tenseleyflow/shithub / 969e627

+	ActionRepoCreated          Action = "repo_created"

+	TargetRepo Target = "repo"

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repos

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"log/slog"

+	"os"

+	"strings"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgconn"

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/repos/templates"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+// CreateRateLimit caps how many repos one user can create per hour.

+// The spec calls for 10/hour; the value is exported so the operator can

+// override via the throttle plumbing if needed.

+const (

+	CreateRateLimitMax    = 10

+	CreateRateLimitWindow = time.Hour

+)

+

+// Deps wires the repo orchestrator. Inject from the web layer; no

+// global state.

+type Deps struct {

+	Pool    *pgxpool.Pool

+	RepoFS  *storage.RepoFS

+	Audit   *audit.Recorder

+	Limiter *throttle.Limiter

+	Logger  *slog.Logger

+	Now     func() time.Time

+}

+

+// Params describes one repo-create request as it arrives from the

+// handler, normalized but not yet validated against the DB.

+type Params struct {

+	OwnerUserID   int64

+	OwnerUsername string

+

+	Name        string // already lowercased + trimmed

+	Description string

+	Visibility  string // "public" | "private"

+

+	InitReadme   bool

+	LicenseKey   string // "" = none

+	GitignoreKey string // "" = none

+

+	// Optional override for the initial commit timestamp; tests pin this

+	// for determinism. Production callers leave it zero and let

+	// orchestrator default to deps.Now().

+	InitialCommitWhen time.Time

+}

+

+// Result is what Create returns on success.

+type Result struct {

+	Repo             reposdb.Repo

+	InitialCommitOID string // "" when InitReadme/License/Gitignore were all unset

+	DiskPath         string // bare-repo on-disk path

+}

+

+// Create validates, rate-limits, inserts the DB row, initializes the

+// bare repo on disk, optionally builds the initial commit, audit-logs,

+// and returns. On post-DB failure the tx rolls back and the partial

+// repo dir is best-effort removed.

+func Create(ctx context.Context, deps Deps, p Params) (Result, error) {

+	if deps.Pool == nil || deps.RepoFS == nil || deps.Audit == nil || deps.Limiter == nil {

+		return Result{}, errors.New("repos: Deps missing required field")

+	}

+	now := deps.Now

+	if now == nil {

+		now = time.Now

+	}

+

+	if err := ValidateName(p.Name); err != nil {

+		return Result{}, err

+	}

+	if err := ValidateDescription(p.Description); err != nil {

+		return Result{}, err

+	}

+	if p.Visibility != "public" && p.Visibility != "private" {

+		return Result{}, fmt.Errorf("repos: visibility must be public or private (got %q)", p.Visibility)

+	}

+	if p.LicenseKey != "" && !templates.HasLicense(p.LicenseKey) {

+		return Result{}, fmt.Errorf("%w: %s", ErrUnknownLicense, p.LicenseKey)

+	}

+	if p.GitignoreKey != "" && !templates.HasGitignore(p.GitignoreKey) {

+		return Result{}, fmt.Errorf("%w: %s", ErrUnknownGitignore, p.GitignoreKey)

+	}

+

+	// Rate-limit per owning user.

+	if err := deps.Limiter.Hit(ctx, deps.Pool, throttle.Limit{

+		Scope:      "repo_create",

+		Identifier: fmt.Sprintf("user:%d", p.OwnerUserID),

+		Max:        CreateRateLimitMax,

+		Window:     CreateRateLimitWindow,

+	}); err != nil {

+		return Result{}, err

+	}

+

+	// Resolve author identity for the initial commit (only needed when we

+	// actually build one; resolved up-front so an unverified email

+	// rejects the create cleanly even if the user didn't tick init).

+	authorName, authorEmail, err := resolveAuthor(ctx, deps.Pool, p.OwnerUserID)

+	wantInit := p.InitReadme || p.LicenseKey != "" || p.GitignoreKey != ""

+	if wantInit && err != nil {

+		return Result{}, err

+	}

+

+	// Pre-compute disk path from RepoFS. Doing this before the tx avoids

+	// inserting a DB row for a name that fails the path-validation

+	// whitelist (which mostly mirrors our own ValidateName, but

+	// defense-in-depth never hurts).

+	diskPath, err := deps.RepoFS.RepoPath(p.OwnerUsername, p.Name)

+	if err != nil {

+		return Result{}, fmt.Errorf("%w: %v", ErrInvalidName, err)

+	}

+

+	tx, err := deps.Pool.Begin(ctx)

+	if err != nil {

+		return Result{}, fmt.Errorf("repos: begin tx: %w", err)

+	}

+	committed := false

+	defer func() {

+		if !committed {

+			_ = tx.Rollback(ctx)

+		}

+	}()

+

+	q := reposdb.New()

+	row, err := q.CreateRepo(ctx, tx, reposdb.CreateRepoParams{

+		OwnerUserID:     pgtype.Int8{Int64: p.OwnerUserID, Valid: true},

+		OwnerOrgID:      pgtype.Int8{Valid: false},

+		Name:            p.Name,

+		Description:     p.Description,

+		Visibility:      reposdb.RepoVisibility(p.Visibility),

+		DefaultBranch:   "trunk",

+		LicenseKey:      pgtype.Text{String: p.LicenseKey, Valid: p.LicenseKey != ""},

+		PrimaryLanguage: pgtype.Text{Valid: false},

+	})

+	if err != nil {

+		if isUniqueViolation(err) {

+			return Result{}, ErrTaken

+		}

+		return Result{}, fmt.Errorf("repos: insert: %w", err)

+	}

+

+	// FS init AFTER DB insert. If this fails the deferred Rollback

+	// reverses the row; we also best-effort RemoveAll the directory in

+	// case it got partially created.

+	if err := deps.RepoFS.InitBare(ctx, diskPath); err != nil {

+		_ = os.RemoveAll(diskPath)

+		return Result{}, fmt.Errorf("repos: init bare: %w", err)

+	}

+

+	var commitOID string

+	if wantInit {

+		commitWhen := p.InitialCommitWhen

+		if commitWhen.IsZero() {

+			commitWhen = now()

+		}

+		oid, err := buildInitialCommit(ctx, repogit.InitialCommit{

+			GitDir:      diskPath,

+			AuthorName:  authorName,

+			AuthorEmail: authorEmail,

+			Branch:      "trunk",

+			When:        commitWhen,

+			Files:       initFiles(p, authorName, commitWhen.Year()),

+		})

+		if err != nil {

+			_ = os.RemoveAll(diskPath)

+			return Result{}, fmt.Errorf("repos: initial commit: %w", err)

+		}

+		commitOID = oid

+	}

+

+	if err := tx.Commit(ctx); err != nil {

+		_ = os.RemoveAll(diskPath)

+		return Result{}, fmt.Errorf("repos: commit tx: %w", err)

+	}

+	committed = true

+

+	if err := deps.Audit.Record(ctx, deps.Pool, p.OwnerUserID,

+		audit.ActionRepoCreated, audit.TargetRepo, row.ID, map[string]any{

+			"name":       p.Name,

+			"visibility": p.Visibility,

+			"init":       wantInit,

+			"license":    p.LicenseKey,

+			"gitignore":  p.GitignoreKey,

+		}); err != nil {

+		if deps.Logger != nil {

+			deps.Logger.WarnContext(ctx, "repos: audit", "error", err)

+		}

+	}

+

+	return Result{Repo: row, InitialCommitOID: commitOID, DiskPath: diskPath}, nil

+}

+

+// initFiles assembles the FileEntry slice for the initial commit based

+// on which init checkboxes the user ticked.

+func initFiles(p Params, author string, year int) []repogit.FileEntry {

+	var files []repogit.FileEntry

+	if p.InitReadme {

+		files = append(files, repogit.FileEntry{

+			Path: "README.md",

+			Body: []byte(templates.ReadmeText(p.Name, p.Description)),

+		})

+	}

+	if p.LicenseKey != "" {

+		body, err := templates.LicenseText(p.LicenseKey, year, author)

+		if err == nil {

+			files = append(files, repogit.FileEntry{

+				Path: "LICENSE",

+				Body: []byte(body),

+			})

+		}

+	}

+	if p.GitignoreKey != "" {

+		body, err := templates.GitignoreText(p.GitignoreKey)

+		if err == nil {

+			files = append(files, repogit.FileEntry{

+				Path: ".gitignore",

+				Body: []byte(body),

+			})

+		}

+	}

+	return files

+}

+

+// buildInitialCommit is a thin pass-through so tests can swap it (post-MVP).

+var buildInitialCommit = func(ctx context.Context, ic repogit.InitialCommit) (string, error) {

+	return ic.Build(ctx)

+}

+

+// resolveAuthor reads the user's display name + verified primary email.

+// Returns ErrNoVerifiedEmail if the user has no primary email or the

+// primary isn't verified.

+func resolveAuthor(ctx context.Context, pool *pgxpool.Pool, userID int64) (name, addr string, err error) {

+	uq := usersdb.New()

+	user, err := uq.GetUserByID(ctx, pool, userID)

+	if err != nil {

+		return "", "", fmt.Errorf("repos: load user: %w", err)

+	}

+	if !user.PrimaryEmailID.Valid {

+		return "", "", ErrNoVerifiedEmail

+	}

+	em, err := uq.GetUserEmailByID(ctx, pool, user.PrimaryEmailID.Int64)

+	if err != nil {

+		return "", "", fmt.Errorf("repos: load primary email: %w", err)

+	}

+	if !em.Verified {

+		return "", "", ErrNoVerifiedEmail

+	}

+	display := strings.TrimSpace(user.DisplayName)

+	if display == "" {

+		display = user.Username

+	}

+	return display, string(em.Email), nil

+}

+

+// isUniqueViolation matches Postgres SQLSTATE 23505. Used to surface

+// the friendly "name taken" error from the unique-by-owner-and-name

+// indexes when the pre-check raced.

+func isUniqueViolation(err error) bool {

+	var pgErr *pgconn.PgError

+	if errors.As(err, &pgErr) {

+		return pgErr.Code == "23505"

+	}

+	return false

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repos_test

+

+import (

+	"context"

+	"errors"

+	"io"

+	"log/slog"

+	"os/exec"

+	"path/filepath"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+	"github.com/tenseleyFlow/shithub/internal/infra/storage"

+	"github.com/tenseleyFlow/shithub/internal/repos"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+)

+

+// gitCmd wraps exec.Command with the single G204 suppression for this

+// file — every git invocation runs against a t.TempDir path.

+func gitCmd(args ...string) *exec.Cmd {

+	//nolint:gosec // G204 false positive: callers feed t.TempDir paths and fixed flags.

+	return exec.Command("git", args...)

+}

+

+// fixtureHash is a static PHC test fixture (zero salt, zero key) — not a credential.

+const fixtureHash = "$argon2id$v=19$m=16384,t=1,p=1$" +

+	"AAAAAAAAAAAAAAAA$" +

+	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+

+// setupCreateEnv constructs Deps + a verified-email user against a

+// fresh test DB.

+func setupCreateEnv(t *testing.T) (*pgxpool.Pool, repos.Deps, int64, string, string) {

+	t.Helper()

+	pool := dbtest.NewTestDB(t)

+

+	root := t.TempDir()

+	rfs, err := storage.NewRepoFS(root)

+	if err != nil {

+		t.Fatalf("NewRepoFS: %v", err)

+	}

+

+	deps := repos.Deps{

+		Pool:    pool,

+		RepoFS:  rfs,

+		Audit:   audit.NewRecorder(),

+		Limiter: throttle.NewLimiter(),

+		Logger:  slog.New(slog.NewTextHandler(io.Discard, nil)),

+	}

+

+	uq := usersdb.New()

+	user, err := uq.CreateUser(context.Background(), pool, usersdb.CreateUserParams{

+		Username: "alice", DisplayName: "Alice Anderson", PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser: %v", err)

+	}

+	em, err := uq.CreateUserEmail(context.Background(), pool, usersdb.CreateUserEmailParams{

+		UserID: user.ID, Email: "alice@example.com", IsPrimary: true, Verified: true,

+	})

+	if err != nil {

+		t.Fatalf("CreateUserEmail: %v", err)

+	}

+	if err := uq.LinkUserPrimaryEmail(context.Background(), pool, usersdb.LinkUserPrimaryEmailParams{

+		ID: user.ID, PrimaryEmailID: pgtype.Int8{Int64: em.ID, Valid: true},

+	}); err != nil {

+		t.Fatalf("LinkUserPrimaryEmail: %v", err)

+	}

+	return pool, deps, user.ID, user.Username, root

+}

+

+func TestCreate_EmptyRepo(t *testing.T) {

+	t.Parallel()

+	_, deps, uid, uname, root := setupCreateEnv(t)

+	res, err := repos.Create(context.Background(), deps, repos.Params{

+		OwnerUserID:   uid,

+		OwnerUsername: uname,

+		Name:          "empty-repo",

+		Visibility:    "public",

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	if res.InitialCommitOID != "" {

+		t.Errorf("expected no initial commit; got %q", res.InitialCommitOID)

+	}

+	if !strings.HasPrefix(res.DiskPath, root) {

+		t.Errorf("DiskPath %q not under root %q", res.DiskPath, root)

+	}

+

+	// HEAD must be a symbolic ref to refs/heads/trunk (unborn branch).

+	out, err := gitCmd("-C", res.DiskPath, "symbolic-ref", "HEAD").CombinedOutput()

+	if err != nil {

+		t.Fatalf("symbolic-ref: %v\n%s", err, out)

+	}

+	if got := strings.TrimSpace(string(out)); got != "refs/heads/trunk" {

+		t.Fatalf("HEAD = %q, want refs/heads/trunk", got)

+	}

+

+	// Zero commits.

+	out, _ = gitCmd("-C", res.DiskPath, "rev-list", "--all", "--count").CombinedOutput()

+	if got := strings.TrimSpace(string(out)); got != "0" {

+		t.Fatalf("rev-list count = %q, want 0", got)

+	}

+}

+

+func TestCreate_WithReadmeLicenseGitignore(t *testing.T) {

+	t.Parallel()

+	_, deps, uid, uname, _ := setupCreateEnv(t)

+	res, err := repos.Create(context.Background(), deps, repos.Params{

+		OwnerUserID:       uid,

+		OwnerUsername:     uname,

+		Name:              "init-repo",

+		Description:       "hello world",

+		Visibility:        "public",

+		InitReadme:        true,

+		LicenseKey:        "MIT",

+		GitignoreKey:      "Go",

+		InitialCommitWhen: time.Date(2026, 5, 7, 12, 0, 0, 0, time.UTC),

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	if res.InitialCommitOID == "" {

+		t.Fatal("expected an initial commit")

+	}

+

+	// Single commit, three files, expected names.

+	out, _ := gitCmd("-C", res.DiskPath, "rev-list", "--count", "trunk").CombinedOutput()

+	if got := strings.TrimSpace(string(out)); got != "1" {

+		t.Fatalf("rev-list count = %q, want 1", got)

+	}

+	out, _ = gitCmd("-C", res.DiskPath, "ls-tree", "--name-only", "trunk").CombinedOutput()

+	got := strings.TrimSpace(string(out))

+	for _, want := range []string{"README.md", "LICENSE", ".gitignore"} {

+		if !strings.Contains(got, want) {

+			t.Errorf("missing %q in tree: %q", want, got)

+		}

+	}

+	// Author identity is alice's verified primary email.

+	out, _ = gitCmd("-C", res.DiskPath, "log", "-1", "--format=%an <%ae>", "trunk").CombinedOutput()

+	if want := "Alice Anderson <alice@example.com>"; strings.TrimSpace(string(out)) != want {

+		t.Errorf("author = %q, want %q", strings.TrimSpace(string(out)), want)

+	}

+	// LICENSE has the year substituted.

+	out, _ = gitCmd("-C", res.DiskPath, "show", "trunk:LICENSE").CombinedOutput()

+	if !strings.Contains(string(out), "2026") {

+		t.Errorf("LICENSE missing year 2026; got first 200 chars: %s", string(out)[:200])

+	}

+}

+

+func TestCreate_RejectsDuplicate(t *testing.T) {

+	t.Parallel()

+	_, deps, uid, uname, _ := setupCreateEnv(t)

+	if _, err := repos.Create(context.Background(), deps, repos.Params{

+		OwnerUserID: uid, OwnerUsername: uname, Name: "dup", Visibility: "public",

+	}); err != nil {

+		t.Fatalf("first create: %v", err)

+	}

+	_, err := repos.Create(context.Background(), deps, repos.Params{

+		OwnerUserID: uid, OwnerUsername: uname, Name: "dup", Visibility: "public",

+	})

+	if !errors.Is(err, repos.ErrTaken) {

+		t.Fatalf("second create: err = %v, want ErrTaken", err)

+	}

+}

+

+func TestCreate_RejectsReservedName(t *testing.T) {

+	t.Parallel()

+	_, deps, uid, uname, _ := setupCreateEnv(t)

+	_, err := repos.Create(context.Background(), deps, repos.Params{

+		OwnerUserID: uid, OwnerUsername: uname, Name: "head", Visibility: "public",

+	})

+	if !errors.Is(err, repos.ErrReservedName) {

+		t.Fatalf("err = %v, want ErrReservedName", err)

+	}

+}

+

+func TestCreate_RefusesWithoutVerifiedEmail(t *testing.T) {

+	t.Parallel()

+	pool := dbtest.NewTestDB(t)

+	root := t.TempDir()

+	rfs, _ := storage.NewRepoFS(root)

+	deps := repos.Deps{

+		Pool: pool, RepoFS: rfs,

+		Audit:   audit.NewRecorder(),

+		Limiter: throttle.NewLimiter(),

+	}

+	uq := usersdb.New()

+	user, err := uq.CreateUser(context.Background(), pool, usersdb.CreateUserParams{

+		Username: "bob", DisplayName: "Bob", PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser: %v", err)

+	}

+	// User exists but has NO verified primary email.

+	_, err = repos.Create(context.Background(), deps, repos.Params{

+		OwnerUserID: user.ID, OwnerUsername: user.Username,

+		Name: "needs-email", Visibility: "public",

+		InitReadme: true,

+	})

+	if !errors.Is(err, repos.ErrNoVerifiedEmail) {

+		t.Fatalf("err = %v, want ErrNoVerifiedEmail", err)

+	}

+}

+

+func TestCreate_PrivateVisibilityPersists(t *testing.T) {

+	t.Parallel()

+	_, deps, uid, uname, _ := setupCreateEnv(t)

+	res, err := repos.Create(context.Background(), deps, repos.Params{

+		OwnerUserID: uid, OwnerUsername: uname,

+		Name: "secret", Visibility: "private",

+	})

+	if err != nil {

+		t.Fatalf("Create: %v", err)

+	}

+	if string(res.Repo.Visibility) != "private" {

+		t.Errorf("Visibility = %q, want private", res.Repo.Visibility)

+	}

+	// Sharded path layout sanity check (shard is first 2 chars of OWNER).

+	if want := filepath.Join("al", "alice", "secret.git"); !strings.HasSuffix(res.DiskPath, want) {

+		t.Errorf("DiskPath %q does not end with %q", res.DiskPath, want)

+	}

+}

+// gitCmd is a thin wrapper that owns the single G204 suppression for

+// the whole test file. Every test call goes through here; the bare-repo

+// path is always a t.TempDir, never user input.

+func gitCmd(args ...string) *exec.Cmd {

+	//nolint:gosec // G204 false positive: callers feed t.TempDir paths and fixed flags.

+	return exec.Command("git", args...)

+}

+

+	if out, err := gitCmd("init", "--bare", "--initial-branch=trunk", gitDir).CombinedOutput(); err != nil {

+	out, err := gitCmd("-C", gitDir, "rev-parse", "refs/heads/trunk").CombinedOutput()

+	out, err = gitCmd("-C", gitDir, "rev-list", "--count", "trunk").CombinedOutput()

+	out, err = gitCmd("-C", gitDir, "ls-tree", "--name-only", "trunk").CombinedOutput()

+	out, err = gitCmd("-C", gitDir, "log", "-1", "--format=%an <%ae>", "trunk").CombinedOutput()

+	".git":           {},

+	".gitignore":     {},

+	".gitmodules":    {},

+	".well-known":    {},

+	".github":        {},

+	"head":           {},

+	"refs":           {},

+	"objects":        {},

+	"info":           {},

+	"hooks":          {},

+	"branches":       {},