tenseleyflow/shithub / b8b7c3a

+	// RepoRefsMounter registers /branches, /tags, /compare/* (S20).

+	RepoRefsMounter func(chi.Router)

+	// RepoSettingsBranchesMounter registers /settings/branches +

+	// /settings/default-branch (S20). Auth-required.

+	RepoSettingsBranchesMounter func(chi.Router)

+		if deps.RepoRefsMounter != nil {

+			deps.RepoRefsMounter(r)

+		}

+		if deps.RepoSettingsBranchesMounter != nil {

+			deps.RepoSettingsBranchesMounter(r)

+		}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"net/http"

+	"path/filepath"

+	"sort"

+	"strings"

+	"time"

+

+	"github.com/go-chi/chi/v5"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// MountRefs registers the S20 branches, tags, and compare routes.

+// Settings routes are wired separately (require lifecycle middleware).

+func (h *Handlers) MountRefs(r chi.Router) {

+	r.Get("/{owner}/{repo}/branches", h.branchesList)

+	r.Get("/{owner}/{repo}/tags", h.tagsList)

+	// Compare uses `...` as the base/head separator (matches GitHub).

+	// chi can't represent the literal `...` in a route param so we use

+	// a wildcard and parse server-side.

+	r.Get("/{owner}/{repo}/compare/*", h.compareView)

+}

+

+// branchesList renders the branches index. Computes ahead/behind

+// against the default branch for each one. Filterable as

+// active/stale/all via the `?filter=` query.

+func (h *Handlers) branchesList(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoRead)

+	if !ok {

+		return

+	}

+	gitDir, err := h.d.RepoFS.RepoPath(owner.Username, row.Name)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	refs, err := repogit.ListRefs(r.Context(), gitDir)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	rules, _ := h.rq.ListBranchProtectionRules(r.Context(), h.d.Pool, row.ID)

+

+	defaultBranch := row.DefaultBranch

+	rows := make([]branchRow, 0, len(refs.Branches))

+	now := time.Now()

+	for _, b := range refs.Branches {

+		br := branchRow{Name: b.Name, OID: b.OID}

+		if len(b.OID) >= 7 {

+			br.ShortOID = b.OID[:7]

+		}

+		// HeadOf gives us subject + author time without an extra log call.

+		if hc, found, herr := repogit.HeadOf(r.Context(), gitDir, b.Name); herr == nil && found {

+			br.LastSubject = hc.Subject

+			br.LastWhen = hc.AuthorWhen

+			br.Stale = now.Sub(hc.AuthorWhen) > 90*24*time.Hour

+		}

+		if b.Name != defaultBranch {

+			ahead, behind, _ := repogit.AheadBehind(r.Context(), gitDir, defaultBranch, b.Name)

+			br.Ahead = ahead

+			br.Behind = behind

+		}

+		br.IsDefault = b.Name == defaultBranch

+		br.Protected = isBranchProtected(rules, b.Name)

+		rows = append(rows, br)

+	}

+	sort.SliceStable(rows, func(i, j int) bool {

+		if rows[i].IsDefault != rows[j].IsDefault {

+			return rows[i].IsDefault

+		}

+		return rows[i].LastWhen.After(rows[j].LastWhen)

+	})

+

+	filter := r.URL.Query().Get("filter")

+	if filter == "active" || filter == "stale" {

+		want := filter == "stale"

+		filtered := rows[:0]

+		for _, br := range rows {

+			if br.Stale == want {

+				filtered = append(filtered, br)

+			}

+		}

+		rows = filtered

+	}

+

+	h.d.Render.RenderPage(w, r, "repo/branches", map[string]any{

+		"Title":         "Branches · " + row.Name,

+		"CSRFToken":     middleware.CSRFTokenForRequest(r),

+		"Owner":         owner.Username,

+		"Repo":          row,

+		"DefaultBranch": defaultBranch,

+		"Rows":          rows,

+		"Filter":        filter,

+		"Branches":      refs.Branches,

+		"Tags":          refs.Tags,

+	})

+}

+

+// branchRow is the per-row shape rendered on the branches list.

+// Lifted to package level so the filter step can re-slice without an

+// awkward anonymous-type signature.

+type branchRow struct {

+	Name        string

+	OID         string

+	ShortOID    string

+	Ahead       int

+	Behind      int

+	LastSubject string

+	LastWhen    time.Time

+	Protected   bool

+	IsDefault   bool

+	Stale       bool

+}

+

+// isBranchProtected reports whether `branch` matches any rule. Used

+// to render the "Protected" badge on the branches list.

+func isBranchProtected(rules []reposdb.BranchProtectionRule, branch string) bool {

+	for _, r := range rules {

+		if ok, err := filepath.Match(r.Pattern, branch); err == nil && ok {

+			return true

+		}

+	}

+	return false

+}

+

+// tagsList renders the tags index. For each tag we render name, OID,

+// commit subject, and author age. The "Releases" slot per tag is a

+// placeholder until first-class releases ship.

+func (h *Handlers) tagsList(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoRead)

+	if !ok {

+		return

+	}

+	gitDir, err := h.d.RepoFS.RepoPath(owner.Username, row.Name)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	refs, _ := repogit.ListRefs(r.Context(), gitDir)

+

+	type tagRow struct {

+		Name        string

+		OID         string

+		ShortOID    string

+		Subject     string

+		AuthorName  string

+		AuthorWhen  time.Time

+	}

+	rows := make([]tagRow, 0, len(refs.Tags))

+	for _, t := range refs.Tags {

+		tr := tagRow{Name: t.Name, OID: t.OID}

+		if len(t.OID) >= 7 {

+			tr.ShortOID = t.OID[:7]

+		}

+		if hc, _, herr := repogit.HeadOf(r.Context(), gitDir, "tags/"+t.Name); herr == nil {

+			tr.Subject = hc.Subject

+			tr.AuthorName = hc.AuthorName

+			tr.AuthorWhen = hc.AuthorWhen

+		}

+		rows = append(rows, tr)

+	}

+	sort.SliceStable(rows, func(i, j int) bool {

+		return rows[i].AuthorWhen.After(rows[j].AuthorWhen)

+	})

+

+	h.d.Render.RenderPage(w, r, "repo/tags", map[string]any{

+		"Title":     "Tags · " + row.Name,

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Owner":     owner.Username,

+		"Repo":      row,

+		"Rows":      rows,

+		"Branches":  refs.Branches,

+		"Tags":      refs.Tags,

+	})

+}

+

+// compareView renders the compare-against-base preview: a commits

+// list (head-side only) plus the three-dot diff. Path shape is

+// `/{owner}/{repo}/compare/<base>...<head>`. Cross-repo (e.g.

+// `<base>...<fork:branch>`) is shape-supported but the full

+// fork-PR flow ships in S22+S27.

+func (h *Handlers) compareView(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoRead)

+	if !ok {

+		return

+	}

+	gitDir, err := h.d.RepoFS.RepoPath(owner.Username, row.Name)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	rest := strings.Trim(chi.URLParam(r, "*"), "/")

+	if rest == "" {

+		http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/compare/"+row.DefaultBranch+"..."+row.DefaultBranch, http.StatusSeeOther)

+		return

+	}

+	base, head, ok := strings.Cut(rest, "...")

+	if !ok {

+		// Two-dot shape — accept but treat as three-dot for the diff.

+		base, head, ok = strings.Cut(rest, "..")

+		if !ok {

+			head = rest

+			base = row.DefaultBranch

+		}

+	}

+	if base == "" {

+		base = row.DefaultBranch

+	}

+

+	// Strip cross-repo "fork:branch" prefix for the local path; full

+	// cross-repo lookup lands in S22+S27.

+	base = stripCrossRepoPrefix(base)

+	head = stripCrossRepoPrefix(head)

+

+	commits, cerr := repogit.CommitsBetween(r.Context(), gitDir, base, head, 250)

+	ahead, behind, abErr := repogit.AheadBehind(r.Context(), gitDir, base, head)

+

+	notFound := abErr != nil

+

+	// Build an inline diff (three-dot via FromMergeBase).

+	var diffHTML string

+	if !notFound {

+		patch, perr := compareSourceMergeBase(r, gitDir, base, head)

+		if perr == nil {

+			diffHTML = renderCompareDiff(patch)

+		}

+	}

+

+	refs, _ := repogit.ListRefs(r.Context(), gitDir)

+	h.d.Render.RenderPage(w, r, "repo/compare", map[string]any{

+		"Title":     "Compare · " + row.Name,

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Owner":     owner.Username,

+		"Repo":      row,

+		"Base":      base,

+		"Head":      head,

+		"Ahead":     ahead,

+		"Behind":    behind,

+		"Commits":   commits,

+		"DiffHTML":  diffHTML,

+		"NotFound":  notFound,

+		"CommitsErr": cerr != nil,

+		"Branches":  refs.Branches,

+		"Tags":      refs.Tags,

+	})

+}

+

+// stripCrossRepoPrefix turns "fork:branch" into "branch". Local-only

+// for now — see comment in compareView.

+func stripCrossRepoPrefix(s string) string {

+	if idx := strings.IndexByte(s, ':'); idx >= 0 {

+		return s[idx+1:]

+	}

+	return s

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"net/http"

+

+	diffparse "github.com/tenseleyFlow/shithub/internal/repos/diff/parse"

+	diffrender "github.com/tenseleyFlow/shithub/internal/repos/diff/render"

+	diffsource "github.com/tenseleyFlow/shithub/internal/repos/diff/source"

+)

+

+// compareSourceMergeBase fetches the three-dot diff bytes for the

+// compare view. Mirrored from history.go's commit-page wiring; both

+// pages share the same renderer (S19).

+func compareSourceMergeBase(r *http.Request, gitDir, base, head string) ([]byte, error) {

+	hideWS := r.URL.Query().Get("w") == "1"

+	return diffsource.FromMergeBase(r.Context(), gitDir, base, head, diffsource.Options{

+		IgnoreWhitespace: hideWS, FindRenames: true,

+	})

+}

+

+// renderCompareDiff parses + renders unified-mode by default. The

+// commit page exposes split + WS toggles; the compare view picks them

+// up via the same query params.

+func renderCompareDiff(patch []byte) string {

+	parsed, err := diffparse.ParseBytes(patch)

+	if err != nil {

+		return ""

+	}

+	return diffrender.Diff(parsed, diffrender.Options{Mode: diffrender.ModeUnified})

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"errors"

+	"net/http"

+	"strconv"

+	"strings"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// MountSettingsBranches registers the branch-protection + default-

+// branch settings routes. Caller wraps with RequireUser.

+func (h *Handlers) MountSettingsBranches(r chi.Router) {

+	r.Get("/{owner}/{repo}/settings/branches", h.settingsBranches)

+	r.Post("/{owner}/{repo}/settings/branches", h.settingsBranchesUpsert)

+	r.Post("/{owner}/{repo}/settings/branches/{id}/delete", h.settingsBranchesDelete)

+	r.Post("/{owner}/{repo}/settings/default-branch", h.settingsDefaultBranch)

+}

+

+// settingsBranches lists existing protection rules + a form to create

+// a new one. Gated by repo:settings:branches.

+func (h *Handlers) settingsBranches(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoSettingsBranches)

+	if !ok {

+		return

+	}

+	rules, err := h.rq.ListBranchProtectionRules(r.Context(), h.d.Pool, row.ID)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	gitDir, _ := h.d.RepoFS.RepoPath(owner.Username, row.Name)

+	refs, _ := repogit.ListRefs(r.Context(), gitDir)

+

+	h.d.Render.RenderPage(w, r, "repo/settings_branches", map[string]any{

+		"Title":     "Branch protection · " + row.Name,

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Owner":     owner.Username,

+		"Repo":      row,

+		"Rules":     rules,

+		"Branches":  refs.Branches,

+	})

+}

+

+// settingsBranchesUpsert creates a new rule (no `id` param) or updates

+// an existing one (`id` param set). Form fields: pattern,

+// prevent_force_push, prevent_deletion, require_pr_for_push,

+// allowed_pusher_usernames (comma-separated).

+func (h *Handlers) settingsBranchesUpsert(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoSettingsBranches)

+	if !ok {

+		return

+	}

+	if err := r.ParseForm(); err != nil {

+		http.Error(w, "form parse", http.StatusBadRequest)

+		return

+	}

+	pattern := strings.TrimSpace(r.PostFormValue("pattern"))

+	if pattern == "" || len(pattern) > 200 {

+		http.Error(w, "pattern length must be 1–200", http.StatusBadRequest)

+		return

+	}

+	preventForcePush := r.PostFormValue("prevent_force_push") == "on"

+	preventDeletion := r.PostFormValue("prevent_deletion") == "on"

+	requirePR := r.PostFormValue("require_pr_for_push") == "on"

+

+	allowed, err := resolveUsernameList(r, h, r.PostFormValue("allowed_pushers"))

+	if err != nil {

+		http.Error(w, err.Error(), http.StatusBadRequest)

+		return

+	}

+

+	viewer := middleware.CurrentUserFromContext(r.Context())

+

+	idStr := r.PostFormValue("id")

+	if idStr == "" {

+		// Create.

+		newID, err := h.rq.UpsertBranchProtectionRule(r.Context(), h.d.Pool, reposdb.UpsertBranchProtectionRuleParams{

+			RepoID:                row.ID,

+			Pattern:               pattern,

+			PreventForcePush:      preventForcePush,

+			PreventDeletion:       preventDeletion,

+			RequirePrForPush:      requirePR,

+			AllowedPusherUserIds:  allowed,

+			CreatedByUserID:       pgtype.Int8{Int64: viewer.ID, Valid: viewer.ID != 0},

+		})

+		if err != nil {

+			h.d.Logger.WarnContext(r.Context(), "branch-protection: insert", "error", err)

+			http.Error(w, "failed to create rule", http.StatusInternalServerError)

+			return

+		}

+		_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,

+			audit.ActionRepoCreated, audit.TargetRepo, row.ID,

+			map[string]any{"branch_protection_rule_id": newID, "pattern": pattern, "action": "create"})

+	} else {

+		// Update.

+		id, err := strconv.ParseInt(idStr, 10, 64)

+		if err != nil {

+			http.Error(w, "bad id", http.StatusBadRequest)

+			return

+		}

+		// Defense in depth: confirm the rule belongs to this repo.

+		existing, err := h.rq.GetBranchProtectionRule(r.Context(), h.d.Pool, id)

+		if err != nil || existing.RepoID != row.ID {

+			http.Error(w, "rule not found", http.StatusNotFound)

+			return

+		}

+		if err := h.rq.UpdateBranchProtectionRule(r.Context(), h.d.Pool, reposdb.UpdateBranchProtectionRuleParams{

+			ID:                   id,

+			Pattern:              pattern,

+			PreventForcePush:     preventForcePush,

+			PreventDeletion:      preventDeletion,

+			RequirePrForPush:     requirePR,

+			AllowedPusherUserIds: allowed,

+		}); err != nil {

+			http.Error(w, "failed to update rule", http.StatusInternalServerError)

+			return

+		}

+		_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,

+			audit.ActionRepoCreated, audit.TargetRepo, row.ID,

+			map[string]any{"branch_protection_rule_id": id, "pattern": pattern, "action": "update"})

+	}

+	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/branches?notice=saved", http.StatusSeeOther)

+}

+

+// settingsBranchesDelete removes a rule.

+func (h *Handlers) settingsBranchesDelete(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoSettingsBranches)

+	if !ok {

+		return

+	}

+	idStr := chi.URLParam(r, "id")

+	id, err := strconv.ParseInt(idStr, 10, 64)

+	if err != nil {

+		http.Error(w, "bad id", http.StatusBadRequest)

+		return

+	}

+	existing, err := h.rq.GetBranchProtectionRule(r.Context(), h.d.Pool, id)

+	if err != nil || existing.RepoID != row.ID {

+		http.Error(w, "rule not found", http.StatusNotFound)

+		return

+	}

+	if err := h.rq.DeleteBranchProtectionRule(r.Context(), h.d.Pool, id); err != nil {

+		http.Error(w, "failed to delete rule", http.StatusInternalServerError)

+		return

+	}

+	viewer := middleware.CurrentUserFromContext(r.Context())

+	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,

+		audit.ActionRepoCreated, audit.TargetRepo, row.ID,

+		map[string]any{"branch_protection_rule_id": id, "pattern": existing.Pattern, "action": "delete"})

+

+	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/branches?notice=deleted", http.StatusSeeOther)

+}

+

+// settingsDefaultBranch swaps the repo's default branch. Validates

+// the target exists, updates the DB row, and updates HEAD on disk via

+// `git symbolic-ref`.

+func (h *Handlers) settingsDefaultBranch(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoSettingsBranches)

+	if !ok {

+		return

+	}

+	if err := r.ParseForm(); err != nil {

+		http.Error(w, "form parse", http.StatusBadRequest)

+		return

+	}

+	newDefault := strings.TrimSpace(r.PostFormValue("default_branch"))

+	if newDefault == "" {

+		http.Error(w, "default_branch required", http.StatusBadRequest)

+		return

+	}

+	gitDir, err := h.d.RepoFS.RepoPath(owner.Username, row.Name)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	refs, err := repogit.ListRefs(r.Context(), gitDir)

+	if err != nil {

+		http.Error(w, "ref lookup failed", http.StatusInternalServerError)

+		return

+	}

+	exists := false

+	for _, b := range refs.Branches {

+		if b.Name == newDefault {

+			exists = true

+			break

+		}

+	}

+	if !exists {

+		http.Error(w, "branch not found", http.StatusBadRequest)

+		return

+	}

+

+	if err := h.rq.UpdateRepoDefaultBranch(r.Context(), h.d.Pool, reposdb.UpdateRepoDefaultBranchParams{

+		ID: row.ID, DefaultBranch: newDefault,

+	}); err != nil {

+		http.Error(w, "DB update failed", http.StatusInternalServerError)

+		return

+	}

+	if err := repogit.SetSymbolicRef(r.Context(), gitDir, "HEAD", "refs/heads/"+newDefault); err != nil {

+		// DB updated but symbolic-ref failed — log and surface, but don't roll back DB

+		// since the user-visible truth is the DB row (their UI shows it; new clones

+		// follow it). Operator can re-run by setting it again.

+		h.d.Logger.WarnContext(r.Context(), "default-branch: symbolic-ref", "error", err)

+	}

+

+	viewer := middleware.CurrentUserFromContext(r.Context())

+	_ = h.d.Audit.Record(r.Context(), h.d.Pool, viewer.ID,

+		audit.ActionRepoCreated, audit.TargetRepo, row.ID,

+		map[string]any{"action": "default_branch_changed", "from": row.DefaultBranch, "to": newDefault})

+

+	http.Redirect(w, r, "/"+owner.Username+"/"+row.Name+"/settings/branches?notice=default-changed", http.StatusSeeOther)

+}

+

+// resolveUsernameList parses a comma-separated username list and

+// resolves each to a user_id. Empty input returns an empty slice

+// (no allowed-pushers restriction). Unknown usernames produce an

+// error so the admin sees the typo before the rule lands.

+func resolveUsernameList(r *http.Request, h *Handlers, raw string) ([]int64, error) {

+	raw = strings.TrimSpace(raw)

+	if raw == "" {

+		return []int64{}, nil

+	}

+	uq := usersdb.New()

+	parts := strings.Split(raw, ",")

+	out := make([]int64, 0, len(parts))

+	for _, p := range parts {

+		name := strings.ToLower(strings.TrimSpace(p))

+		if name == "" {

+			continue

+		}

+		u, err := uq.GetUserByUsername(r.Context(), h.d.Pool, name)

+		if err != nil {

+			return nil, errors.New("unknown username: " + name)

+		}

+		out = append(out, u.ID)

+	}

+	return out, nil

+}

+		deps.RepoRefsMounter = repoH.MountRefs

+		deps.RepoSettingsBranchesMounter = func(r chi.Router) {

+			r.Group(func(r chi.Router) {

+				r.Use(middleware.RequireUser)

+				repoH.MountSettingsBranches(r)

+			})

+		}