Allow public issue participation

Status	File	+	-
M	`docs/internal/issues.md`	7	3
M	`docs/internal/permissions.md`	9	6
M	`internal/auth/policy/actions.go`	7	0
M	`internal/auth/policy/policy.go`	46	20
M	`internal/auth/policy/policy_test.go`	47	2

docs/internal/issues.mdmodified

  Public reads still pass through `policy.Can(ActionIssueRead)` so
  private repos return the existence-leak 404. RequireUser on writes
  gives anonymous browsers a `/login` redirect instead of the same 404.
 +Issue creation and commenting follow GitHub's public-participation
 +model: any logged-in user may open or comment on issues in a public
 +repo, while private repos require `read` access.
  ## Cross-reference indexing
  `SetLock` flips `locked` + emits a `locked`/`unlocked` event. Comments
  hit the locked gate inside `AddComment`: non-collaborators get
 -`ErrIssueLocked`. The `IsCollab` flag is the caller's responsibility —
 -for v1 the web handler treats the repo owner as the only collaborator;
 -S15's `repo_collaborators` table is wired but the lookup is deferred.
 +`ErrIssueLocked`. The `IsCollab` flag is the caller's responsibility;
 +the web handler resolves it via `policy.HasRoleAtLeast(..., RoleTriage)`,
 +so owners, direct collaborators, and team-derived triage+ roles can
 +comment through a lock.
  ## Rate limit

docs/internal/permissions.mdmodified

  | `repo:transfer`                       | `admin`          |
  | `repo:visibility`                     | `admin`          |
  | `issue:read`                          | `read` (private) |
 -| `issue:create`                        | `write`          |
 -| `issue:comment`                       | `write`          |
 +| `issue:create`                        | logged in on public; `read` on private |
 +| `issue:comment`                       | logged in on public; `read` on private |
  | `issue:close`                         | `triage`         |
  | `issue:label`                         | `triage`         |
  | `issue:assign`                        | `triage`         |
 . **Anonymous + private repo** → deny (`DenyVisibility`). Caller maps
     to 404, not 403, to avoid existence leak.
 . **Public repo + read** → allow.
 -6. Compute effective role (owner ⇒ admin; collaborator ⇒ row.role;
 +6. **Public issue participation** → logged-in users can create and
 +   comment on issues in public repos, subject to the suspended actor,
 +   archived repo, and suspended org write gates.
 +7. Compute effective role (owner ⇒ admin; collaborator ⇒ row.role;
     else `RoleNone`).
 -7. **Archived repo + write** → deny (`DenyArchived`). Even owners
 +8. **Archived repo + write** → deny (`DenyArchived`). Even owners
     can't push to archived repos.
 -8. **Min role for action** vs effective role. Below threshold + private
 +9. **Min role for action** vs effective role. Below threshold + private
     repo + no role → deny as visibility (404). Below threshold with any
     role → deny as `DenyRoleTooLow` (403).
 -9. **Login-required actions** (star/fork) on anonymous → deny
 +10. **Login-required actions** (star/fork) on anonymous → deny
     (`DenyAnonymous`).
  ## Existence-leak guard

internal/auth/policy/actions.gomodified

  // isReadAction is the inverse, broken out for readability at call sites
  // that branch on intent rather than on the absence of writes.
  func isReadAction(a Action) bool { return !isWriteAction(a) }
++
 +// isIssueParticipationAction is the GitHub-shaped issue conversation
 +// surface: any logged-in user can open or comment on issues in a public
 +// repo, while private repos require normal read access.
 +func isIssueParticipationAction(a Action) bool {
 +	return a == ActionIssueCreate || a == ActionIssueComment
 +}

internal/auth/policy/policy.gomodified

  		return allow("public repo read")
+ 	}
 -	// 6. From here we need the actor's effective role on the repo.
 +	// 6. Public issue participation: any logged-in user can open or
 +	//    comment on issues in a public repo. Private repos still fall
 +	//    through to the role check below, where read access is required.
 +	//    Archive/org-suspension write gates stay below role resolution
 +	//    for the general case, so enforce them explicitly here before
 +	//    allowing a non-collaborator public-repo issue action.
 +	if isIssueParticipationAction(action) && repo.IsPublic() {
 +		if actor.IsAnonymous {
 +			return deny(DenyAnonymous, "anonymous cannot create/comment on issues")
 +		}
 +		if repo.IsArchived {
 +			return deny(DenyArchived, "repo archived")
 +		}
 +		if repo.OwnerOrgID != 0 && isOrgSuspended(ctx, d, repo.OwnerOrgID) {
 +			return deny(DenyOrgSuspended, "owning org suspended")
 +		}
 +		return allow("public issue participation")
 +	}
++
 +	// 7. From here we need the actor's effective role on the repo.
  	//    Owner short-circuits to admin; collaborator role from DB
  	//    otherwise; org membership stub for S31.
  	role, err := effectiveRole(ctx, d, actor, repo)
  		return deny(DenyDBError, "role lookup failed: "+err.Error())
+ 	}
 -	// 6a. Author-self-close on issues and PRs. The author of an issue or
 +	// 7a. Author-self-close on issues and PRs. The author of an issue or
  	//     PR is allowed to close (and reopen — same Action) their own
  	//     thread regardless of their collaborator role. Handlers populate
  	//     `repo.AuthorUserID` on the close path; everywhere else the
  		return allow("author of thread")
+ 	}
 -	// 7. Archived repos: writes denied even for owners. Reads still go
 +	// 8. Archived repos: writes denied even for owners. Reads still go
  	//    through the role check above. (We could short-circuit reads
  	//    earlier but keeping the flow uniform makes the matrix readable.)
  	if repo.IsArchived && isWriteAction(action) {
  		return deny(DenyArchived, "repo archived")
+ 	}
 -	// 7b. Org suspension (S30): writes against any repo owned by a
 +	// 8b. Org suspension (S30): writes against any repo owned by a
  	//     suspended org are denied uniformly. Reads stay allowed (the
  	//     org's contributions to the broader graph aren't erased).
  	//     The check is gated on a write action AND a non-zero
  	//     OwnerOrgID so user-owned repos pay nothing for it.
 -	if repo.OwnerOrgID != 0 && isWriteAction(action) {
 -		if d.Pool != nil {
 -			var suspended bool
 -			err := d.Pool.QueryRow(
 -				ctx,
 -				`SELECT suspended_at IS NOT NULL FROM orgs WHERE id = $1`,
 -				repo.OwnerOrgID,
 -			).Scan(&suspended)
 -			if err == nil && suspended {
 +	if repo.OwnerOrgID != 0 && isWriteAction(action) && isOrgSuspended(ctx, d, repo.OwnerOrgID) {
  		return deny(DenyOrgSuspended, "owning org suspended")
+ 	}
 -		}
 -	}
 -	// 8. Map action → minimum required role; check.
 +	// 9. Map action → minimum required role; check.
  	want := minRoleFor(action)
  	if want != RoleNone && !RoleAtLeast(role, want) {
  		// No role at all + private repo → look like a visibility deny
  		return deny(DenyRoleTooLow, "role too low")
+ 	}
 -	// 9. Login-required actions: star/fork/watch-set need any
 +	// 10. Login-required actions: star/fork/watch-set need any
  	//    logged-in user. Anonymous reaches here only on a public repo
  	//    (see step 4); we deny with the anonymous code so the handler
  	//    can render a friendly "log in to star" prompt.
  	return allow("granted")
+ }
 +func isOrgSuspended(ctx context.Context, d Deps, orgID int64) bool {
 +	if d.Pool == nil {
 +		return false
 +	}
 +	var suspended bool
 +	err := d.Pool.QueryRow(
 +		ctx,
 +		`SELECT suspended_at IS NOT NULL FROM orgs WHERE id = $1`,
 +		orgID,
 +	).Scan(&suspended)
 +	return err == nil && suspended
 +}
++
  // IsVisibleTo is a convenience wrapper around Can(actor, repo:read, …).
  // Used by listing endpoints that need to filter results by visibility
  // without caring about the deny reason.
  		return RoleTriage
  	// Write tier — code push, branch create, PR open/comment.
 -	case ActionRepoWrite, ActionPullCreate, ActionPullReview, ActionPullClose,
 -		ActionIssueCreate, ActionIssueComment:
 +	case ActionRepoWrite, ActionPullCreate, ActionPullReview, ActionPullClose:
  		return RoleWrite
 +	// Issue participation on private repos requires read access. Public
 +	// repos are handled by Can's public issue participation branch above.
 +	case ActionIssueCreate, ActionIssueComment:
 +		return RoleRead
++
  	// Maintain tier — most settings except dangerous ones.
  	case ActionRepoSettingsGeneral, ActionRepoSettingsBranches:
  		return RoleMaintain

internal/auth/policy/policy_test.gomodified

  		return true
+ 	}
 +	// Public issue participation: any logged-in user can open/comment
 +	// on issues in a non-archived public repo.
 +	if (action == policy.ActionIssueCreate || action == policy.ActionIssueComment) && !isPrivate {
 +		if actor == actorAnonymous || isArchived {
 +			return false
 +		}
 +		return true
 +	}
++
  	// Compute role.
  	var have policy.Role
  	switch actor {
  		return policy.RoleRead
  	case policy.ActionIssueClose, policy.ActionIssueLabel, policy.ActionIssueAssign:
  		return policy.RoleTriage
 -	case policy.ActionRepoWrite, policy.ActionPullCreate, policy.ActionPullReview, policy.ActionPullClose,
 -		policy.ActionIssueCreate, policy.ActionIssueComment:
 +	case policy.ActionIssueCreate, policy.ActionIssueComment:
 +		return policy.RoleRead
 +	case policy.ActionRepoWrite, policy.ActionPullCreate, policy.ActionPullReview, policy.ActionPullClose:
  		return policy.RoleWrite
  	case policy.ActionRepoSettingsGeneral, policy.ActionRepoSettingsBranches:
  		return policy.RoleMaintain
+ 	}
+ }
 +func TestCan_PublicIssueParticipation(t *testing.T) {
 +	t.Parallel()
++
 +	d := policy.Deps{}
 +	publicRepo := makeRepo(repoPublic)
 +	privateRepo := makeRepo(repoPrivate)
 +	archivedPublicRepo := makeRepo(repoArchivedPublic)
 +	stranger := makeActor(actorUnrelated)
 +	readCollab := makeActor(actorCollabRead)
++
 +	for _, action := range []policy.Action{policy.ActionIssueCreate, policy.ActionIssueComment} {
 +		action := action
 +		t.Run(string(action), func(t *testing.T) {
 +			t.Parallel()
++
 +			if got := policy.Can(context.Background(), d, stranger, action, publicRepo); !got.Allow {
 +				t.Fatalf("logged-in non-collab on public repo should be allowed to %s: %#v", action, got)
 +			}
 +			if got := policy.Can(context.Background(), d, policy.AnonymousActor(), action, publicRepo); got.Allow || got.Code != policy.DenyAnonymous {
 +				t.Fatalf("anonymous public repo %s = %#v, want DenyAnonymous", action, got)
 +			}
 +			ctx := ctxWithCollabRole(t, actorCollabRead)
 +			if got := policy.Can(ctx, d, readCollab, action, privateRepo); !got.Allow {
 +				t.Fatalf("read collab on private repo should be allowed to %s: %#v", action, got)
 +			}
 +			if got := policy.Can(context.Background(), d, stranger, action, privateRepo); got.Allow || got.Code != policy.DenyVisibility {
 +				t.Fatalf("stranger private repo %s = %#v, want DenyVisibility", action, got)
 +			}
 +			if got := policy.Can(context.Background(), d, stranger, action, archivedPublicRepo); got.Allow || got.Code != policy.DenyArchived {
 +				t.Fatalf("archived public repo %s = %#v, want DenyArchived", action, got)
 +			}
 +		})
 +	}
 +}
++
  func TestRoleAtLeast(t *testing.T) {
  	t.Parallel()
  	cases := []struct {

tenseleyflow/shithub / `458c494`

5 changed files