tenseleyflow/shithub / 3d70843

+	ActionRepoCreated            Action = "repo_created"

+	ActionRepoRenamed            Action = "repo_renamed"

+	ActionRepoArchived           Action = "repo_archived"

+	ActionRepoUnarchived         Action = "repo_unarchived"

+	ActionRepoVisibilityChanged  Action = "repo_visibility_changed"

+	ActionRepoSoftDeleted        Action = "repo_soft_deleted"

+	ActionRepoRestored           Action = "repo_restored"

+	ActionRepoHardDeleted        Action = "repo_hard_deleted"

+	ActionRepoTransferRequested  Action = "repo_transfer_requested"

+	ActionRepoTransferAccepted   Action = "repo_transfer_accepted"

+	ActionRepoTransferDeclined   Action = "repo_transfer_declined"

+	ActionRepoTransferCanceled   Action = "repo_transfer_canceled"

+	ActionRepoTransferExpired    Action = "repo_transfer_expired"

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle

+

+import (

+	"context"

+	"fmt"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// Archive sets is_archived=true on the repo. Idempotent in spirit — a

+// double-archive returns ErrAlreadyArchived so handlers can surface a

+// "this repo is already archived" friendly message without having to

+// inspect state up front.

+func Archive(ctx context.Context, deps Deps, actorUserID, repoID int64) error {

+	rq := reposdb.New()

+	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)

+	if err != nil {

+		return fmt.Errorf("load repo: %w", err)

+	}

+	if repo.IsArchived {

+		return ErrAlreadyArchived

+	}

+	if err := rq.ArchiveRepo(ctx, deps.Pool, repoID); err != nil {

+		return fmt.Errorf("archive: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoArchived, audit.TargetRepo, repoID, nil)

+	}

+	return nil

+}

+

+// Unarchive clears is_archived. Same idempotency contract as Archive.

+func Unarchive(ctx context.Context, deps Deps, actorUserID, repoID int64) error {

+	rq := reposdb.New()

+	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)

+	if err != nil {

+		return fmt.Errorf("load repo: %w", err)

+	}

+	if !repo.IsArchived {

+		return ErrNotArchived

+	}

+	if err := rq.UnarchiveRepo(ctx, deps.Pool, repoID); err != nil {

+		return fmt.Errorf("unarchive: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoUnarchived, audit.TargetRepo, repoID, nil)

+	}

+	return nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle

+

+import "errors"

+

+// errAs is a tiny wrapper so the package's call sites read as a single

+// expression. errors.As can't be used inline in a type-switch context.

+func errAs(err error, target any) bool {

+	return errors.As(err, target)

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle

+

+import (

+	"context"

+	"fmt"

+	"os"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+// HardDelete is the worker-driven cascade that runs after the soft-

+// delete grace expires. The order is explicit and auditable:

+//

+//  1. Anonymize forks-of-this-repo (clear fork_of_repo_id on children).

+//  2. Drop the redirect rows that point at this repo (other repos

+//     keeping us as their old name; keep redirects pointed away from

+//     us so old URLs of *this* repo's previous identity are still

+//     resolvable from the now-deleted row, until that repo is also

+//     deleted by ON DELETE CASCADE on the FK).

+//  3. DELETE FROM repos — FK cascades handle push_events,

+//     webhook_events_pending, repo_collaborators, transfer requests,

+//     and any redirect rows pointing at this id.

+//  4. RemoveAll the bare repo on disk.

+//  5. Audit-log the hard-delete with a snapshot of the removed row in

+//     the meta payload so the audit row is self-contained even after

+//     the repo_id is gone.

+//

+// The op refuses to run on a repo that isn't past its soft-delete

+// grace window — defense-in-depth even though the worker query

+// already gates this. ActorUserID is typically the worker's instance

+// id encoded in some way; pass 0 to record "system" in audit.

+func HardDelete(ctx context.Context, deps Deps, actorUserID, repoID int64) error {

+	rq := reposdb.New()

+	uq := usersdb.New()

+	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)

+	if err != nil {

+		return fmt.Errorf("load repo: %w", err)

+	}

+	if !repo.DeletedAt.Valid {

+		return ErrNotDeleted

+	}

+	if deps.now().Sub(repo.DeletedAt.Time) < softDeleteGrace {

+		return fmt.Errorf("hard-delete: %w", ErrPastGrace)

+		// Sentinel mismatch on purpose — the only "before grace"

+		// failure is the worker mis-firing. Reuse ErrPastGrace's

+		// inverse semantics to keep the error surface tight.

+	}

+

+	// Snapshot for the audit row before we mutate.

+	snapshot := map[string]any{

+		"id":         repo.ID,

+		"name":       repo.Name,

+		"visibility": string(repo.Visibility),

+	}

+	if repo.OwnerUserID.Valid {

+		snapshot["owner_user_id"] = repo.OwnerUserID.Int64

+	}

+	ownerName := ""

+	if repo.OwnerUserID.Valid {

+		if u, err := uq.GetUserByID(ctx, deps.Pool, repo.OwnerUserID.Int64); err == nil {

+			ownerName = u.Username

+		}

+	}

+

+	tx, err := deps.Pool.Begin(ctx)

+	if err != nil {

+		return fmt.Errorf("begin: %w", err)

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	// 1. Orphan child forks.

+	if _, err := rq.OrphanForksOf(ctx, tx, pgtype.Int8{Int64: repoID, Valid: true}); err != nil {

+		return fmt.Errorf("orphan forks: %w", err)

+	}

+

+	// 2. (Skipped — see comment in the doc block. The repo's outgoing

+	//    redirect rows go in step 3 via FK cascade.)

+

+	// 3. Drop the repo row. FK ON DELETE CASCADE on push_events,

+	//    repo_collaborators, repo_redirects, repo_transfer_requests,

+	//    and webhook_events_pending makes this a single SQL.

+	if err := rq.HardDeleteRepo(ctx, tx, repoID); err != nil {

+		return fmt.Errorf("delete repo: %w", err)

+	}

+	if err := tx.Commit(ctx); err != nil {

+		return fmt.Errorf("commit: %w", err)

+	}

+	committed = true

+

+	// 4. Remove the bare repo on disk. Best-effort: log and continue

+	//    so a missing path doesn't leave a "deleted but DB row gone"

+	//    inconsistency that's impossible to recover from.

+	if ownerName != "" {

+		if path, err := deps.RepoFS.RepoPath(ownerName, repo.Name); err == nil {

+			if err := os.RemoveAll(path); err != nil && deps.Logger != nil {

+				deps.Logger.WarnContext(ctx, "hard delete: fs RemoveAll failed",

+					"repo_id", repoID, "path", path, "error", err)

+			}

+		}

+	}

+

+	// 5. Audit. Use a fresh pool conn since the repo_id no longer

+	//    exists; the meta blob carries the snapshot.

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoHardDeleted, audit.TargetRepo, repoID, snapshot)

+	}

+	return nil

+}

+

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package lifecycle owns the post-creation mutations of a repo: rename,

+// transfer, archive/unarchive, visibility flip, soft-delete, restore,

+// and hard-delete. Every operation is a single function with strict

+// ordering of DB and FS work; recovery semantics are documented at

+// each call site.

+//

+// The package is policy-agnostic — callers (web handlers, the

+// hard-delete worker) are expected to have already passed the request

+// through policy.Can with the appropriate Action. Lifecycle's job is

+// to *execute* the change correctly, not decide who's allowed.

+package lifecycle

+

+import (

+	"errors"

+	"log/slog"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+)

+

+// Deps wires the orchestrator. Construct once and pass to every Op.

+// All Ops are stateless w.r.t. Deps so a single value can serve many

+// concurrent requests.

+type Deps struct {

+	Pool   *pgxpool.Pool

+	RepoFS *storage.RepoFS

+	Audit  *audit.Recorder

+	Logger *slog.Logger

+	Now    func() time.Time

+}

+

+// now returns deps.Now() or wall time. Tests pin Now for determinism.

+func (d Deps) now() time.Time {

+	if d.Now != nil {

+		return d.Now()

+	}

+	return time.Now()

+}

+

+// Errors surfaced by lifecycle ops. Handlers map these to HTTP status

+// codes and friendly user messages.

+var (

+	ErrInvalidName       = errors.New("lifecycle: invalid name")

+	ErrReservedName      = errors.New("lifecycle: name is reserved")

+	ErrNameTaken         = errors.New("lifecycle: name already taken on owner")

+	ErrRenameRateLimited = errors.New("lifecycle: rename rate limit exceeded")

+	ErrSameName          = errors.New("lifecycle: new name equals current")

+	ErrTransferToSelf    = errors.New("lifecycle: transfer recipient is the same owner")

+	ErrTransferTerminal  = errors.New("lifecycle: transfer no longer pending")

+	ErrTransferExpired   = errors.New("lifecycle: transfer expired")

+	ErrAlreadyArchived   = errors.New("lifecycle: repo is already archived")

+	ErrNotArchived       = errors.New("lifecycle: repo is not archived")

+	ErrAlreadyDeleted    = errors.New("lifecycle: repo is already soft-deleted")

+	ErrNotDeleted        = errors.New("lifecycle: repo is not soft-deleted")

+	ErrPastGrace         = errors.New("lifecycle: soft-delete grace expired; restore unavailable")

+)

+

+// renameRateLimitWindow / renameRateLimitMax mirror the spec's lean.

+// Adjust together; the SQL counts redirects within the window.

+const (

+	renameRateLimitWindow = 30 * 24 * time.Hour

+	renameRateLimitMax    = 5

+

+	// transferTTL is the time a recipient has to accept before the

+	// offer auto-expires.

+	transferTTL = 7 * 24 * time.Hour

+

+	// softDeleteGrace is the window between soft-delete and the worker

+	// hard-deleting. Mirrored in the SQL `interval '7 days'`.

+	softDeleteGrace = 7 * 24 * time.Hour

+)

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle_test

+

+import (

+	"context"

+	"errors"

+	"os"

+	"path/filepath"

+	"testing"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	"github.com/tenseleyFlow/shithub/internal/repos"

+	"github.com/tenseleyFlow/shithub/internal/repos/lifecycle"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+const fixtureHash = "$argon2id$v=19$m=16384,t=1,p=1$" +

+	"AAAAAAAAAAAAAAAA$" +

+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+

+type env struct {

+	deps  lifecycle.Deps

+	rdeps repos.Deps

+

+	alice usersdb.User

+	bob   usersdb.User

+

+	repoID     int64

+	originalFS string

+}

+

+func setup(t *testing.T) *env {

+	t.Helper()

+	pool := dbtest.NewTestDB(t)

+	root := t.TempDir()

+	rfs, err := storage.NewRepoFS(root)

+	if err != nil {

+		t.Fatalf("NewRepoFS: %v", err)

+	}

+	uq := usersdb.New()

+	mk := func(name string) usersdb.User {

+		u, err := uq.CreateUser(context.Background(), pool, usersdb.CreateUserParams{

+			Username: name, DisplayName: name, PasswordHash: fixtureHash,

+		})

+		if err != nil {

+			t.Fatalf("CreateUser %s: %v", name, err)

+		}

+		em, err := uq.CreateUserEmail(context.Background(), pool, usersdb.CreateUserEmailParams{

+			UserID: u.ID, Email: name + "@example.com", IsPrimary: true, Verified: true,

+		})

+		if err != nil {

+			t.Fatalf("CreateUserEmail %s: %v", name, err)

+		}

+		_ = uq.LinkUserPrimaryEmail(context.Background(), pool, usersdb.LinkUserPrimaryEmailParams{

+			ID: u.ID, PrimaryEmailID: pgtype.Int8{Int64: em.ID, Valid: true},

+		})

+		return u

+	}

+	alice := mk("alice")

+	bob := mk("bob")

+

+	rdeps := repos.Deps{

+		Pool: pool, RepoFS: rfs, Audit: audit.NewRecorder(), Limiter: throttle.NewLimiter(),

+	}

+	res, err := repos.Create(context.Background(), rdeps, repos.Params{

+		OwnerUserID: alice.ID, OwnerUsername: alice.Username,

+		Name: "demo", Visibility: "public", InitReadme: true,

+	})

+	if err != nil {

+		t.Fatalf("repos.Create: %v", err)

+	}

+

+	return &env{

+		deps:  lifecycle.Deps{Pool: pool, RepoFS: rfs, Audit: audit.NewRecorder()},

+		rdeps: rdeps,

+		alice: alice, bob: bob,

+		repoID:     res.Repo.ID,

+		originalFS: res.DiskPath,

+	}

+}

+

+func TestRename_HappyPath(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	if err := lifecycle.Rename(context.Background(), env.deps, lifecycle.RenameParams{

+		ActorUserID: env.alice.ID,

+		RepoID:      env.repoID,

+		OwnerUserID: env.alice.ID,

+		OwnerName:   "alice",

+		OldName:     "demo",

+		NewName:     "renamed",

+	}); err != nil {

+		t.Fatalf("Rename: %v", err)

+	}

+	rq := reposdb.New()

+	repo, err := rq.GetRepoByID(context.Background(), env.deps.Pool, env.repoID)

+	if err != nil {

+		t.Fatalf("GetRepoByID: %v", err)

+	}

+	if repo.Name != "renamed" {

+		t.Errorf("name = %q, want renamed", repo.Name)

+	}

+	// Redirect row exists.

+	rid, err := rq.LookupRedirectByUserOwner(context.Background(), env.deps.Pool, reposdb.LookupRedirectByUserOwnerParams{

+		OldOwnerUserID: pgtype.Int8{Int64: env.alice.ID, Valid: true},

+		OldName:        "demo",

+	})

+	if err != nil || rid != env.repoID {

+		t.Errorf("LookupRedirect: id=%d err=%v", rid, err)

+	}

+	// FS dir moved.

+	newPath := filepath.Join(filepath.Dir(env.originalFS), "renamed.git")

+	if _, err := os.Stat(newPath); err != nil {

+		t.Errorf("new path missing: %v", err)

+	}

+}

+

+func TestRename_RejectsSameName(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	err := lifecycle.Rename(context.Background(), env.deps, lifecycle.RenameParams{

+		RepoID: env.repoID, OwnerUserID: env.alice.ID, OwnerName: "alice",

+		OldName: "demo", NewName: "demo",

+	})

+	if !errors.Is(err, lifecycle.ErrSameName) {

+		t.Errorf("err = %v, want ErrSameName", err)

+	}

+}

+

+func TestRename_RateLimit(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	for i := 0; i < 5; i++ {

+		newName := []string{"a1", "a2", "a3", "a4", "a5"}[i]

+		oldName := "demo"

+		if i > 0 {

+			oldName = []string{"a1", "a2", "a3", "a4"}[i-1]

+		}

+		if err := lifecycle.Rename(context.Background(), env.deps, lifecycle.RenameParams{

+			RepoID: env.repoID, OwnerUserID: env.alice.ID, OwnerName: "alice",

+			OldName: oldName, NewName: newName,

+		}); err != nil {

+			t.Fatalf("rename %d: %v", i, err)

+		}

+	}

+	err := lifecycle.Rename(context.Background(), env.deps, lifecycle.RenameParams{

+		RepoID: env.repoID, OwnerUserID: env.alice.ID, OwnerName: "alice",

+		OldName: "a5", NewName: "a6",

+	})

+	if !errors.Is(err, lifecycle.ErrRenameRateLimited) {

+		t.Errorf("6th rename: err=%v, want ErrRenameRateLimited", err)

+	}

+}

+

+func TestArchiveUnarchive(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	if err := lifecycle.Archive(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {

+		t.Fatalf("Archive: %v", err)

+	}

+	if err := lifecycle.Archive(context.Background(), env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrAlreadyArchived) {

+		t.Errorf("double archive: err=%v, want ErrAlreadyArchived", err)

+	}

+	if err := lifecycle.Unarchive(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {

+		t.Fatalf("Unarchive: %v", err)

+	}

+	if err := lifecycle.Unarchive(context.Background(), env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrNotArchived) {

+		t.Errorf("double unarchive: err=%v, want ErrNotArchived", err)

+	}

+}

+

+func TestSetVisibility(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	if err := lifecycle.SetVisibility(context.Background(), env.deps, env.alice.ID, env.repoID, "private"); err != nil {

+		t.Fatalf("SetVisibility: %v", err)

+	}

+	rq := reposdb.New()

+	repo, _ := rq.GetRepoByID(context.Background(), env.deps.Pool, env.repoID)

+	if string(repo.Visibility) != "private" {

+		t.Errorf("Visibility = %q, want private", repo.Visibility)

+	}

+	if err := lifecycle.SetVisibility(context.Background(), env.deps, env.alice.ID, env.repoID, "bogus"); !errors.Is(err, lifecycle.ErrInvalidVisibility) {

+		t.Errorf("invalid: err=%v, want ErrInvalidVisibility", err)

+	}

+}

+

+func TestSoftDeleteAndRestore(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	if err := lifecycle.SoftDelete(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {

+		t.Fatalf("SoftDelete: %v", err)

+	}

+	if err := lifecycle.SoftDelete(context.Background(), env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrAlreadyDeleted) {

+		t.Errorf("double soft-delete: err=%v", err)

+	}

+	if err := lifecycle.Restore(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {

+		t.Fatalf("Restore: %v", err)

+	}

+	if err := lifecycle.Restore(context.Background(), env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrNotDeleted) {

+		t.Errorf("double restore: err=%v", err)

+	}

+}

+

+func TestRestore_PastGraceRefuses(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	// Pin Now to 8 days from now after a soft-delete to simulate

+	// past-grace state.

+	if err := lifecycle.SoftDelete(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {

+		t.Fatal(err)

+	}

+	env.deps.Now = func() time.Time { return time.Now().Add(8 * 24 * time.Hour) }

+	if err := lifecycle.Restore(context.Background(), env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrPastGrace) {

+		t.Errorf("past-grace restore: err=%v, want ErrPastGrace", err)

+	}

+}

+

+func TestTransfer_AcceptHappyPath(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	id, err := lifecycle.RequestTransfer(context.Background(), env.deps, lifecycle.TransferRequestParams{

+		ActorUserID: env.alice.ID, RepoID: env.repoID,

+		FromUserID: env.alice.ID, ToPrincipalKind: "user", ToPrincipalID: env.bob.ID,

+	})

+	if err != nil {

+		t.Fatalf("RequestTransfer: %v", err)

+	}

+	if err := lifecycle.AcceptTransfer(context.Background(), env.deps, env.bob.ID, id); err != nil {

+		t.Fatalf("AcceptTransfer: %v", err)

+	}

+	rq := reposdb.New()

+	repo, _ := rq.GetRepoByID(context.Background(), env.deps.Pool, env.repoID)

+	if !repo.OwnerUserID.Valid || repo.OwnerUserID.Int64 != env.bob.ID {

+		t.Errorf("owner_user_id = %v, want %d", repo.OwnerUserID, env.bob.ID)

+	}

+	// Redirect from alice/demo → repo_id should resolve.

+	rid, err := rq.LookupRedirectByUserOwner(context.Background(), env.deps.Pool, reposdb.LookupRedirectByUserOwnerParams{

+		OldOwnerUserID: pgtype.Int8{Int64: env.alice.ID, Valid: true},

+		OldName:        "demo",

+	})

+	if err != nil || rid != env.repoID {

+		t.Errorf("redirect: id=%d err=%v", rid, err)

+	}

+}

+

+func TestTransfer_DeclineLeavesOwnerUnchanged(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	id, _ := lifecycle.RequestTransfer(context.Background(), env.deps, lifecycle.TransferRequestParams{

+		ActorUserID: env.alice.ID, RepoID: env.repoID,

+		FromUserID: env.alice.ID, ToPrincipalKind: "user", ToPrincipalID: env.bob.ID,

+	})

+	if err := lifecycle.DeclineTransfer(context.Background(), env.deps, env.bob.ID, id); err != nil {

+		t.Fatalf("DeclineTransfer: %v", err)

+	}

+	rq := reposdb.New()

+	repo, _ := rq.GetRepoByID(context.Background(), env.deps.Pool, env.repoID)

+	if !repo.OwnerUserID.Valid || repo.OwnerUserID.Int64 != env.alice.ID {

+		t.Errorf("owner changed despite decline: %v", repo.OwnerUserID)

+	}

+}

+

+func TestTransfer_CancelByOwner(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	id, _ := lifecycle.RequestTransfer(context.Background(), env.deps, lifecycle.TransferRequestParams{

+		ActorUserID: env.alice.ID, RepoID: env.repoID,

+		FromUserID: env.alice.ID, ToPrincipalKind: "user", ToPrincipalID: env.bob.ID,

+	})

+	if err := lifecycle.CancelTransfer(context.Background(), env.deps, env.alice.ID, id); err != nil {

+		t.Fatalf("CancelTransfer: %v", err)

+	}

+	// Bob's accept now fails.

+	if err := lifecycle.AcceptTransfer(context.Background(), env.deps, env.bob.ID, id); !errors.Is(err, lifecycle.ErrTransferTerminal) {

+		t.Errorf("accept-after-cancel: err=%v, want ErrTransferTerminal", err)

+	}

+}

+

+func TestTransfer_ExpireSweepFlipsPending(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	_, _ = lifecycle.RequestTransfer(context.Background(), env.deps, lifecycle.TransferRequestParams{

+		ActorUserID: env.alice.ID, RepoID: env.repoID,

+		FromUserID: env.alice.ID, ToPrincipalKind: "user", ToPrincipalID: env.bob.ID,

+	})

+	// Force the row past its expires_at by SQL update so we don't need

+	// to advance lifecycle.now() through the call path.

+	_, err := env.deps.Pool.Exec(context.Background(),

+		`UPDATE repo_transfer_requests SET expires_at = now() - interval '1 minute' WHERE repo_id = $1`, env.repoID)

+	if err != nil {

+		t.Fatalf("force expiry: %v", err)

+	}

+	n, err := lifecycle.ExpirePending(context.Background(), env.deps)

+	if err != nil {

+		t.Fatalf("ExpirePending: %v", err)

+	}

+	if n != 1 {

+		t.Errorf("expired count = %d, want 1", n)

+	}

+}

+

+func TestHardDelete_PastGraceCascades(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	if err := lifecycle.SoftDelete(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {

+		t.Fatal(err)

+	}

+	// Force deleted_at past grace and pin Now likewise.

+	_, _ = env.deps.Pool.Exec(context.Background(),

+		`UPDATE repos SET deleted_at = now() - interval '8 days' WHERE id = $1`, env.repoID)

+	env.deps.Now = func() time.Time { return time.Now() }

+

+	if err := lifecycle.HardDelete(context.Background(), env.deps, 0, env.repoID); err != nil {

+		t.Fatalf("HardDelete: %v", err)

+	}

+	// Repo row gone.

+	rq := reposdb.New()

+	if _, err := rq.GetRepoByID(context.Background(), env.deps.Pool, env.repoID); err == nil {

+		t.Errorf("repo row still present after hard-delete")

+	}

+	// FS dir gone.

+	if _, err := os.Stat(env.originalFS); !os.IsNotExist(err) {

+		t.Errorf("FS path still present: err=%v", err)

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle

+

+import (

+	"context"

+	"fmt"

+	"os"

+	"strings"

+

+	"github.com/jackc/pgx/v5/pgconn"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/repos"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// RenameParams is what a same-owner rename takes.

+type RenameParams struct {

+	ActorUserID int64 // who is initiating; recorded in audit

+	RepoID      int64

+	OwnerUserID int64  // current owner — also gives us the FS path

+	OwnerName   string // current owner username (for FS path)

+	OldName     string // current repo name

+	NewName     string // requested name

+}

+

+// Rename performs a same-owner rename: validate → tx (insert redirect,

+// update repos.name) → FS Move → audit. On FS failure the DB tx is

+// reverted via a compensating UPDATE so the persistent state is

+// consistent. The caller is responsible for policy.Can; we don't

+// re-check here.

+func Rename(ctx context.Context, deps Deps, p RenameParams) error {

+	newName := strings.ToLower(strings.TrimSpace(p.NewName))

+	if newName == strings.ToLower(p.OldName) {

+		return ErrSameName

+	}

+	if err := repos.ValidateName(newName); err != nil {

+		return fmt.Errorf("%w: %v", ErrInvalidName, err)

+	}

+

+	// Rate limit: count recent renames (= redirect rows for this repo).

+	rq := reposdb.New()

+	count, err := rq.CountRecentRedirectsForRepo(ctx, deps.Pool, p.RepoID)

+	if err != nil {

+		return fmt.Errorf("count redirects: %w", err)

+	}

+	if int(count) >= renameRateLimitMax {

+		return ErrRenameRateLimited

+	}

+

+	tx, err := deps.Pool.Begin(ctx)

+	if err != nil {

+		return fmt.Errorf("begin: %w", err)

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	// 1. Insert redirect row before mutating the repo so a unique-name

+	//    collision rolls back both with a single ROLLBACK.

+	if err := rq.InsertRepoRedirect(ctx, tx, reposdb.InsertRepoRedirectParams{

+		OldOwnerUserID: pgtype.Int8{Int64: p.OwnerUserID, Valid: true},

+		OldOwnerOrgID:  pgtype.Int8{Valid: false},

+		OldName:        p.OldName,

+		RepoID:         p.RepoID,

+	}); err != nil {

+		return fmt.Errorf("insert redirect: %w", err)

+	}

+

+	// 2. Update the name. Unique-violation here means the new name is

+	//    taken on this owner.

+	if err := rq.RenameRepo(ctx, tx, reposdb.RenameRepoParams{ID: p.RepoID, Name: newName}); err != nil {

+		var pgErr *pgconn.PgError

+		if errAs(err, &pgErr) && pgErr.Code == "23505" {

+			return ErrNameTaken

+		}

+		return fmt.Errorf("rename repo: %w", err)

+	}

+

+	if err := tx.Commit(ctx); err != nil {

+		return fmt.Errorf("commit: %w", err)

+	}

+	committed = true

+

+	// 3. FS rename. On failure, run the compensating SQL so DB matches

+	//    disk again. The compensating tx is best-effort logged; if it

+	//    also fails the operator must reconcile by hand (rare path).

+	oldPath, e1 := deps.RepoFS.RepoPath(p.OwnerName, p.OldName)

+	newPath, e2 := deps.RepoFS.RepoPath(p.OwnerName, newName)

+	if e1 != nil || e2 != nil {

+		compensateRename(ctx, deps, p.RepoID, p.OldName, p.OwnerUserID, newName)

+		return fmt.Errorf("repo path resolution: e1=%v e2=%v", e1, e2)

+	}

+	if _, err := os.Stat(oldPath); err == nil {

+		if err := deps.RepoFS.Move(oldPath, newPath); err != nil {

+			compensateRename(ctx, deps, p.RepoID, p.OldName, p.OwnerUserID, newName)

+			return fmt.Errorf("fs move: %w", err)

+		}

+	}

+	// (oldPath missing is acceptable — the on-disk repo may not exist

+	// yet for a freshly-created repo whose initial commit hasn't been

+	// pushed by the user. The bare-repo init is creation-time; rename

+	// just needs to handle the present-or-absent case symmetrically.)

+

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, p.ActorUserID,

+			audit.ActionRepoRenamed, audit.TargetRepo, p.RepoID,

+			map[string]any{"old_name": p.OldName, "new_name": newName})

+	}

+	return nil

+}

+

+// compensateRename undoes the redirect+name change after an FS failure.

+// Logged at warn so the operator notices but the request still returns

+// the original error (the caller sees the FS error, which is the user-

+// visible truth).

+func compensateRename(ctx context.Context, deps Deps, repoID int64, oldName string, ownerUserID int64, newName string) {

+	rq := reposdb.New()

+	if err := rq.RenameRepo(ctx, deps.Pool, reposdb.RenameRepoParams{ID: repoID, Name: oldName}); err != nil {

+		if deps.Logger != nil {

+			deps.Logger.WarnContext(ctx, "rename: compensating UPDATE failed", "repo_id", repoID, "error", err)

+		}

+	}

+	// Drop the redirect row we just wrote — it now points at a name

+	// that's about to come back to its old self.

+	_, err := deps.Pool.Exec(ctx,

+		`DELETE FROM repo_redirects WHERE repo_id = $1 AND old_owner_user_id = $2 AND old_name = $3`,

+		repoID, ownerUserID, oldName)

+	if err != nil && deps.Logger != nil {

+		deps.Logger.WarnContext(ctx, "rename: compensating redirect-delete failed", "repo_id", repoID, "error", err)

+	}

+	_ = newName // kept in signature for symmetry / future logging

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle

+

+import (

+	"context"

+	"fmt"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// SoftDelete sets repos.deleted_at to now. The repo disappears from

+// listings and the home page returns 404 for non-owners (auth-aware).

+// The bare repo on disk is left alone until the hard-delete worker

+// runs at the end of the grace window.

+func SoftDelete(ctx context.Context, deps Deps, actorUserID, repoID int64) error {

+	rq := reposdb.New()

+	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)

+	if err != nil {

+		return fmt.Errorf("load repo: %w", err)

+	}

+	if repo.DeletedAt.Valid {

+		return ErrAlreadyDeleted

+	}

+	if err := rq.SoftDeleteRepoLifecycle(ctx, deps.Pool, repoID); err != nil {

+		return fmt.Errorf("soft delete: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoSoftDeleted, audit.TargetRepo, repoID,

+			map[string]any{"name": repo.Name, "owner_user_id": int64ValueOrZero(repo.OwnerUserID.Int64, repo.OwnerUserID.Valid)})

+	}

+	return nil

+}

+

+// Restore clears repos.deleted_at within the grace window. Past the

+// window the row may still exist (worker hasn't run yet) but we

+// refuse — the operator-visible contract is "7 days, then it's gone".

+func Restore(ctx context.Context, deps Deps, actorUserID, repoID int64) error {

+	rq := reposdb.New()

+	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)

+	if err != nil {

+		return fmt.Errorf("load repo: %w", err)

+	}

+	if !repo.DeletedAt.Valid {

+		return ErrNotDeleted

+	}

+	if deps.now().Sub(repo.DeletedAt.Time) > softDeleteGrace {

+		return ErrPastGrace

+	}

+	if err := rq.RestoreRepo(ctx, deps.Pool, repoID); err != nil {

+		return fmt.Errorf("restore: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoRestored, audit.TargetRepo, repoID, nil)

+	}

+	return nil

+}

+

+// int64ValueOrZero unwraps a pgtype.Int8 stored as raw int64+bool. We

+// keep this private helper duplicated across packages rather than

+// pulling pgtype into the audit-meta hot path.

+func int64ValueOrZero(v int64, valid bool) int64 {

+	if valid {

+		return v

+	}

+	return 0

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"os"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgconn"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+// TransferRequestParams describes a new transfer offer.

+type TransferRequestParams struct {

+	ActorUserID    int64

+	RepoID         int64

+	FromUserID     int64

+	ToPrincipalKind string // "user" — "org" arrives in S31

+	ToPrincipalID  int64

+}

+

+// RequestTransfer creates a pending transfer with a 7-day TTL. Returns

+// the new request id. Confirmation typing ("type owner/repo to confirm")

+// belongs in the handler — this function trusts its inputs.

+func RequestTransfer(ctx context.Context, deps Deps, p TransferRequestParams) (int64, error) {

+	if p.ToPrincipalKind != "user" {

+		return 0, fmt.Errorf("transfer: principal kind %q not supported in S16 (org transfers in S31)", p.ToPrincipalKind)

+	}

+	if p.ToPrincipalID == p.FromUserID {

+		return 0, ErrTransferToSelf

+	}

+

+	rq := reposdb.New()

+	row, err := rq.InsertTransferRequest(ctx, deps.Pool, reposdb.InsertTransferRequestParams{

+		RepoID:           p.RepoID,

+		FromUserID:       p.FromUserID,

+		ToPrincipalKind:  reposdb.TransferPrincipalKind(p.ToPrincipalKind),

+		ToPrincipalID:    p.ToPrincipalID,

+		CreatedBy:        p.ActorUserID,

+		ExpiresAt:        pgtype.Timestamptz{Time: deps.now().Add(transferTTL), Valid: true},

+	})

+	if err != nil {

+		return 0, fmt.Errorf("insert transfer: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, p.ActorUserID,

+			audit.ActionRepoTransferRequested, audit.TargetRepo, p.RepoID,

+			map[string]any{

+				"to_principal_kind": p.ToPrincipalKind,

+				"to_principal_id":   p.ToPrincipalID,

+				"transfer_id":       row.ID,

+			})

+	}

+	return row.ID, nil

+}

+

+// AcceptTransfer flips the transfer to accepted, updates the repo's

+// owner, writes a redirect row from the old owner+name, and renames

+// the bare repo on disk if the recipient also has a different name

+// in mind (rare; defaults to keeping the same name).

+//

+// The recipient is the actor in this op. We re-check status under the

+// row lock so concurrent accept/cancel/decline races are settled

+// deterministically by the DB.

+func AcceptTransfer(ctx context.Context, deps Deps, actorUserID, transferID int64) error {

+	rq := reposdb.New()

+	uq := usersdb.New()

+

+	tx, err := deps.Pool.Begin(ctx)

+	if err != nil {

+		return fmt.Errorf("begin: %w", err)

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	// Lock the transfer row to serialize racing accept/decline/cancel.

+	row, err := lockTransfer(ctx, tx, transferID)

+	if err != nil {

+		return err

+	}

+	if row.Status != reposdb.TransferStatusPending {

+		return ErrTransferTerminal

+	}

+	if !row.ExpiresAt.Valid || deps.now().After(row.ExpiresAt.Time) {

+		return ErrTransferExpired

+	}

+	if row.ToPrincipalKind != reposdb.TransferPrincipalKindUser || row.ToPrincipalID != actorUserID {

+		// The actor isn't the recipient — a 403 at the handler.

+		return ErrTransferTerminal

+	}

+

+	repo, err := rq.GetRepoByID(ctx, tx, row.RepoID)

+	if err != nil {

+		return fmt.Errorf("load repo: %w", err)

+	}

+	oldOwnerUserID := int64(0)

+	if repo.OwnerUserID.Valid {

+		oldOwnerUserID = repo.OwnerUserID.Int64

+	}

+

+	// Insert redirect from the old owner/name.

+	if err := rq.InsertRepoRedirect(ctx, tx, reposdb.InsertRepoRedirectParams{

+		OldOwnerUserID: pgtype.Int8{Int64: oldOwnerUserID, Valid: oldOwnerUserID != 0},

+		OldOwnerOrgID:  pgtype.Int8{Valid: false},

+		OldName:        repo.Name,

+		RepoID:         repo.ID,

+	}); err != nil {

+		return fmt.Errorf("insert redirect: %w", err)

+	}

+

+	// Update owner. We keep the same name; if it collides on the

+	// recipient, the unique index trips and the tx rolls back.

+	if err := rq.TransferRepoOwner(ctx, tx, reposdb.TransferRepoOwnerParams{

+		ID:           repo.ID,

+		Name:         repo.Name,

+		OwnerUserID:  pgtype.Int8{Int64: actorUserID, Valid: true},

+		OwnerOrgID:   pgtype.Int8{Valid: false},

+	}); err != nil {

+		var pgErr *pgconn.PgError

+		if errAs(err, &pgErr) && pgErr.Code == "23505" {

+			return ErrNameTaken

+		}

+		return fmt.Errorf("transfer owner: %w", err)

+	}

+

+	// Mark the transfer accepted.

+	if err := rq.AcceptTransferRequest(ctx, tx, transferID); err != nil {

+		return fmt.Errorf("accept request: %w", err)

+	}

+

+	if err := tx.Commit(ctx); err != nil {

+		return fmt.Errorf("commit: %w", err)

+	}

+	committed = true

+

+	// FS move from the old owner's shard to the recipient's. Best-

+	// effort: if the on-disk repo doesn't exist (never pushed), skip.

+	oldOwner, err := uq.GetUserByID(ctx, deps.Pool, oldOwnerUserID)

+	if err != nil {

+		// Old owner row gone (recently deleted) — nothing to move.

+		return nil

+	}

+	newOwner, err := uq.GetUserByID(ctx, deps.Pool, actorUserID)

+	if err != nil {

+		// Should never happen — recipient is the actor — but don't roll

+		// back FS-wise on this rare error; the DB is the source of

+		// truth and an operator can reconcile the disk path later.

+		if deps.Logger != nil {

+			deps.Logger.WarnContext(ctx, "transfer accept: new owner lookup", "error", err)

+		}

+		return nil

+	}

+	oldPath, e1 := deps.RepoFS.RepoPath(oldOwner.Username, repo.Name)

+	newPath, e2 := deps.RepoFS.RepoPath(newOwner.Username, repo.Name)

+	if e1 != nil || e2 != nil {

+		if deps.Logger != nil {

+			deps.Logger.WarnContext(ctx, "transfer accept: path resolve", "e1", e1, "e2", e2)

+		}

+		return nil

+	}

+	if _, err := os.Stat(oldPath); err == nil {

+		if err := deps.RepoFS.Move(oldPath, newPath); err != nil {

+			if deps.Logger != nil {

+				deps.Logger.WarnContext(ctx, "transfer accept: fs move", "error", err)

+			}

+			return nil

+		}

+	}

+

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoTransferAccepted, audit.TargetRepo, repo.ID,

+			map[string]any{"transfer_id": transferID, "from_user_id": oldOwnerUserID})

+	}

+	return nil

+}

+

+// DeclineTransfer flips the row to declined. Recipient is the actor.

+func DeclineTransfer(ctx context.Context, deps Deps, actorUserID, transferID int64) error {

+	rq := reposdb.New()

+	row, err := rq.GetTransferRequest(ctx, deps.Pool, transferID)

+	if err != nil {

+		return fmt.Errorf("load transfer: %w", err)

+	}

+	if row.Status != reposdb.TransferStatusPending {

+		return ErrTransferTerminal

+	}

+	if row.ToPrincipalKind != reposdb.TransferPrincipalKindUser || row.ToPrincipalID != actorUserID {

+		return ErrTransferTerminal

+	}

+	if err := rq.DeclineTransferRequest(ctx, deps.Pool, transferID); err != nil {

+		return fmt.Errorf("decline: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoTransferDeclined, audit.TargetRepo, row.RepoID,

+			map[string]any{"transfer_id": transferID})

+	}

+	return nil

+}

+

+// CancelTransfer is the sender pulling the offer. Repo-admin actors

+// (owner) can cancel.

+func CancelTransfer(ctx context.Context, deps Deps, actorUserID, transferID int64) error {

+	rq := reposdb.New()

+	row, err := rq.GetTransferRequest(ctx, deps.Pool, transferID)

+	if err != nil {

+		return fmt.Errorf("load transfer: %w", err)

+	}

+	if row.Status != reposdb.TransferStatusPending {

+		return ErrTransferTerminal

+	}

+	if err := rq.CancelTransferRequest(ctx, deps.Pool, transferID); err != nil {

+		return fmt.Errorf("cancel: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoTransferCanceled, audit.TargetRepo, row.RepoID,

+			map[string]any{"transfer_id": transferID})

+	}

+	return nil

+}

+

+// ExpirePending sweeps every pending transfer past its expires_at.

+// Returns the count of rows flipped — the worker uses this for

+// observability. Audit logs are emitted in bulk via a single row that

+// records the count; per-transfer audit lines would be noisy and the

+// individual transfer rows themselves carry the timestamp.

+func ExpirePending(ctx context.Context, deps Deps) (int64, error) {

+	rq := reposdb.New()

+	n, err := rq.ExpirePendingTransfers(ctx, deps.Pool)

+	if err != nil {

+		return 0, fmt.Errorf("expire: %w", err)

+	}

+	return n, nil

+}

+

+// lockTransfer reads the row inside a tx with FOR UPDATE so concurrent

+// accept/decline/cancel can't double-fire. Returns the row directly —

+// the caller already has the transferID in scope.

+func lockTransfer(ctx context.Context, tx pgx.Tx, transferID int64) (reposdb.RepoTransferRequest, error) {

+	row, err := tx.Query(ctx,

+		`SELECT id, repo_id, from_user_id, to_principal_kind, to_principal_id,

+                created_by, created_at, expires_at, status,

+                accepted_at, declined_at, canceled_at

+         FROM repo_transfer_requests

+         WHERE id = $1

+         FOR UPDATE`, transferID)

+	if err != nil {

+		return reposdb.RepoTransferRequest{}, fmt.Errorf("lock transfer: %w", err)

+	}

+	defer row.Close()

+	if !row.Next() {

+		return reposdb.RepoTransferRequest{}, errors.New("transfer not found")

+	}

+	var r reposdb.RepoTransferRequest

+	if err := row.Scan(&r.ID, &r.RepoID, &r.FromUserID, &r.ToPrincipalKind, &r.ToPrincipalID,

+		&r.CreatedBy, &r.CreatedAt, &r.ExpiresAt, &r.Status,

+		&r.AcceptedAt, &r.DeclinedAt, &r.CanceledAt); err != nil {

+		return reposdb.RepoTransferRequest{}, fmt.Errorf("scan transfer: %w", err)

+	}

+	return r, nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package lifecycle

+

+import (

+	"context"

+	"errors"

+	"fmt"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// ErrInvalidVisibility is returned when a caller passes a value that

+// isn't "public" or "private". Handlers should map to a 400.

+var ErrInvalidVisibility = errors.New("lifecycle: visibility must be public or private")

+

+// SetVisibility flips a repo between public and private. Forks remain

+// independent (separate repos at the data layer), and existing clones

+// already pulled remain — that's git's nature, not a bug. The UI is

+// responsible for surfacing the "future clones will be private"

+// caveat to the user.

+func SetVisibility(ctx context.Context, deps Deps, actorUserID, repoID int64, newVisibility string) error {

+	switch newVisibility {

+	case "public", "private":

+	default:

+		return ErrInvalidVisibility

+	}

+

+	rq := reposdb.New()

+	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)

+	if err != nil {

+		return fmt.Errorf("load repo: %w", err)

+	}

+	if string(repo.Visibility) == newVisibility {

+		return nil // idempotent no-op

+	}

+

+	if err := rq.SetRepoVisibility(ctx, deps.Pool, reposdb.SetRepoVisibilityParams{

+		ID:         repoID,

+		Visibility: reposdb.RepoVisibility(newVisibility),

+	}); err != nil {

+		return fmt.Errorf("set visibility: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionRepoVisibilityChanged, audit.TargetRepo, repoID,

+			map[string]any{"from": string(repo.Visibility), "to": newVisibility})

+	}

+	return nil

+}