Add org GitHub import workers

Status	File	+	-
M	`cmd/shithubd/worker.go`	16	4
M	`internal/actions/sqlc/models.go`	41	0
M	`internal/admin/sqlc/models.go`	41	0
M	`internal/auth/policy/sqlc/models.go`	41	0
M	`internal/checks/sqlc/models.go`	41	0
M	`internal/issues/sqlc/models.go`	41	0
M	`internal/meta/sqlc/models.go`	41	0
A	`internal/migrationsfs/migrations/0059_org_github_imports.sql`	88	0
M	`internal/notif/sqlc/models.go`	41	0
A	`internal/orgs/github_import.go`	292	0
A	`internal/orgs/queries/github_imports.sql`	158	0
A	`internal/orgs/sqlc/github_imports.sql.go`	595	0
M	`internal/orgs/sqlc/models.go`	41	0
M	`internal/orgs/sqlc/querier.go`	18	0
M	`internal/pulls/sqlc/models.go`	41	0
M	`internal/ratelimit/sqlc/models.go`	41	0
M	`internal/repos/create.go`	6	1
M	`internal/repos/git/remotes.go`	51	5
M	`internal/repos/queries/repos.sql`	6	5
M	`internal/repos/source_remote.go`	149	0
M	`internal/repos/sqlc/models.go`	41	0
M	`internal/repos/sqlc/querier.go`	3	3
M	`internal/repos/sqlc/repos.sql.go`	7	6
M	`internal/social/sqlc/models.go`	41	0
M	`internal/users/sqlc/models.go`	41	0
M	`internal/web/handlers/repo/source_remote.go`	15	104
M	`internal/webhook/sqlc/models.go`	41	0
A	`internal/worker/jobs/org_github_import.go`	347	0
M	`internal/worker/jobs/repo_index_code.go`	5	6
A	`internal/worker/jobs/repo_owner_slug.go`	16	0
M	`internal/worker/jobs/repo_size_recalc.go`	5	1
M	`internal/worker/sqlc/models.go`	41	0
M	`internal/worker/types.go`	8	0

cmd/shithubd/worker.gomodified

  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
  	"github.com/tenseleyFlow/shithub/internal/auth/email"
  	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"
++	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
  	"github.com/tenseleyFlow/shithub/internal/infra/config"
  	"github.com/tenseleyFlow/shithub/internal/infra/db"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  		if err != nil {
  			return fmt.Errorf("object storage: %w", err)
  		}
++		box, boxErr := secretbox.FromBase64(cfg.Auth.TOTPKeyB64)
++		if boxErr != nil {
++			logger.Warn("secretbox unavailable for encrypted worker payloads",
++				"hint", "set Auth.TOTPKeyB64 to a base64 32-byte key",
++				"error", boxErr)
++		}
  		p := worker.NewPool(pool, worker.PoolConfig{
  			Workers:    count,
  		p.Register(worker.KindRepoIndexReconcile, jobs.RepoIndexReconcile(jobs.IndexReconcileDeps{
  			Pool: pool, Logger: logger,
  		}))
++		importDeps := jobs.OrgGitHubImportDeps{
++			Pool: pool, RepoFS: rfs, Box: box, Audit: auditRecorder(),
++			Limiter: throttle.NewLimiter(), Logger: logger, ShithubdPath: shithubdPath,
++		}
++		p.Register(worker.KindOrgGitHubImportDiscover, jobs.OrgGitHubImportDiscover(importDeps))
++		p.Register(worker.KindOrgGitHubImportRepo, jobs.OrgGitHubImportRepo(importDeps))
  		notifSender, _ := pickNotifEmailSender(cfg)
  		p.Register(worker.KindNotifyFanout, jobs.NotifyFanout(jobs.NotifyFanoutDeps{
  		// purge-old prunes terminal rows past the retention window.
  		// We reuse the TOTP key as the at-rest secretbox key — both
  		// are encrypted-blob columns in the same trust domain.
--		hookBox, hookBoxErr := secretbox.FromBase64(cfg.Auth.TOTPKeyB64)
++		if boxErr != nil {
--		if hookBoxErr != nil {
  			logger.Warn("webhook: secretbox unavailable; webhook delivery disabled",
  				"hint", "set Auth.TOTPKeyB64 to a base64 32-byte key",
--				"error", hookBoxErr)
++				"error", boxErr)
  		} else {
  			p.Register(webhook.KindWebhookFanout, jobs.WebhookFanout(jobs.WebhookFanoutDeps{
  				Pool: pool, Logger: logger,
  			p.Register(webhook.KindWebhookDeliver, jobs.WebhookDeliver(jobs.WebhookDeliverDeps{
  				Pool:      pool,
  				Logger:    logger,
--				SecretBox: hookBox,
++				SecretBox: box,
  				SSRF:      webhook.DefaultSSRFConfig(),
  			}))
  			p.Register(webhook.KindWebhookPurgeOld, jobs.WebhookPurgeOld(jobs.WebhookPurgeOldDeps{

internal/actions/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/admin/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/auth/policy/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/checks/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/issues/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/meta/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/migrationsfs/migrations/0059_org_github_imports.sqladded

++-- SPDX-License-Identifier: AGPL-3.0-or-later
++--
++-- GitHub organization imports. One parent row tracks discovery/progress;
++-- one child row tracks each GitHub repository to create and fetch.
++
++-- +goose Up
++
++CREATE TABLE org_github_imports (
++    id bigint GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
++    org_id bigint NOT NULL REFERENCES orgs(id) ON DELETE CASCADE,
++    source_host text NOT NULL DEFAULT 'github.com',
++    source_org text NOT NULL,
++    requested_by_user_id bigint REFERENCES users(id) ON DELETE SET NULL,
++    status text NOT NULL DEFAULT 'queued',
++    include_private boolean NOT NULL DEFAULT false,
++    token_present boolean NOT NULL DEFAULT false,
++    token_ciphertext bytea,
++    token_nonce bytea,
++    total_count integer NOT NULL DEFAULT 0,
++    last_error text,
++    started_at timestamptz,
++    completed_at timestamptz,
++    created_at timestamptz NOT NULL DEFAULT now(),
++    updated_at timestamptz NOT NULL DEFAULT now(),
++    CHECK (source_host = 'github.com'),
++    CHECK (source_org <> ''),
++    CHECK (length(source_org) <= 100),
++    CHECK (status IN ('queued', 'discovering', 'importing', 'completed', 'failed')),
++    CHECK (total_count >= 0),
++    CHECK ((token_ciphertext IS NULL) = (token_nonce IS NULL)),
++    CHECK ((token_ciphertext IS NULL) OR token_present)
++);
++
++CREATE TABLE org_github_import_repos (
++    id bigint GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
++    import_id bigint NOT NULL REFERENCES org_github_imports(id) ON DELETE CASCADE,
++    github_id bigint,
++    source_full_name text NOT NULL,
++    source_name text NOT NULL,
++    target_name text NOT NULL,
++    clone_url text NOT NULL,
++    description text NOT NULL DEFAULT '',
++    default_branch text NOT NULL DEFAULT '',
++    target_visibility repo_visibility NOT NULL DEFAULT 'public',
++    is_private boolean NOT NULL DEFAULT false,
++    is_fork boolean NOT NULL DEFAULT false,
++    status text NOT NULL DEFAULT 'queued',
++    repo_id bigint REFERENCES repos(id) ON DELETE SET NULL,
++    last_error text,
++    started_at timestamptz,
++    completed_at timestamptz,
++    created_at timestamptz NOT NULL DEFAULT now(),
++    updated_at timestamptz NOT NULL DEFAULT now(),
++    CHECK (source_full_name <> ''),
++    CHECK (source_name <> ''),
++    CHECK (target_name <> ''),
++    CHECK (clone_url <> ''),
++    CHECK (length(clone_url) <= 2048),
++    CHECK (status IN ('queued', 'importing', 'imported', 'skipped', 'failed'))
++);
++
++CREATE UNIQUE INDEX org_github_import_repos_import_target_idx
++    ON org_github_import_repos(import_id, target_name);
++
++CREATE INDEX org_github_imports_org_created_idx
++    ON org_github_imports(org_id, created_at DESC);
++
++CREATE INDEX org_github_import_repos_import_status_idx
++    ON org_github_import_repos(import_id, status);
++
++CREATE TRIGGER org_github_imports_set_updated_at
++BEFORE UPDATE ON org_github_imports
++FOR EACH ROW EXECUTE FUNCTION tg_set_updated_at();
++
++CREATE TRIGGER org_github_import_repos_set_updated_at
++BEFORE UPDATE ON org_github_import_repos
++FOR EACH ROW EXECUTE FUNCTION tg_set_updated_at();
++
++
++-- +goose Down
++
++DROP TRIGGER IF EXISTS org_github_import_repos_set_updated_at ON org_github_import_repos;
++DROP TRIGGER IF EXISTS org_github_imports_set_updated_at ON org_github_imports;
++DROP INDEX IF EXISTS org_github_import_repos_import_status_idx;
++DROP INDEX IF EXISTS org_github_imports_org_created_idx;
++DROP INDEX IF EXISTS org_github_import_repos_import_target_idx;
++DROP TABLE IF EXISTS org_github_import_repos;
++DROP TABLE IF EXISTS org_github_imports;

internal/notif/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/orgs/github_import.goadded

++// SPDX-License-Identifier: AGPL-3.0-or-later
++
++package orgs
++
++import (
++	"bytes"
++	"context"
++	"encoding/json"
++	"errors"
++	"fmt"
++	"io"
++	"log/slog"
++	"net/http"
++	"net/url"
++	"regexp"
++	"strconv"
++	"strings"
++	"time"
++
++	"github.com/jackc/pgx/v5"
++	"github.com/jackc/pgx/v5/pgtype"
++	"github.com/jackc/pgx/v5/pgxpool"
++
++	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"
++	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
++	"github.com/tenseleyFlow/shithub/internal/worker"
++)
++
++const GitHubHost = "github.com"
++
++const (
++	ImportStatusQueued      = "queued"
++	ImportStatusDiscovering = "discovering"
++	ImportStatusImporting   = "importing"
++	ImportStatusCompleted   = "completed"
++	ImportStatusFailed      = "failed"
++
++	ImportRepoStatusQueued    = "queued"
++	ImportRepoStatusImporting = "importing"
++	ImportRepoStatusImported  = "imported"
++	ImportRepoStatusSkipped   = "skipped"
++	ImportRepoStatusFailed    = "failed"
++)
++
++var (
++	ErrInvalidGitHubOrg     = errors.New("orgs: invalid GitHub organization")
++	ErrImportTokenKeyNeeded = errors.New("orgs: import token encryption key is not configured")
++)
++
++var githubOrgRE = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,99})$`)
++
++// ImportDeps wires org-import orchestration.
++type ImportDeps struct {
++	Pool   *pgxpool.Pool
++	Box    *secretbox.Box
++	Logger *slog.Logger
++}
++
++// StartGitHubImportParams describes a single org import request.
++type StartGitHubImportParams struct {
++	OrgID             int64
++	SourceOrg         string
++	RequestedByUserID int64
++	Token             string
++}
++
++// StartGitHubImport persists a GitHub import request and enqueues discovery.
++func StartGitHubImport(ctx context.Context, deps ImportDeps, p StartGitHubImportParams) (orgsdb.OrgGithubImport, error) {
++	sourceOrg, err := NormalizeGitHubOrg(p.SourceOrg)
++	if err != nil {
++		return orgsdb.OrgGithubImport{}, err
++	}
++	token := strings.TrimSpace(p.Token)
++	var ciphertext, nonce []byte
++	tokenPresent := token != ""
++	if tokenPresent {
++		if deps.Box == nil {
++			return orgsdb.OrgGithubImport{}, ErrImportTokenKeyNeeded
++		}
++		ciphertext, nonce, err = deps.Box.Seal([]byte(token))
++		if err != nil {
++			return orgsdb.OrgGithubImport{}, fmt.Errorf("github import: seal token: %w", err)
++		}
++	}
++
++	tx, err := deps.Pool.Begin(ctx)
++	if err != nil {
++		return orgsdb.OrgGithubImport{}, err
++	}
++	committed := false
++	defer func() {
++		if !committed {
++			_ = tx.Rollback(ctx)
++		}
++	}()
++
++	q := orgsdb.New()
++	row, err := q.CreateOrgGithubImport(ctx, tx, orgsdb.CreateOrgGithubImportParams{
++		OrgID:             p.OrgID,
++		SourceOrg:         sourceOrg,
++		RequestedByUserID: pgtype.Int8{Int64: p.RequestedByUserID, Valid: p.RequestedByUserID != 0},
++		IncludePrivate:    tokenPresent,
++		TokenPresent:      tokenPresent,
++		TokenCiphertext:   ciphertext,
++		TokenNonce:        nonce,
++	})
++	if err != nil {
++		return orgsdb.OrgGithubImport{}, fmt.Errorf("github import: create: %w", err)
++	}
++	if _, err := worker.Enqueue(ctx, tx, worker.KindOrgGitHubImportDiscover, map[string]any{
++		"import_id": row.ID,
++	}, worker.EnqueueOptions{}); err != nil {
++		return orgsdb.OrgGithubImport{}, err
++	}
++	if err := worker.Notify(ctx, tx); err != nil && deps.Logger != nil {
++		deps.Logger.WarnContext(ctx, "github import: notify", "error", err, "import_id", row.ID)
++	}
++	if err := tx.Commit(ctx); err != nil {
++		return orgsdb.OrgGithubImport{}, err
++	}
++	committed = true
++	return row, nil
++}
++
++func NormalizeGitHubOrg(raw string) (string, error) {
++	org := strings.TrimSpace(raw)
++	org = strings.TrimPrefix(org, "https://github.com/")
++	org = strings.TrimPrefix(org, "http://github.com/")
++	org = strings.Trim(org, "/")
++	if org == "" || strings.Contains(org, "/") || !githubOrgRE.MatchString(org) {
++		return "", ErrInvalidGitHubOrg
++	}
++	return org, nil
++}
++
++func DecryptGitHubImportToken(row orgsdb.OrgGithubImport, box *secretbox.Box) (string, error) {
++	if len(row.TokenCiphertext) == 0 && len(row.TokenNonce) == 0 {
++		return "", nil
++	}
++	if box == nil {
++		return "", ErrImportTokenKeyNeeded
++	}
++	pt, err := box.Open(row.TokenCiphertext, row.TokenNonce)
++	if err != nil {
++		return "", fmt.Errorf("github import: decrypt token: %w", err)
++	}
++	return string(pt), nil
++}
++
++type GitHubClient struct {
++	HTTPClient *http.Client
++	BaseURL    string
++	UserAgent  string
++}
++
++type GitHubRepo struct {
++	ID            int64
++	Name          string
++	FullName      string
++	CloneURL      string
++	Description   string
++	DefaultBranch string
++	Private       bool
++	Fork          bool
++}
++
++func (c GitHubClient) ListOrgRepos(ctx context.Context, org, token string) ([]GitHubRepo, error) {
++	org, err := NormalizeGitHubOrg(org)
++	if err != nil {
++		return nil, err
++	}
++	base := strings.TrimRight(c.BaseURL, "/")
++	if base == "" {
++		base = "https://api.github.com"
++	}
++	client := c.HTTPClient
++	if client == nil {
++		client = &http.Client{Timeout: 30 * time.Second}
++	}
++	token = strings.TrimSpace(token)
++	repoType := "public"
++	if token != "" {
++		repoType = "all"
++	}
++	var out []GitHubRepo
++	for page := 1; page <= 100; page++ {
++		u, err := url.Parse(base + "/orgs/" + url.PathEscape(org) + "/repos")
++		if err != nil {
++			return nil, err
++		}
++		q := u.Query()
++		q.Set("type", repoType)
++		q.Set("per_page", "100")
++		q.Set("page", strconv.Itoa(page))
++		q.Set("sort", "full_name")
++		u.RawQuery = q.Encode()
++
++		req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
++		if err != nil {
++			return nil, err
++		}
++		req.Header.Set("Accept", "application/vnd.github+json")
++		req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
++		req.Header.Set("User-Agent", userAgent(c.UserAgent))
++		if token != "" {
++			req.Header.Set("Authorization", "Bearer "+token)
++		}
++		resp, err := client.Do(req)
++		if err != nil {
++			return nil, err
++		}
++		repos, err := decodeGitHubRepos(resp)
++		if err != nil {
++			return nil, err
++		}
++		out = append(out, repos...)
++		if len(repos) < 100 {
++			return out, nil
++		}
++	}
++	return nil, fmt.Errorf("github import: too many repositories in %s", org)
++}
++
++func decodeGitHubRepos(resp *http.Response) ([]GitHubRepo, error) {
++	defer resp.Body.Close()
++	body, err := io.ReadAll(io.LimitReader(resp.Body, 2<<20))
++	if err != nil {
++		return nil, err
++	}
++	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
++		msg := strings.TrimSpace(string(body))
++		if msg == "" {
++			msg = resp.Status
++		}
++		return nil, fmt.Errorf("github import: GitHub API returned %s: %s", resp.Status, msg)
++	}
++	var payload []struct {
++		ID            int64   `json:"id"`
++		Name          string  `json:"name"`
++		FullName      string  `json:"full_name"`
++		CloneURL      string  `json:"clone_url"`
++		Description   *string `json:"description"`
++		DefaultBranch string  `json:"default_branch"`
++		Private       bool    `json:"private"`
++		Fork          bool    `json:"fork"`
++	}
++	dec := json.NewDecoder(bytes.NewReader(body))
++	if err := dec.Decode(&payload); err != nil {
++		return nil, err
++	}
++	out := make([]GitHubRepo, 0, len(payload))
++	for _, r := range payload {
++		desc := ""
++		if r.Description != nil {
++			desc = strings.TrimSpace(*r.Description)
++		}
++		out = append(out, GitHubRepo{
++			ID:            r.ID,
++			Name:          r.Name,
++			FullName:      r.FullName,
++			CloneURL:      r.CloneURL,
++			Description:   desc,
++			DefaultBranch: strings.TrimSpace(r.DefaultBranch),
++			Private:       r.Private,
++			Fork:          r.Fork,
++		})
++	}
++	return out, nil
++}
++
++func userAgent(custom string) string {
++	custom = strings.TrimSpace(custom)
++	if custom != "" {
++		return custom
++	}
++	return "shithub"
++}
++
++func IsTerminalImportStatus(status string) bool {
++	return status == ImportStatusCompleted || status == ImportStatusFailed
++}
++
++func IsTerminalImportRepoStatus(status string) bool {
++	return status == ImportRepoStatusImported || status == ImportRepoStatusSkipped || status == ImportRepoStatusFailed
++}
++
++func IgnoreNoRows(err error) error {
++	if errors.Is(err, pgx.ErrNoRows) {
++		return nil
++	}
++	return err
++}

internal/orgs/queries/github_imports.sqladded

++-- SPDX-License-Identifier: AGPL-3.0-or-later
++
++-- name: CreateOrgGithubImport :one
++INSERT INTO org_github_imports (
++    org_id, source_org, requested_by_user_id, include_private,
++    token_present, token_ciphertext, token_nonce
++) VALUES (
++    $1, $2, sqlc.narg(requested_by_user_id)::bigint, $3,
++    $4, sqlc.narg(token_ciphertext)::bytea, sqlc.narg(token_nonce)::bytea
++)
++RETURNING *;
++
++-- name: GetOrgGithubImport :one
++SELECT * FROM org_github_imports WHERE id = $1;
++
++-- name: GetOrgGithubImportForOrg :one
++SELECT * FROM org_github_imports
++WHERE id = $1 AND org_id = $2;
++
++-- name: ListOrgGithubImportsForOrg :many
++SELECT * FROM org_github_imports
++WHERE org_id = $1
++ORDER BY created_at DESC
++LIMIT $2;
++
++-- name: MarkOrgGithubImportDiscovering :exec
++UPDATE org_github_imports
++   SET status = 'discovering',
++       started_at = COALESCE(started_at, now()),
++       last_error = NULL,
++       updated_at = now()
++ WHERE id = $1
++   AND status IN ('queued', 'discovering');
++
++-- name: MarkOrgGithubImportImporting :exec
++UPDATE org_github_imports
++   SET status = 'importing',
++       total_count = $2,
++       started_at = COALESCE(started_at, now()),
++       last_error = NULL,
++       updated_at = now()
++ WHERE id = $1
++   AND status IN ('queued', 'discovering', 'importing');
++
++-- name: MarkOrgGithubImportFailed :exec
++UPDATE org_github_imports
++   SET status = 'failed',
++       last_error = $2,
++       token_ciphertext = NULL,
++       token_nonce = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1;
++
++-- name: MarkOrgGithubImportCompleted :exec
++UPDATE org_github_imports
++   SET status = 'completed',
++       token_ciphertext = NULL,
++       token_nonce = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1;
++
++-- name: MarkOrgGithubImportCompletedIfDone :one
++UPDATE org_github_imports AS i
++   SET status = 'completed',
++       token_ciphertext = NULL,
++       token_nonce = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE i.id = $1
++   AND i.status = 'importing'
++   AND NOT EXISTS (
++       SELECT 1
++         FROM org_github_import_repos
++        WHERE import_id = $1
++          AND status IN ('queued', 'importing')
++   )
++RETURNING i.*;
++
++-- name: InsertOrgGithubImportRepo :one
++INSERT INTO org_github_import_repos (
++    import_id, github_id, source_full_name, source_name, target_name,
++    clone_url, description, default_branch, target_visibility,
++    is_private, is_fork
++) VALUES (
++    $1, sqlc.narg(github_id)::bigint, $2, $3, $4,
++    $5, $6, $7, $8, $9, $10
++)
++ON CONFLICT (import_id, target_name) DO UPDATE
++   SET github_id = EXCLUDED.github_id,
++       source_full_name = EXCLUDED.source_full_name,
++       source_name = EXCLUDED.source_name,
++       clone_url = EXCLUDED.clone_url,
++       description = EXCLUDED.description,
++       default_branch = EXCLUDED.default_branch,
++       target_visibility = EXCLUDED.target_visibility,
++       is_private = EXCLUDED.is_private,
++       is_fork = EXCLUDED.is_fork,
++       updated_at = now()
++RETURNING *;
++
++-- name: GetOrgGithubImportRepo :one
++SELECT * FROM org_github_import_repos WHERE id = $1;
++
++-- name: ListOrgGithubImportRepos :many
++SELECT * FROM org_github_import_repos
++WHERE import_id = $1
++ORDER BY source_name ASC;
++
++-- name: MarkOrgGithubImportRepoImporting :exec
++UPDATE org_github_import_repos
++   SET status = 'importing',
++       started_at = COALESCE(started_at, now()),
++       last_error = NULL,
++       updated_at = now()
++ WHERE id = $1
++   AND status = 'queued';
++
++-- name: MarkOrgGithubImportRepoImported :exec
++UPDATE org_github_import_repos
++   SET status = 'imported',
++       repo_id = $2,
++       last_error = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1;
++
++-- name: MarkOrgGithubImportRepoSkipped :exec
++UPDATE org_github_import_repos
++   SET status = 'skipped',
++       last_error = $2,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1;
++
++-- name: MarkOrgGithubImportRepoFailed :exec
++UPDATE org_github_import_repos
++   SET status = 'failed',
++       repo_id = COALESCE(sqlc.narg(repo_id)::bigint, repo_id),
++       last_error = $2,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1;
++
++-- name: GetOrgGithubImportProgress :one
++SELECT
++    i.*,
++    count(r.id)::integer AS discovered_count,
++    count(r.id) FILTER (WHERE r.status = 'queued')::integer AS queued_count,
++    count(r.id) FILTER (WHERE r.status = 'importing')::integer AS importing_count,
++    count(r.id) FILTER (WHERE r.status = 'imported')::integer AS imported_count,
++    count(r.id) FILTER (WHERE r.status = 'skipped')::integer AS skipped_count,
++    count(r.id) FILTER (WHERE r.status = 'failed')::integer AS failed_count
++FROM org_github_imports i
++LEFT JOIN org_github_import_repos r ON r.import_id = i.id
++WHERE i.id = $1 AND i.org_id = $2
++GROUP BY i.id;

internal/orgs/sqlc/github_imports.sql.goadded

++// Code generated by sqlc. DO NOT EDIT.
++// versions:
++//   sqlc v1.31.1
++// source: github_imports.sql
++
++package orgsdb
++
++import (
++	"context"
++
++	"github.com/jackc/pgx/v5/pgtype"
++)
++
++const createOrgGithubImport = `-- name: CreateOrgGithubImport :one
++
++INSERT INTO org_github_imports (
++    org_id, source_org, requested_by_user_id, include_private,
++    token_present, token_ciphertext, token_nonce
++) VALUES (
++    $1, $2, $5::bigint, $3,
++    $4, $6::bytea, $7::bytea
++)
++RETURNING id, org_id, source_host, source_org, requested_by_user_id, status, include_private, token_present, token_ciphertext, token_nonce, total_count, last_error, started_at, completed_at, created_at, updated_at
++`
++
++type CreateOrgGithubImportParams struct {
++	OrgID             int64
++	SourceOrg         string
++	IncludePrivate    bool
++	TokenPresent      bool
++	RequestedByUserID pgtype.Int8
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++}
++
++// SPDX-License-Identifier: AGPL-3.0-or-later
++func (q *Queries) CreateOrgGithubImport(ctx context.Context, db DBTX, arg CreateOrgGithubImportParams) (OrgGithubImport, error) {
++	row := db.QueryRow(ctx, createOrgGithubImport,
++		arg.OrgID,
++		arg.SourceOrg,
++		arg.IncludePrivate,
++		arg.TokenPresent,
++		arg.RequestedByUserID,
++		arg.TokenCiphertext,
++		arg.TokenNonce,
++	)
++	var i OrgGithubImport
++	err := row.Scan(
++		&i.ID,
++		&i.OrgID,
++		&i.SourceHost,
++		&i.SourceOrg,
++		&i.RequestedByUserID,
++		&i.Status,
++		&i.IncludePrivate,
++		&i.TokenPresent,
++		&i.TokenCiphertext,
++		&i.TokenNonce,
++		&i.TotalCount,
++		&i.LastError,
++		&i.StartedAt,
++		&i.CompletedAt,
++		&i.CreatedAt,
++		&i.UpdatedAt,
++	)
++	return i, err
++}
++
++const getOrgGithubImport = `-- name: GetOrgGithubImport :one
++SELECT id, org_id, source_host, source_org, requested_by_user_id, status, include_private, token_present, token_ciphertext, token_nonce, total_count, last_error, started_at, completed_at, created_at, updated_at FROM org_github_imports WHERE id = $1
++`
++
++func (q *Queries) GetOrgGithubImport(ctx context.Context, db DBTX, id int64) (OrgGithubImport, error) {
++	row := db.QueryRow(ctx, getOrgGithubImport, id)
++	var i OrgGithubImport
++	err := row.Scan(
++		&i.ID,
++		&i.OrgID,
++		&i.SourceHost,
++		&i.SourceOrg,
++		&i.RequestedByUserID,
++		&i.Status,
++		&i.IncludePrivate,
++		&i.TokenPresent,
++		&i.TokenCiphertext,
++		&i.TokenNonce,
++		&i.TotalCount,
++		&i.LastError,
++		&i.StartedAt,
++		&i.CompletedAt,
++		&i.CreatedAt,
++		&i.UpdatedAt,
++	)
++	return i, err
++}
++
++const getOrgGithubImportForOrg = `-- name: GetOrgGithubImportForOrg :one
++SELECT id, org_id, source_host, source_org, requested_by_user_id, status, include_private, token_present, token_ciphertext, token_nonce, total_count, last_error, started_at, completed_at, created_at, updated_at FROM org_github_imports
++WHERE id = $1 AND org_id = $2
++`
++
++type GetOrgGithubImportForOrgParams struct {
++	ID    int64
++	OrgID int64
++}
++
++func (q *Queries) GetOrgGithubImportForOrg(ctx context.Context, db DBTX, arg GetOrgGithubImportForOrgParams) (OrgGithubImport, error) {
++	row := db.QueryRow(ctx, getOrgGithubImportForOrg, arg.ID, arg.OrgID)
++	var i OrgGithubImport
++	err := row.Scan(
++		&i.ID,
++		&i.OrgID,
++		&i.SourceHost,
++		&i.SourceOrg,
++		&i.RequestedByUserID,
++		&i.Status,
++		&i.IncludePrivate,
++		&i.TokenPresent,
++		&i.TokenCiphertext,
++		&i.TokenNonce,
++		&i.TotalCount,
++		&i.LastError,
++		&i.StartedAt,
++		&i.CompletedAt,
++		&i.CreatedAt,
++		&i.UpdatedAt,
++	)
++	return i, err
++}
++
++const getOrgGithubImportProgress = `-- name: GetOrgGithubImportProgress :one
++SELECT
++    i.id, i.org_id, i.source_host, i.source_org, i.requested_by_user_id, i.status, i.include_private, i.token_present, i.token_ciphertext, i.token_nonce, i.total_count, i.last_error, i.started_at, i.completed_at, i.created_at, i.updated_at,
++    count(r.id)::integer AS discovered_count,
++    count(r.id) FILTER (WHERE r.status = 'queued')::integer AS queued_count,
++    count(r.id) FILTER (WHERE r.status = 'importing')::integer AS importing_count,
++    count(r.id) FILTER (WHERE r.status = 'imported')::integer AS imported_count,
++    count(r.id) FILTER (WHERE r.status = 'skipped')::integer AS skipped_count,
++    count(r.id) FILTER (WHERE r.status = 'failed')::integer AS failed_count
++FROM org_github_imports i
++LEFT JOIN org_github_import_repos r ON r.import_id = i.id
++WHERE i.id = $1 AND i.org_id = $2
++GROUP BY i.id
++`
++
++type GetOrgGithubImportProgressParams struct {
++	ID    int64
++	OrgID int64
++}
++
++type GetOrgGithubImportProgressRow struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++	DiscoveredCount   int32
++	QueuedCount       int32
++	ImportingCount    int32
++	ImportedCount     int32
++	SkippedCount      int32
++	FailedCount       int32
++}
++
++func (q *Queries) GetOrgGithubImportProgress(ctx context.Context, db DBTX, arg GetOrgGithubImportProgressParams) (GetOrgGithubImportProgressRow, error) {
++	row := db.QueryRow(ctx, getOrgGithubImportProgress, arg.ID, arg.OrgID)
++	var i GetOrgGithubImportProgressRow
++	err := row.Scan(
++		&i.ID,
++		&i.OrgID,
++		&i.SourceHost,
++		&i.SourceOrg,
++		&i.RequestedByUserID,
++		&i.Status,
++		&i.IncludePrivate,
++		&i.TokenPresent,
++		&i.TokenCiphertext,
++		&i.TokenNonce,
++		&i.TotalCount,
++		&i.LastError,
++		&i.StartedAt,
++		&i.CompletedAt,
++		&i.CreatedAt,
++		&i.UpdatedAt,
++		&i.DiscoveredCount,
++		&i.QueuedCount,
++		&i.ImportingCount,
++		&i.ImportedCount,
++		&i.SkippedCount,
++		&i.FailedCount,
++	)
++	return i, err
++}
++
++const getOrgGithubImportRepo = `-- name: GetOrgGithubImportRepo :one
++SELECT id, import_id, github_id, source_full_name, source_name, target_name, clone_url, description, default_branch, target_visibility, is_private, is_fork, status, repo_id, last_error, started_at, completed_at, created_at, updated_at FROM org_github_import_repos WHERE id = $1
++`
++
++func (q *Queries) GetOrgGithubImportRepo(ctx context.Context, db DBTX, id int64) (OrgGithubImportRepo, error) {
++	row := db.QueryRow(ctx, getOrgGithubImportRepo, id)
++	var i OrgGithubImportRepo
++	err := row.Scan(
++		&i.ID,
++		&i.ImportID,
++		&i.GithubID,
++		&i.SourceFullName,
++		&i.SourceName,
++		&i.TargetName,
++		&i.CloneUrl,
++		&i.Description,
++		&i.DefaultBranch,
++		&i.TargetVisibility,
++		&i.IsPrivate,
++		&i.IsFork,
++		&i.Status,
++		&i.RepoID,
++		&i.LastError,
++		&i.StartedAt,
++		&i.CompletedAt,
++		&i.CreatedAt,
++		&i.UpdatedAt,
++	)
++	return i, err
++}
++
++const insertOrgGithubImportRepo = `-- name: InsertOrgGithubImportRepo :one
++INSERT INTO org_github_import_repos (
++    import_id, github_id, source_full_name, source_name, target_name,
++    clone_url, description, default_branch, target_visibility,
++    is_private, is_fork
++) VALUES (
++    $1, $11::bigint, $2, $3, $4,
++    $5, $6, $7, $8, $9, $10
++)
++ON CONFLICT (import_id, target_name) DO UPDATE
++   SET github_id = EXCLUDED.github_id,
++       source_full_name = EXCLUDED.source_full_name,
++       source_name = EXCLUDED.source_name,
++       clone_url = EXCLUDED.clone_url,
++       description = EXCLUDED.description,
++       default_branch = EXCLUDED.default_branch,
++       target_visibility = EXCLUDED.target_visibility,
++       is_private = EXCLUDED.is_private,
++       is_fork = EXCLUDED.is_fork,
++       updated_at = now()
++RETURNING id, import_id, github_id, source_full_name, source_name, target_name, clone_url, description, default_branch, target_visibility, is_private, is_fork, status, repo_id, last_error, started_at, completed_at, created_at, updated_at
++`
++
++type InsertOrgGithubImportRepoParams struct {
++	ImportID         int64
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	GithubID         pgtype.Int8
++}
++
++func (q *Queries) InsertOrgGithubImportRepo(ctx context.Context, db DBTX, arg InsertOrgGithubImportRepoParams) (OrgGithubImportRepo, error) {
++	row := db.QueryRow(ctx, insertOrgGithubImportRepo,
++		arg.ImportID,
++		arg.SourceFullName,
++		arg.SourceName,
++		arg.TargetName,
++		arg.CloneUrl,
++		arg.Description,
++		arg.DefaultBranch,
++		arg.TargetVisibility,
++		arg.IsPrivate,
++		arg.IsFork,
++		arg.GithubID,
++	)
++	var i OrgGithubImportRepo
++	err := row.Scan(
++		&i.ID,
++		&i.ImportID,
++		&i.GithubID,
++		&i.SourceFullName,
++		&i.SourceName,
++		&i.TargetName,
++		&i.CloneUrl,
++		&i.Description,
++		&i.DefaultBranch,
++		&i.TargetVisibility,
++		&i.IsPrivate,
++		&i.IsFork,
++		&i.Status,
++		&i.RepoID,
++		&i.LastError,
++		&i.StartedAt,
++		&i.CompletedAt,
++		&i.CreatedAt,
++		&i.UpdatedAt,
++	)
++	return i, err
++}
++
++const listOrgGithubImportRepos = `-- name: ListOrgGithubImportRepos :many
++SELECT id, import_id, github_id, source_full_name, source_name, target_name, clone_url, description, default_branch, target_visibility, is_private, is_fork, status, repo_id, last_error, started_at, completed_at, created_at, updated_at FROM org_github_import_repos
++WHERE import_id = $1
++ORDER BY source_name ASC
++`
++
++func (q *Queries) ListOrgGithubImportRepos(ctx context.Context, db DBTX, importID int64) ([]OrgGithubImportRepo, error) {
++	rows, err := db.Query(ctx, listOrgGithubImportRepos, importID)
++	if err != nil {
++		return nil, err
++	}
++	defer rows.Close()
++	items := []OrgGithubImportRepo{}
++	for rows.Next() {
++		var i OrgGithubImportRepo
++		if err := rows.Scan(
++			&i.ID,
++			&i.ImportID,
++			&i.GithubID,
++			&i.SourceFullName,
++			&i.SourceName,
++			&i.TargetName,
++			&i.CloneUrl,
++			&i.Description,
++			&i.DefaultBranch,
++			&i.TargetVisibility,
++			&i.IsPrivate,
++			&i.IsFork,
++			&i.Status,
++			&i.RepoID,
++			&i.LastError,
++			&i.StartedAt,
++			&i.CompletedAt,
++			&i.CreatedAt,
++			&i.UpdatedAt,
++		); err != nil {
++			return nil, err
++		}
++		items = append(items, i)
++	}
++	if err := rows.Err(); err != nil {
++		return nil, err
++	}
++	return items, nil
++}
++
++const listOrgGithubImportsForOrg = `-- name: ListOrgGithubImportsForOrg :many
++SELECT id, org_id, source_host, source_org, requested_by_user_id, status, include_private, token_present, token_ciphertext, token_nonce, total_count, last_error, started_at, completed_at, created_at, updated_at FROM org_github_imports
++WHERE org_id = $1
++ORDER BY created_at DESC
++LIMIT $2
++`
++
++type ListOrgGithubImportsForOrgParams struct {
++	OrgID int64
++	Limit int32
++}
++
++func (q *Queries) ListOrgGithubImportsForOrg(ctx context.Context, db DBTX, arg ListOrgGithubImportsForOrgParams) ([]OrgGithubImport, error) {
++	rows, err := db.Query(ctx, listOrgGithubImportsForOrg, arg.OrgID, arg.Limit)
++	if err != nil {
++		return nil, err
++	}
++	defer rows.Close()
++	items := []OrgGithubImport{}
++	for rows.Next() {
++		var i OrgGithubImport
++		if err := rows.Scan(
++			&i.ID,
++			&i.OrgID,
++			&i.SourceHost,
++			&i.SourceOrg,
++			&i.RequestedByUserID,
++			&i.Status,
++			&i.IncludePrivate,
++			&i.TokenPresent,
++			&i.TokenCiphertext,
++			&i.TokenNonce,
++			&i.TotalCount,
++			&i.LastError,
++			&i.StartedAt,
++			&i.CompletedAt,
++			&i.CreatedAt,
++			&i.UpdatedAt,
++		); err != nil {
++			return nil, err
++		}
++		items = append(items, i)
++	}
++	if err := rows.Err(); err != nil {
++		return nil, err
++	}
++	return items, nil
++}
++
++const markOrgGithubImportCompleted = `-- name: MarkOrgGithubImportCompleted :exec
++UPDATE org_github_imports
++   SET status = 'completed',
++       token_ciphertext = NULL,
++       token_nonce = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1
++`
++
++func (q *Queries) MarkOrgGithubImportCompleted(ctx context.Context, db DBTX, id int64) error {
++	_, err := db.Exec(ctx, markOrgGithubImportCompleted, id)
++	return err
++}
++
++const markOrgGithubImportCompletedIfDone = `-- name: MarkOrgGithubImportCompletedIfDone :one
++UPDATE org_github_imports AS i
++   SET status = 'completed',
++       token_ciphertext = NULL,
++       token_nonce = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE i.id = $1
++   AND i.status = 'importing'
++   AND NOT EXISTS (
++       SELECT 1
++         FROM org_github_import_repos
++        WHERE import_id = $1
++          AND status IN ('queued', 'importing')
++   )
++RETURNING i.id, i.org_id, i.source_host, i.source_org, i.requested_by_user_id, i.status, i.include_private, i.token_present, i.token_ciphertext, i.token_nonce, i.total_count, i.last_error, i.started_at, i.completed_at, i.created_at, i.updated_at
++`
++
++func (q *Queries) MarkOrgGithubImportCompletedIfDone(ctx context.Context, db DBTX, id int64) (OrgGithubImport, error) {
++	row := db.QueryRow(ctx, markOrgGithubImportCompletedIfDone, id)
++	var i OrgGithubImport
++	err := row.Scan(
++		&i.ID,
++		&i.OrgID,
++		&i.SourceHost,
++		&i.SourceOrg,
++		&i.RequestedByUserID,
++		&i.Status,
++		&i.IncludePrivate,
++		&i.TokenPresent,
++		&i.TokenCiphertext,
++		&i.TokenNonce,
++		&i.TotalCount,
++		&i.LastError,
++		&i.StartedAt,
++		&i.CompletedAt,
++		&i.CreatedAt,
++		&i.UpdatedAt,
++	)
++	return i, err
++}
++
++const markOrgGithubImportDiscovering = `-- name: MarkOrgGithubImportDiscovering :exec
++UPDATE org_github_imports
++   SET status = 'discovering',
++       started_at = COALESCE(started_at, now()),
++       last_error = NULL,
++       updated_at = now()
++ WHERE id = $1
++   AND status IN ('queued', 'discovering')
++`
++
++func (q *Queries) MarkOrgGithubImportDiscovering(ctx context.Context, db DBTX, id int64) error {
++	_, err := db.Exec(ctx, markOrgGithubImportDiscovering, id)
++	return err
++}
++
++const markOrgGithubImportFailed = `-- name: MarkOrgGithubImportFailed :exec
++UPDATE org_github_imports
++   SET status = 'failed',
++       last_error = $2,
++       token_ciphertext = NULL,
++       token_nonce = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1
++`
++
++type MarkOrgGithubImportFailedParams struct {
++	ID        int64
++	LastError pgtype.Text
++}
++
++func (q *Queries) MarkOrgGithubImportFailed(ctx context.Context, db DBTX, arg MarkOrgGithubImportFailedParams) error {
++	_, err := db.Exec(ctx, markOrgGithubImportFailed, arg.ID, arg.LastError)
++	return err
++}
++
++const markOrgGithubImportImporting = `-- name: MarkOrgGithubImportImporting :exec
++UPDATE org_github_imports
++   SET status = 'importing',
++       total_count = $2,
++       started_at = COALESCE(started_at, now()),
++       last_error = NULL,
++       updated_at = now()
++ WHERE id = $1
++   AND status IN ('queued', 'discovering', 'importing')
++`
++
++type MarkOrgGithubImportImportingParams struct {
++	ID         int64
++	TotalCount int32
++}
++
++func (q *Queries) MarkOrgGithubImportImporting(ctx context.Context, db DBTX, arg MarkOrgGithubImportImportingParams) error {
++	_, err := db.Exec(ctx, markOrgGithubImportImporting, arg.ID, arg.TotalCount)
++	return err
++}
++
++const markOrgGithubImportRepoFailed = `-- name: MarkOrgGithubImportRepoFailed :exec
++UPDATE org_github_import_repos
++   SET status = 'failed',
++       repo_id = COALESCE($3::bigint, repo_id),
++       last_error = $2,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1
++`
++
++type MarkOrgGithubImportRepoFailedParams struct {
++	ID        int64
++	LastError pgtype.Text
++	RepoID    pgtype.Int8
++}
++
++func (q *Queries) MarkOrgGithubImportRepoFailed(ctx context.Context, db DBTX, arg MarkOrgGithubImportRepoFailedParams) error {
++	_, err := db.Exec(ctx, markOrgGithubImportRepoFailed, arg.ID, arg.LastError, arg.RepoID)
++	return err
++}
++
++const markOrgGithubImportRepoImported = `-- name: MarkOrgGithubImportRepoImported :exec
++UPDATE org_github_import_repos
++   SET status = 'imported',
++       repo_id = $2,
++       last_error = NULL,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1
++`
++
++type MarkOrgGithubImportRepoImportedParams struct {
++	ID     int64
++	RepoID pgtype.Int8
++}
++
++func (q *Queries) MarkOrgGithubImportRepoImported(ctx context.Context, db DBTX, arg MarkOrgGithubImportRepoImportedParams) error {
++	_, err := db.Exec(ctx, markOrgGithubImportRepoImported, arg.ID, arg.RepoID)
++	return err
++}
++
++const markOrgGithubImportRepoImporting = `-- name: MarkOrgGithubImportRepoImporting :exec
++UPDATE org_github_import_repos
++   SET status = 'importing',
++       started_at = COALESCE(started_at, now()),
++       last_error = NULL,
++       updated_at = now()
++ WHERE id = $1
++   AND status = 'queued'
++`
++
++func (q *Queries) MarkOrgGithubImportRepoImporting(ctx context.Context, db DBTX, id int64) error {
++	_, err := db.Exec(ctx, markOrgGithubImportRepoImporting, id)
++	return err
++}
++
++const markOrgGithubImportRepoSkipped = `-- name: MarkOrgGithubImportRepoSkipped :exec
++UPDATE org_github_import_repos
++   SET status = 'skipped',
++       last_error = $2,
++       completed_at = COALESCE(completed_at, now()),
++       updated_at = now()
++ WHERE id = $1
++`
++
++type MarkOrgGithubImportRepoSkippedParams struct {
++	ID        int64
++	LastError pgtype.Text
++}
++
++func (q *Queries) MarkOrgGithubImportRepoSkipped(ctx context.Context, db DBTX, arg MarkOrgGithubImportRepoSkippedParams) error {
++	_, err := db.Exec(ctx, markOrgGithubImportRepoSkipped, arg.ID, arg.LastError)
++	return err
++}

internal/orgs/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/orgs/sqlc/querier.gomodified

  	// tx (separate query so the orchestrator owns ordering).
  	CreateOrg(ctx context.Context, db DBTX, arg CreateOrgParams) (Org, error)
  	// SPDX-License-Identifier: AGPL-3.0-or-later
++	CreateOrgGithubImport(ctx context.Context, db DBTX, arg CreateOrgGithubImportParams) (OrgGithubImport, error)
++	// SPDX-License-Identifier: AGPL-3.0-or-later
  	// ─── org_invitations ───────────────────────────────────────────────
  	CreateOrgInvitation(ctx context.Context, db DBTX, arg CreateOrgInvitationParams) (OrgInvitation, error)
  	// SPDX-License-Identifier: AGPL-3.0-or-later
  	// column for grace-period restore).
  	GetOrgBySlug(ctx context.Context, db DBTX, slug string) (Org, error)
  	GetOrgBySlugIncludingDeleted(ctx context.Context, db DBTX, slug string) (Org, error)
++	GetOrgGithubImport(ctx context.Context, db DBTX, id int64) (OrgGithubImport, error)
++	GetOrgGithubImportForOrg(ctx context.Context, db DBTX, arg GetOrgGithubImportForOrgParams) (OrgGithubImport, error)
++	GetOrgGithubImportProgress(ctx context.Context, db DBTX, arg GetOrgGithubImportProgressParams) (GetOrgGithubImportProgressRow, error)
++	GetOrgGithubImportRepo(ctx context.Context, db DBTX, id int64) (OrgGithubImportRepo, error)
  	GetOrgInvitationByID(ctx context.Context, db DBTX, id int64) (OrgInvitation, error)
  	GetOrgInvitationByTokenHash(ctx context.Context, db DBTX, tokenHash []byte) (OrgInvitation, error)
  	GetOrgMember(ctx context.Context, db DBTX, arg GetOrgMemberParams) (OrgMember, error)
  	// Final row removal after the cascade finished. The principals
  	// trigger drops the matching principals row in the same tx.
  	HardDeleteOrgRow(ctx context.Context, db DBTX, id int64) error
++	InsertOrgGithubImportRepo(ctx context.Context, db DBTX, arg InsertOrgGithubImportRepoParams) (OrgGithubImportRepo, error)
  	// Replaces the inline EXISTS query in handlers/orgs/teams.go
  	// canSeeTeam + filterSecretTeams (SR2 M2). Used by the visibility
  	// gate for secret teams.
  	IsTeamMember(ctx context.Context, db DBTX, arg IsTeamMemberParams) (bool, error)
  	ListChildTeams(ctx context.Context, db DBTX, parentTeamID pgtype.Int8) ([]Team, error)
++	ListOrgGithubImportRepos(ctx context.Context, db DBTX, importID int64) ([]OrgGithubImportRepo, error)
++	ListOrgGithubImportsForOrg(ctx context.Context, db DBTX, arg ListOrgGithubImportsForOrgParams) ([]OrgGithubImport, error)
  	// Sweep input for the lifecycle worker: every soft-deleted org whose
  	// 14-day grace window has elapsed. The interval is intentionally a
  	// DB literal (not a parameter) so the policy lives next to the data.
  	// policy aggregator unions this with each row's parent_team_id to
  	// get the inherited set.
  	ListTeamsForUserInOrg(ctx context.Context, db DBTX, arg ListTeamsForUserInOrgParams) ([]ListTeamsForUserInOrgRow, error)
++	MarkOrgGithubImportCompleted(ctx context.Context, db DBTX, id int64) error
++	MarkOrgGithubImportCompletedIfDone(ctx context.Context, db DBTX, id int64) (OrgGithubImport, error)
++	MarkOrgGithubImportDiscovering(ctx context.Context, db DBTX, id int64) error
++	MarkOrgGithubImportFailed(ctx context.Context, db DBTX, arg MarkOrgGithubImportFailedParams) error
++	MarkOrgGithubImportImporting(ctx context.Context, db DBTX, arg MarkOrgGithubImportImportingParams) error
++	MarkOrgGithubImportRepoFailed(ctx context.Context, db DBTX, arg MarkOrgGithubImportRepoFailedParams) error
++	MarkOrgGithubImportRepoImported(ctx context.Context, db DBTX, arg MarkOrgGithubImportRepoImportedParams) error
++	MarkOrgGithubImportRepoImporting(ctx context.Context, db DBTX, id int64) error
++	MarkOrgGithubImportRepoSkipped(ctx context.Context, db DBTX, arg MarkOrgGithubImportRepoSkippedParams) error
  	RemoveOrgMember(ctx context.Context, db DBTX, arg RemoveOrgMemberParams) error
  	RemoveTeamMember(ctx context.Context, db DBTX, arg RemoveTeamMemberParams) error
  	// ─── principals (read-only from this domain) ───────────────────────

internal/pulls/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/ratelimit/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/repos/create.gomodified

  	// accounts, not to throttle staff.
  	ActorIsSiteAdmin bool
++	// BypassCreateRateLimit lets trusted server-side bulk operations
++	// create many repos for the same actor without tripping the browser
++	// anti-abuse throttle. Keep false for direct user submits.
++	BypassCreateRateLimit bool
++
  	Name        string // already lowercased + trimmed
  	Description string
  	Visibility  string // "public" | "private"
  	// Rate-limit per actor (NOT per owner) so a user can't bypass the
  	// per-account cap by spreading creates across orgs they manage.
  	// Site admins skip the cap entirely.
--	if !p.ActorIsSiteAdmin {
++	if !p.ActorIsSiteAdmin && !p.BypassCreateRateLimit {
  		if err := deps.Limiter.Hit(ctx, deps.Pool, throttle.Limit{
  			Scope:      "repo_create",
  			Identifier: fmt.Sprintf("user:%d", p.ActorUserID),

internal/repos/git/remotes.gomodified

  	"fmt"
  	"os"
  	"os/exec"
++	"path/filepath"
  	"strings"
+ )
  // if a local branch or tag has diverged, git rejects the update instead of
  // overwriting local history.
  func FetchRemoteHeadsAndTags(ctx context.Context, gitDir, remoteURL string) error {
++	return fetchRemoteHeadsAndTags(ctx, gitDir, remoteURL, "")
++}
++
++// FetchRemoteHeadsAndTagsWithToken is the authenticated variant used by
++// GitHub imports for private repositories. The token is supplied through a
++// short-lived askpass helper, not embedded in the remote URL or git argv.
++func FetchRemoteHeadsAndTagsWithToken(ctx context.Context, gitDir, remoteURL, token string) error {
++	return fetchRemoteHeadsAndTags(ctx, gitDir, remoteURL, strings.TrimSpace(token))
++}
++
++func fetchRemoteHeadsAndTags(ctx context.Context, gitDir, remoteURL, token string) error {
  	if gitDir == "" {
  		return errors.New("git fetch: gitDir is required")
+ 	}
  	if strings.TrimSpace(remoteURL) == "" {
  		return errors.New("git fetch: remoteURL is required")
+ 	}
++	env := append(os.Environ(),
++		"GIT_CONFIG_NOSYSTEM=1",
++		"GIT_CONFIG_GLOBAL=/dev/null",
++		"GIT_CONFIG_XDG=/dev/null",
++		"GIT_TERMINAL_PROMPT=0",
++	)
++	if token != "" {
++		askpass, cleanup, err := writeAskpass(token)
++		if err != nil {
++			return err
++		}
++		defer cleanup()
++		env = append(env, "GIT_ASKPASS="+askpass)
++	}
  	//nolint:gosec // G204: gitDir is RepoFS-derived at call sites; remoteURL is caller-allowlisted and passed as argv, not shell.
  	cmd := exec.CommandContext(ctx, "git",
  		"-c", "protocol.ext.allow=never",
  		"refs/heads/*:refs/heads/*",
  		"refs/tags/*:refs/tags/*",
+ 	)
--	cmd.Env = append(os.Environ(),
++	cmd.Env = env
--		"GIT_CONFIG_NOSYSTEM=1",
--		"GIT_CONFIG_GLOBAL=/dev/null",
--		"GIT_CONFIG_XDG=/dev/null",
--	)
  	out, err := cmd.CombinedOutput()
  	if err != nil {
  		return fmt.Errorf("git fetch remote refs: %w (%s)", err, strings.TrimSpace(string(out)))
+ 	}
  	return nil
+ }
++
++func writeAskpass(token string) (path string, cleanup func(), err error) {
++	dir, err := os.MkdirTemp("", "shithub-git-askpass-*")
++	if err != nil {
++		return "", func() {}, fmt.Errorf("git fetch: askpass tempdir: %w", err)
++	}
++	cleanup = func() { _ = os.RemoveAll(dir) }
++	path = filepath.Join(dir, "askpass.sh")
++	body := "#!/bin/sh\n" +
++		"case \"$1\" in\n" +
++		"*Username*) printf '%s\\n' 'x-access-token' ;;\n" +
++		"*Password*) printf '%s\\n' " + shellQuote(token) + " ;;\n" +
++		"*) printf '\\n' ;;\n" +
++		"esac\n"
++	if err := os.WriteFile(path, []byte(body), 0o700); err != nil {
++		cleanup()
++		return "", func() {}, fmt.Errorf("git fetch: askpass write: %w", err)
++	}
++	return path, cleanup, nil
++}
++
++func shellQuote(s string) string {
++	return "'" + strings.ReplaceAll(s, "'", "'\"'\"'") + "'"
++}

internal/repos/queries/repos.sqlmodified

  WHERE id = $1;
  -- name: GetRepoOwnerUsernameByID :one
---- Returns the owner_username for a repo. Used by size-recalc and other
++-- Returns the owner slug for a repo. Used by size-recalc, indexing, and
---- jobs that need to derive the bare-repo on-disk path without round-
++-- other jobs that need the bare-repo on-disk path. Org-owned repos use the
---- tripping through the full user row.
++-- org slug in the same path position as user-owned repos.
--SELECT u.username AS owner_username, r.name AS repo_name
++SELECT COALESCE(u.username::varchar, o.slug::varchar) AS owner_username, r.name AS repo_name
  FROM repos r
--JOIN users u ON u.id = r.owner_user_id
++LEFT JOIN users u ON u.id = r.owner_user_id
++LEFT JOIN orgs o ON o.id = r.owner_org_id
  WHERE r.id = $1;
  -- name: GetRepoByOwnerUserAndName :one

internal/repos/source_remote.gomodified

  	"context"
  	"errors"
  	"fmt"
++	"log/slog"
  	"net/url"
  	"strings"
++	"time"
++	"github.com/jackc/pgx/v5/pgtype"
++	"github.com/jackc/pgx/v5/pgxpool"
++
++	"github.com/tenseleyFlow/shithub/internal/infra/storage"
++	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"
++	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/security/ssrf"
++	"github.com/tenseleyFlow/shithub/internal/worker"
+ )
  const MaxSourceRemoteURLLen = 2048
++const SourceRemoteFetchTimeout = 45 * time.Second
  var ErrInvalidSourceRemote = errors.New("repos: invalid source remote URL")
+ 	}
  	return normalized, nil
+ }
++
++// SourceRemoteDeps wires source-remote fetches. FetchToken is optional and
++// only used for private GitHub imports; it is not stored in repo_source_remotes.
++type SourceRemoteDeps struct {
++	Pool       *pgxpool.Pool
++	RepoFS     *storage.RepoFS
++	Logger     *slog.Logger
++	FetchToken string
++}
++
++// SaveSourceRemote validates and persists the credential-free source remote.
++func SaveSourceRemote(ctx context.Context, deps SourceRemoteDeps, repoID int64, rawURL string) (string, error) {
++	remoteURL, err := ValidateSourceRemoteURL(ctx, rawURL)
++	if err != nil || remoteURL == "" {
++		return remoteURL, err
++	}
++	_, err = reposdb.New().UpsertRepoSourceRemote(ctx, deps.Pool, reposdb.UpsertRepoSourceRemoteParams{
++		RepoID:    repoID,
++		RemoteUrl: remoteURL,
++	})
++	return remoteURL, err
++}
++
++// FetchSourceRemote imports public heads/tags from a configured source remote
++// and updates cached default-branch/index/size state.
++func FetchSourceRemote(ctx context.Context, deps SourceRemoteDeps, row reposdb.Repo, ownerSlug, remoteURL string) error {
++	remoteURL, err := ValidateSourceRemoteURL(ctx, remoteURL)
++	if err != nil {
++		MarkSourceRemoteFetchError(ctx, deps, row.ID, err)
++		return err
++	}
++	gitDir, err := deps.RepoFS.RepoPath(ownerSlug, row.Name)
++	if err != nil {
++		MarkSourceRemoteFetchError(ctx, deps, row.ID, err)
++		return err
++	}
++	fetchCtx, cancel := context.WithTimeout(ctx, SourceRemoteFetchTimeout)
++	defer cancel()
++	if strings.TrimSpace(deps.FetchToken) != "" {
++		err = repogit.FetchRemoteHeadsAndTagsWithToken(fetchCtx, gitDir, remoteURL, deps.FetchToken)
++	} else {
++		err = repogit.FetchRemoteHeadsAndTags(fetchCtx, gitDir, remoteURL)
++	}
++	if err != nil {
++		MarkSourceRemoteFetchError(ctx, deps, row.ID, err)
++		return err
++	}
++	if err := RefreshFetchedRepoState(ctx, deps, row, gitDir); err != nil {
++		MarkSourceRemoteFetchError(ctx, deps, row.ID, err)
++		return err
++	}
++	q := reposdb.New()
++	if err := q.MarkRepoSourceRemoteFetched(ctx, deps.Pool, row.ID); err != nil && deps.Logger != nil {
++		deps.Logger.WarnContext(ctx, "source-remote: mark fetched", "error", err, "repo_id", row.ID)
++	}
++	return nil
++}
++
++// RefreshFetchedRepoState reconciles the repo row after a source fetch.
++func RefreshFetchedRepoState(ctx context.Context, deps SourceRemoteDeps, row reposdb.Repo, gitDir string) error {
++	refs, err := repogit.ListRefs(ctx, gitDir)
++	if err != nil {
++		return err
++	}
++	branch, oid := ChooseFetchedDefaultBranch(row.DefaultBranch, refs.Branches)
++	if branch == "" {
++		return nil
++	}
++	q := reposdb.New()
++	if branch != row.DefaultBranch {
++		if err := q.UpdateRepoDefaultBranch(ctx, deps.Pool, reposdb.UpdateRepoDefaultBranchParams{
++			ID:            row.ID,
++			DefaultBranch: branch,
++		}); err != nil {
++			return err
++		}
++		if err := repogit.SetSymbolicRef(ctx, gitDir, "HEAD", "refs/heads/"+branch); err != nil && deps.Logger != nil {
++			deps.Logger.WarnContext(ctx, "source-remote: set symbolic head", "error", err, "repo_id", row.ID, "branch", branch)
++		}
++	}
++	if !row.DefaultBranchOid.Valid || row.DefaultBranchOid.String != oid {
++		if err := q.UpdateRepoDefaultBranchOID(ctx, deps.Pool, reposdb.UpdateRepoDefaultBranchOIDParams{
++			ID:               row.ID,
++			DefaultBranchOid: pgtype.Text{String: oid, Valid: true},
++		}); err != nil {
++			return err
++		}
++		if _, err := worker.Enqueue(ctx, deps.Pool, worker.KindRepoIndexCode, map[string]any{"repo_id": row.ID}, worker.EnqueueOptions{}); err != nil && deps.Logger != nil {
++			deps.Logger.WarnContext(ctx, "source-remote: enqueue index", "error", err, "repo_id", row.ID)
++		}
++	}
++	if _, err := worker.Enqueue(ctx, deps.Pool, worker.KindRepoSizeRecalc, map[string]any{"repo_id": row.ID}, worker.EnqueueOptions{}); err != nil && deps.Logger != nil {
++		deps.Logger.WarnContext(ctx, "source-remote: enqueue size", "error", err, "repo_id", row.ID)
++	}
++	_ = worker.Notify(ctx, deps.Pool)
++	return nil
++}
++
++// ChooseFetchedDefaultBranch mirrors GitHub import behavior: keep the current
++// default if present, otherwise prefer trunk/main/master before falling back to
++// the first fetched branch.
++func ChooseFetchedDefaultBranch(current string, branches []repogit.RefEntry) (name, oid string) {
++	if len(branches) == 0 {
++		return "", ""
++	}
++	for _, candidate := range []string{current, "trunk", "main", "master"} {
++		if candidate == "" {
++			continue
++		}
++		for _, branch := range branches {
++			if branch.Name == candidate {
++				return branch.Name, branch.OID
++			}
++		}
++	}
++	return branches[0].Name, branches[0].OID
++}
++
++// MarkSourceRemoteFetchError stores the latest source-fetch failure without
++// leaking credentials; callers pass credential-free remote URLs.
++func MarkSourceRemoteFetchError(ctx context.Context, deps SourceRemoteDeps, repoID int64, err error) {
++	if err == nil {
++		return
++	}
++	msg := strings.TrimSpace(err.Error())
++	if len(msg) > 500 {
++		msg = msg[:500]
++	}
++	if markErr := reposdb.New().MarkRepoSourceRemoteFetchError(ctx, deps.Pool, reposdb.MarkRepoSourceRemoteFetchErrorParams{
++		RepoID:    repoID,
++		LastError: pgtype.Text{String: msg, Valid: true},
++	}); markErr != nil && deps.Logger != nil {
++		deps.Logger.WarnContext(ctx, "source-remote: mark fetch error", "error", markErr, "cause", err, "repo_id", repoID)
++	}
++}
++
++func IsInvalidSourceRemote(err error) bool {
++	return errors.Is(err, ErrInvalidSourceRemote)
++}

internal/repos/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/repos/sqlc/querier.gomodified

  	// O(1) cost the user-side path enjoys.
  	GetRepoByOwnerOrgAndName(ctx context.Context, db DBTX, arg GetRepoByOwnerOrgAndNameParams) (Repo, error)
  	GetRepoByOwnerUserAndName(ctx context.Context, db DBTX, arg GetRepoByOwnerUserAndNameParams) (Repo, error)
--	// Returns the owner_username for a repo. Used by size-recalc and other
++	// Returns the owner slug for a repo. Used by size-recalc, indexing, and
--	// jobs that need to derive the bare-repo on-disk path without round-
++	// other jobs that need the bare-repo on-disk path. Org-owned repos use the
--	// tripping through the full user row.
++	// org slug in the same path position as user-owned repos.
  	GetRepoOwnerUsernameByID(ctx context.Context, db DBTX, id int64) (GetRepoOwnerUsernameByIDRow, error)
  	// SPDX-License-Identifier: AGPL-3.0-or-later
  	GetRepoSourceRemote(ctx context.Context, db DBTX, repoID int64) (RepoSourceRemote, error)

internal/repos/sqlc/repos.sql.gomodified

+ }
  const getRepoOwnerUsernameByID = `-- name: GetRepoOwnerUsernameByID :one
--SELECT u.username AS owner_username, r.name AS repo_name
++SELECT COALESCE(u.username::varchar, o.slug::varchar) AS owner_username, r.name AS repo_name
  FROM repos r
--JOIN users u ON u.id = r.owner_user_id
++LEFT JOIN users u ON u.id = r.owner_user_id
++LEFT JOIN orgs o ON o.id = r.owner_org_id
  WHERE r.id = $1
+ `
  type GetRepoOwnerUsernameByIDRow struct {
--	OwnerUsername string
++	OwnerUsername interface{}
  	RepoName      string
+ }
--// Returns the owner_username for a repo. Used by size-recalc and other
++// Returns the owner slug for a repo. Used by size-recalc, indexing, and
--// jobs that need to derive the bare-repo on-disk path without round-
++// other jobs that need the bare-repo on-disk path. Org-owned repos use the
--// tripping through the full user row.
++// org slug in the same path position as user-owned repos.
  func (q *Queries) GetRepoOwnerUsernameByID(ctx context.Context, db DBTX, id int64) (GetRepoOwnerUsernameByIDRow, error) {
  	row := db.QueryRow(ctx, getRepoOwnerUsernameByID, id)
  	var i GetRepoOwnerUsernameByIDRow

internal/social/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/users/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/web/handlers/repo/source_remote.gomodified

  import (
  	"context"
--	"errors"
--	"strings"
--	"time"
--
--	"github.com/jackc/pgx/v5/pgtype"
  	"github.com/tenseleyFlow/shithub/internal/repos"
  	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
--	"github.com/tenseleyFlow/shithub/internal/worker"
+ )
--const sourceRemoteFetchTimeout = 45 * time.Second
--
  func (h *Handlers) saveRepoSourceRemote(ctx context.Context, repoID int64, rawURL string) (string, error) {
--	remoteURL, err := repos.ValidateSourceRemoteURL(ctx, rawURL)
++	return repos.SaveSourceRemote(ctx, h.sourceRemoteDeps(""), repoID, rawURL)
--	if err != nil || remoteURL == "" {
--		return remoteURL, err
--	}
--	_, err = h.rq.UpsertRepoSourceRemote(ctx, h.d.Pool, reposdb.UpsertRepoSourceRemoteParams{
--		RepoID:    repoID,
--		RemoteUrl: remoteURL,
--	})
--	return remoteURL, err
+ }
  func (h *Handlers) fetchRepoSourceRemote(ctx context.Context, row reposdb.Repo, ownerSlug, remoteURL string) error {
--	remoteURL, err := repos.ValidateSourceRemoteURL(ctx, remoteURL)
++	return repos.FetchSourceRemote(ctx, h.sourceRemoteDeps(""), row, ownerSlug, remoteURL)
--	if err != nil {
--		h.markRepoSourceRemoteFetchError(ctx, row.ID, err)
--		return err
--	}
--	gitDir, err := h.d.RepoFS.RepoPath(ownerSlug, row.Name)
--	if err != nil {
--		h.markRepoSourceRemoteFetchError(ctx, row.ID, err)
--		return err
--	}
--	fetchCtx, cancel := context.WithTimeout(ctx, sourceRemoteFetchTimeout)
--	defer cancel()
--	if err := repogit.FetchRemoteHeadsAndTags(fetchCtx, gitDir, remoteURL); err != nil {
--		h.markRepoSourceRemoteFetchError(ctx, row.ID, err)
--		return err
--	}
--	if err := h.refreshFetchedRepoState(ctx, row, gitDir); err != nil {
--		h.markRepoSourceRemoteFetchError(ctx, row.ID, err)
--		return err
--	}
--	if err := h.rq.MarkRepoSourceRemoteFetched(ctx, h.d.Pool, row.ID); err != nil && h.d.Logger != nil {
--		h.d.Logger.WarnContext(ctx, "source-remote: mark fetched", "error", err, "repo_id", row.ID)
--	}
--	return nil
+ }
  func (h *Handlers) refreshFetchedRepoState(ctx context.Context, row reposdb.Repo, gitDir string) error {
--	refs, err := repogit.ListRefs(ctx, gitDir)
++	return repos.RefreshFetchedRepoState(ctx, h.sourceRemoteDeps(""), row, gitDir)
--	if err != nil {
--		return err
--	}
--	branch, oid := chooseFetchedDefaultBranch(row.DefaultBranch, refs.Branches)
--	if branch == "" {
--		return nil
--	}
--	if branch != row.DefaultBranch {
--		if err := h.rq.UpdateRepoDefaultBranch(ctx, h.d.Pool, reposdb.UpdateRepoDefaultBranchParams{
--			ID:            row.ID,
--			DefaultBranch: branch,
--		}); err != nil {
--			return err
--		}
--		if err := repogit.SetSymbolicRef(ctx, gitDir, "HEAD", "refs/heads/"+branch); err != nil && h.d.Logger != nil {
--			h.d.Logger.WarnContext(ctx, "source-remote: set symbolic head", "error", err, "repo_id", row.ID, "branch", branch)
--		}
--	}
--	if !row.DefaultBranchOid.Valid || row.DefaultBranchOid.String != oid {
--		if err := h.rq.UpdateRepoDefaultBranchOID(ctx, h.d.Pool, reposdb.UpdateRepoDefaultBranchOIDParams{
--			ID:               row.ID,
--			DefaultBranchOid: pgtype.Text{String: oid, Valid: true},
--		}); err != nil {
--			return err
--		}
--		if _, err := worker.Enqueue(ctx, h.d.Pool, worker.KindRepoIndexCode, map[string]any{"repo_id": row.ID}, worker.EnqueueOptions{}); err != nil && h.d.Logger != nil {
--			h.d.Logger.WarnContext(ctx, "source-remote: enqueue index", "error", err, "repo_id", row.ID)
--		}
--	}
--	if _, err := worker.Enqueue(ctx, h.d.Pool, worker.KindRepoSizeRecalc, map[string]any{"repo_id": row.ID}, worker.EnqueueOptions{}); err != nil && h.d.Logger != nil {
--		h.d.Logger.WarnContext(ctx, "source-remote: enqueue size", "error", err, "repo_id", row.ID)
--	}
--	_ = worker.Notify(ctx, h.d.Pool)
--	return nil
+ }
  func chooseFetchedDefaultBranch(current string, branches []repogit.RefEntry) (name, oid string) {
--	if len(branches) == 0 {
++	return repos.ChooseFetchedDefaultBranch(current, branches)
--		return "", ""
--	}
--	for _, candidate := range []string{current, "trunk", "main", "master"} {
--		if candidate == "" {
--			continue
--		}
--		for _, branch := range branches {
--			if branch.Name == candidate {
--				return branch.Name, branch.OID
--			}
--		}
--	}
--	return branches[0].Name, branches[0].OID
+ }
  func (h *Handlers) markRepoSourceRemoteFetchError(ctx context.Context, repoID int64, err error) {
--	if err == nil {
++	repos.MarkSourceRemoteFetchError(ctx, h.sourceRemoteDeps(""), repoID, err)
--		return
--	}
--	msg := strings.TrimSpace(err.Error())
--	if len(msg) > 500 {
--		msg = msg[:500]
--	}
--	if markErr := h.rq.MarkRepoSourceRemoteFetchError(ctx, h.d.Pool, reposdb.MarkRepoSourceRemoteFetchErrorParams{
--		RepoID:    repoID,
--		LastError: pgtype.Text{String: msg, Valid: true},
--	}); markErr != nil && h.d.Logger != nil {
--		h.d.Logger.WarnContext(ctx, "source-remote: mark fetch error", "error", markErr, "cause", err, "repo_id", repoID)
--	}
+ }
  func isInvalidSourceRemote(err error) bool {
--	return errors.Is(err, repos.ErrInvalidSourceRemote)
++	return repos.IsInvalidSourceRemote(err)
++}
++
++func (h *Handlers) sourceRemoteDeps(token string) repos.SourceRemoteDeps {
++	return repos.SourceRemoteDeps{
++		Pool:       h.d.Pool,
++		RepoFS:     h.d.RepoFS,
++		Logger:     h.d.Logger,
++		FetchToken: token,
++	}
+ }

internal/webhook/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/worker/jobs/org_github_import.goadded

++// SPDX-License-Identifier: AGPL-3.0-or-later
++
++package jobs
++
++import (
++	"context"
++	"encoding/json"
++	"errors"
++	"fmt"
++	"log/slog"
++	"strings"
++
++	"github.com/jackc/pgx/v5"
++	"github.com/jackc/pgx/v5/pgtype"
++	"github.com/jackc/pgx/v5/pgxpool"
++
++	"github.com/tenseleyFlow/shithub/internal/auth/audit"
++	"github.com/tenseleyFlow/shithub/internal/auth/secretbox"
++	"github.com/tenseleyFlow/shithub/internal/auth/throttle"
++	"github.com/tenseleyFlow/shithub/internal/infra/storage"
++	"github.com/tenseleyFlow/shithub/internal/orgs"
++	orgsdb "github.com/tenseleyFlow/shithub/internal/orgs/sqlc"
++	"github.com/tenseleyFlow/shithub/internal/repos"
++	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
++	"github.com/tenseleyFlow/shithub/internal/worker"
++)
++
++type OrgGitHubImportDeps struct {
++	Pool         *pgxpool.Pool
++	RepoFS       *storage.RepoFS
++	Box          *secretbox.Box
++	Audit        *audit.Recorder
++	Limiter      *throttle.Limiter
++	Logger       *slog.Logger
++	ShithubdPath string
++	GitHubClient orgs.GitHubClient
++}
++
++type OrgGitHubImportDiscoverPayload struct {
++	ImportID int64 `json:"import_id"`
++}
++
++type OrgGitHubImportRepoPayload struct {
++	ImportRepoID int64 `json:"import_repo_id"`
++}
++
++func OrgGitHubImportDiscover(deps OrgGitHubImportDeps) worker.Handler {
++	return func(ctx context.Context, raw json.RawMessage) error {
++		var p OrgGitHubImportDiscoverPayload
++		if err := json.Unmarshal(raw, &p); err != nil {
++			return worker.PoisonError(fmt.Errorf("bad payload: %w", err))
++		}
++		if p.ImportID == 0 {
++			return worker.PoisonError(errors.New("missing import_id"))
++		}
++
++		q := orgsdb.New()
++		imp, err := q.GetOrgGithubImport(ctx, deps.Pool, p.ImportID)
++		if err != nil {
++			if errors.Is(err, pgx.ErrNoRows) {
++				return worker.PoisonError(fmt.Errorf("import %d not found", p.ImportID))
++			}
++			return err
++		}
++		if orgs.IsTerminalImportStatus(imp.Status) {
++			return nil
++		}
++		token, err := orgs.DecryptGitHubImportToken(imp, deps.Box)
++		if err != nil {
++			_ = markImportFailed(ctx, deps, imp.ID, err)
++			return worker.PoisonError(err)
++		}
++		if err := q.MarkOrgGithubImportDiscovering(ctx, deps.Pool, imp.ID); err != nil {
++			return err
++		}
++		ghRepos, err := deps.GitHubClient.ListOrgRepos(ctx, imp.SourceOrg, token)
++		if err != nil {
++			_ = markImportFailed(ctx, deps, imp.ID, err)
++			return nil
++		}
++
++		tx, err := deps.Pool.Begin(ctx)
++		if err != nil {
++			return err
++		}
++		committed := false
++		defer func() {
++			if !committed {
++				_ = tx.Rollback(ctx)
++			}
++		}()
++
++		for _, gh := range ghRepos {
++			targetName := repos.NormalizeName(gh.Name)
++			visibility := orgsdb.RepoVisibilityPublic
++			if gh.Private {
++				visibility = orgsdb.RepoVisibilityPrivate
++			}
++			row, err := q.InsertOrgGithubImportRepo(ctx, tx, orgsdb.InsertOrgGithubImportRepoParams{
++				ImportID:         imp.ID,
++				GithubID:         pgtype.Int8{Int64: gh.ID, Valid: gh.ID != 0},
++				SourceFullName:   fallbackFullName(imp.SourceOrg, gh),
++				SourceName:       strings.TrimSpace(gh.Name),
++				TargetName:       targetName,
++				CloneUrl:         strings.TrimSpace(gh.CloneURL),
++				Description:      truncateRunes(gh.Description, repos.MaxDescriptionLen),
++				DefaultBranch:    strings.TrimSpace(gh.DefaultBranch),
++				TargetVisibility: visibility,
++				IsPrivate:        gh.Private,
++				IsFork:           gh.Fork,
++			})
++			if err != nil {
++				return err
++			}
++			if _, err := worker.Enqueue(ctx, tx, worker.KindOrgGitHubImportRepo, OrgGitHubImportRepoPayload{
++				ImportRepoID: row.ID,
++			}, worker.EnqueueOptions{}); err != nil {
++				return err
++			}
++		}
++		if len(ghRepos) == 0 {
++			if err := q.MarkOrgGithubImportCompleted(ctx, tx, imp.ID); err != nil {
++				return err
++			}
++		} else if err := q.MarkOrgGithubImportImporting(ctx, tx, orgsdb.MarkOrgGithubImportImportingParams{
++			ID:         imp.ID,
++			TotalCount: int32(len(ghRepos)),
++		}); err != nil {
++			return err
++		}
++		if err := worker.Notify(ctx, tx); err != nil && deps.Logger != nil {
++			deps.Logger.WarnContext(ctx, "github import: notify children", "error", err, "import_id", imp.ID)
++		}
++		if err := tx.Commit(ctx); err != nil {
++			return err
++		}
++		committed = true
++		return nil
++	}
++}
++
++func OrgGitHubImportRepo(deps OrgGitHubImportDeps) worker.Handler {
++	return func(ctx context.Context, raw json.RawMessage) error {
++		var p OrgGitHubImportRepoPayload
++		if err := json.Unmarshal(raw, &p); err != nil {
++			return worker.PoisonError(fmt.Errorf("bad payload: %w", err))
++		}
++		if p.ImportRepoID == 0 {
++			return worker.PoisonError(errors.New("missing import_repo_id"))
++		}
++
++		q := orgsdb.New()
++		rq := reposdb.New()
++		item, err := q.GetOrgGithubImportRepo(ctx, deps.Pool, p.ImportRepoID)
++		if err != nil {
++			if errors.Is(err, pgx.ErrNoRows) {
++				return worker.PoisonError(fmt.Errorf("import repo %d not found", p.ImportRepoID))
++			}
++			return err
++		}
++		if orgs.IsTerminalImportRepoStatus(item.Status) {
++			return nil
++		}
++		imp, err := q.GetOrgGithubImport(ctx, deps.Pool, item.ImportID)
++		if err != nil {
++			return err
++		}
++		if orgs.IsTerminalImportStatus(imp.Status) {
++			return nil
++		}
++		org, err := q.GetOrgByID(ctx, deps.Pool, imp.OrgID)
++		if err != nil {
++			return err
++		}
++		if org.DeletedAt.Valid {
++			if err := markImportRepoFailed(ctx, q, deps.Pool, item.ID, 0, "Organization was deleted during import."); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++		if err := q.MarkOrgGithubImportRepoImporting(ctx, deps.Pool, item.ID); err != nil {
++			return err
++		}
++
++		if err := repos.ValidateName(item.TargetName); err != nil {
++			if err := markImportRepoFailed(ctx, q, deps.Pool, item.ID, 0, friendlyRepoImportError(err)); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++		exists, err := rq.ExistsRepoForOwnerOrg(ctx, deps.Pool, reposdb.ExistsRepoForOwnerOrgParams{
++			OwnerOrgID: pgtype.Int8{Int64: org.ID, Valid: true},
++			Name:       item.TargetName,
++		})
++		if err != nil {
++			return err
++		}
++		if exists {
++			if err := q.MarkOrgGithubImportRepoSkipped(ctx, deps.Pool, orgsdb.MarkOrgGithubImportRepoSkippedParams{
++				ID:        item.ID,
++				LastError: pgtype.Text{String: "Repository already exists in this organization.", Valid: true},
++			}); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++
++		token, err := orgs.DecryptGitHubImportToken(imp, deps.Box)
++		if err != nil {
++			if err := markImportRepoFailed(ctx, q, deps.Pool, item.ID, 0, err.Error()); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++		if item.IsPrivate && token == "" {
++			if err := markImportRepoFailed(ctx, q, deps.Pool, item.ID, 0, "GitHub token unavailable for private repository."); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++
++		result, err := repos.Create(ctx, repos.Deps{
++			Pool:         deps.Pool,
++			RepoFS:       deps.RepoFS,
++			Audit:        deps.Audit,
++			Limiter:      deps.Limiter,
++			Logger:       deps.Logger,
++			ShithubdPath: deps.ShithubdPath,
++		}, repos.Params{
++			OwnerOrgID:            org.ID,
++			OwnerSlug:             string(org.Slug),
++			ActorUserID:           int64Value(imp.RequestedByUserID),
++			BypassCreateRateLimit: true,
++			Name:                  item.TargetName,
++			Description:           item.Description,
++			Visibility:            string(item.TargetVisibility),
++		})
++		if err != nil {
++			if errors.Is(err, repos.ErrTaken) {
++				if err := q.MarkOrgGithubImportRepoSkipped(ctx, deps.Pool, orgsdb.MarkOrgGithubImportRepoSkippedParams{
++					ID:        item.ID,
++					LastError: pgtype.Text{String: "Repository already exists in this organization.", Valid: true},
++				}); err != nil {
++					return err
++				}
++				return completeImportIfDone(ctx, deps, imp.ID)
++			}
++			if err := markImportRepoFailed(ctx, q, deps.Pool, item.ID, 0, friendlyRepoImportError(err)); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++
++		remoteURL, err := repos.SaveSourceRemote(ctx, sourceRemoteDeps(deps, token), result.Repo.ID, item.CloneUrl)
++		if err != nil {
++			if err := markImportRepoFailed(ctx, q, deps.Pool, item.ID, result.Repo.ID, friendlyRepoImportError(err)); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++		if err := repos.FetchSourceRemote(ctx, sourceRemoteDeps(deps, token), result.Repo, string(org.Slug), remoteURL); err != nil {
++			if err := markImportRepoFailed(ctx, q, deps.Pool, item.ID, result.Repo.ID, friendlyRepoImportError(err)); err != nil {
++				return err
++			}
++			return completeImportIfDone(ctx, deps, imp.ID)
++		}
++		if err := q.MarkOrgGithubImportRepoImported(ctx, deps.Pool, orgsdb.MarkOrgGithubImportRepoImportedParams{
++			ID:     item.ID,
++			RepoID: pgtype.Int8{Int64: result.Repo.ID, Valid: true},
++		}); err != nil {
++			return err
++		}
++		return completeImportIfDone(ctx, deps, imp.ID)
++	}
++}
++
++func sourceRemoteDeps(deps OrgGitHubImportDeps, token string) repos.SourceRemoteDeps {
++	return repos.SourceRemoteDeps{
++		Pool:       deps.Pool,
++		RepoFS:     deps.RepoFS,
++		Logger:     deps.Logger,
++		FetchToken: token,
++	}
++}
++
++func markImportFailed(ctx context.Context, deps OrgGitHubImportDeps, importID int64, err error) error {
++	msg := friendlyRepoImportError(err)
++	return orgsdb.New().MarkOrgGithubImportFailed(ctx, deps.Pool, orgsdb.MarkOrgGithubImportFailedParams{
++		ID:        importID,
++		LastError: pgtype.Text{String: msg, Valid: true},
++	})
++}
++
++func markImportRepoFailed(ctx context.Context, q *orgsdb.Queries, db orgsdb.DBTX, itemID, repoID int64, msg string) error {
++	if strings.TrimSpace(msg) == "" {
++		msg = "Import failed."
++	}
++	return q.MarkOrgGithubImportRepoFailed(ctx, db, orgsdb.MarkOrgGithubImportRepoFailedParams{
++		ID:        itemID,
++		LastError: pgtype.Text{String: truncateRunes(msg, 500), Valid: true},
++		RepoID:    pgtype.Int8{Int64: repoID, Valid: repoID != 0},
++	})
++}
++
++func completeImportIfDone(ctx context.Context, deps OrgGitHubImportDeps, importID int64) error {
++	_, err := orgsdb.New().MarkOrgGithubImportCompletedIfDone(ctx, deps.Pool, importID)
++	if errors.Is(err, pgx.ErrNoRows) {
++		return nil
++	}
++	return err
++}
++
++func fallbackFullName(sourceOrg string, repo orgs.GitHubRepo) string {
++	if strings.TrimSpace(repo.FullName) != "" {
++		return strings.TrimSpace(repo.FullName)
++	}
++	return sourceOrg + "/" + strings.TrimSpace(repo.Name)
++}
++
++func truncateRunes(s string, max int) string {
++	if max <= 0 {
++		return ""
++	}
++	runes := []rune(strings.TrimSpace(s))
++	if len(runes) <= max {
++		return string(runes)
++	}
++	return string(runes[:max])
++}
++
++func friendlyRepoImportError(err error) string {
++	if err == nil {
++		return ""
++	}
++	msg := strings.TrimSpace(err.Error())
++	if msg == "" {
++		return "Import failed."
++	}
++	return truncateRunes(msg, 500)
++}
++
++func int64Value(v pgtype.Int8) int64 {
++	if !v.Valid {
++		return 0
++	}
++	return v.Int64
++}

internal/worker/jobs/repo_index_code.gomodified

  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"
  	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
--	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/worker"
  )
  		}
  		rq := reposdb.New()
--		uq := usersdb.New()
  		repo, err := rq.GetRepoByID(ctx, deps.Pool, p.RepoID)
  		if err != nil {
  			if errors.Is(err, pgx.ErrNoRows) {
  			// Repo went away between enqueue and now. Nothing to do.
  			return nil
  		}
--		if !repo.OwnerUserID.Valid {
++		owner, err := rq.GetRepoOwnerUsernameByID(ctx, deps.Pool, repo.ID)
--			return worker.PoisonError(fmt.Errorf("repo %d has no user owner (org-owned arrives in S31)", repo.ID))
++		if err != nil {
++			return err
  		}
--		owner, err := uq.GetUserByID(ctx, deps.Pool, repo.OwnerUserID.Int64)
++		ownerSlug, err := ownerSlugString(owner.OwnerUsername)
  		if err != nil {
  			return err
  		}
--		gitDir, err := deps.RepoFS.RepoPath(owner.Username, repo.Name)
++		gitDir, err := deps.RepoFS.RepoPath(ownerSlug, repo.Name)
  		if err != nil {
  			return err
  		}

internal/worker/jobs/repo_owner_slug.goadded

++// SPDX-License-Identifier: AGPL-3.0-or-later
++
++package jobs
++
++import "fmt"
++
++func ownerSlugString(v any) (string, error) {
++	switch s := v.(type) {
++	case string:
++		return s, nil
++	case []byte:
++		return string(s), nil
++	default:
++		return "", fmt.Errorf("unexpected owner slug type %T", v)
++	}
++}

internal/worker/jobs/repo_size_recalc.gomodified

  			return fmt.Errorf("load repo: %w", err)
+ 		}
--		gitDir, err := deps.RepoFS.RepoPath(ownerRow.OwnerUsername, ownerRow.RepoName)
++		ownerSlug, err := ownerSlugString(ownerRow.OwnerUsername)
++		if err != nil {
++			return worker.PoisonError(fmt.Errorf("repo owner slug: %w", err))
++		}
++		gitDir, err := deps.RepoFS.RepoPath(ownerSlug, ownerRow.RepoName)
  		if err != nil {
  			return worker.PoisonError(fmt.Errorf("repo path: %w", err))
+ 		}

internal/worker/sqlc/models.gomodified

  	UpdatedAt             pgtype.Timestamptz
+ }
++type OrgGithubImport struct {
++	ID                int64
++	OrgID             int64
++	SourceHost        string
++	SourceOrg         string
++	RequestedByUserID pgtype.Int8
++	Status            string
++	IncludePrivate    bool
++	TokenPresent      bool
++	TokenCiphertext   []byte
++	TokenNonce        []byte
++	TotalCount        int32
++	LastError         pgtype.Text
++	StartedAt         pgtype.Timestamptz
++	CompletedAt       pgtype.Timestamptz
++	CreatedAt         pgtype.Timestamptz
++	UpdatedAt         pgtype.Timestamptz
++}
++
++type OrgGithubImportRepo struct {
++	ID               int64
++	ImportID         int64
++	GithubID         pgtype.Int8
++	SourceFullName   string
++	SourceName       string
++	TargetName       string
++	CloneUrl         string
++	Description      string
++	DefaultBranch    string
++	TargetVisibility RepoVisibility
++	IsPrivate        bool
++	IsFork           bool
++	Status           string
++	RepoID           pgtype.Int8
++	LastError        pgtype.Text
++	StartedAt        pgtype.Timestamptz
++	CompletedAt      pgtype.Timestamptz
++	CreatedAt        pgtype.Timestamptz
++	UpdatedAt        pgtype.Timestamptz
++}
++
  type OrgInvitation struct {
  	ID              int64
  	OrgID           int64

internal/worker/types.gomodified

  	KindTrendingCompute Kind = "trending:compute"
+ )
++// Organization import kinds. The discovery job lists GitHub repositories
++// and fans out one child job per repository so large organizations can
++// progress incrementally.
++const (
++	KindOrgGitHubImportDiscover Kind = "org:github_import_discover"
++	KindOrgGitHubImportRepo     Kind = "org:github_import_repo"
++)
++
  // NotifyChannel is the Postgres LISTEN/NOTIFY channel the pool subscribes
  // to so it wakes up immediately when a job is enqueued, instead of
  // polling. Callers wrapping enqueue in a tx must NOTIFY inside the

tenseleyflow/shithub / `c96e2b4`

33 changed files