tenseleyflow/shithub / 1fe08a6

+	"github.com/tenseleyFlow/shithub/internal/infra/config"

+	// BillingEnforce carries PRO07's per-feature enforcement flags.

+	// Branch-protection gating on personal private repos consults

+	// these to decide whether a user-kind would-deny should block the

+	// save (enforce=true) or log a report-only event and proceed

+	// (PRO05 default, enforce=false).

+	BillingEnforce config.EnforceConfig

+	"github.com/tenseleyFlow/shithub/internal/infra/config"

+	return newRepoFixtureWithEnforce(t, config.EnforceConfig{})

+}

+

+// newRepoFixtureWithEnforce mirrors newRepoFixture but plumbs an

+// operator-configured per-feature enforce matrix into the handler

+// Deps. PRO07 tests pass a config with the relevant user-kind flag

+// flipped to true to exercise the enforce path.

+func newRepoFixtureWithEnforce(t *testing.T, enforce config.EnforceConfig) *repoFixture {

+		Logger:         slog.New(slog.NewTextHandler(io.Discard, nil)),

+		Render:         rr,

+		Pool:           pool,

+		RepoFS:         rfs,

+		ObjectStore:    objectStore,

+		Audit:          audit.NewRecorder(),

+		Limiter:        throttle.NewLimiter(),

+		BillingEnforce: enforce,

+// Enforcement semantics:

+//   - Org kind: SP05 enforcement — would-denies return the notice

+//     code unconditionally.

+//   - User kind, PRO07 enforce flag off (default): logs the would-

+//     deny via Logger and returns empty notice (report-only).

+//   - User kind, PRO07 enforce flag on: returns the notice code

+//     (blocks the save). The flag is per-feature; see

+//     EnforceConfig.UserAdvancedBranchProtection and

+//     EnforceConfig.UserRequiredReviewers in internal/infra/config.

+	if p.IsUser() && !h.userBranchProtectionEnforceOn(feature) {

+// userBranchProtectionEnforceOn maps a feature to the operator's

+// per-feature enforce knob. Unknown features default to false (safe:

+// stay in report-only). PRO07 ships with both flags defaulting to

+// false; operators flip per feature after the 7-day telemetry soak.

+func (h *Handlers) userBranchProtectionEnforceOn(feature entitlements.Feature) bool {

+	switch feature {

+	case entitlements.FeatureRequiredReviewers:

+		return h.d.BillingEnforce.UserRequiredReviewers

+	case entitlements.FeatureAdvancedBranchProtection:

+		return h.d.BillingEnforce.UserAdvancedBranchProtection

+	default:

+		return false

+	}

+}

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"context"

+	"net/http/httptest"

+	"net/url"

+	"strconv"

+	"testing"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	billingdb "github.com/tenseleyFlow/shithub/internal/billing/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/infra/config"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// PRO07 — user-kind branch protection enforce flip.

+//

+// PRO05 plumbed user-kind report-only logging through

+// evaluateBranchProtectionFeature. PRO07 wires

+// EnforceConfig.User{RequiredReviewers,AdvancedBranchProtection} into

+// the same site so operators can flip per-feature enforcement after

+// the telemetry soak. These tests pin both modes.

+

+func TestSettingsBranches_UserKindReportOnlyRequiredReviewersAllowsSave(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t) // zero-value enforce ⇒ report-only

+	mux := f.branchesSettingsMux(f.owner.ID, f.owner.Username)

+

+	resp := httptest.NewRecorder()

+	req := newFormRequest("POST", "/alice/private-repo/settings/branches", url.Values{

+		"pattern":               {"trunk"},

+		"required_review_count": {"2"},

+	})

+	mux.ServeHTTP(resp, req)

+	if resp.Code != 303 {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	// Report-only ⇒ no notice code; redirect lands on the saved

+	// confirmation page.

+	if got := resp.Header().Get("Location"); got != "/alice/private-repo/settings/branches?notice=saved" {

+		t.Fatalf("expected report-only save, got redirect=%q", got)

+	}

+	assertBranchProtectionRuleCount(t, f, f.privateRepo.ID, 1)

+}

+

+func TestSettingsBranches_UserKindEnforceFlipRequiredReviewersBlocks(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixtureWithEnforce(t, config.EnforceConfig{

+		UserRequiredReviewers: true,

+	})

+	mux := f.branchesSettingsMux(f.owner.ID, f.owner.Username)

+

+	resp := httptest.NewRecorder()

+	req := newFormRequest("POST", "/alice/private-repo/settings/branches", url.Values{

+		"pattern":               {"trunk"},

+		"required_review_count": {"2"},

+	})

+	mux.ServeHTTP(resp, req)

+	if resp.Code != 303 {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if got := resp.Header().Get("Location"); got != "/alice/private-repo/settings/branches?notice=required-reviewers-upgrade" {

+		t.Fatalf("expected upgrade notice, got %q", got)

+	}

+	assertBranchProtectionRuleCount(t, f, f.privateRepo.ID, 0)

+}

+

+func TestSettingsBranches_UserKindEnforceFlipAdvancedChecksBlocks(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixtureWithEnforce(t, config.EnforceConfig{

+		UserAdvancedBranchProtection: true,

+	})

+	mux := f.branchesSettingsMux(f.owner.ID, f.owner.Username)

+

+	resp := httptest.NewRecorder()

+	req := newFormRequest("POST", "/alice/private-repo/settings/branches", url.Values{

+		"pattern":                     {"trunk"},

+		"required_status_check_names": {"ci"},

+	})

+	mux.ServeHTTP(resp, req)

+	if resp.Code != 303 {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if got := resp.Header().Get("Location"); got != "/alice/private-repo/settings/branches?notice=branch-protection-upgrade" {

+		t.Fatalf("expected upgrade notice, got %q", got)

+	}

+	assertBranchProtectionRuleCount(t, f, f.privateRepo.ID, 0)

+}

+

+// TestSettingsBranches_UserKindEnforceFlipDoesNotAffectPublicRepos

+// locks the visibility short-circuit: enforce flags fire only on

+// private personal repos. Public personal repos stay ungated.

+func TestSettingsBranches_UserKindEnforceFlipDoesNotAffectPublicRepos(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixtureWithEnforce(t, config.EnforceConfig{

+		UserRequiredReviewers:        true,

+		UserAdvancedBranchProtection: true,

+	})

+	mux := f.branchesSettingsMux(f.owner.ID, f.owner.Username)

+

+	resp := httptest.NewRecorder()

+	req := newFormRequest("POST", "/alice/public-repo/settings/branches", url.Values{

+		"pattern":               {"trunk"},

+		"required_review_count": {"2"},

+	})

+	mux.ServeHTTP(resp, req)

+	if resp.Code != 303 {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if got := resp.Header().Get("Location"); got != "/alice/public-repo/settings/branches?notice=saved" {

+		t.Fatalf("public repo should bypass gate, got %q", got)

+	}

+}

+

+// TestSettingsBranches_UserKindEnforceFlipAllowsProUser verifies the

+// gate is keyed on Plan, not just kind: a Pro personal account

+// completes the save even with the enforce flag flipped.

+func TestSettingsBranches_UserKindEnforceFlipAllowsProUser(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixtureWithEnforce(t, config.EnforceConfig{

+		UserRequiredReviewers: true,

+	})

+	upgradeRepoFixtureOwnerToPro(t, f)

+	mux := f.branchesSettingsMux(f.owner.ID, f.owner.Username)

+

+	resp := httptest.NewRecorder()

+	req := newFormRequest("POST", "/alice/private-repo/settings/branches", url.Values{

+		"pattern":               {"trunk"},

+		"required_review_count": {"2"},

+	})

+	mux.ServeHTTP(resp, req)

+	if resp.Code != 303 {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if got := resp.Header().Get("Location"); got != "/alice/private-repo/settings/branches?notice=saved" {

+		t.Fatalf("Pro user with enforce should save, got %q", got)

+	}

+	assertBranchProtectionRuleCount(t, f, f.privateRepo.ID, 1)

+}

+

+// TestSettingsBranches_OrgKindUnchangedByPRO07Flags is the regression

+// guard: PRO07's per-feature flags target user kind only. Org-kind

+// gating has been on since SP05 and must not change shape when the

+// user-kind flags flip.

+func TestSettingsBranches_OrgKindUnchangedByPRO07Flags(t *testing.T) {

+	t.Parallel()

+	for _, enforce := range []config.EnforceConfig{

+		{},

+		{UserRequiredReviewers: true, UserAdvancedBranchProtection: true},

+	} {

+		f := newRepoFixtureWithEnforce(t, enforce)

+		orgID := f.insertOwnedOrg(t, "acme")

+		repo := f.insertOrgRepo(t, orgID, "private-org-repo", reposdb.RepoVisibilityPrivate)

+		mux := f.branchesSettingsMux(f.owner.ID, f.owner.Username)

+

+		resp := httptest.NewRecorder()

+		req := newFormRequest("POST", "/acme/private-org-repo/settings/branches", url.Values{

+			"pattern":               {"trunk"},

+			"required_review_count": {"2"},

+		})

+		mux.ServeHTTP(resp, req)

+		if resp.Code != 303 {

+			t.Fatalf("enforce=%+v status=%d body=%s", enforce, resp.Code, resp.Body.String())

+		}

+		if got := resp.Header().Get("Location"); got != "/acme/private-org-repo/settings/branches?notice=required-reviewers-upgrade" {

+			t.Errorf("enforce=%+v: org redirect=%q, want upgrade notice", enforce, got)

+		}

+		assertBranchProtectionRuleCount(t, f, repo.ID, 0)

+	}

+}

+

+func upgradeRepoFixtureOwnerToPro(t *testing.T, f *repoFixture) {

+	t.Helper()

+	now := time.Now().UTC()

+	suffix := strconv.FormatInt(f.owner.ID, 10)

+	_, err := billingdb.New().ApplyUserSubscriptionSnapshot(context.Background(), f.pool, billingdb.ApplyUserSubscriptionSnapshotParams{

+		UserID:               f.owner.ID,

+		Plan:                 billingdb.UserPlanPro,

+		SubscriptionStatus:   billingdb.BillingSubscriptionStatusActive,

+		StripeSubscriptionID: pgtype.Text{String: "sub_bp_pro_" + suffix, Valid: true},

+		CurrentPeriodStart:   pgtype.Timestamptz{Time: now.Add(-time.Hour), Valid: true},

+		CurrentPeriodEnd:     pgtype.Timestamptz{Time: now.Add(30 * 24 * time.Hour), Valid: true},

+		LastWebhookEventID:   "evt_bp_pro_" + suffix,

+	})

+	if err != nil {

+		t.Fatalf("upgrade owner to Pro: %v", err)

+	}

+}