest = `-- name: AcceptTransferRequest :exec

+UPDATE repo_transfer_requests

+SET status = 'accepted', accepted_at = now()

+WHERE id = $1 AND status = 'pending'

+`

+

+func (q *Queries) AcceptTransferRequest(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, acceptTransferRequest, id)

+	return err

+}

+

+const archiveRepo = `-- name: ArchiveRepo :exec

+UPDATE repos SET is_archived = true, archived_at = now(), updated_at = now() WHERE id = $1

+`

+

+func (q *Queries) ArchiveRepo(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, archiveRepo, id)

+	return err

+}

+

+const cancelTransferRequest = `-- name: CancelTransferRequest :exec

+UPDATE repo_transfer_requests

+SET status = 'canceled', canceled_at = now()

+WHERE id = $1 AND status = 'pending'

+`

+

+func (q *Queries) CancelTransferRequest(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, cancelTransferRequest, id)

+	return err

+}

+

+const countRecentRedirectsForRepo = `-- name: CountRecentRedirectsForRepo :one

+

+SELECT count(*)::int AS recent_count

+FROM repo_redirects

+WHERE repo_id = $1 AND redirected_at > now() - interval '30 days'

+`

+

+// ─── rename rate limit support ─────────────────────────────────────────

+// Used to enforce the 5-per-30-days rename rate limit. The redirect

+// row is the audit trail for renames; counting them per repo gives a

+// reliable cap.

+func (q *Queries) CountRecentRedirectsForRepo(ctx context.Context, db DBTX, repoID int64) (int32, error) {

+	row := db.QueryRow(ctx, countRecentRedirectsForRepo, repoID)

+	var recent_count int32

+	err := row.Scan(&recent_count)

+	return recent_count, err

+}

+

+const declineTransferRequest = `-- name: DeclineTransferRequest :exec

+UPDATE repo_transfer_requests

+SET status = 'declined', declined_at = now()

+WHERE id = $1 AND status = 'pending'

+`

+

+func (q *Queries) DeclineTransferRequest(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, declineTransferRequest, id)

+	return err

+}

+

+const deleteRedirectsForRepo = `-- name: DeleteRedirectsForRepo :exec

+DELETE FROM repo_redirects WHERE repo_id = $1

+`

+

+// Used by hard-delete: drop the redirect rows pointing at this repo

+// (they would dangle once the repos row is gone; the FK ON DELETE

+// CASCADE would handle it, but explicit is auditable).

+func (q *Queries) DeleteRedirectsForRepo(ctx context.Context, db DBTX, repoID int64) error {

+	_, err := db.Exec(ctx, deleteRedirectsForRepo, repoID)

+	return err

+}

+

+const expirePendingTransfers = `-- name: ExpirePendingTransfers :execrows

+UPDATE repo_transfer_requests

+SET status = 'expired'

+WHERE status = 'pending' AND expires_at < now()

+`

+

+// Called by the periodic worker (transfers:expire) — flips pending

+// offers past their expires_at to the expired terminal state.

+func (q *Queries) ExpirePendingTransfers(ctx context.Context, db DBTX) (int64, error) {

+	result, err := db.Exec(ctx, expirePendingTransfers)

+	if err != nil {

+		return 0, err

+	}

+	return result.RowsAffected(), nil

+}

+

+const getTransferRequest = `-- name: GetTransferRequest :one

+SELECT id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+       created_by, created_at, expires_at, status,

+       accepted_at, declined_at, canceled_at

+FROM repo_transfer_requests

+WHERE id = $1

+`

+

+func (q *Queries) GetTransferRequest(ctx context.Context, db DBTX, id int64) (RepoTransferRequest, error) {

+	row := db.QueryRow(ctx, getTransferRequest, id)

+	var i RepoTransferRequest

+	err := row.Scan(

+		&i.ID,

+		&i.RepoID,

+		&i.FromUserID,

+		&i.ToPrincipalKind,

+		&i.ToPrincipalID,

+		&i.CreatedBy,

+		&i.CreatedAt,

+		&i.ExpiresAt,

+		&i.Status,

+		&i.AcceptedAt,

+		&i.DeclinedAt,

+		&i.CanceledAt,

+	)

+	return i, err

+}

+

+const hardDeleteRepo = `-- name: HardDeleteRepo :exec

+DELETE FROM repos WHERE id = $1

+`

+

+func (q *Queries) HardDeleteRepo(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, hardDeleteRepo, id)

+	return err

+}

+

+const insertRepoRedirect = `-- name: InsertRepoRedirect :exec

+

+INSERT INTO repo_redirects (old_owner_user_id, old_owner_org_id, old_name, repo_id)

+VALUES ($3::bigint, $4::bigint, $1, $2)

+ON CONFLICT DO NOTHING

+`

+

+type InsertRepoRedirectParams struct {

+	OldName        string

+	RepoID         int64

+	OldOwnerUserID pgtype.Int8

+	OldOwnerOrgID  pgtype.Int8

+}

+

+// ─── redirects ─────────────────────────────────────────────────────────

+// Both old-owner FKs are nullable; pass exactly one. The CHECK

+// constraint on the table enforces the xor shape.

+func (q *Queries) InsertRepoRedirect(ctx context.Context, db DBTX, arg InsertRepoRedirectParams) error {

+	_, err := db.Exec(ctx, insertRepoRedirect,

+		arg.OldName,

+		arg.RepoID,

+		arg.OldOwnerUserID,

+		arg.OldOwnerOrgID,

+	)

+	return err

+}

+

+const insertTransferRequest = `-- name: InsertTransferRequest :one

+

+INSERT INTO repo_transfer_requests (

+    repo_id, from_user_id, to_principal_kind, to_principal_id,

+    created_by, expires_at

+) VALUES (

+    $1, $2, $3, $4, $5, $6

+)

+RETURNING id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+          created_by, created_at, expires_at, status,

+          accepted_at, declined_at, canceled_at

+`

+

+type InsertTransferRequestParams struct {

+	RepoID          int64

+	FromUserID      int64

+	ToPrincipalKind TransferPrincipalKind

+	ToPrincipalID   int64

+	CreatedBy       int64

+	ExpiresAt       pgtype.Timestamptz

+}

+

+// ─── transfer requests ─────────────────────────────────────────────────

+func (q *Queries) InsertTransferRequest(ctx context.Context, db DBTX, arg InsertTransferRequestParams) (RepoTransferRequest, error) {

+	row := db.QueryRow(ctx, insertTransferRequest,

+		arg.RepoID,

+		arg.FromUserID,

+		arg.ToPrincipalKind,

+		arg.ToPrincipalID,

+		arg.CreatedBy,

+		arg.ExpiresAt,

+	)

+	var i RepoTransferRequest

+	err := row.Scan(

+		&i.ID,

+		&i.RepoID,

+		&i.FromUserID,

+		&i.ToPrincipalKind,

+		&i.ToPrincipalID,

+		&i.CreatedBy,

+		&i.CreatedAt,

+		&i.ExpiresAt,

+		&i.Status,

+		&i.AcceptedAt,

+		&i.DeclinedAt,

+		&i.CanceledAt,

+	)

+	return i, err

+}

+

+const listPendingTransfersForUser = `-- name: ListPendingTransfersForUser :many

+SELECT id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+       created_by, created_at, expires_at, status,

+       accepted_at, declined_at, canceled_at

+FROM repo_transfer_requests

+WHERE to_principal_kind = 'user' AND to_principal_id = $1 AND status = 'pending'

+ORDER BY created_at DESC

+`

+

+// Inbox view: pending offers a user can act on.

+func (q *Queries) ListPendingTransfersForUser(ctx context.Context, db DBTX, toPrincipalID int64) ([]RepoTransferRequest, error) {

+	rows, err := db.Query(ctx, listPendingTransfersForUser, toPrincipalID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []RepoTransferRequest{}

+	for rows.Next() {

+		var i RepoTransferRequest

+		if err := rows.Scan(

+			&i.ID,

+			&i.RepoID,

+			&i.FromUserID,

+			&i.ToPrincipalKind,

+			&i.ToPrincipalID,

+			&i.CreatedBy,

+			&i.CreatedAt,

+			&i.ExpiresAt,

+			&i.Status,

+			&i.AcceptedAt,

+			&i.DeclinedAt,

+			&i.CanceledAt,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listRepoIDsPastSoftDeleteGrace = `-- name: ListRepoIDsPastSoftDeleteGrace :many

+

+SELECT id FROM repos

+WHERE deleted_at IS NOT NULL AND deleted_at < now() - interval '7 days'

+ORDER BY deleted_at ASC

+`

+

+// ─── soft-delete sweep query ───────────────────────────────────────────

+// The repo:hard_delete enqueuer queries this to find rows ready for

+// destruction. The 7-day grace is hard-coded here; if we add a config

+// knob later, change this to a parameter.

+func (q *Queries) ListRepoIDsPastSoftDeleteGrace(ctx context.Context, db DBTX) ([]int64, error) {

+	rows, err := db.Query(ctx, listRepoIDsPastSoftDeleteGrace)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []int64{}

+	for rows.Next() {

+		var id int64

+		if err := rows.Scan(&id); err != nil {

+			return nil, err

+		}

+		items = append(items, id)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listSoftDeletedReposForOwner = `-- name: ListSoftDeletedReposForOwner :many

+SELECT id, owner_user_id, name, deleted_at

+FROM repos

+WHERE owner_user_id = $1 AND deleted_at IS NOT NULL

+ORDER BY deleted_at DESC

+`

+

+type ListSoftDeletedReposForOwnerRow struct {

+	ID          int64

+	OwnerUserID pgtype.Int8

+	Name        string

+	DeletedAt   pgtype.Timestamptz

+}

+

+// /settings/repositories/restore page lists these.

+func (q *Queries) ListSoftDeletedReposForOwner(ctx context.Context, db DBTX, ownerUserID pgtype.Int8) ([]ListSoftDeletedReposForOwnerRow, error) {

+	rows, err := db.Query(ctx, listSoftDeletedReposForOwner, ownerUserID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []ListSoftDeletedReposForOwnerRow{}

+	for rows.Next() {

+		var i ListSoftDeletedReposForOwnerRow

+		if err := rows.Scan(

+			&i.ID,

+			&i.OwnerUserID,

+			&i.Name,

+			&i.DeletedAt,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const listTransfersForRepo = `-- name: ListTransfersForRepo :many

+SELECT id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+       created_by, created_at, expires_at, status,

+       accepted_at, declined_at, canceled_at

+FROM repo_transfer_requests

+WHERE repo_id = $1

+ORDER BY created_at DESC

+`

+

+// Sender / repo-settings view.

+func (q *Queries) ListTransfersForRepo(ctx context.Context, db DBTX, repoID int64) ([]RepoTransferRequest, error) {

+	rows, err := db.Query(ctx, listTransfersForRepo, repoID)

+	if err != nil {

+		return nil, err

+	}

+	defer rows.Close()

+	items := []RepoTransferRequest{}

+	for rows.Next() {

+		var i RepoTransferRequest

+		if err := rows.Scan(

+			&i.ID,

+			&i.RepoID,

+			&i.FromUserID,

+			&i.ToPrincipalKind,

+			&i.ToPrincipalID,

+			&i.CreatedBy,

+			&i.CreatedAt,

+			&i.ExpiresAt,

+			&i.Status,

+			&i.AcceptedAt,

+			&i.DeclinedAt,

+			&i.CanceledAt,

+		); err != nil {

+			return nil, err

+		}

+		items = append(items, i)

+	}

+	if err := rows.Err(); err != nil {

+		return nil, err

+	}

+	return items, nil

+}

+

+const lookupRedirectByUserOwner = `-- name: LookupRedirectByUserOwner :one

+SELECT repo_id FROM repo_redirects

+WHERE old_owner_user_id = $1 AND old_name = $2

+`

+

+type LookupRedirectByUserOwnerParams struct {

+	OldOwnerUserID pgtype.Int8

+	OldName        string

+}

+

+// Returns the current repo_id when (old_owner_user_id, old_name) hits

+// a redirect row.

+func (q *Queries) LookupRedirectByUserOwner(ctx context.Context, db DBTX, arg LookupRedirectByUserOwnerParams) (int64, error) {

+	row := db.QueryRow(ctx, lookupRedirectByUserOwner, arg.OldOwnerUserID, arg.OldName)

+	var repo_id int64

+	err := row.Scan(&repo_id)

+	return repo_id, err

+}

+

+const orphanForksOf = `-- name: OrphanForksOf :execrows

+

+UPDATE repos SET fork_of_repo_id = NULL WHERE fork_of_repo_id = $1

+`

+

+// ─── fork-anchor cleanup on hard delete ────────────────────────────────

+// Children pointing at this repo lose their fork-of pointer. Mirrors

+// GitHub's behavior when an upstream is deleted.

+func (q *Queries) OrphanForksOf(ctx context.Context, db DBTX, forkOfRepoID pgtype.Int8) (int64, error) {

+	result, err := db.Exec(ctx, orphanForksOf, forkOfRepoID)

+	if err != nil {

+		return 0, err

+	}

+	return result.RowsAffected(), nil

+}

+

+const renameRepo = `-- name: RenameRepo :exec

+

+

+UPDATE repos SET name = $2, updated_at = now() WHERE id = $1

+`

+

+type RenameRepoParams struct {

+	ID   int64

+	Name string

+}

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+//

+// S16 lifecycle queries. Kept in a separate file from repos.sql so the

+// mainline CRUD stays easy to read.

+// ─── repo mutations ────────────────────────────────────────────────────

+// Same-owner rename. The handler validates the new name shape and the

+// redirect row is INSERTed in the same tx.

+func (q *Queries) RenameRepo(ctx context.Context, db DBTX, arg RenameRepoParams) error {

+	_, err := db.Exec(ctx, renameRepo, arg.ID, arg.Name)

+	return err

+}

+

+const restoreRepo = `-- name: RestoreRepo :exec

+UPDATE repos SET deleted_at = NULL, updated_at = now() WHERE id = $1

+`

+

+func (q *Queries) RestoreRepo(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, restoreRepo, id)

+	return err

+}

+

+const setRepoVisibility = `-- name: SetRepoVisibility :exec

+UPDATE repos SET visibility = $2, updated_at = now() WHERE id = $1

+`

+

+type SetRepoVisibilityParams struct {

+	ID         int64

+	Visibility RepoVisibility

+}

+

+func (q *Queries) SetRepoVisibility(ctx context.Context, db DBTX, arg SetRepoVisibilityParams) error {

+	_, err := db.Exec(ctx, setRepoVisibility, arg.ID, arg.Visibility)

+	return err

+}

+

+const softDeleteRepoLifecycle = `-- name: SoftDeleteRepoLifecycle :exec

+UPDATE repos SET deleted_at = now(), updated_at = now() WHERE id = $1

+`

+

+// Distinct name from S11's SoftDeleteRepo so future code that wants to

+// preserve the lifecycle audit-emission shape can find this one.

+func (q *Queries) SoftDeleteRepoLifecycle(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, softDeleteRepoLifecycle, id)

+	return err

+}

+

+const transferRepoOwner = `-- name: TransferRepoOwner :exec

+UPDATE repos

+SET owner_user_id = $3::bigint,

+    owner_org_id  = $4::bigint,

+    name          = $2,

+    updated_at    = now()

+WHERE id = $1

+`

+

+type TransferRepoOwnerParams struct {

+	ID          int64

+	Name        string

+	OwnerUserID pgtype.Int8

+	OwnerOrgID  pgtype.Int8

+}

+

+// Sets owner_user_id (or owner_org_id post-S31) on accept. The xor

+// check on the table enforces the shape. Also clears the other side

+// so a user→org transfer flips both columns atomically.

+func (q *Queries) TransferRepoOwner(ctx context.Context, db DBTX, arg TransferRepoOwnerParams) error {

+	_, err := db.Exec(ctx, transferRepoOwner,

+		arg.ID,

+		arg.Name,

+		arg.OwnerUserID,

+		arg.OwnerOrgID,

+	)

+	return err

+}

+

+const unarchiveRepo = `-- name: UnarchiveRepo :exec

+UPDATE repos SET is_archived = false, archived_at = NULL, updated_at = now() WHERE id = $1

+`

+

+func (q *Queries) UnarchiveRepo(ctx context.Context, db DBTX, id int64) error {

+	_, err := db.Exec(ctx, unarchiveRepo, id)

+	return err

+}

+type TransferPrincipalKind string

+

+const (

+	TransferPrincipalKindUser TransferPrincipalKind = "user"

+	TransferPrincipalKindOrg  TransferPrincipalKind = "org"

+)

+

+func (e *TransferPrincipalKind) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TransferPrincipalKind(s)

+	case string:

+		*e = TransferPrincipalKind(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TransferPrincipalKind: %T", src)

+	}

+	return nil

+}

+

+type NullTransferPrincipalKind struct {

+	TransferPrincipalKind TransferPrincipalKind

+	Valid                 bool // Valid is true if TransferPrincipalKind is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTransferPrincipalKind) Scan(value interface{}) error {

+	if value == nil {

+		ns.TransferPrincipalKind, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TransferPrincipalKind.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTransferPrincipalKind) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TransferPrincipalKind), nil

+}

+

+type TransferStatus string

+

+const (

+	TransferStatusPending  TransferStatus = "pending"

+	TransferStatusAccepted TransferStatus = "accepted"

+	TransferStatusDeclined TransferStatus = "declined"

+	TransferStatusCanceled TransferStatus = "canceled"

+	TransferStatusExpired  TransferStatus = "expired"

+)

+

+func (e *TransferStatus) Scan(src interface{}) error {

+	switch s := src.(type) {

+	case []byte:

+		*e = TransferStatus(s)

+	case string:

+		*e = TransferStatus(s)

+	default:

+		return fmt.Errorf("unsupported scan type for TransferStatus: %T", src)

+	}

+	return nil

+}

+

+type NullTransferStatus struct {

+	TransferStatus TransferStatus

+	Valid          bool // Valid is true if TransferStatus is not NULL

+}

+

+// Scan implements the Scanner interface.

+func (ns *NullTransferStatus) Scan(value interface{}) error {

+	if value == nil {

+		ns.TransferStatus, ns.Valid = "", false

+		return nil

+	}

+	ns.Valid = true

+	return ns.TransferStatus.Scan(value)

+}

+

+// Value implements the driver Valuer interface.

+func (ns NullTransferStatus) Value() (driver.Value, error) {

+	if !ns.Valid {

+		return nil, nil

+	}

+	return string(ns.TransferStatus), nil

+}

+

+type RepoRedirect struct {

+	OldOwnerUserID pgtype.Int8

+	OldOwnerOrgID  pgtype.Int8

+	OldName        string

+	RepoID         int64

+	RedirectedAt   pgtype.Timestamptz

+}

+

+type RepoTransferRequest struct {

+	ID              int64

+	RepoID          int64

+	FromUserID      int64

+	ToPrincipalKind TransferPrincipalKind

+	ToPrincipalID   int64

+	CreatedBy       int64

+	CreatedAt       pgtype.Timestamptz

+	ExpiresAt       pgtype.Timestamptz

+	Status          TransferStatus

+	AcceptedAt      pgtype.Timestamptz

+	DeclinedAt      pgtype.Timestamptz