tenseleyflow/shithub / 8d3abff

+	ActionStarCreated            Action = "star_created"

+	ActionStarDeleted            Action = "star_deleted"

+	ActionWatchSet               Action = "watch_set"

+	ActionWatchUnset             Action = "watch_unset"

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package social

+

+import (

+	"context"

+	"fmt"

+

+	socialdb "github.com/tenseleyFlow/shithub/internal/social/sqlc"

+)

+

+// AutoWatchOnCollab inserts a `level='all'` row when no preference

+// exists. Triggered by S15's collaborator-add path. Non-destructive:

+// if the user has already chosen a level (including `ignore`), their

+// choice is preserved.

+//

+// Matches GitHub: collaborators get full notifications by default;

+// they can opt down to `participating` or `ignore` later.

+func AutoWatchOnCollab(ctx context.Context, deps Deps, userID, repoID int64) error {

+	return autoWatch(ctx, deps, userID, repoID, WatchAll)

+}

+

+// AutoWatchOnInvolvement inserts a `level='participating'` row when

+// no preference exists. Triggered by issues.AddComment, mention

+// resolution, assignment, review-requested. Non-destructive.

+//

+// Matches GitHub: any first-touch involvement (commenting, getting

+// mentioned, getting assigned) auto-subscribes the user to that

+// thread's notifications, but only at the participating level so a

+// drive-by mention doesn't flood them with future events.

+func AutoWatchOnInvolvement(ctx context.Context, deps Deps, userID, repoID int64) error {

+	return autoWatch(ctx, deps, userID, repoID, WatchParticipating)

+}

+

+// autoWatch is the shared implementation. The InsertIfAbsent query's

+// ON CONFLICT DO NOTHING is what makes this safe to call repeatedly

+// from any orchestrator without coordinating "first call" semantics.

+func autoWatch(ctx context.Context, deps Deps, userID, repoID int64, level WatchLevel) error {

+	if userID == 0 {

+		// Anonymous can't auto-watch. Not an error — the caller may

+		// not know whether the actor is logged in.

+		return nil

+	}

+	if err := socialdb.New().InsertWatchIfAbsent(ctx, deps.Pool, socialdb.InsertWatchIfAbsentParams{

+		UserID: userID,

+		RepoID: repoID,

+		Level:  socialdb.WatchLevel(level),

+	}); err != nil {

+		return fmt.Errorf("auto-watch %s: %w", level, err)

+	}

+	return nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package social

+

+import (

+	"context"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	socialdb "github.com/tenseleyFlow/shithub/internal/social/sqlc"

+)

+

+// EmitEvent is the canonical seam for inserting a row into

+// `domain_events`. Other packages (issues, pulls, repos lifecycle)

+// will call this rather than reaching into the sqlc query directly,

+// so the event-shape contract has one place to evolve as S29 and

+// S33 wire up their consumers.

+//

+// Pass repoID = 0 for user-scoped events (where there's no repo

+// involved). The handler / orchestrator owns the public-flag

+// decision: public-repo events should set true; private-repo events

+// must set false.

+type EmitParams struct {

+	ActorUserID int64

+	Kind        string

+	RepoID      int64 // 0 for user-scoped

+	SourceKind  string

+	SourceID    int64

+	Public      bool

+	Payload     []byte // already-marshaled JSON; pass `[]byte("{}")` for empty

+}

+

+// Emit writes one row to domain_events. Non-fatal at the caller's

+// discretion; orchestrators typically log on error rather than

+// failing the whole transaction (the in-band action is more

+// important than the event log).

+func Emit(ctx context.Context, deps Deps, p EmitParams) error {

+	payload := p.Payload

+	if len(payload) == 0 {

+		payload = []byte("{}")

+	}

+	_, err := socialdb.New().InsertDomainEvent(ctx, deps.Pool, socialdb.InsertDomainEventParams{

+		ActorUserID: pgInt(p.ActorUserID),

+		Kind:        p.Kind,

+		RepoID:      pgInt(p.RepoID),

+		SourceKind:  p.SourceKind,

+		SourceID:    p.SourceID,

+		Public:      p.Public,

+		Payload:     payload,

+	})

+	return err

+}

+

+func pgInt(v int64) pgtype.Int8 {

+	return pgtype.Int8{Int64: v, Valid: v != 0}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package social owns S26's stars / watches / events surface. The

+// package is read-mostly from the rest of the runtime: notifications

+// fan-out (S29) reads `watches` for routing, the activity feed

+// (post-MVP) reads `domain_events` for public timelines, and the

+// repo profile reads cached counts. Mutations come through the

+// orchestrator entrypoints below.

+package social

+

+import (

+	"errors"

+	"log/slog"

+

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+)

+

+// Deps wires the package against the rest of the runtime. Pool is

+// required. Limiter governs the per-user star/unstar rate cap (spec

+// pitfall: trending-manipulation abuse vector). Logger is optional

+// (falls back to discarding when nil). Audit is optional; when set,

+// state-changing operations record an audit row.

+type Deps struct {

+	Pool    *pgxpool.Pool

+	Limiter *throttle.Limiter

+	Logger  *slog.Logger

+	Audit   *audit.Recorder

+}

+

+// Errors surfaced to handlers.

+var (

+	ErrNotLoggedIn      = errors.New("social: login required")

+	ErrInvalidWatchLevel = errors.New("social: watch level must be all, participating, or ignore")

+	ErrStarRateLimit    = errors.New("social: star/unstar rate limit exceeded")

+)

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package social

+

+import (

+	"context"

+	"fmt"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+	socialdb "github.com/tenseleyFlow/shithub/internal/social/sqlc"

+)

+

+// starRateMax is the spec's day-1 rate cap: 100 star/unstar actions

+// per hour per user. Defends against trending-manipulation abuse

+// (S35 owns the abuse-heuristics layer; this is the floor).

+const (

+	starRateMax    = 100

+	starRateWindow = time.Hour

+)

+

+// Star idempotently records a star. Re-starring an already-starred

+// repo is a no-op (the underlying INSERT … ON CONFLICT DO NOTHING +

+// AFTER INSERT trigger combination keeps star_count consistent).

+//

+// The handler MUST authorize via policy.Can(ActionStarCreate, repo)

+// before calling — this orchestrator trusts that the actor has read

+// access to the repo and is logged in.

+//

+// Emits a `star` event into domain_events with `public = repoIsPublic`.

+func Star(ctx context.Context, deps Deps, actorUserID, repoID int64, repoIsPublic bool) error {

+	if actorUserID == 0 {

+		return ErrNotLoggedIn

+	}

+	if err := hitStarLimit(ctx, deps, actorUserID); err != nil {

+		return err

+	}

+

+	tx, err := deps.Pool.Begin(ctx)

+	if err != nil {

+		return err

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	q := socialdb.New()

+	if err := q.InsertStar(ctx, tx, socialdb.InsertStarParams{

+		UserID: actorUserID, RepoID: repoID,

+	}); err != nil {

+		return fmt.Errorf("insert star: %w", err)

+	}

+	if _, err := q.InsertDomainEvent(ctx, tx, socialdb.InsertDomainEventParams{

+		ActorUserID: pgtype.Int8{Int64: actorUserID, Valid: true},

+		Kind:        "star",

+		RepoID:      pgtype.Int8{Int64: repoID, Valid: true},

+		SourceKind:  "repo",

+		SourceID:    repoID,

+		Public:      repoIsPublic,

+		Payload:     []byte("{}"),

+	}); err != nil {

+		return fmt.Errorf("insert event: %w", err)

+	}

+	if err := tx.Commit(ctx); err != nil {

+		return err

+	}

+	committed = true

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionStarCreated, audit.TargetRepo, repoID, nil)

+	}

+	return nil

+}

+

+// Unstar removes the star idempotently. Unstarring a non-starred

+// repo is a no-op. Emits an `unstar` event for symmetry.

+func Unstar(ctx context.Context, deps Deps, actorUserID, repoID int64, repoIsPublic bool) error {

+	if actorUserID == 0 {

+		return ErrNotLoggedIn

+	}

+	if err := hitStarLimit(ctx, deps, actorUserID); err != nil {

+		return err

+	}

+

+	tx, err := deps.Pool.Begin(ctx)

+	if err != nil {

+		return err

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	q := socialdb.New()

+	if err := q.DeleteStar(ctx, tx, socialdb.DeleteStarParams{

+		UserID: actorUserID, RepoID: repoID,

+	}); err != nil {

+		return fmt.Errorf("delete star: %w", err)

+	}

+	if _, err := q.InsertDomainEvent(ctx, tx, socialdb.InsertDomainEventParams{

+		ActorUserID: pgtype.Int8{Int64: actorUserID, Valid: true},

+		Kind:        "unstar",

+		RepoID:      pgtype.Int8{Int64: repoID, Valid: true},

+		SourceKind:  "repo",

+		SourceID:    repoID,

+		Public:      repoIsPublic,

+		Payload:     []byte("{}"),

+	}); err != nil {

+		return fmt.Errorf("insert event: %w", err)

+	}

+	if err := tx.Commit(ctx); err != nil {

+		return err

+	}

+	committed = true

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionStarDeleted, audit.TargetRepo, repoID, nil)

+	}

+	return nil

+}

+

+// HasStar reports whether the user has starred the repo. Used by the

+// star button on the repo page to render the toggled state.

+func HasStar(ctx context.Context, deps Deps, userID, repoID int64) (bool, error) {

+	if userID == 0 {

+		return false, nil

+	}

+	return socialdb.New().HasStar(ctx, deps.Pool, socialdb.HasStarParams{

+		UserID: userID, RepoID: repoID,

+	})

+}

+

+func hitStarLimit(ctx context.Context, deps Deps, userID int64) error {

+	if deps.Limiter == nil {

+		return nil

+	}

+	if err := deps.Limiter.Hit(ctx, deps.Pool, throttle.Limit{

+		Scope:      "star",

+		Identifier: fmt.Sprintf("user:%d", userID),

+		Max:        starRateMax,

+		Window:     starRateWindow,

+	}); err != nil {

+		return ErrStarRateLimit

+	}

+	return nil

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package social

+

+import (

+	"context"

+	"errors"

+	"fmt"

+

+	"github.com/jackc/pgx/v5"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	socialdb "github.com/tenseleyFlow/shithub/internal/social/sqlc"

+)

+

+// WatchLevel mirrors the DB enum so handlers can pass typed values

+// without importing socialdb.

+type WatchLevel string

+

+const (

+	WatchAll           WatchLevel = "all"

+	WatchParticipating WatchLevel = "participating"

+	WatchIgnore        WatchLevel = "ignore"

+)

+

+func (w WatchLevel) valid() bool {

+	switch w {

+	case WatchAll, WatchParticipating, WatchIgnore:

+		return true

+	}

+	return false

+}

+

+// SetWatch upserts an explicit watch level. The handler authorizes

+// via policy.Can(ActionWatchSet, repo) before calling.

+func SetWatch(ctx context.Context, deps Deps, actorUserID, repoID int64, level WatchLevel) error {

+	if actorUserID == 0 {

+		return ErrNotLoggedIn

+	}

+	if !level.valid() {

+		return ErrInvalidWatchLevel

+	}

+	if err := socialdb.New().UpsertWatch(ctx, deps.Pool, socialdb.UpsertWatchParams{

+		UserID: actorUserID,

+		RepoID: repoID,

+		Level:  socialdb.WatchLevel(level),

+	}); err != nil {

+		return fmt.Errorf("upsert watch: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionWatchSet, audit.TargetRepo, repoID,

+			map[string]any{"level": string(level)})

+	}

+	return nil

+}

+

+// UnsetWatch removes the explicit row, returning the user to the

+// implicit `participating` default.

+func UnsetWatch(ctx context.Context, deps Deps, actorUserID, repoID int64) error {

+	if actorUserID == 0 {

+		return ErrNotLoggedIn

+	}

+	if err := socialdb.New().DeleteWatch(ctx, deps.Pool, socialdb.DeleteWatchParams{

+		UserID: actorUserID, RepoID: repoID,

+	}); err != nil {

+		return fmt.Errorf("delete watch: %w", err)

+	}

+	if deps.Audit != nil {

+		_ = deps.Audit.Record(ctx, deps.Pool, actorUserID,

+			audit.ActionWatchUnset, audit.TargetRepo, repoID, nil)

+	}

+	return nil

+}

+

+// CurrentLevel returns the actor's current watch level for the repo,

+// resolving the implicit `participating` default when no row exists.

+func CurrentLevel(ctx context.Context, deps Deps, userID, repoID int64) (WatchLevel, error) {

+	if userID == 0 {

+		return WatchParticipating, nil

+	}

+	row, err := socialdb.New().GetWatch(ctx, deps.Pool, socialdb.GetWatchParams{

+		UserID: userID, RepoID: repoID,

+	})

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			return WatchParticipating, nil

+		}

+		return "", err

+	}

+	return WatchLevel(row.Level), nil

+}