`5df8d85`

Allow recreating soft-deleted repos

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 2 days ago

SHA: 5df8d85b84476e9427af97303ddf50885ec82cd3
Parents: cabd341
Tree: e31b3dc

13 changed files

Status	File	+	-
M	`docs/internal/repo-create.md`	5	2
M	`docs/internal/repo-lifecycle.md`	17	8
M	`internal/infra/storage/reposfs.go`	19	0
A	`internal/migrationsfs/migrations/0058_repo_name_reuse_after_soft_delete.sql`	32	0
M	`internal/repos/create.go`	77	2
M	`internal/repos/create_test.go`	97	0
M	`internal/repos/lifecycle/hard_delete.go`	54	31
M	`internal/repos/lifecycle/lifecycle_test.go`	52	3
A	`internal/repos/lifecycle/paths.go`	102	0
M	`internal/repos/lifecycle/soft_delete.go`	149	6
M	`internal/repos/queries/repos.sql`	33	0
M	`internal/repos/sqlc/querier.go`	7	0
M	`internal/repos/sqlc/repos.sql.go`	123	0

docs/internal/repo-create.mdmodified

  ## What's wired
 -- **Migration:** `0017_repos.sql` adds the `repos` table (with `repo_visibility` enum, owner XOR check, per-owner unique-by-name partial indexes, soft-delete column).
 +- **Migration:** `0017_repos.sql` adds the `repos` table (with `repo_visibility` enum, owner XOR check, per-owner unique-by-name partial indexes, soft-delete column). `0058_repo_name_reuse_after_soft_delete.sql` narrows those uniqueness indexes to active repos so deleted names can be reused.
  - **Source remotes:** `0052_repo_source_remotes.sql` adds one optional public fetch URL per repo. Creation and settings can save this URL, fetch heads/tags, and use it later for submodule gitlink backfill.
  - **sqlc package:** `internal/repos/sqlc` (`reposdb`) — Create, Get-by-owner-and-name, Exists, List-by-owner, Count, SoftDelete, UpdateDiskUsed.
  - `internal/repos/validate.go` — name shape (≤100 chars, `[a-z0-9._-]`, non-separator edges, no dot-dot, no leading dot) + reserved-name list.
    │     (refuse with ErrNoVerifiedEmail when init is requested AND missing)
    ├─ RepoFS.RepoPath(owner, name) → defense-in-depth path validation
    ├─ tx.Begin()
 +  │   ├─ LockRepoOwnerName(owner/name) advisory lock
    │   └─ reposdb.CreateRepo(...)        ← unique-violation surfaces as ErrTaken
    ├─ RepoFS.InitBare(diskPath)          ← `git init --bare --initial-branch=trunk`
 +  │   └─ if a legacy soft-deleted repo still occupies diskPath:
 +  │      move it to `.deleted/<old-repo-id>.git` and retry
    ├─ if init flag set:
    │     buildInitialCommit(ic) → commit OID
    │       (hash-object → update-index → write-tree → commit-tree → update-ref)
  Failure handling at each step:
  - DB insert error: tx already rolled back via the deferred Rollback closure; nothing on disk to clean.
 -- FS InitBare error: tx still uncommitted (we Rollback via defer); best-effort `os.RemoveAll(diskPath)` clears any partially-mkdir'd directory.
 +- FS InitBare error: tx still uncommitted (we Rollback via defer); best-effort `os.RemoveAll(diskPath)` clears any partially-mkdir'd directory. `storage.ErrAlreadyExists` is not blindly removed because it can be a legacy soft-deleted repo path; create first tries to displace that path to the deleted tombstone.
  - Initial-commit error: same as above — Rollback + RemoveAll.
  - tx.Commit error: post-FS-success but DB couldn't commit. We RemoveAll the bare repo dir to keep DB and disk consistent.
  - Audit error: logged at WARN, not propagated — we don't fail the create just because audit logging blipped.

docs/internal/repo-lifecycle.mdmodified

  * **Soft delete**: `POST /{owner}/{repo}/settings/delete` →
    `lifecycle.SoftDelete`. Sets `deleted_at = now()`. Repo disappears
 -  from listings, profile pinned slot, search. `/{owner}/{repo}` 404s
 -  for non-owners (auth-aware via S15 policy's `DenyRepoDeleted`).
 +  from listings, profile pinned slot, search. The bare repo is moved
 +  from the canonical `<owner>/<name>.git` path to an internal
 +  `.deleted/<repo-id>.git` tombstone so a fresh repo can reuse the same
 +  owner/name during the grace window. `/{owner}/{repo}` 404s for
 +  non-owners (auth-aware via S15 policy's `DenyRepoDeleted`).
  * **Restore**: owner sees the soft-deleted repo at
    `/settings/repositories`. POST to
 -  `/settings/repositories/restore/{id}` clears `deleted_at`. Past the
 -  7-day grace, restore returns `ErrPastGrace` (410).
 +  `/settings/repositories/restore/{id}` moves the tombstone back to the
 +  canonical path and clears `deleted_at`. If the owner/name was reused,
 +  restore returns `ErrNameTaken` and leaves the deleted repo in the
 +  restore list. Past the 7-day grace, restore returns `ErrPastGrace`
 +  (410).
  * **Hard delete**: `lifecycle:sweep` worker job (registered in
    `cmd/shithubd/worker.go`) runs periodically. The handler:
 . `ListRepoIDsPastSoftDeleteGrace` — finds rows past 7 days.
         `push_events`, `repo_collaborators`, `repo_redirects` (rows
         pointing at this repo), `repo_transfer_requests`, and
         `webhook_events_pending`.
 -     * `RemoveAll` the bare repo on disk.
 +     * Remove the tombstoned bare repo on disk. Legacy soft-deleted
 +       repos whose bare data still sits at the canonical path are
 +       removed only when no active repo has reused the owner/name.
       * Audit `repo_hard_deleted` with the row snapshot in `meta`,
         since the repo_id no longer resolves.
 . The same job also flips pending transfers past their TTL via
    INSERT INTO jobs (kind, payload) VALUES ('lifecycle:sweep', '{}'::jsonb);
    NOTIFY shithub_jobs;
    ```
 -* Soft-deleted repos take their disk path with them — the bare repo
 -  on disk stays for the full grace window. If disk pressure becomes
 -  an issue, configure the grace window down (it's a constant in
 +* Soft-deleted repos keep their bare data for the full grace window,
 +  but under the owner-local `.deleted/<repo-id>.git` tombstone path
 +  rather than the active canonical path. If disk pressure becomes an
 +  issue, configure the grace window down (it's a constant in
    `lifecycle.go::softDeleteGrace`; promote to config in S37 if needed).
  * Renaming a repo doesn't require restarting any worker or hook.
    The atomic FS move + DB update means the next hook invocation will

internal/infra/storage/reposfs.gomodified

  	return p, nil
+ }
 +// DeletedRepoPath returns the internal tombstone path used while a
 +// soft-deleted repo is inside its restore grace window. Keeping
 +// tombstones outside the canonical <owner>/<name>.git path lets a new
 +// active repo reuse the name without losing the old row's restore data.
 +func (r *RepoFS) DeletedRepoPath(owner, name string, repoID int64) (string, error) {
 +	if repoID <= 0 {
 +		return "", fmt.Errorf("%w: repo id required", ErrInvalidPath)
 +	}
 +	canonical, err := r.RepoPath(owner, name)
 +	if err != nil {
 +		return "", err
 +	}
 +	p := filepath.Join(filepath.Dir(canonical), ".deleted", fmt.Sprintf("%d.git", repoID))
 +	if err := r.containedInRoot(p); err != nil {
 +		return "", err
 +	}
 +	return p, nil
 +}
++
  // containedInRoot returns ErrEscapesRoot when p does not resolve under r.root.
  // Defense-in-depth: validateName already rejects ".." and absolute paths,
  // but a future caller might compose paths differently.

internal/migrationsfs/migrations/0058_repo_name_reuse_after_soft_delete.sqladded

 +-- SPDX-License-Identifier: AGPL-3.0-or-later
 +--
 +-- Soft-deleted repos must no longer reserve their owner/name forever.
 +-- Runtime lifecycle code moves the bare repo to a tombstone path so
 +-- the canonical on-disk path can be reused by a fresh repo.
++
 +-- +goose Up
 +DROP INDEX IF EXISTS repos_owner_user_name_idx;
 +DROP INDEX IF EXISTS repos_owner_org_name_idx;
++
 +CREATE UNIQUE INDEX repos_owner_user_name_idx
 +    ON repos (owner_user_id, name)
 +    WHERE owner_user_id IS NOT NULL AND deleted_at IS NULL;
++
 +CREATE UNIQUE INDEX repos_owner_org_name_idx
 +    ON repos (owner_org_id, name)
 +    WHERE owner_org_id IS NOT NULL AND deleted_at IS NULL;
++
 +-- +goose Down
 +DROP INDEX IF EXISTS repos_owner_user_name_idx;
 +DROP INDEX IF EXISTS repos_owner_org_name_idx;
++
 +-- This rollback can fail if a name has been reused while the prior row
 +-- remains soft-deleted. That is intentional: reverting the old invariant
 +-- requires resolving those duplicates first.
 +CREATE UNIQUE INDEX repos_owner_user_name_idx
 +    ON repos (owner_user_id, name)
 +    WHERE owner_user_id IS NOT NULL;
++
 +CREATE UNIQUE INDEX repos_owner_org_name_idx
 +    ON repos (owner_org_id, name)
 +    WHERE owner_org_id IS NOT NULL;

internal/repos/create.gomodified

  	"strings"
  	"time"
 +	"github.com/jackc/pgx/v5"
  	"github.com/jackc/pgx/v5/pgconn"
  	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/jackc/pgx/v5/pgxpool"
  	}()
  	q := reposdb.New()
 +	lockKey, err := createRepoNameLockKey(p)
 +	if err != nil {
 +		return Result{}, err
 +	}
 +	if err := q.LockRepoOwnerName(ctx, tx, lockKey); err != nil {
 +		return Result{}, fmt.Errorf("repos: lock owner/name: %w", err)
 +	}
  	row, err := q.CreateRepo(ctx, tx, reposdb.CreateRepoParams{
  		OwnerUserID:     pgtype.Int8{Int64: p.OwnerUserID, Valid: p.OwnerUserID != 0},
  		OwnerOrgID:      pgtype.Int8{Int64: p.OwnerOrgID, Valid: p.OwnerOrgID != 0},
  	// reverses the row; we also best-effort RemoveAll the directory in
  	// case it got partially created.
  	if err := deps.RepoFS.InitBare(ctx, diskPath); err != nil {
 -		_ = os.RemoveAll(diskPath)
 -		return Result{}, fmt.Errorf("repos: init bare: %w", err)
 +		if errors.Is(err, storage.ErrAlreadyExists) {
 +			displaced, displaceErr := displaceDeletedRepoPath(ctx, deps, q, tx, p, ownerSlug, diskPath)
 +			if displaceErr != nil {
 +				return Result{}, fmt.Errorf("repos: reclaim deleted repo path: %w", displaceErr)
 +			}
 +			if displaced {
 +				err = deps.RepoFS.InitBare(ctx, diskPath)
 +			}
 +		}
 +		if err != nil {
 +			if !errors.Is(err, storage.ErrAlreadyExists) {
 +				_ = os.RemoveAll(diskPath)
 +			}
 +			return Result{}, fmt.Errorf("repos: init bare: %w", err)
 +		}
+ 	}
  	// Install push-pipeline hooks. Skipped when ShithubdPath is empty
  	return display, string(em.Email), nil
+ }
 +func createRepoNameLockKey(p Params) (string, error) {
 +	name := strings.ToLower(p.Name)
 +	switch {
 +	case p.OwnerUserID != 0 && p.OwnerOrgID == 0:
 +		return fmt.Sprintf("repo-name:user:%d:%s", p.OwnerUserID, name), nil
 +	case p.OwnerOrgID != 0 && p.OwnerUserID == 0:
 +		return fmt.Sprintf("repo-name:org:%d:%s", p.OwnerOrgID, name), nil
 +	default:
 +		return "", errors.New("repos: owner is XOR — set OwnerUserID OR OwnerOrgID, not both")
 +	}
 +}
++
 +func displaceDeletedRepoPath(
 +	ctx context.Context,
 +	deps Deps,
 +	q *reposdb.Queries,
 +	db reposdb.DBTX,
 +	p Params,
 +	ownerSlug string,
 +	diskPath string,
 +) (bool, error) {
 +	deleted, err := softDeletedRepoForCreate(ctx, q, db, p)
 +	if errors.Is(err, pgx.ErrNoRows) {
 +		return false, nil
 +	}
 +	if err != nil {
 +		return false, err
 +	}
 +	deletedPath, err := deps.RepoFS.DeletedRepoPath(ownerSlug, p.Name, deleted.ID)
 +	if err != nil {
 +		return false, err
 +	}
 +	if err := deps.RepoFS.Move(diskPath, deletedPath); err != nil {
 +		if errors.Is(err, os.ErrNotExist) {
 +			return false, nil
 +		}
 +		return false, err
 +	}
 +	return true, nil
 +}
++
 +func softDeletedRepoForCreate(ctx context.Context, q *reposdb.Queries, db reposdb.DBTX, p Params) (reposdb.Repo, error) {
 +	if p.OwnerUserID != 0 {
 +		return q.GetSoftDeletedRepoByOwnerUserAndName(ctx, db, reposdb.GetSoftDeletedRepoByOwnerUserAndNameParams{
 +			OwnerUserID: pgtype.Int8{Int64: p.OwnerUserID, Valid: true},
 +			Name:        p.Name,
 +		})
 +	}
 +	return q.GetSoftDeletedRepoByOwnerOrgAndName(ctx, db, reposdb.GetSoftDeletedRepoByOwnerOrgAndNameParams{
 +		OwnerOrgID: pgtype.Int8{Int64: p.OwnerOrgID, Valid: true},
 +		Name:       p.Name,
 +	})
 +}
++
  // isUniqueViolation matches Postgres SQLSTATE 23505. Used to surface
  // the friendly "name taken" error from the unique-by-owner-and-name
  // indexes when the pre-check raced.

internal/repos/create_test.gomodified

  	"fmt"
  	"io"
  	"log/slog"
 +	"os"
  	"os/exec"
  	"path/filepath"
  	"strings"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	"github.com/tenseleyFlow/shithub/internal/orgs"
  	"github.com/tenseleyFlow/shithub/internal/repos"
 +	"github.com/tenseleyFlow/shithub/internal/repos/lifecycle"
  	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"
  	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
+ )
+ 	}
+ }
 +func TestCreate_ReusesSoftDeletedRepoName(t *testing.T) {
 +	t.Parallel()
 +	pool, deps, uid, uname, _ := setupCreateEnv(t)
 +	ctx := context.Background()
 +	first, err := repos.Create(ctx, deps, repos.Params{
 +		OwnerUserID: uid, OwnerUsername: uname, Name: "reuse", Visibility: "public",
 +		InitReadme: true,
 +	})
 +	if err != nil {
 +		t.Fatalf("first create: %v", err)
 +	}
 +	deletedPath, err := deps.RepoFS.DeletedRepoPath(uname, "reuse", first.Repo.ID)
 +	if err != nil {
 +		t.Fatalf("DeletedRepoPath: %v", err)
 +	}
 +	ldeps := lifecycle.Deps{Pool: pool, RepoFS: deps.RepoFS, Audit: audit.NewRecorder(), Logger: deps.Logger}
 +	if err := lifecycle.SoftDelete(ctx, ldeps, uid, first.Repo.ID); err != nil {
 +		t.Fatalf("SoftDelete: %v", err)
 +	}
 +	if _, err := os.Stat(first.DiskPath); !os.IsNotExist(err) {
 +		t.Fatalf("canonical path after soft-delete: err = %v, want not exist", err)
 +	}
 +	if _, err := os.Stat(deletedPath); err != nil {
 +		t.Fatalf("deleted tombstone missing: %v", err)
 +	}
++
 +	second, err := repos.Create(ctx, deps, repos.Params{
 +		OwnerUserID: uid, OwnerUsername: uname, Name: "reuse", Visibility: "public",
 +	})
 +	if err != nil {
 +		t.Fatalf("recreate: %v", err)
 +	}
 +	if second.Repo.ID == first.Repo.ID {
 +		t.Fatalf("recreate reused old repo id %d", second.Repo.ID)
 +	}
 +	if _, err := os.Stat(second.DiskPath); err != nil {
 +		t.Fatalf("replacement canonical path missing: %v", err)
 +	}
++
 +	if _, err := pool.Exec(ctx,
 +		`UPDATE repos SET deleted_at = now() - interval '8 days' WHERE id = $1`, first.Repo.ID); err != nil {
 +		t.Fatalf("backdate deleted repo: %v", err)
 +	}
 +	if err := lifecycle.HardDelete(ctx, ldeps, 0, first.Repo.ID); err != nil {
 +		t.Fatalf("HardDelete old repo: %v", err)
 +	}
 +	if _, err := os.Stat(second.DiskPath); err != nil {
 +		t.Fatalf("replacement path should survive hard-delete of old repo: %v", err)
 +	}
 +}
++
 +func TestCreate_DisplacesLegacySoftDeletedOrgRepoPath(t *testing.T) {
 +	t.Parallel()
 +	pool, deps, uid, _, _ := setupCreateEnv(t)
 +	ctx := context.Background()
 +	org, err := orgs.Create(ctx, orgs.Deps{Pool: pool}, orgs.CreateParams{
 +		Slug: "gardesk", DisplayName: "gardesk", CreatedByUserID: uid,
 +	})
 +	if err != nil {
 +		t.Fatalf("orgs.Create: %v", err)
 +	}
 +	first, err := repos.Create(ctx, deps, repos.Params{
 +		OwnerOrgID: org.ID, OwnerSlug: string(org.Slug), ActorUserID: uid,
 +		Name: "garterm", Visibility: "public", InitReadme: true,
 +	})
 +	if err != nil {
 +		t.Fatalf("first create: %v", err)
 +	}
 +	if _, err := pool.Exec(ctx,
 +		`UPDATE repos SET deleted_at = now(), updated_at = now() WHERE id = $1`, first.Repo.ID); err != nil {
 +		t.Fatalf("legacy soft delete: %v", err)
 +	}
++
 +	second, err := repos.Create(ctx, deps, repos.Params{
 +		OwnerOrgID: org.ID, OwnerSlug: string(org.Slug), ActorUserID: uid,
 +		Name: "garterm", Visibility: "public",
 +	})
 +	if err != nil {
 +		t.Fatalf("recreate after legacy soft delete: %v", err)
 +	}
 +	if second.Repo.ID == first.Repo.ID {
 +		t.Fatalf("recreate reused old repo id %d", second.Repo.ID)
 +	}
 +	deletedPath, err := deps.RepoFS.DeletedRepoPath(string(org.Slug), "garterm", first.Repo.ID)
 +	if err != nil {
 +		t.Fatalf("DeletedRepoPath: %v", err)
 +	}
 +	if _, err := os.Stat(deletedPath); err != nil {
 +		t.Fatalf("legacy repo was not moved to tombstone: %v", err)
 +	}
 +	if _, err := os.Stat(second.DiskPath); err != nil {
 +		t.Fatalf("replacement canonical path missing: %v", err)
 +	}
 +}
++
  func TestCreate_RejectsReservedName(t *testing.T) {
  	t.Parallel()
  	_, deps, uid, uname, _ := setupCreateEnv(t)

internal/repos/lifecycle/hard_delete.gomodified

  import (
  	"context"
  	"fmt"
 -	"os"
  	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
 -	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
+ )
  // HardDelete is the worker-driven cascade that runs after the soft-
  //  3. DELETE FROM repos — FK cascades handle push_events,
  //     webhook_events_pending, repo_collaborators, transfer requests,
  //     and any redirect rows pointing at this id.
 -//  4. RemoveAll the bare repo on disk.
 +//  4. Remove the bare repo tombstone on disk. For legacy soft-deleted
 +//     rows that still occupy the canonical path, remove that path only
 +//     when no new active repo has reused the owner/name.
  //  5. Audit-log the hard-delete with a snapshot of the removed row in
  //     the meta payload so the audit row is self-contained even after
  //     the repo_id is gone.
  // id encoded in some way; pass 0 to record "system" in audit.
  func HardDelete(ctx context.Context, deps Deps, actorUserID, repoID int64) error {
  	rq := reposdb.New()
 -	uq := usersdb.New()
 -	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)
 +	tx, err := deps.Pool.Begin(ctx)
 +	if err != nil {
 +		return fmt.Errorf("begin: %w", err)
 +	}
 +	committed := false
 +	defer func() {
 +		if !committed {
 +			_ = tx.Rollback(ctx)
 +		}
 +	}()
++
 +	repo, err := rq.GetRepoByID(ctx, tx, repoID)
  	if err != nil {
  		return fmt.Errorf("load repo: %w", err)
+ 	}
 +	if err := lockRepoName(ctx, rq, tx, repo); err != nil {
 +		return err
 +	}
  	if !repo.DeletedAt.Valid {
  		return ErrNotDeleted
+ 	}
  	if repo.OwnerUserID.Valid {
  		snapshot["owner_user_id"] = repo.OwnerUserID.Int64
+ 	}
 -	ownerName := ""
 -	if repo.OwnerUserID.Valid {
 -		if u, err := uq.GetUserByID(ctx, deps.Pool, repo.OwnerUserID.Int64); err == nil {
 -			ownerName = u.Username
 -		}
 +	if repo.OwnerOrgID.Valid {
 +		snapshot["owner_org_id"] = repo.OwnerOrgID.Int64
+ 	}
+-
 -	tx, err := deps.Pool.Begin(ctx)
 +	if ownerSlug, err := ownerSlugForRepo(ctx, deps, repo); err == nil {
 +		snapshot["owner"] = ownerSlug
 +	}
 +	paths, pathErr := diskPathsForRepo(ctx, deps, repo)
 +	activeNameExists, err := activeRepoNameExists(ctx, rq, tx, repo)
  	if err != nil {
 -		return fmt.Errorf("begin: %w", err)
 +		return fmt.Errorf("hard-delete name check: %w", err)
+ 	}
 -	committed := false
 -	defer func() {
 -		if !committed {
 -			_ = tx.Rollback(ctx)
 -		}
 -	}()
  	// 1. Orphan child forks.
  	if _, err := rq.OrphanForksOf(ctx, tx, pgtype.Int8{Int64: repoID, Valid: true}); err != nil {
  	if err := rq.HardDeleteRepo(ctx, tx, repoID); err != nil {
  		return fmt.Errorf("delete repo: %w", err)
+ 	}
++
 +	// 4. Remove the bare repo while the owner/name advisory lock is
 +	// still held. That matters for legacy soft-deleted rows whose data
 +	// is still at the canonical path: a concurrent recreate cannot race
 +	// this cleanup and have its new bare repo removed.
 +	if pathErr == nil {
 +		if err := removeDeletedRepoPath(deps, paths, activeNameExists); err != nil && deps.Logger != nil {
 +			deps.Logger.WarnContext(ctx, "hard delete: fs delete failed",
 +				"repo_id", repoID, "path", paths.deleted, "canonical_path", paths.canonical, "error", err)
 +		}
 +	} else if deps.Logger != nil {
 +		deps.Logger.WarnContext(ctx, "hard delete: compute fs path failed", "repo_id", repoID, "error", pathErr)
 +	}
++
  	if err := tx.Commit(ctx); err != nil {
  		return fmt.Errorf("commit: %w", err)
+ 	}
  	committed = true
 -	// 4. Remove the bare repo on disk. Best-effort: log and continue
 -	//    so a missing path doesn't leave a "deleted but DB row gone"
 -	//    inconsistency that's impossible to recover from.
 -	if ownerName != "" {
 -		if path, err := deps.RepoFS.RepoPath(ownerName, repo.Name); err == nil {
 -			if err := os.RemoveAll(path); err != nil && deps.Logger != nil {
 -				deps.Logger.WarnContext(ctx, "hard delete: fs RemoveAll failed",
 -					"repo_id", repoID, "path", path, "error", err)
 -			}
 -		}
 -	}
+-
  	// 5. Audit. Use a fresh pool conn since the repo_id no longer
  	//    exists; the meta blob carries the snapshot.
  	if deps.Audit != nil {
+ 	}
  	return nil
+ }
++
 +func removeDeletedRepoPath(deps Deps, paths repoDiskPaths, activeNameExists bool) error {
 +	deletedExists, err := deps.RepoFS.Exists(paths.deleted)
 +	if err != nil {
 +		return err
 +	}
 +	if deletedExists {
 +		return deps.RepoFS.Delete(paths.deleted)
 +	}
 +	if activeNameExists {
 +		return nil
 +	}
 +	return deps.RepoFS.Delete(paths.canonical)
 +}

internal/repos/lifecycle/lifecycle_test.gomodified

  func TestSoftDeleteAndRestore(t *testing.T) {
  	t.Parallel()
  	env := setup(t)
 +	deletedPath, err := env.deps.RepoFS.DeletedRepoPath("alice", "demo", env.repoID)
 +	if err != nil {
 +		t.Fatalf("DeletedRepoPath: %v", err)
 +	}
  	if err := lifecycle.SoftDelete(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {
  		t.Fatalf("SoftDelete: %v", err)
+ 	}
 +	if _, err := os.Stat(env.originalFS); !os.IsNotExist(err) {
 +		t.Fatalf("canonical path after soft-delete: err = %v, want not exist", err)
 +	}
 +	if _, err := os.Stat(deletedPath); err != nil {
 +		t.Fatalf("deleted tombstone missing: %v", err)
 +	}
  	if err := lifecycle.SoftDelete(context.Background(), env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrAlreadyDeleted) {
  		t.Errorf("double soft-delete: err=%v", err)
+ 	}
  	if err := lifecycle.Restore(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {
  		t.Fatalf("Restore: %v", err)
+ 	}
 +	if _, err := os.Stat(env.originalFS); err != nil {
 +		t.Fatalf("canonical path after restore missing: %v", err)
 +	}
 +	if _, err := os.Stat(deletedPath); !os.IsNotExist(err) {
 +		t.Fatalf("deleted tombstone after restore: err = %v, want not exist", err)
 +	}
  	if err := lifecycle.Restore(context.Background(), env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrNotDeleted) {
  		t.Errorf("double restore: err=%v", err)
+ 	}
+ }
 +func TestRestore_RefusesWhenNameReused(t *testing.T) {
 +	t.Parallel()
 +	env := setup(t)
 +	ctx := context.Background()
 +	if err := lifecycle.SoftDelete(ctx, env.deps, env.alice.ID, env.repoID); err != nil {
 +		t.Fatalf("SoftDelete: %v", err)
 +	}
 +	replacement, err := repos.Create(ctx, env.rdeps, repos.Params{
 +		OwnerUserID: env.alice.ID, OwnerUsername: env.alice.Username,
 +		Name: "demo", Visibility: "public",
 +	})
 +	if err != nil {
 +		t.Fatalf("replacement create: %v", err)
 +	}
 +	if err := lifecycle.Restore(ctx, env.deps, env.alice.ID, env.repoID); !errors.Is(err, lifecycle.ErrNameTaken) {
 +		t.Fatalf("Restore: err = %v, want ErrNameTaken", err)
 +	}
 +	if _, err := os.Stat(replacement.DiskPath); err != nil {
 +		t.Fatalf("replacement canonical path missing: %v", err)
 +	}
 +	deletedPath, err := env.deps.RepoFS.DeletedRepoPath("alice", "demo", env.repoID)
 +	if err != nil {
 +		t.Fatalf("DeletedRepoPath: %v", err)
 +	}
 +	if _, err := os.Stat(deletedPath); err != nil {
 +		t.Fatalf("old tombstone should remain restorable: %v", err)
 +	}
 +}
++
  func TestRestore_PastGraceRefuses(t *testing.T) {
  	t.Parallel()
  	env := setup(t)
  func TestHardDelete_PastGraceCascades(t *testing.T) {
  	t.Parallel()
  	env := setup(t)
 +	deletedPath, err := env.deps.RepoFS.DeletedRepoPath("alice", "demo", env.repoID)
 +	if err != nil {
 +		t.Fatalf("DeletedRepoPath: %v", err)
 +	}
  	if err := lifecycle.SoftDelete(context.Background(), env.deps, env.alice.ID, env.repoID); err != nil {
  		t.Fatal(err)
+ 	}
  	if _, err := rq.GetRepoByID(context.Background(), env.deps.Pool, env.repoID); err == nil {
  		t.Errorf("repo row still present after hard-delete")
+ 	}
 -	// FS dir gone.
 -	if _, err := os.Stat(env.originalFS); !os.IsNotExist(err) {
 -		t.Errorf("FS path still present: err=%v", err)
 +	// Tombstone dir gone.
 +	if _, err := os.Stat(deletedPath); !os.IsNotExist(err) {
 +		t.Errorf("deleted tombstone still present: err=%v", err)
+ 	}
+ }

internal/repos/lifecycle/paths.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package lifecycle
++
 +import (
 +	"context"
 +	"errors"
 +	"fmt"
 +	"strings"
++
 +	"github.com/jackc/pgx/v5/pgconn"
 +	"github.com/jackc/pgx/v5/pgtype"
++
 +	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
 +	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
 +	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
 +)
++
 +type repoDiskPaths struct {
 +	canonical string
 +	deleted   string
 +}
++
 +func lockRepoName(ctx context.Context, q *reposdb.Queries, db reposdb.DBTX, repo reposdb.Repo) error {
 +	key, err := repoNameLockKey(repo.OwnerUserID, repo.OwnerOrgID, repo.Name)
 +	if err != nil {
 +		return err
 +	}
 +	if err := q.LockRepoOwnerName(ctx, db, key); err != nil {
 +		return fmt.Errorf("lock repo owner/name: %w", err)
 +	}
 +	return nil
 +}
++
 +func repoNameLockKey(ownerUserID, ownerOrgID pgtype.Int8, name string) (string, error) {
 +	name = strings.ToLower(name)
 +	switch {
 +	case ownerUserID.Valid && !ownerOrgID.Valid:
 +		return fmt.Sprintf("repo-name:user:%d:%s", ownerUserID.Int64, name), nil
 +	case ownerOrgID.Valid && !ownerUserID.Valid:
 +		return fmt.Sprintf("repo-name:org:%d:%s", ownerOrgID.Int64, name), nil
 +	default:
 +		return "", errors.New("lifecycle: repo owner is not xor")
 +	}
 +}
++
 +func diskPathsForRepo(ctx context.Context, deps Deps, repo reposdb.Repo) (repoDiskPaths, error) {
 +	owner, err := ownerSlugForRepo(ctx, deps, repo)
 +	if err != nil {
 +		return repoDiskPaths{}, err
 +	}
 +	canonical, err := deps.RepoFS.RepoPath(owner, repo.Name)
 +	if err != nil {
 +		return repoDiskPaths{}, fmt.Errorf("canonical repo path: %w", err)
 +	}
 +	deleted, err := deps.RepoFS.DeletedRepoPath(owner, repo.Name, repo.ID)
 +	if err != nil {
 +		return repoDiskPaths{}, fmt.Errorf("deleted repo path: %w", err)
 +	}
 +	return repoDiskPaths{canonical: canonical, deleted: deleted}, nil
 +}
++
 +func ownerSlugForRepo(ctx context.Context, deps Deps, repo reposdb.Repo) (string, error) {
 +	switch {
 +	case repo.OwnerUserID.Valid && !repo.OwnerOrgID.Valid:
 +		user, err := usersdb.New().GetUserIncludingDeleted(ctx, deps.Pool, repo.OwnerUserID.Int64)
 +		if err != nil {
 +			return "", fmt.Errorf("load repo owner user: %w", err)
 +		}
 +		return user.Username, nil
 +	case repo.OwnerOrgID.Valid && !repo.OwnerUserID.Valid:
 +		org, err := orgsdb.New().GetOrgByID(ctx, deps.Pool, repo.OwnerOrgID.Int64)
 +		if err != nil {
 +			return "", fmt.Errorf("load repo owner org: %w", err)
 +		}
 +		return string(org.Slug), nil
 +	default:
 +		return "", errors.New("lifecycle: repo owner is not xor")
 +	}
 +}
++
 +func activeRepoNameExists(ctx context.Context, q *reposdb.Queries, db reposdb.DBTX, repo reposdb.Repo) (bool, error) {
 +	switch {
 +	case repo.OwnerUserID.Valid && !repo.OwnerOrgID.Valid:
 +		return q.ExistsRepoForOwnerUser(ctx, db, reposdb.ExistsRepoForOwnerUserParams{
 +			OwnerUserID: pgtype.Int8{Int64: repo.OwnerUserID.Int64, Valid: true},
 +			Name:        repo.Name,
 +		})
 +	case repo.OwnerOrgID.Valid && !repo.OwnerUserID.Valid:
 +		return q.ExistsRepoForOwnerOrg(ctx, db, reposdb.ExistsRepoForOwnerOrgParams{
 +			OwnerOrgID: pgtype.Int8{Int64: repo.OwnerOrgID.Int64, Valid: true},
 +			Name:       repo.Name,
 +		})
 +	default:
 +		return false, errors.New("lifecycle: repo owner is not xor")
 +	}
 +}
++
 +func isUniqueViolation(err error) bool {
 +	var pgErr *pgconn.PgError
 +	return errors.As(err, &pgErr) && pgErr.Code == "23505"
 +}

internal/repos/lifecycle/soft_delete.gomodified

  import (
  	"context"
 +	"errors"
  	"fmt"
 +	"os"
  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
 +	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
+ )
  // SoftDelete sets repos.deleted_at to now. The repo disappears from
  // listings and the home page returns 404 for non-owners (auth-aware).
 -// The bare repo on disk is left alone until the hard-delete worker
 -// runs at the end of the grace window.
 +// The bare repo is moved from the canonical owner/name path into an
 +// internal tombstone path so the owner can recreate the same repo name
 +// during the grace window without colliding with the deleted repo.
  func SoftDelete(ctx context.Context, deps Deps, actorUserID, repoID int64) error {
  	rq := reposdb.New()
 -	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)
++
 +	tx, err := deps.Pool.Begin(ctx)
 +	if err != nil {
 +		return fmt.Errorf("begin: %w", err)
 +	}
 +	committed := false
 +	defer func() {
 +		if !committed {
 +			_ = tx.Rollback(ctx)
 +		}
 +	}()
++
 +	repo, err := rq.GetRepoByID(ctx, tx, repoID)
  	if err != nil {
  		return fmt.Errorf("load repo: %w", err)
+ 	}
 +	if err := lockRepoName(ctx, rq, tx, repo); err != nil {
 +		return err
 +	}
  	if repo.DeletedAt.Valid {
  		return ErrAlreadyDeleted
+ 	}
 -	if err := rq.SoftDeleteRepoLifecycle(ctx, deps.Pool, repoID); err != nil {
 +	moved, err := moveCanonicalToDeleted(ctx, deps, repo)
 +	if err != nil {
 +		return err
 +	}
 +	if err := rq.SoftDeleteRepoLifecycle(ctx, tx, repoID); err != nil {
 +		if moved {
 +			moveDeletedBackToCanonical(ctx, deps, repo)
 +		}
  		return fmt.Errorf("soft delete: %w", err)
+ 	}
 +	if err := tx.Commit(ctx); err != nil {
 +		if moved {
 +			moveDeletedBackToCanonical(ctx, deps, repo)
 +		}
 +		return fmt.Errorf("commit: %w", err)
 +	}
 +	committed = true
  	if deps.Audit != nil {
  		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,
  			audit.ActionRepoSoftDeleted, audit.TargetRepo, repoID,
  // refuse — the operator-visible contract is "7 days, then it's gone".
  func Restore(ctx context.Context, deps Deps, actorUserID, repoID int64) error {
  	rq := reposdb.New()
 -	repo, err := rq.GetRepoByID(ctx, deps.Pool, repoID)
++
 +	tx, err := deps.Pool.Begin(ctx)
 +	if err != nil {
 +		return fmt.Errorf("begin: %w", err)
 +	}
 +	committed := false
 +	defer func() {
 +		if !committed {
 +			_ = tx.Rollback(ctx)
 +		}
 +	}()
++
 +	repo, err := rq.GetRepoByID(ctx, tx, repoID)
  	if err != nil {
  		return fmt.Errorf("load repo: %w", err)
+ 	}
 +	if err := lockRepoName(ctx, rq, tx, repo); err != nil {
 +		return err
 +	}
  	if !repo.DeletedAt.Valid {
  		return ErrNotDeleted
+ 	}
  	if deps.now().Sub(repo.DeletedAt.Time) > softDeleteGrace {
  		return ErrPastGrace
+ 	}
 -	if err := rq.RestoreRepo(ctx, deps.Pool, repoID); err != nil {
 +	taken, err := activeRepoNameExists(ctx, rq, tx, repo)
 +	if err != nil {
 +		return fmt.Errorf("restore name check: %w", err)
 +	}
 +	if taken {
 +		return ErrNameTaken
 +	}
 +	moved, err := moveDeletedToCanonical(ctx, deps, repo)
 +	if err != nil {
 +		if errors.Is(err, storage.ErrAlreadyExists) {
 +			return ErrNameTaken
 +		}
 +		return err
 +	}
 +	if err := rq.RestoreRepo(ctx, tx, repoID); err != nil {
 +		if moved {
 +			moveCanonicalBackToDeleted(ctx, deps, repo)
 +		}
 +		if isUniqueViolation(err) {
 +			return ErrNameTaken
 +		}
  		return fmt.Errorf("restore: %w", err)
+ 	}
 +	if err := tx.Commit(ctx); err != nil {
 +		if moved {
 +			moveCanonicalBackToDeleted(ctx, deps, repo)
 +		}
 +		return fmt.Errorf("commit: %w", err)
 +	}
 +	committed = true
  	if deps.Audit != nil {
  		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,
  			audit.ActionRepoRestored, audit.TargetRepo, repoID, nil)
  	return nil
+ }
 +func moveCanonicalToDeleted(ctx context.Context, deps Deps, repo reposdb.Repo) (bool, error) {
 +	paths, err := diskPathsForRepo(ctx, deps, repo)
 +	if err != nil {
 +		return false, err
 +	}
 +	if err := deps.RepoFS.Move(paths.canonical, paths.deleted); err != nil {
 +		if errors.Is(err, os.ErrNotExist) {
 +			exists, existsErr := deps.RepoFS.Exists(paths.deleted)
 +			if existsErr != nil {
 +				return false, existsErr
 +			}
 +			if exists {
 +				return false, nil
 +			}
 +		}
 +		return false, fmt.Errorf("move repo to deleted path: %w", err)
 +	}
 +	return true, nil
 +}
++
 +func moveDeletedToCanonical(ctx context.Context, deps Deps, repo reposdb.Repo) (bool, error) {
 +	paths, err := diskPathsForRepo(ctx, deps, repo)
 +	if err != nil {
 +		return false, err
 +	}
 +	if err := deps.RepoFS.Move(paths.deleted, paths.canonical); err != nil {
 +		if errors.Is(err, os.ErrNotExist) {
 +			exists, existsErr := deps.RepoFS.Exists(paths.canonical)
 +			if existsErr != nil {
 +				return false, existsErr
 +			}
 +			if exists {
 +				return false, nil
 +			}
 +		}
 +		return false, fmt.Errorf("move repo to canonical path: %w", err)
 +	}
 +	return true, nil
 +}
++
 +func moveDeletedBackToCanonical(ctx context.Context, deps Deps, repo reposdb.Repo) {
 +	paths, err := diskPathsForRepo(ctx, deps, repo)
 +	if err != nil {
 +		if deps.Logger != nil {
 +			deps.Logger.WarnContext(ctx, "soft delete: compute rollback path failed", "repo_id", repo.ID, "error", err)
 +		}
 +		return
 +	}
 +	if err := deps.RepoFS.Move(paths.deleted, paths.canonical); err != nil && deps.Logger != nil {
 +		deps.Logger.WarnContext(ctx, "soft delete: rollback fs move failed",
 +			"repo_id", repo.ID, "from", paths.deleted, "to", paths.canonical, "error", err)
 +	}
 +}
++
 +func moveCanonicalBackToDeleted(ctx context.Context, deps Deps, repo reposdb.Repo) {
 +	paths, err := diskPathsForRepo(ctx, deps, repo)
 +	if err != nil {
 +		if deps.Logger != nil {
 +			deps.Logger.WarnContext(ctx, "restore: compute rollback path failed", "repo_id", repo.ID, "error", err)
 +		}
 +		return
 +	}
 +	if err := deps.RepoFS.Move(paths.canonical, paths.deleted); err != nil && deps.Logger != nil {
 +		deps.Logger.WarnContext(ctx, "restore: rollback fs move failed",
 +			"repo_id", repo.ID, "from", paths.canonical, "to", paths.deleted, "error", err)
 +	}
 +}
++
  // int64ValueOrZero unwraps a pgtype.Int8 stored as raw int64+bool. We
  // keep this private helper duplicated across packages rather than
  // pulling pgtype into the audit-meta hot path.

internal/repos/queries/repos.sqlmodified

            star_count, watcher_count, fork_count, init_status,
            last_indexed_oid;
 +-- name: LockRepoOwnerName :exec
 +-- Serializes DB + filesystem operations for one logical owner/name
 +-- pair. Create, soft-delete, restore, and hard-delete all touch the
 +-- canonical bare path; a transaction-scoped advisory lock keeps those
 +-- cross-resource moves from racing.
 +SELECT pg_advisory_xact_lock(hashtextextended($1, 0));
++
  -- name: GetRepoByID :one
  SELECT id, owner_user_id, owner_org_id, name, description, visibility,
         default_branch, is_archived, archived_at, deleted_at,
  FROM repos
  WHERE owner_user_id = $1 AND name = $2 AND deleted_at IS NULL;
 +-- name: GetSoftDeletedRepoByOwnerUserAndName :one
 +SELECT id, owner_user_id, owner_org_id, name, description, visibility,
 +       default_branch, is_archived, archived_at, deleted_at,
 +       disk_used_bytes, fork_of_repo_id, license_key, primary_language,
 +       has_issues, has_pulls, created_at, updated_at, default_branch_oid,
 +       allow_squash_merge, allow_rebase_merge, allow_merge_commit, default_merge_method,
 +       star_count, watcher_count, fork_count, init_status,
 +       last_indexed_oid
 +FROM repos
 +WHERE owner_user_id = $1 AND name = $2 AND deleted_at IS NOT NULL
 +ORDER BY deleted_at DESC, id DESC
 +LIMIT 1;
++
  -- name: ExistsRepoForOwnerUser :one
  SELECT EXISTS(
      SELECT 1 FROM repos
  FROM repos
  WHERE owner_org_id = $1 AND name = $2 AND deleted_at IS NULL;
 +-- name: GetSoftDeletedRepoByOwnerOrgAndName :one
 +SELECT id, owner_user_id, owner_org_id, name, description, visibility,
 +       default_branch, is_archived, archived_at, deleted_at,
 +       disk_used_bytes, fork_of_repo_id, license_key, primary_language,
 +       has_issues, has_pulls, created_at, updated_at, default_branch_oid,
 +       allow_squash_merge, allow_rebase_merge, allow_merge_commit, default_merge_method,
 +       star_count, watcher_count, fork_count, init_status,
 +       last_indexed_oid
 +FROM repos
 +WHERE owner_org_id = $1 AND name = $2 AND deleted_at IS NOT NULL
 +ORDER BY deleted_at DESC, id DESC
 +LIMIT 1;
++
  -- name: ExistsRepoForOwnerOrg :one
  SELECT EXISTS(
      SELECT 1 FROM repos

internal/repos/sqlc/querier.gomodified

  	GetRepoOwnerUsernameByID(ctx context.Context, db DBTX, id int64) (GetRepoOwnerUsernameByIDRow, error)
  	// SPDX-License-Identifier: AGPL-3.0-or-later
  	GetRepoSourceRemote(ctx context.Context, db DBTX, repoID int64) (RepoSourceRemote, error)
 +	GetSoftDeletedRepoByOwnerOrgAndName(ctx context.Context, db DBTX, arg GetSoftDeletedRepoByOwnerOrgAndNameParams) (Repo, error)
 +	GetSoftDeletedRepoByOwnerUserAndName(ctx context.Context, db DBTX, arg GetSoftDeletedRepoByOwnerUserAndNameParams) (Repo, error)
  	GetTransferRequest(ctx context.Context, db DBTX, id int64) (RepoTransferRequest, error)
  	HardDeleteRepo(ctx context.Context, db DBTX, id int64) error
  	InsertProfilePin(ctx context.Context, db DBTX, arg InsertProfilePinParams) error
  	ListSoftDeletedReposForOwner(ctx context.Context, db DBTX, ownerUserID pgtype.Int8) ([]ListSoftDeletedReposForOwnerRow, error)
  	// Sender / repo-settings view.
  	ListTransfersForRepo(ctx context.Context, db DBTX, repoID int64) ([]RepoTransferRequest, error)
 +	// Serializes DB + filesystem operations for one logical owner/name
 +	// pair. Create, soft-delete, restore, and hard-delete all touch the
 +	// canonical bare path; a transaction-scoped advisory lock keeps those
 +	// cross-resource moves from racing.
 +	LockRepoOwnerName(ctx context.Context, db DBTX, hashtextextended string) error
  	// Returns the current repo_id when (old_owner_user_id, old_name) hits
  	// a redirect row.
  	LookupRedirectByUserOwner(ctx context.Context, db DBTX, arg LookupRedirectByUserOwnerParams) (int64, error)

internal/repos/sqlc/repos.sql.gomodified

  	return i, err
+ }
 +const getSoftDeletedRepoByOwnerOrgAndName = `-- name: GetSoftDeletedRepoByOwnerOrgAndName :one
 +SELECT id, owner_user_id, owner_org_id, name, description, visibility,
 +       default_branch, is_archived, archived_at, deleted_at,
 +       disk_used_bytes, fork_of_repo_id, license_key, primary_language,
 +       has_issues, has_pulls, created_at, updated_at, default_branch_oid,
 +       allow_squash_merge, allow_rebase_merge, allow_merge_commit, default_merge_method,
 +       star_count, watcher_count, fork_count, init_status,
 +       last_indexed_oid
 +FROM repos
 +WHERE owner_org_id = $1 AND name = $2 AND deleted_at IS NOT NULL
 +ORDER BY deleted_at DESC, id DESC
 +LIMIT 1
 +`
++
 +type GetSoftDeletedRepoByOwnerOrgAndNameParams struct {
 +	OwnerOrgID pgtype.Int8
 +	Name       string
 +}
++
 +func (q *Queries) GetSoftDeletedRepoByOwnerOrgAndName(ctx context.Context, db DBTX, arg GetSoftDeletedRepoByOwnerOrgAndNameParams) (Repo, error) {
 +	row := db.QueryRow(ctx, getSoftDeletedRepoByOwnerOrgAndName, arg.OwnerOrgID, arg.Name)
 +	var i Repo
 +	err := row.Scan(
 +		&i.ID,
 +		&i.OwnerUserID,
 +		&i.OwnerOrgID,
 +		&i.Name,
 +		&i.Description,
 +		&i.Visibility,
 +		&i.DefaultBranch,
 +		&i.IsArchived,
 +		&i.ArchivedAt,
 +		&i.DeletedAt,
 +		&i.DiskUsedBytes,
 +		&i.ForkOfRepoID,
 +		&i.LicenseKey,
 +		&i.PrimaryLanguage,
 +		&i.HasIssues,
 +		&i.HasPulls,
 +		&i.CreatedAt,
 +		&i.UpdatedAt,
 +		&i.DefaultBranchOid,
 +		&i.AllowSquashMerge,
 +		&i.AllowRebaseMerge,
 +		&i.AllowMergeCommit,
 +		&i.DefaultMergeMethod,
 +		&i.StarCount,
 +		&i.WatcherCount,
 +		&i.ForkCount,
 +		&i.InitStatus,
 +		&i.LastIndexedOid,
 +	)
 +	return i, err
 +}
++
 +const getSoftDeletedRepoByOwnerUserAndName = `-- name: GetSoftDeletedRepoByOwnerUserAndName :one
 +SELECT id, owner_user_id, owner_org_id, name, description, visibility,
 +       default_branch, is_archived, archived_at, deleted_at,
 +       disk_used_bytes, fork_of_repo_id, license_key, primary_language,
 +       has_issues, has_pulls, created_at, updated_at, default_branch_oid,
 +       allow_squash_merge, allow_rebase_merge, allow_merge_commit, default_merge_method,
 +       star_count, watcher_count, fork_count, init_status,
 +       last_indexed_oid
 +FROM repos
 +WHERE owner_user_id = $1 AND name = $2 AND deleted_at IS NOT NULL
 +ORDER BY deleted_at DESC, id DESC
 +LIMIT 1
 +`
++
 +type GetSoftDeletedRepoByOwnerUserAndNameParams struct {
 +	OwnerUserID pgtype.Int8
 +	Name        string
 +}
++
 +func (q *Queries) GetSoftDeletedRepoByOwnerUserAndName(ctx context.Context, db DBTX, arg GetSoftDeletedRepoByOwnerUserAndNameParams) (Repo, error) {
 +	row := db.QueryRow(ctx, getSoftDeletedRepoByOwnerUserAndName, arg.OwnerUserID, arg.Name)
 +	var i Repo
 +	err := row.Scan(
 +		&i.ID,
 +		&i.OwnerUserID,
 +		&i.OwnerOrgID,
 +		&i.Name,
 +		&i.Description,
 +		&i.Visibility,
 +		&i.DefaultBranch,
 +		&i.IsArchived,
 +		&i.ArchivedAt,
 +		&i.DeletedAt,
 +		&i.DiskUsedBytes,
 +		&i.ForkOfRepoID,
 +		&i.LicenseKey,
 +		&i.PrimaryLanguage,
 +		&i.HasIssues,
 +		&i.HasPulls,
 +		&i.CreatedAt,
 +		&i.UpdatedAt,
 +		&i.DefaultBranchOid,
 +		&i.AllowSquashMerge,
 +		&i.AllowRebaseMerge,
 +		&i.AllowMergeCommit,
 +		&i.DefaultMergeMethod,
 +		&i.StarCount,
 +		&i.WatcherCount,
 +		&i.ForkCount,
 +		&i.InitStatus,
 +		&i.LastIndexedOid,
 +	)
 +	return i, err
 +}
++
  const insertProfilePin = `-- name: InsertProfilePin :exec
  INSERT INTO profile_pins (set_id, repo_id, position)
  VALUES ($1, $2, $3)
  	return items, nil
+ }
 +const lockRepoOwnerName = `-- name: LockRepoOwnerName :exec
 +SELECT pg_advisory_xact_lock(hashtextextended($1, 0))
 +`
++
 +// Serializes DB + filesystem operations for one logical owner/name
 +// pair. Create, soft-delete, restore, and hard-delete all touch the
 +// canonical bare path; a transaction-scoped advisory lock keeps those
 +// cross-resource moves from racing.
 +func (q *Queries) LockRepoOwnerName(ctx context.Context, db DBTX, hashtextextended string) error {
 +	_, err := db.Exec(ctx, lockRepoOwnerName, hashtextextended)
 +	return err
 +}
++
  const replaceRepoTopics = `-- name: ReplaceRepoTopics :exec
  DELETE FROM repo_topics WHERE repo_id = $1
+ `