tenseleyflow/shithub / 2f1f48e

+# Two-factor authentication

+

+Two-factor authentication (2FA) requires a second proof — beyond

+your password — before you can sign in. shithub supports

+**TOTP** (Time-based One-Time Password): six-digit codes from an

+authenticator app that change every 30 seconds.

+

+Strongly recommended. Account takeover is the most common bad

+outcome on a forge; a stolen password by itself can't sign in if

+2FA is on.

+

+## Setting up TOTP

+

+1. Settings → Account security → Two-factor authentication →

+   "Enable TOTP".

+2. Open your authenticator (Google Authenticator, 1Password,

+   Authy, etc.) and scan the QR code. The text-form secret is

+   shown beneath the QR if your app needs it.

+3. Enter the six-digit code from the app to confirm enrollment.

+4. **Save the recovery codes** that appear. There are 10. Each is

+   single-use. Store them somewhere your authenticator-device

+   loss won't take with it (password manager, paper safe).

+

+You're now enrolled. The next sign-in will ask for the code after

+the password.

+

+## Recovery codes

+

+If you lose your authenticator (phone died, factory reset, etc.),

+recovery codes are your way back in.

+

+- Each code works **once**.

+- Used codes are crossed off — you can see which are spent.

+- When you have ≤2 unused codes left, the UI nudges you to

+  regenerate. Regenerating invalidates all previous codes.

+

+If you exhaust all 10 codes, the only path back in is operator

+intervention — they cannot give you your codes back, but they can

+disable 2FA on the account after verifying your identity through

+a side channel.

+

+## Disabling 2FA

+

+Settings → Account security → "Disable TOTP". Requires entering

+the current TOTP code.

+

+This is recorded in your audit log. If you didn't disable 2FA,

+treat that audit row as evidence of compromise and rotate

+everything (password, all PATs, all SSH keys).

+

+## Sign-in flow with 2FA

+

+1. Username + password.

+2. If correct, you're prompted for the six-digit code (or "use a

+   recovery code").

+3. Code accepted → signed in.

+

+## What 2FA does and doesn't protect

+

+- **Protects against** stolen passwords (phishing, leaked-DB

+  reuse, shoulder-surfing).

+- **Does not protect against** stolen sessions — once you're

+  signed in, the session cookie is the access. Use "Sign out

+  everywhere" if a device is lost.

+- **Does not protect** PAT-based git or API access — PATs are

+  separate credentials; rotate them on the same cadence as

+  passwords.

+# Account settings

+

+Your settings are split into a small number of pages reachable

+from the avatar menu.

+

+## Profile

+

+Display name, bio, location, website, company, pronouns. Visible

+on your profile page (`/<username>`). Markdown is **not** rendered

+in the bio — it's plain text with hyperlinks auto-linked.

+

+## Emails

+

+You can have multiple email addresses on one account. One is

+**primary** (used for notifications and as the default committer

+match), the others are secondary (still match commits authored

+with that email).

+

+Each email is independently verified — until you click the link

+sent to it, that address can't be used as primary.

+

+## Password

+

+Change with the current password. Successful change invalidates

+**every** session except the current one (the session-epoch

+mechanism). Other devices will be signed out.

+

+## Two-factor authentication

+

+See [TOTP & recovery codes](./2fa.md). Strongly recommended.

+

+## Sessions

+

+Lists every active session with device + last-used time. "Sign

+out everywhere" bumps your session epoch — every other session is

+killed instantly. Use this if you suspect an unauthorized sign-in.

+

+## SSH and GPG keys

+

+- **SSH keys** authenticate `git@shithub.example:...` operations.

+- **GPG keys** verify signed commits — when a commit's signature

+  matches a registered GPG key, the commit shows a "Verified"

+  badge in history.

+

+Each key shows last-used timestamp; rotate when devices are lost.

+

+## Personal access tokens

+

+See [PATs](./personal-access-tokens.md).

+

+## Notifications

+

+See [Notifications](./notifications.md).

+

+## Audit log

+

+Settings → Audit log lists security-relevant actions on your

+account: sign-ins, password changes, 2FA toggles, key add/remove,

+PAT create/revoke, suspension events. Each row carries the IP and

+user-agent at the time. Export as JSON if you need to share with

+an operator during incident response.

+

+## Delete account

+

+The bottom of Settings → Account has a delete button. It requires

+typing your username for confirmation. Deletion:

+

+- Marks the account for soft-delete with a 30-day grace.

+- Hides your repos, issues, comments, and PRs immediately.

+- Frees the username after grace; until then, the username is

+  reserved.

+

+Within the grace period, signing in restores the account fully.

+After grace, the deletion is final; comments and issues you

+authored are reattributed to a `ghost` user.

+# Branch protection & reviews

+

+Branch protection lets a repo admin guard specific branches —

+typically `main` — from direct pushes, force-pushes, deletion,

+and merges that don't meet the team's review/CI bar.

+

+Configured at Repository → Settings → Branches.

+

+## Per-rule controls

+

+A rule applies to one or more branches by name pattern (`main`,

+`release/*`, etc.). Each rule can independently:

+

+- **Require pull request before merging** — direct pushes to the

+  branch are rejected. The only way in is a merged PR.

+- **Require N approvals** — a PR can't merge without that many

+  approvals from users with write access.

+- **Dismiss stale approvals on new commits** — when the PR head

+  moves, prior approvals are wiped.

+- **Require approval from someone other than the last pusher** —

+  the author of the most recent push to the PR can't be one of

+  the approvers.

+- **Require conversation resolution** — every line comment must

+  be marked "Resolved" before merge.

+- **Require status checks** — list of CI check names. The PR's

+  head commit must report success on each before merge enables.

+- **Require status checks to be up-to-date** — head must include

+  the latest base commit before checks count.

+- **Restrict who can push** (for non-PR pushes if PRs aren't

+  required) — list of users/teams.

+- **Disallow force-pushes**.

+- **Disallow deletions**.

+- **Lock branch** — read-only; no merges either. Used for

+  archived release lines.

+

+## How reviews count

+

+- Approvals from users with **read-only** access on the repo

+  don't count.

+- An approval is dismissed if the reviewer is removed from the

+  repo.

+- "Request changes" blocks merge until the same reviewer

+  re-reviews (Approve or Comment) — a different reviewer's

+  Approve does not lift the block.

+

+## Status checks

+

+Status checks come from external CI runners (or, in the future,

+shithub's own runner). A check has:

+

+- **Context** — the name (e.g., `ci/lint`, `ci/test`).

+- **State** — `pending`, `success`, `failure`, `error`.

+- **Description** — short human text.

+- **Target URL** — link to the run details.

+

+The first time a context name appears on the repo, you can add

+it to the required-checks list. The PR's merge gate evaluates

+the **head commit's most recent state per context**.

+

+## Bypass

+

+A repo admin can bypass branch protection for a single push

+(per-action; not a permanent setting) — useful for emergencies.

+The bypass is recorded in the audit log with the admin's id and

+the affected commits.

+# Cloning over HTTPS with a PAT

+

+For git over HTTPS, you authenticate with a **personal access

+token** (PAT), not your account password. This matches GitHub's

+behavior since 2021 and reflects the same security thinking:

+account passwords are more sensitive than scoped, revocable

+tokens.

+

+## 1. Create a PAT

+

+Settings → Developer settings → Personal access tokens → "New

+token".

+

+- **Note** — name the token after where you'll use it ("laptop",

+  "ci-runner-1"). Future-you will thank present-you.

+- **Expiration** — pick the shortest interval that's tolerable.

+  Tokens you forget about are tokens an attacker eventually finds.

+- **Scopes** — for git push/pull from a workstation, pick `repo`

+  (read+write). For read-only mirroring, `repo:read` is enough.

+

+When you submit, the token is shown **once**. Copy it immediately

+into your password manager — we never display it again.

+

+## 2. Clone

+

+```sh

+git clone https://shithub.example/<owner>/<repo>.git

+```

+

+When git asks for credentials:

+

+- **Username:** your shithub username.

+- **Password:** the PAT.

+

+## 3. Cache credentials

+

+Typing the PAT every push gets old. Use a credential helper:

+

+- **macOS:** `git config --global credential.helper osxkeychain`

+- **Windows:** `git config --global credential.helper manager`

+- **Linux (GNOME):** `git config --global credential.helper

+  /usr/share/doc/git/contrib/credential/libsecret/...`

+- **Anywhere, in a pinch:** `git config --global credential.helper

+  cache` (in-memory, default 15-minute TTL).

+

+The helper stores `(url, username, password)`; the next push to

+the same host reuses it.

+

+## 4. Use a CI runner

+

+In CI, set the username/password as secrets and inject them via

+the URL or `~/.netrc`. Use a token with the narrowest scope the

+job needs and a short expiration.

+

+```sh

+git clone https://x-access-token:${SHITHUB_PAT}@shithub.example/owner/repo.git

+```

+

+Because the token is in the URL, make sure your CI doesn't echo

+the URL into logs.

+

+## When pushes fail

+

+| Symptom                                              | Likely cause                              |

+|------------------------------------------------------|-------------------------------------------|

+| `403 Forbidden` on push                              | Token lacks `repo` write scope.           |

+| `401 Unauthorized` immediately                       | Wrong username, expired token, or the token was revoked. |

+| `protected branch hook declined`                     | Branch protection requires PR + reviews — push to a feature branch instead. |

+| `pre-receive hook declined: repo over quota`        | Repo size cap hit; see your operator.     |

+| `error: failed to push some refs … updates were rejected` | Standard git non-fast-forward — pull/rebase first. |

+# Issues

+

+Issues track bugs, ideas, and conversations against a repository.

+Anyone with read access to a repo can see its issues; opening and

+commenting depends on the repo's settings (open to all logged-in

+users by default).

+

+## Opening an issue

+

+Repo → Issues → "New issue". Required:

+

+- **Title** — one line.

+- **Body** — markdown ([reference](./markdown.md)). Drag-and-drop

+  attachments upload to the repo's blob store.

+

+Optional:

+

+- **Labels** — colored tags maintainers use for triage.

+- **Assignees** — who's expected to handle it.

+- **Milestone** — group issues toward a release/target.

+

+## References

+

+shithub auto-links these in issue + comment bodies:

+

+- `#123` — issue or PR in this repo.

+- `owner/repo#123` — issue or PR in another repo.

+- `@username` — user mention; they get a notification.

+- `@org/team` — team mention; every member is notified.

+- Commit SHAs (full or 7+ chars) — link to the commit page.

+

+## Closing

+

+Three ways an issue closes:

+

+- Manually, via the "Close" button.

+- Via a referenced commit/PR — `Fixes #123` or `Closes #123` in a

+  merged PR's title or body auto-closes the issue.

+- Via API.

+

+Closed issues stay visible; you can reopen them.

+

+## Comments + reactions

+

+Each comment supports the same markdown as the body. Reactions

+(👍 👎 😄 🎉 😕 ❤️ 🚀 👀) live on every issue/comment as a way to

+signal agreement without adding "+1" noise.

+

+## Locking

+

+Maintainers can lock a conversation. Locked issues accept no new

+comments or reactions; existing content stays.

+

+## Filters and search

+

+The Issues list supports filters:

+

+- `is:open` / `is:closed`

+- `author:<user>`

+- `assignee:<user>`

+- `label:"good first issue"`

+- `milestone:"v1.0"`

+- `mentions:<user>`

+- `commenter:<user>`

+- Sort: newest, oldest, most commented, recently updated.

+

+Free-text after the filter narrows by title + body.

+# Markdown reference

+

+shithub renders user-authored markdown — issue bodies, comments,

+PR descriptions, READMEs — through a CommonMark + GFM parser

+with a UGC-safe sanitizer. The set we support is close to

+GitHub's, with a few deliberate omissions.

+

+## Basics

+

+```

+# Heading 1

+## Heading 2

+### Heading 3

+

+**bold**, *italic*, ~~strikethrough~~, `inline code`.

+

+> A blockquote.

+

+- bullet

+- list

+

+1. ordered

+2. list

+

+[link text](https://example.com)

+

+![alt text](https://example.com/image.png)

+

+---  (horizontal rule)

+```

+

+## Code

+

+Three-backtick fenced blocks with an optional language tag. The

+language drives syntax highlighting (chroma).

+

+````

+```go

+func main() {

+    fmt.Println("hello")

+}

+```

+````

+

+## Tables

+

+GFM-style:

+

+```

+| Column A | Column B |

+|----------|----------|

+| cell 1   | cell 2   |

+| cell 3   | cell 4   |

+```

+

+Alignment with `:`:

+

+```

+| Left | Center | Right |

+|:-----|:------:|------:|

+```

+

+## Task lists

+

+```

+- [x] done

+- [ ] todo

+```

+

+Checkboxes are clickable in issues and PRs you can edit.

+

+## References

+

+shithub auto-links these in any user-authored markdown:

+

+- `#123` — issue or PR in the current repo.

+- `owner/repo#123` — issue/PR in another repo.

+- `@username` — user mention; notifies them.

+- `@org/team` — team mention.

+- A SHA (full or 7+ chars) — commit link.

+

+## Emoji shortcodes

+

+`:rocket:` → 🚀, `:eyes:` → 👀, etc. The set matches GitHub's

+shortcode list.

+

+## What we don't support

+

+- **Inline HTML** — sanitized away. Use markdown alternatives.

+- **`<style>` / `<script>`** — sanitized away.

+- **Custom HTML attributes** (`onclick`, `style`, `id` on arbitrary

+  elements) — stripped.

+- **Footnotes** — not yet (planned).

+- **MathJax / KaTeX** — not yet (planned).

+- **Mermaid diagrams** — not yet (post-MVP).

+- **Image attributes** like `<img width="200">` — strip-and-render

+  without the attribute. Use markdown image syntax with a small

+  thumbnail upstream.

+

+## Why a sanitizer?

+

+User-authored markdown is the largest XSS surface on a forge.

+shithub renders through a single helper (`internal/markdown`)

+that runs every input through a `bluemonday` UGC policy after

+parsing. Anything outside the supported set is silently dropped,

+not preserved as escaped text.

+

+## Previewing

+

+Issue and PR forms have a "Preview" tab that renders the markdown

+through the exact same pipeline we use for the saved version.

+What you see in preview is what you'll see after submit.

+# Notifications

+

+shithub notifies you when something happens that needs your

+attention: an issue is assigned, a review is requested, a comment

+mentions you, a watched repo has new activity.

+

+Two delivery channels:

+

+- **In-app inbox** at `/notifications`.

+- **Email** to your primary email.

+

+Both are driven by the same routing rules.

+

+## Watch levels

+

+For each repo, your subscription level is one of:

+

+- **Ignore** — never notify, even on direct mentions.

+- **Participating only** (default for repos you've never touched)

+  — notify only when something concerns you directly: you're

+  assigned, mentioned, your comment was replied to, your PR has

+  a review.

+- **All activity** — every issue, PR, comment, push gets a

+  notification.

+- **Custom** — pick which event categories you want.

+

+Set the level from the repo header's "Watch" dropdown.

+

+## Auto-subscribe

+

+You're auto-subscribed to:

+

+- Issues + PRs you opened.

+- Issues + PRs you commented on (until you unsubscribe via the

+  "Unsubscribe" button on the thread).

+- Issues + PRs you're assigned to or your review is requested on.

+

+Auto-subscribe lives at the **thread** level, not the repo level —

+unsubscribing from one issue doesn't change anything else.

+

+## Reading the inbox

+

+The `/notifications` page lists unread + pinned threads.

+- **Mark as read** — collapse and remove from the unread list.

+- **Mark as done** — archive; comes back if there's new activity.

+- **Mute thread** — never notify on this thread again, even on

+  new mentions.

+

+Filters: by repo, by reason (mention, review-requested, assigned,

+etc.), and by read/unread.

+

+## Email behavior

+

+- Each notification is one email; we don't bundle (yet).

+- Subject: `[<repo>] <issue title> (#<n>)`.

+- Reply-by-email is **not supported** — replies bounce. We don't

+  want to be in the email-thread-state-management business.

+- Each email has a one-click **HMAC-signed unsubscribe link**

+  that moves the thread to muted without a sign-in step.

+

+## Stop emails entirely

+

+Settings → Notifications → "Email delivery: never". The in-app

+inbox keeps working.

+

+## How frequently we email

+

+There's no digest mode (yet). Emails go out as the events happen.

+If that's too much, switch the repo to "Participating only" or

+mute specific threads.

+# Organizations & teams

+

+Organizations group people and repos under a shared namespace.

+A repo at `acme/widget` is owned by the `acme` org, and access

+is managed through teams + direct collaborators.

+

+## Creating an org

+

+Account menu → "New organization". You'll need:

+

+- A name — same rules as usernames; cannot collide with an

+  existing user or org.

+- A primary email (for billing/notifications; org settings only).

+

+The creator is the first owner.

+

+## Roles

+

+- **Owner** — full admin: settings, billing, member management,

+  any repo. There must always be at least one owner.

+- **Member** — appears in the org's people list; sees public + the

+  private repos a team grants them.

+

+A user can be both an owner and a team member.

+

+## Inviting members

+

+Org → People → "Invite member". Type an existing username or

+email. The invitee gets a notification + email; they accept on a

+landing page and become a member immediately.

+

+Invitations expire after 7 days; resend or revoke from the same

+page.

+

+## Removing members

+

+Owner → click a member → "Remove". The user loses team

+memberships and any direct grants the org had given them. If they

+authored issues/PRs, those stay; if they had pending invitations,

+those are cancelled.

+

+## Teams

+

+Teams are how you grant repo access at scale.

+

+- **Create:** Org → Teams → "New team".

+- **Members:** add org members; non-members must be invited to

+  the org first.

+- **Repo access:** add repos with one of `read`, `triage`, `write`,

+  `maintain`, `admin`. Multiple teams can grant on the same repo;

+  the user's effective permission is the **maximum**.

+- **One-level nesting:** a team can have a parent team. Members

+  of a parent team are also considered members of every child

+  team for permission purposes.

+

+## Mentioning a team

+

+`@acme/security` in any markdown body notifies every member of

+that team. Useful for review requests and triage.

+

+## Org-owned repos

+

+Indistinguishable from user-owned repos in most ways; the

+difference is that access is governed by team grants instead of

+the owner being a single user.

+

+## Audit

+

+Org → Settings → Audit log surfaces org-level events: member

+add/remove, team create/delete, repo transferred in/out, role

+changes. Same per-row IP + user-agent capture as the personal

+audit log.

+# Personal access tokens

+

+Personal access tokens (PATs) are scoped, expirable credentials

+you create from your account settings. They're how you

+authenticate to the API and to git over HTTPS.

+

+PATs are **not** passwords:

+

+- They have an expiration.

+- They have scopes — a token cannot do what its scopes don't grant.

+- They are listed in your settings with a "last used" timestamp.

+- They can be revoked individually without changing your password.

+

+## Scopes

+

+Pick the smallest set the consumer needs.

+

+| Scope          | What it allows                                                       |

+|----------------|----------------------------------------------------------------------|

+| `repo:read`    | Read repos you can already see (public + your private + collabs).    |

+| `repo`         | Above + push, manage settings on repos you own/admin.                |

+| `user:read`    | Read your profile + email.                                           |

+| `user`         | Above + edit profile, emails.                                        |

+| `notifications`| Read + mark-read your notification inbox.                            |

+| `webhooks`     | Manage webhooks on repos you own/admin.                              |

+| `admin:org`    | Org management (membership, teams) for orgs you admin.               |

+| `gist`         | Reserved for future Gists feature; non-functional today.             |

+

+Scopes only **grant**; they never elevate. A `repo` scope on your

+PAT cannot push to a repo you don't have write access to.

+

+## Creating a PAT

+

+Settings → Developer settings → Personal access tokens → "New

+token".

+

+- **Note** — what is this token for? "ci-runner staging" beats

+  "test1".

+- **Expiration** — pick the smallest tolerable; 90 days is a

+  reasonable default. "Never" is available but discouraged.

+- **Scopes** — check only what you need.

+

+The token is displayed **once**. Copy it now; we cannot show it

+to you again. If you lose it, revoke and re-create.

+

+## Token format

+

+Tokens are 40 characters of base32 with a `shp_` prefix:

+

+```

+shp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

+```

+

+The prefix is recognized by GitHub-style secret-scanning tools.

+If you accidentally publish a token, secret scanners may notify

+you (and us); revoke immediately.

+

+## Using a PAT

+

+- **Git over HTTPS:** username = your shithub username, password

+  = the PAT. See [HTTPS clone](./https.md).

+- **API:** `Authorization: Bearer <token>` or `Authorization:

+  token <token>`.

+

+## Revoking

+

+Settings → Developer settings → Personal access tokens shows every

+PAT on the account. Click "Revoke" — the token stops working

+immediately. Anything using it will get `401`.

+

+If you suspect a token leaked, revoke first and investigate after.

+# Pull requests

+

+A pull request (PR) proposes merging one branch into another.

+The PR is the conversation around the diff — review comments,

+status checks, the merge itself.

+

+## Opening a PR

+

+1. Push a branch to the repo (or to your fork).

+2. Visit the repo and click the "Compare & pull request" prompt

+   that appears, or go to Pull requests → "New pull request".

+3. Pick **base** (where you want to merge into) and **compare**

+   (your branch).

+4. Title + body. Markdown supported. Reference issues with

+   `Fixes #N` to auto-close on merge.

+

+The PR shows the file diff, commit list, and any pre-existing

+status checks for the head commit.

+

+## Reviewing

+

+Open a PR → "Files changed" tab.

+

+- **Comment on a line:** click the `+` in the gutter.

+- **Suggest a change:** in the comment, pick "Suggestion" — your

+  inline patch becomes a one-click commit the author can apply.

+- **Submit a review:** "Review changes" → choose:

+  - **Comment** — observations, no verdict.

+  - **Approve** — green checkmark, counts toward the required-

+    reviewer threshold (if branch protection is on).

+  - **Request changes** — red X, blocks merge until dismissed or

+    re-reviewed.

+

+A reviewer can leave many inline comments and bundle them into

+one review submission.

+

+## Merging

+

+Three merge methods (the maintainer picks per repo or per PR if

+multiple are enabled):

+

+- **Merge commit** — the classic non-fast-forward merge with a

+  commit that has both parents. Preserves all PR commits as-is.

+- **Squash and merge** — replaces every PR commit with one

+  squashed commit on the base branch. PR title/body becomes the

+  commit message.

+- **Rebase and merge** — replays the PR's commits onto the base.

+  No merge commit; linear history.

+

+shithub detects merge conflicts up front and prevents merge

+until the PR head is updated. Use the "Update branch" button to

+merge or rebase the base into your branch (the maintainer picks

+which strategy is allowed).

+

+## Branch protection gates

+

+If the base branch is protected, the merge button is disabled

+until:

+

+- Required status checks pass (CI integrations report success).

+- Required number of approvals collected.

+- "Request changes" reviews resolved (dismiss or re-review).

+- Conversations resolved (if "Require conversation resolution" is on).

+

+See [Branch protection & reviews](./branch-protection.md).

+

+## Draft PRs

+

+Open as draft to signal "not ready yet, but visible". Drafts

+cannot be merged. Convert to "Ready for review" when you want

+reviewers.

+

+## After merge

+

+- The head branch can be auto-deleted (account-level + per-repo

+  setting).

+- Linked issues with `Fixes #N` close automatically.

+- Watchers + subscribers get notifications.

+# Quickstart

+

+This walks the simplest possible path: sign up, create a repo,

+clone it, push a commit. About five minutes.

+

+## 1. Sign up

+

+Visit `/signup`. You'll need:

+

+- A working email address (a verification link is sent there).

+- A username — letters, numbers, and dashes; not in our reserved

+  list (the form tells you if it is).

+- A password — 12 characters minimum and not in the common-password

+  list. Argon2id is used to hash; we never store the plaintext.

+

+After you submit, the verification email arrives within a minute.

+Click the link to activate the account. Until you do, you can sign

+in but most write actions are gated.

+

+## 2. Create a repository

+

+Sign in and click "New repository" (or visit `/new`).

+

+- **Name** — alphanumerics and dashes; can't collide with your

+  existing repos.

+- **Visibility** — public (anyone can read) or private (only you

+  + collaborators).

+- **Initialize** — optionally add a README, a `.gitignore` (pick

+  from the templates), and a license. If you initialize, the repo

+  has commits immediately and you can clone right away. If you

+  don't, the repo is empty and you'll see push instructions.

+

+## 3. Clone the repo

+

+The repo page shows a "Code" dropdown with a clone URL. For

+HTTPS you'll need a [personal access

+token](./personal-access-tokens.md) — your account password does

+not work for git operations.

+

+```sh

+git clone https://shithub.example/<your-username>/<repo>.git

+cd <repo>

+```

+

+When prompted for credentials, the username is your shithub

+username and the password is the PAT.

+

+## 4. Push a commit

+

+```sh

+echo "hello" >> README.md

+git add README.md

+git commit -m "say hello"

+git push origin main

+```

+

+Refresh the repo page — your commit appears in the history. If

+this is your first push, the repo's default branch is set to

+whatever you pushed (usually `main`).

+

+## Where to go next

+

+- [Set up SSH](./ssh.md) so you don't have to enter a token every

+  push.

+- [Open your first issue](./issues.md).

+- [Open a pull request](./pull-requests.md) — branch, push,

+  compare.

+- [Configure notifications](./notifications.md) so you don't get

+  buried.

+# Search

+

+Top-bar search opens a quick palette: type and you'll see matching

+repos, users, issues, and code snippets. Pressing enter takes you

+to the full search results page with filters.

+

+The full results page (`/search`) supports four scopes:

+

+- **Code** — file content + path matches across repos you can see.

+- **Repositories** — repo names, descriptions, topics.

+- **Issues + PRs** — across repos you can see.

+- **Users** — usernames, display names.

+

+## Filters and operators

+

+The search bar supports a small grammar inspired by GitHub's:

+

+| Operator                  | Effect                                                |

+|---------------------------|-------------------------------------------------------|

+| `repo:owner/name`         | Restrict to one repo.                                 |

+| `org:name`                | Restrict to repos owned by an org.                    |

+| `user:name`               | Restrict to a user's repos.                           |

+| `path:src/`               | Restrict by file path prefix.                         |

+| `extension:go`            | Restrict by file extension.                           |

+| `language:go`             | Restrict by detected language.                        |

+| `author:name`             | (issues/PRs) author.                                  |

+| `commenter:name`          | (issues/PRs) someone commented.                       |

+| `is:open` / `is:closed`   | (issues/PRs) state.                                   |

+| `is:pr` / `is:issue`      | Narrow to PR or issue.                                |

+| `label:"good first issue"`| (issues/PRs) labelled.                                |

+| `milestone:"v1.0"`        | (issues/PRs) milestoned.                              |

+| `created:2026-01-01..2026-04-01` | Date range (ISO 8601).                         |

+| `-foo`                    | Negate.                                               |

+

+Quoted strings are exact; unquoted strings are tokenized.

+

+## Visibility rules

+

+Search only ever returns results you would be allowed to see:

+

+- Public repos and their content/issues/PRs are searchable

+  without sign-in.

+- Private repos require you to have read access (collaborator,

+  team member, owner).

+- Search through someone else's PAT or session never reveals

+  results to your own queries — each user's search is scoped to

+  their own visibility.

+

+## Indexing latency

+

+- New repos are indexed within seconds of the first push.

+- Subsequent pushes update the index within a few seconds.

+- Issue + PR text is indexed inside the same transaction that

+  created the row — searchable immediately.

+

+If you push but the new content isn't appearing in search after

+~30 seconds, the indexer is backed up; try the file directly via

+the repo's tree view to confirm the data exists. Operators

+monitor index lag; persistent staleness is an alert.

+# Cloning over SSH

+

+> **Status:** the SSH transport is planned but not yet shipped.

+> Until it lands, use [HTTPS with a PAT](./https.md). The procedure

+> below is what the SSH path will look like; the underlying server

+> infrastructure (per-key authorization, command-locked sessions)

+> already exists in the codebase.

+

+SSH lets you push and pull without re-entering credentials each

+time. shithub authenticates each connection by SSH public key:

+the key fingerprint maps to a user, and the session is locked to

+the git protocol — you cannot get a shell.

+

+## 1. Generate an SSH key

+

+Skip this if you already have a key you're happy with

+(`~/.ssh/id_ed25519.pub` typically).

+

+```sh

+ssh-keygen -t ed25519 -C "you@example.com"

+```

+

+Accept the default path. Set a passphrase if you want belt-and-

+braces; `ssh-agent` will remember it for the session.

+

+## 2. Copy the public key

+

+```sh

+cat ~/.ssh/id_ed25519.pub

+```

+

+Copy the entire line, including the `ssh-ed25519` prefix and the

+trailing comment.

+

+## 3. Add the key in shithub

+

+Settings → SSH and GPG keys → "New SSH key". Paste the key, give

+it a label (e.g., "laptop"), save.

+

+The page shows the fingerprint shithub computed; verify it matches

+what `ssh-keygen -l -f ~/.ssh/id_ed25519.pub` prints locally.

+

+## 4. Test the connection

+

+```sh

+ssh -T git@shithub.example

+```

+

+You'll see a confirmation message. The `-T` disables PTY allocation;

+shithub's SSH service refuses TTYs anyway.

+

+## 5. Clone with SSH

+

+```sh

+git clone git@shithub.example:<owner>/<repo>.git

+```

+

+Subsequent pushes don't prompt — the agent presents the key, the

+server matches the fingerprint to your account, and the session

+is locked to `git-receive-pack` / `git-upload-pack`.

+

+## Removing or rotating a key

+

+Settings → SSH and GPG keys lists every key on the account with

+its last-used timestamp. Remove a key the moment a device is lost

+or decommissioned — the next `git push` from that device will be

+rejected.

+# Webhooks

+

+Webhooks send HTTP POSTs to your URL when something happens in a

+repo (push, PR opened, issue commented, etc.). Configured at

+Repository → Settings → Webhooks → "Add webhook".

+

+## Configuration

+

+- **Payload URL** — the HTTPS endpoint we POST to. HTTP is

+  rejected on production instances.

+- **Content type** — `application/json` (default) or

+  `application/x-www-form-urlencoded`.

+- **Secret** — used to HMAC-sign each delivery. We strongly

+  recommend setting one. The secret is stored AEAD-encrypted at

+  rest; you cannot retrieve it after creation, only replace it.

+- **Events** — pick "Just push", "Send everything", or specific

+  events.

+- **Active** — toggle without deleting.

+

+## Signature verification

+

+Each delivery includes:

+

+- `X-Shithub-Event: <event-name>` — e.g., `push`, `pull_request`.

+- `X-Shithub-Delivery: <uuid>` — unique per delivery (idempotent).

+- `X-Shithub-Signature-256: sha256=<hex>` — HMAC-SHA256 of the

+  raw body using your configured secret.

+

+**Always verify the signature before trusting the payload.**

+Constant-time comparison; never compare with `==`.

+

+### Go

+

+```go

+func verify(body []byte, sig, secret string) bool {

+    sig = strings.TrimPrefix(sig, "sha256=")

+    mac := hmac.New(sha256.New, []byte(secret))

+    mac.Write(body)

+    expected := hex.EncodeToString(mac.Sum(nil))

+    return hmac.Equal([]byte(sig), []byte(expected))

+}

+```

+

+### Python

+

+```python

+import hmac, hashlib

+

+def verify(body: bytes, sig: str, secret: str) -> bool:

+    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

+    sig = sig.removeprefix("sha256=")

+    return hmac.compare_digest(sig, expected)

+```

+

+### Node.js

+

+```js

+const crypto = require("crypto");

+

+function verify(body, sig, secret) {

+  const expected = "sha256=" + crypto

+    .createHmac("sha256", secret)

+    .update(body)

+    .digest("hex");

+  return crypto.timingSafeEqual(

+    Buffer.from(sig),

+    Buffer.from(expected),

+  );

+}

+```

+

+The body must be the **raw request body**, not the parsed JSON.

+Frameworks that auto-parse will give you the wrong bytes.

+

+## Idempotency

+

+Use `X-Shithub-Delivery` as your idempotency key. We may retry a

+delivery if your endpoint returns 5xx or times out, so processing

+the same delivery twice should be safe in your system.

+

+## Retries

+

+A delivery is retried on:

+

+- Network error.

+- 5xx response.

+- Timeout (default 10s).

+

+Retry schedule: exponential backoff with jitter, up to ~6 retries

+over ~24h. After 50 consecutive failures, the webhook **auto-

+disables** to stop bombarding a broken endpoint. You'll see a

+banner on the webhook config page; flip "Active" back on once

+the endpoint is fixed.

+

+## Inspecting deliveries

+

+Webhook detail page → "Recent deliveries". Each row shows:

+

+- Event + delivery ID + timestamp.

+- Request headers + (truncated) body we sent.

+- Response status + headers + (truncated) body we got back.

+- "Redeliver" — re-sends the original payload with the same

+  signature.

+

+Stored bodies are capped at 32 KiB (your endpoint can accept

+bigger; we just don't keep more for the inspector).

+

+## SSRF defense

+

+shithub validates webhook URLs server-side: hostnames are

+resolved, IPs are checked against a block-list (RFC1918, link-

+local, loopback, multicast, 169.254.0.0/16, etc.), and the

+request is dialed to the resolved IP — no following CNAMEs into

+internal address space at delivery time.

+

+Operators of self-hosted instances can opt in to private

+destinations via an `AllowedHosts` list — see

+[self-host configuration](../self-host/configuration.md).