tenseleyflow/shithub / 3b9dc8e

+	ActionRepoForked             Action = "repo_forked"

+	ActionRepoForkSynced         Action = "repo_fork_synced"

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package fork

+

+import (

+	"context"

+	"errors"

+	"fmt"

+

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// AheadBehindStats describes how the fork's default branch relates

+// to the source's default branch. Both numbers are commit counts:

+// `Ahead` = commits in fork not in source; `Behind` = commits in

+// source not in fork.

+//

+// `Comparable` is false when either side's default ref doesn't

+// exist (e.g. an empty fork before its first push, or a source

+// that's never been initialized). The UI renders "—" in that case.

+type AheadBehindStats struct {

+	Ahead      int

+	Behind     int

+	Comparable bool

+}

+

+// AheadBehind computes the stats by reading both default OIDs,

+// then running `rev-list --left-right --count` inside the fork's

+// bare repo. Because forks share object alternates with their

+// source, the fork can resolve OIDs from the source without an

+// explicit fetch — they're already reachable through the

+// alternates link.

+//

+// This is the floor implementation. S36's perf-pass sprint adds

+// caching keyed on `(fork_repo_id, fork_default_oid,

+// upstream_default_oid)` so the rev-list shells out only on push

+// (the deferral pointer is already in S36's spec).

+func AheadBehind(ctx context.Context, deps Deps, forkRepoID int64) (AheadBehindStats, error) {

+	rq := reposdb.New()

+	fork, err := rq.GetRepoByID(ctx, deps.Pool, forkRepoID)

+	if err != nil {

+		return AheadBehindStats{}, fmt.Errorf("ahead-behind: load fork: %w", err)

+	}

+	if !fork.ForkOfRepoID.Valid {

+		return AheadBehindStats{}, ErrSourceNotFound

+	}

+	source, err := rq.GetRepoByID(ctx, deps.Pool, fork.ForkOfRepoID.Int64)

+	if err != nil {

+		return AheadBehindStats{}, ErrSourceNotFound

+	}

+	if source.DeletedAt.Valid {

+		return AheadBehindStats{}, ErrSourceDeleted

+	}

+

+	forkOwner, err := ownerUsername(ctx, deps, fork)

+	if err != nil {

+		return AheadBehindStats{}, err

+	}

+	sourceOwner, err := ownerUsername(ctx, deps, source)

+	if err != nil {

+		return AheadBehindStats{}, err

+	}

+	forkPath, err := deps.RepoFS.RepoPath(forkOwner, fork.Name)

+	if err != nil {

+		return AheadBehindStats{}, err

+	}

+	sourcePath, err := deps.RepoFS.RepoPath(sourceOwner, source.Name)

+	if err != nil {

+		return AheadBehindStats{}, err

+	}

+

+	// Resolve both default OIDs. Either side empty → not comparable.

+	forkOID, err := repogit.ResolveRefOID(ctx, forkPath, fork.DefaultBranch)

+	if err != nil {

+		if errors.Is(err, repogit.ErrRefNotFound) {

+			return AheadBehindStats{Comparable: false}, nil

+		}

+		return AheadBehindStats{}, fmt.Errorf("ahead-behind: resolve fork: %w", err)

+	}

+	sourceOID, err := repogit.ResolveRefOID(ctx, sourcePath, source.DefaultBranch)

+	if err != nil {

+		if errors.Is(err, repogit.ErrRefNotFound) {

+			return AheadBehindStats{Comparable: false}, nil

+		}

+		return AheadBehindStats{}, fmt.Errorf("ahead-behind: resolve source: %w", err)

+	}

+	if forkOID == sourceOID {

+		return AheadBehindStats{Comparable: true}, nil

+	}

+

+	// Run the count inside the fork's repo. The fork's alternates

+	// give it visibility into source's objects, so passing

+	// `<forkOID>...<sourceOID>` resolves both ends.

+	ahead, behind, err := repogit.AheadBehind(ctx, forkPath, sourceOID, forkOID)

+	if err != nil {

+		return AheadBehindStats{}, fmt.Errorf("ahead-behind: rev-list: %w", err)

+	}

+	// repogit.AheadBehind's argument order is (base, head): ahead

+	// = "commits in head not in base"; we asked it for forkOID's

+	// ahead-of sourceOID. So the returned ahead/behind are already

+	// from the fork's perspective.

+	return AheadBehindStats{Ahead: ahead, Behind: behind, Comparable: true}, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package fork

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"strings"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// CreateParams describes a fork-create request.

+type CreateParams struct {

+	SourceRepoID  int64

+	ActorUserID   int64

+	TargetOwnerID int64 // user id; org id support lands with S31

+	// TargetName is optional. Empty defaults to the source repo's

+	// name; non-empty must pass the same name validator as repo

+	// create (the lookup against the existing rows surfaces a

+	// taken-name error if needed).

+	TargetName string

+	// TargetVisibility is optional. Empty defaults to source

+	// visibility; non-empty must pass `allowedTargetVisibility`.

+	// (Public source can fork to private; private source is

+	// pinned to private.)

+	TargetVisibility string

+}

+

+// CreateResult is the inserted fork shell. The on-disk clone hasn't

+// run yet; init_status is `init_pending`. The caller is expected to

+// enqueue the `repo:fork_clone` worker job whose payload is

+// {SourceRepoID, ForkRepoID}.

+type CreateResult struct {

+	Fork   reposdb.Repo

+	Source reposdb.Repo

+}

+

+// Create writes the fork's `repos` row, applies the fork_count

+// trigger, and emits the audit row. The on-disk clone is the

+// caller's responsibility to enqueue (the web handler does this

+// right after Create returns).

+//

+// Authorization (visibility on source, login, fork:create policy)

+// is the caller's responsibility — this orchestrator trusts the

+// handler's policy gate. Visibility floor + same-owner-name guards

+// are enforced here because they're domain rules, not auth rules.

+func Create(ctx context.Context, deps Deps, p CreateParams) (CreateResult, error) {

+	if p.ActorUserID == 0 {

+		return CreateResult{}, ErrNotLoggedIn

+	}

+	rq := reposdb.New()

+

+	source, err := rq.GetRepoByID(ctx, deps.Pool, p.SourceRepoID)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			return CreateResult{}, ErrSourceNotFound

+		}

+		return CreateResult{}, fmt.Errorf("fork: load source: %w", err)

+	}

+	if source.DeletedAt.Valid {

+		return CreateResult{}, ErrSourceDeleted

+	}

+	if source.IsArchived {

+		return CreateResult{}, ErrSourceArchived

+	}

+

+	targetName := strings.TrimSpace(p.TargetName)

+	if targetName == "" {

+		targetName = source.Name

+	}

+	// Same-owner-name shortcut: if the target owner == source owner

+	// AND the name didn't change, this is a no-op fork onto itself.

+	// Users CAN fork their own repos but must rename.

+	if source.OwnerUserID.Valid && source.OwnerUserID.Int64 == p.TargetOwnerID && targetName == source.Name {

+		return CreateResult{}, ErrSelfForkSameName

+	}

+

+	visibility, ok := allowedTargetVisibility(string(source.Visibility), p.TargetVisibility)

+	if !ok {

+		return CreateResult{}, ErrVisibilityFloor

+	}

+

+	// Check name availability against the target owner.

+	exists, err := rq.ExistsRepoForOwnerUser(ctx, deps.Pool, reposdb.ExistsRepoForOwnerUserParams{

+		OwnerUserID: pgtype.Int8{Int64: p.TargetOwnerID, Valid: true},

+		Name:        targetName,

+	})

+	if err != nil {

+		return CreateResult{}, fmt.Errorf("fork: name check: %w", err)

+	}

+	if exists {

+		return CreateResult{}, ErrTargetNameTaken

+	}

+

+	row, err := rq.CreateForkRepo(ctx, deps.Pool, reposdb.CreateForkRepoParams{

+		OwnerUserID:   pgtype.Int8{Int64: p.TargetOwnerID, Valid: true},

+		Name:          targetName,

+		Description:   source.Description,

+		Visibility:    reposdb.RepoVisibility(visibility),

+		DefaultBranch: source.DefaultBranch,

+		ForkOfRepoID:  pgtype.Int8{Int64: source.ID, Valid: true},

+	})

+	if err != nil {

+		return CreateResult{}, fmt.Errorf("fork: insert row: %w", err)

+	}

+

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, p.ActorUserID,

+			audit.ActionRepoForked, audit.TargetRepo, row.ID,

+			map[string]any{"source_repo_id": source.ID})

+	}

+	return CreateResult{Fork: row, Source: source}, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package fork owns S27's fork orchestration. The DB row for a fork

+// is created synchronously in Create; the on-disk `git clone --bare

+// --shared` runs out-of-band as a `repo:fork_clone` worker job so

+// fork creation returns fast even for large source repos.

+//

+// Sync (fast-forward fork's default branch from upstream) is the

+// other entrypoint here. Cross-fork PR support extends `internal/

+// pulls` and lives there; this package is just the fork lifecycle.

+package fork

+

+import (

+	"errors"

+	"log/slog"

+

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+)

+

+// Deps wires this package against the rest of the runtime.

+type Deps struct {

+	Pool   *pgxpool.Pool

+	RepoFS *storage.RepoFS

+	Audit  *audit.Recorder

+	Logger *slog.Logger

+}

+

+// Errors surfaced to handlers.

+var (

+	ErrNotLoggedIn          = errors.New("fork: login required")

+	ErrSourceNotFound       = errors.New("fork: source repo not found")

+	ErrSourceNotVisible     = errors.New("fork: source repo not visible to actor")

+	ErrTargetNameTaken      = errors.New("fork: target name already exists for owner")

+	ErrVisibilityFloor      = errors.New("fork: target visibility cannot exceed source visibility")

+	ErrSelfForkSameName     = errors.New("fork: forking into the same owner requires a different name")

+	ErrSourceArchived       = errors.New("fork: source repo is archived")

+	ErrSourceDeleted        = errors.New("fork: source repo is deleted")

+	ErrSyncDiverged         = errors.New("fork: fork has diverged from upstream; sync via your client")

+	ErrSyncUpToDate         = errors.New("fork: already up to date")

+	ErrSyncDefaultsMissing  = errors.New("fork: source or fork default branch is empty")

+	ErrSyncRefRaced         = errors.New("fork: ref changed concurrently; retry")

+	ErrForkNotInitialized   = errors.New("fork: fork is still being prepared")

+)

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package fork_test

+

+import (

+	"context"

+	"errors"

+	"io"

+	"log/slog"

+	"os"

+	"os/exec"

+	"path/filepath"

+	"strings"

+	"testing"

+

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	"github.com/tenseleyFlow/shithub/internal/repos/fork"

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+const fixtureHash = "$argon2id$v=19$m=16384,t=1,p=1$" +

+	"AAAAAAAAAAAAAAAA$" +

+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+

+type fx struct {

+	pool   *pgxpool.Pool

+	deps   fork.Deps

+	rfs    *storage.RepoFS

+	root   string

+	source reposdb.Repo

+	owner  usersdb.User

+	other  usersdb.User

+}

+

+// setup spins a fresh DB + on-disk repos root + a real bare source

+// repo so the fork orchestrator can exercise CloneBareShared,

+// ResolveRefOID, IsAncestor end-to-end.

+func setup(t *testing.T) fx {

+	t.Helper()

+	pool := dbtest.NewTestDB(t)

+	ctx := context.Background()

+

+	root := t.TempDir()

+	rfs, err := storage.NewRepoFS(root)

+	if err != nil {

+		t.Fatalf("NewRepoFS: %v", err)

+	}

+

+	uq := usersdb.New()

+	owner, err := uq.CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "alice", DisplayName: "Alice", PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser owner: %v", err)

+	}

+	other, err := uq.CreateUser(ctx, pool, usersdb.CreateUserParams{

+		Username: "bob", DisplayName: "Bob", PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser other: %v", err)

+	}

+

+	source, err := reposdb.New().CreateRepo(ctx, pool, reposdb.CreateRepoParams{

+		OwnerUserID:   pgtype.Int8{Int64: owner.ID, Valid: true},

+		Name:          "demo",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPublic,

+	})

+	if err != nil {

+		t.Fatalf("CreateRepo source: %v", err)

+	}

+	sourcePath, _ := rfs.RepoPath(owner.Username, source.Name)

+	if err := rfs.InitBare(ctx, sourcePath); err != nil {

+		t.Fatalf("InitBare source: %v", err)

+	}

+

+	return fx{

+		pool: pool,

+		deps: fork.Deps{

+			Pool:   pool,

+			RepoFS: rfs,

+			Logger: slog.New(slog.NewTextHandler(io.Discard, nil)),

+		},

+		rfs:    rfs,

+		root:   root,

+		source: source,

+		owner:  owner,

+		other:  other,

+	}

+}

+

+func gitCmd(args ...string) *exec.Cmd {

+	return exec.Command("git", args...) //nolint:gosec

+}

+

+// commitTo writes file=contents to a worktree of repoPath on branch

+// and commits with msg. Returns the commit OID.

+func commitTo(t *testing.T, repoPath, branch, msg, file, contents string) string {

+	t.Helper()

+	wt := t.TempDir()

+	addArgs := []string{"-C", repoPath, "worktree", "add"}

+	if _, err := gitCmd("-C", repoPath, "show-ref", "--verify", "refs/heads/"+branch).CombinedOutput(); err != nil {

+		addArgs = append(addArgs, "-b", branch, wt)

+	} else {

+		addArgs = append(addArgs, wt, branch)

+	}

+	if out, err := gitCmd(addArgs...).CombinedOutput(); err != nil {

+		t.Fatalf("worktree add %s: %v (%s)", branch, err, out)

+	}

+	defer func() {

+		_ = gitCmd("-C", repoPath, "worktree", "remove", "--force", wt).Run()

+	}()

+	if err := os.WriteFile(filepath.Join(wt, file), []byte(contents), 0o644); err != nil { //nolint:gosec

+		t.Fatalf("write %s: %v", file, err)

+	}

+	for _, a := range [][]string{

+		{"-C", wt, "config", "user.name", "Alice"},

+		{"-C", wt, "config", "user.email", "alice@example.com"},

+		{"-C", wt, "add", "."},

+		{"-C", wt, "commit", "-m", msg},

+	} {

+		if out, err := gitCmd(a...).CombinedOutput(); err != nil {

+			t.Fatalf("%v: %v (%s)", a, err, out)

+		}

+	}

+	out, err := gitCmd("-C", wt, "rev-parse", "HEAD").Output()

+	if err != nil {

+		t.Fatalf("rev-parse: %v", err)

+	}

+	return strings.TrimSpace(string(out))

+}

+

+// runForkClone simulates the worker job inline so tests can assert

+// the post-clone state without spinning up the worker pool.

+func (f fx) runForkClone(t *testing.T, sourceID, forkID int64) {

+	t.Helper()

+	ctx := context.Background()

+	rq := reposdb.New()

+	uq := usersdb.New()

+	src, _ := rq.GetRepoByID(ctx, f.pool, sourceID)

+	frk, _ := rq.GetRepoByID(ctx, f.pool, forkID)

+	srcOwner, _ := uq.GetUserByID(ctx, f.pool, src.OwnerUserID.Int64)

+	frkOwner, _ := uq.GetUserByID(ctx, f.pool, frk.OwnerUserID.Int64)

+	srcPath, _ := f.rfs.RepoPath(srcOwner.Username, src.Name)

+	frkPath, _ := f.rfs.RepoPath(frkOwner.Username, frk.Name)

+	if err := f.rfs.CloneBareShared(ctx, srcPath, frkPath); err != nil {

+		t.Fatalf("CloneBareShared: %v", err)

+	}

+	_ = rq.SetRepoInitStatus(ctx, f.pool, reposdb.SetRepoInitStatusParams{

+		ID: forkID, InitStatus: reposdb.RepoInitStatusInitialized,

+	})

+}

+

+func TestCreate_Basic(t *testing.T) {

+	f := setup(t)

+	res, err := fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	if res.Fork.InitStatus != reposdb.RepoInitStatusInitPending {

+		t.Errorf("init_status: got %s, want init_pending", res.Fork.InitStatus)

+	}

+	if !res.Fork.ForkOfRepoID.Valid || res.Fork.ForkOfRepoID.Int64 != f.source.ID {

+		t.Errorf("fork_of_repo_id: got %v, want %d", res.Fork.ForkOfRepoID, f.source.ID)

+	}

+	// Trigger should have bumped source's fork_count.

+	src, _ := reposdb.New().GetRepoByID(context.Background(), f.pool, f.source.ID)

+	if src.ForkCount != 1 {

+		t.Errorf("source.fork_count: got %d, want 1", src.ForkCount)

+	}

+}

+

+func TestCreate_VisibilityFloor_PrivateToPublic(t *testing.T) {

+	f := setup(t)

+	// Flip source to private.

+	_, err := f.pool.Exec(context.Background(),

+		"UPDATE repos SET visibility = 'private' WHERE id = $1", f.source.ID)

+	if err != nil {

+		t.Fatalf("flip private: %v", err)

+	}

+	_, err = fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:     f.source.ID,

+		ActorUserID:      f.other.ID,

+		TargetOwnerID:    f.other.ID,

+		TargetVisibility: "public",

+	})

+	if !errors.Is(err, fork.ErrVisibilityFloor) {

+		t.Errorf("expected ErrVisibilityFloor, got %v", err)

+	}

+}

+

+func TestCreate_VisibilityFloor_PublicToPrivate_OK(t *testing.T) {

+	f := setup(t)

+	res, err := fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:     f.source.ID,

+		ActorUserID:      f.other.ID,

+		TargetOwnerID:    f.other.ID,

+		TargetVisibility: "private",

+	})

+	if err != nil {

+		t.Fatalf("Create public→private: %v", err)

+	}

+	if res.Fork.Visibility != reposdb.RepoVisibilityPrivate {

+		t.Errorf("fork visibility: got %s, want private", res.Fork.Visibility)

+	}

+}

+

+func TestCreate_SelfForkSameName_Rejected(t *testing.T) {

+	f := setup(t)

+	_, err := fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.owner.ID,

+		TargetOwnerID: f.owner.ID,

+	})

+	if !errors.Is(err, fork.ErrSelfForkSameName) {

+		t.Errorf("expected ErrSelfForkSameName, got %v", err)

+	}

+}

+

+func TestCreate_SelfForkRenamed_OK(t *testing.T) {

+	f := setup(t)

+	res, err := fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.owner.ID,

+		TargetOwnerID: f.owner.ID,

+		TargetName:    "demo-fork",

+	})

+	if err != nil {

+		t.Fatalf("self-fork renamed: %v", err)

+	}

+	if res.Fork.Name != "demo-fork" {

+		t.Errorf("fork name: got %s, want demo-fork", res.Fork.Name)

+	}

+}

+

+func TestCreate_TargetNameTaken(t *testing.T) {

+	f := setup(t)

+	// other already has a "demo" repo.

+	_, err := reposdb.New().CreateRepo(context.Background(), f.pool, reposdb.CreateRepoParams{

+		OwnerUserID:   pgtype.Int8{Int64: f.other.ID, Valid: true},

+		Name:          "demo",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPublic,

+	})

+	if err != nil {

+		t.Fatalf("CreateRepo collision: %v", err)

+	}

+	_, err = fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if !errors.Is(err, fork.ErrTargetNameTaken) {

+		t.Errorf("expected ErrTargetNameTaken, got %v", err)

+	}

+}

+

+func TestCreate_SourceArchived(t *testing.T) {

+	f := setup(t)

+	_, err := f.pool.Exec(context.Background(),

+		"UPDATE repos SET is_archived = true WHERE id = $1", f.source.ID)

+	if err != nil {

+		t.Fatalf("archive: %v", err)

+	}

+	_, err = fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if !errors.Is(err, fork.ErrSourceArchived) {

+		t.Errorf("expected ErrSourceArchived, got %v", err)

+	}

+}

+

+// TestForkCount_DecrementOnDelete confirms the fork_count trigger

+// honors the AFTER DELETE path (the spec promises this and S16's

+// hard-delete cascade depends on it).

+func TestForkCount_DecrementOnDelete(t *testing.T) {

+	f := setup(t)

+	res, err := fork.Create(context.Background(), f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	if _, err := f.pool.Exec(context.Background(),

+		"DELETE FROM repos WHERE id = $1", res.Fork.ID); err != nil {

+		t.Fatalf("delete fork: %v", err)

+	}

+	src, _ := reposdb.New().GetRepoByID(context.Background(), f.pool, f.source.ID)

+	if src.ForkCount != 0 {

+		t.Errorf("source.fork_count after fork delete: got %d, want 0", src.ForkCount)

+	}

+}

+

+// --- Sync tests --------------------------------------------------------

+

+func TestSync_FastForward(t *testing.T) {

+	f := setup(t)

+	ctx := context.Background()

+	sourcePath, _ := f.rfs.RepoPath(f.owner.Username, f.source.Name)

+	commitTo(t, sourcePath, "trunk", "init", "README.md", "v1\n")

+

+	res, err := fork.Create(ctx, f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	f.runForkClone(t, f.source.ID, res.Fork.ID)

+

+	// Source advances; fork is now strictly behind.

+	commitTo(t, sourcePath, "trunk", "v2", "README.md", "v2\n")

+

+	syncRes, err := fork.Sync(ctx, f.deps, f.other.ID, res.Fork.ID)

+	if err != nil {

+		t.Fatalf("Sync: %v", err)

+	}

+	forkPath, _ := f.rfs.RepoPath(f.other.Username, res.Fork.Name)

+	got, _ := repogit.ResolveRefOID(ctx, forkPath, "trunk")

+	if got != syncRes.NewOID {

+		t.Errorf("fork tip after sync: got %s, want %s", got, syncRes.NewOID)

+	}

+}

+

+func TestSync_UpToDate(t *testing.T) {

+	f := setup(t)

+	ctx := context.Background()

+	sourcePath, _ := f.rfs.RepoPath(f.owner.Username, f.source.Name)

+	commitTo(t, sourcePath, "trunk", "init", "README.md", "v1\n")

+

+	res, err := fork.Create(ctx, f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	f.runForkClone(t, f.source.ID, res.Fork.ID)

+

+	// Both sides at same OID: sync returns ErrSyncUpToDate.

+	_, err = fork.Sync(ctx, f.deps, f.other.ID, res.Fork.ID)

+	if !errors.Is(err, fork.ErrSyncUpToDate) {

+		t.Errorf("expected ErrSyncUpToDate, got %v", err)

+	}

+}

+

+func TestSync_Diverged(t *testing.T) {

+	f := setup(t)

+	ctx := context.Background()

+	sourcePath, _ := f.rfs.RepoPath(f.owner.Username, f.source.Name)

+	commitTo(t, sourcePath, "trunk", "init", "README.md", "v1\n")

+

+	res, err := fork.Create(ctx, f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	f.runForkClone(t, f.source.ID, res.Fork.ID)

+	forkPath, _ := f.rfs.RepoPath(f.other.Username, res.Fork.Name)

+

+	// Both sides advance independently — diverged.

+	commitTo(t, sourcePath, "trunk", "src v2", "README.md", "src-v2\n")

+	commitTo(t, forkPath, "trunk", "fork v2", "README.md", "fork-v2\n")

+

+	_, err = fork.Sync(ctx, f.deps, f.other.ID, res.Fork.ID)

+	if !errors.Is(err, fork.ErrSyncDiverged) {

+		t.Errorf("expected ErrSyncDiverged, got %v", err)

+	}

+}

+

+// --- Ahead/behind tests ------------------------------------------------

+

+func TestAheadBehind_StrictlyBehind(t *testing.T) {

+	f := setup(t)

+	ctx := context.Background()

+	sourcePath, _ := f.rfs.RepoPath(f.owner.Username, f.source.Name)

+	commitTo(t, sourcePath, "trunk", "init", "README.md", "v1\n")

+

+	res, err := fork.Create(ctx, f.deps, fork.CreateParams{

+		SourceRepoID:  f.source.ID,

+		ActorUserID:   f.other.ID,

+		TargetOwnerID: f.other.ID,

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	f.runForkClone(t, f.source.ID, res.Fork.ID)

+	commitTo(t, sourcePath, "trunk", "v2", "README.md", "v2\n")

+	commitTo(t, sourcePath, "trunk", "v3", "README.md", "v3\n")

+

+	stats, err := fork.AheadBehind(ctx, f.deps, res.Fork.ID)

+	if err != nil {

+		t.Fatalf("AheadBehind: %v", err)

+	}

+	if !stats.Comparable || stats.Ahead != 0 || stats.Behind != 2 {

+		t.Errorf("stats: got %+v, want {Ahead:0 Behind:2 Comparable:true}", stats)

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package fork

+

+import (

+	"context"

+	"fmt"

+

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+// ownerUsername resolves the username string for a repo owner. Only

+// user-owned repos are supported today; org-owned repos surface

+// when S31 lands. Returns an error rather than guessing when the

+// repo isn't user-owned so the caller fails loudly during the

+// transition rather than silently misroute.

+func ownerUsername(ctx context.Context, deps Deps, repo reposdb.Repo) (string, error) {

+	if !repo.OwnerUserID.Valid {

+		return "", fmt.Errorf("fork: repo %d has no user owner (org-owned repos arrive in S31)", repo.ID)

+	}

+	u, err := usersdb.New().GetUserByID(ctx, deps.Pool, repo.OwnerUserID.Int64)

+	if err != nil {

+		return "", fmt.Errorf("fork: load owner: %w", err)

+	}

+	return u.Username, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package fork

+

+import (

+	"context"

+	"errors"

+	"fmt"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// SyncResult describes what Sync did. Reasons cover the four

+// outcomes the spec enumerates: fast-forwarded, already up to date,

+// diverged (refused), or default-branch-missing (typically a freshly

+// initialized fork or upstream that's never been pushed to).

+type SyncResult struct {

+	OldOID string

+	NewOID string

+}

+

+// Sync fast-forwards the fork's default branch to the upstream's.

+// Refuses on diverged history (as the spec mandates — anything else

+// belongs in the user's client). The CAS via UpdateRefCAS catches

+// concurrent pushes to the fork: if a push lands between our read

+// and our update, we return ErrSyncRefRaced and the caller can ask

+// the user to retry.

+//

+// The handler MUST authorize via policy.Can(ActionRepoWrite) on the

+// fork before calling — Sync mutates the fork's refs and is a write

+// action. Read access on the source is implied by ownership of the

+// fork (you forked it; you saw it then).

+func Sync(ctx context.Context, deps Deps, actorUserID, forkRepoID int64) (SyncResult, error) {

+	rq := reposdb.New()

+	fork, err := rq.GetRepoByID(ctx, deps.Pool, forkRepoID)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			return SyncResult{}, ErrSourceNotFound

+		}

+		return SyncResult{}, fmt.Errorf("sync: load fork: %w", err)

+	}

+	if fork.InitStatus != reposdb.RepoInitStatusInitialized {

+		return SyncResult{}, ErrForkNotInitialized

+	}

+	if !fork.ForkOfRepoID.Valid {

+		return SyncResult{}, ErrSourceNotFound

+	}

+	source, err := rq.GetRepoByID(ctx, deps.Pool, fork.ForkOfRepoID.Int64)

+	if err != nil {

+		// Source was hard-deleted (orphaned fork). Sync isn't

+		// applicable; surface as not-found.

+		return SyncResult{}, ErrSourceNotFound

+	}

+	if source.DeletedAt.Valid {

+		return SyncResult{}, ErrSourceDeleted

+	}

+

+	forkOwner, err := ownerUsername(ctx, deps, fork)

+	if err != nil {

+		return SyncResult{}, err

+	}

+	sourceOwner, err := ownerUsername(ctx, deps, source)

+	if err != nil {

+		return SyncResult{}, err

+	}

+	forkPath, err := deps.RepoFS.RepoPath(forkOwner, fork.Name)

+	if err != nil {

+		return SyncResult{}, err

+	}

+	sourcePath, err := deps.RepoFS.RepoPath(sourceOwner, source.Name)

+	if err != nil {

+		return SyncResult{}, err

+	}

+

+	// Fork and source must agree on the default branch name. If they

+	// don't, the fast-forward gate doesn't have an obvious answer and

+	// we refuse — the user's client can sync arbitrary refs if they

+	// really want to.

+	branch := fork.DefaultBranch

+	if branch == "" || source.DefaultBranch == "" {

+		return SyncResult{}, ErrSyncDefaultsMissing

+	}

+

+	upstreamOID, err := repogit.ResolveRefOID(ctx, sourcePath, branch)

+	if err != nil {

+		return SyncResult{}, fmt.Errorf("sync: resolve upstream %s: %w", branch, err)

+	}

+	forkOID, err := repogit.ResolveRefOID(ctx, forkPath, branch)

+	if err != nil {

+		// Fork branch doesn't exist (an empty fork) — fall through

+		// to the create-ref path below by passing the zero OID. git

+		// update-ref accepts the literal 40-zero string as "must not

+		// exist yet" semantics.

+		forkOID = "0000000000000000000000000000000000000000"

+	}

+	if forkOID == upstreamOID {

+		return SyncResult{}, ErrSyncUpToDate

+	}

+	if forkOID != "0000000000000000000000000000000000000000" {

+		ancestor, err := repogit.IsAncestor(ctx, forkPath, forkOID, upstreamOID)

+		if err != nil {

+			return SyncResult{}, fmt.Errorf("sync: ancestor check: %w", err)

+		}

+		if !ancestor {

+			// fork has commits upstream doesn't — diverged.

+			return SyncResult{}, ErrSyncDiverged

+		}

+	}

+

+	// CAS update. The fork's bare repo holds the alternates pointing

+	// at source's objects, so the upstream OID is reachable from the

+	// fork's perspective without an explicit fetch.

+	ref := "refs/heads/" + branch

+	if err := repogit.UpdateRefCAS(ctx, forkPath, ref, upstreamOID, forkOID); err != nil {

+		if errors.Is(err, repogit.ErrRefRaced) {

+			return SyncResult{}, ErrSyncRefRaced

+		}

+		return SyncResult{}, fmt.Errorf("sync: update-ref: %w", err)

+	}

+

+	// Update the cached default_branch_oid on the fork so the home

+	// view reflects the new tip without waiting for a push:process

+	// tick (update-ref bypasses the post-receive hook here, same

+	// reason as the merge handler's fix in the audit-remediation

+	// sprint).

+	_ = rq.UpdateRepoDefaultBranchOID(ctx, deps.Pool, reposdb.UpdateRepoDefaultBranchOIDParams{

+		ID:               fork.ID,

+		DefaultBranchOid: pgtype.Text{String: upstreamOID, Valid: true},

+	})

+

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoForkSynced, audit.TargetRepo, fork.ID,

+			map[string]any{"old_oid": forkOID, "new_oid": upstreamOID, "branch": branch})

+	}

+	return SyncResult{OldOID: forkOID, NewOID: upstreamOID}, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package fork

+

+// allowedTargetVisibility enforces the visibility floor: a fork's

+// visibility must be ≤ source's. Forking public → private is fine

+// (the user is just choosing to keep their copy private); forking

+// private → public would expose previously-private content and is

+// always rejected.

+//

+// Returns "" + false when the proposed shape isn't allowed.

+func allowedTargetVisibility(source, target string) (string, bool) {

+	switch source {

+	case "public":

+		// Any target visibility is allowed; default to public if blank.

+		if target == "" {

+			return "public", true

+		}

+		return target, target == "public" || target == "private"

+	case "private":

+		// Forking a private repo never expands its reach; target must

+		// stay private. Empty defaults to private.

+		if target == "" || target == "private" {

+			return "private", true

+		}

+		return "", false

+	}

+	return "", false

+}