tenseleyflow/shithub / ca28f68

+# Architecture

+

+A bird's-eye view of how shithub fits together. For depth on any

+one subsystem, see the linked per-area doc.

+

+## Process model

+

+One Go binary, three roles:

+

+- `shithubd web` — the HTTP server. Renders the UI, serves

+  `/api/v1/`, handles git over HTTPS.

+- `shithubd worker` — pulls from the Postgres-backed job queue.

+  Owns webhook delivery, notification fan-out, async fan-out,

+  search reindex.

+- `shithubd cron` — periodic chores (lifecycle sweeps, queue

+  janitor, webhook purge). Triggered by a systemd timer; one-shot.

+

+All three read the same config and the same DB. They differ only

+in which `cmd/shithubd/<role>.go` they boot into.

+

+Plus a small admin/operator CLI surface (`shithubd admin …`,

+`shithubd migrate …`, `shithubd config …`, `shithubd hook …`)

+that runs as one-shot subprocesses.

+

+## Layered packages

+

+```

+                 +------------------------+

+HTTP request --> | internal/web/handlers  | Per-area handlers (auth, repo, …)

+                 +------------------------+

+                            |

+                 +------------------------+

+                 | internal/web/render    | html/template + helpers

+                 | internal/web/middleware| auth, csrf, ratelimit, body cap

+                 +------------------------+

+                            |

+                 +------------------------+

+                 | internal/<domain>      | repos, issues, pulls, orgs, …

+                 +------------------------+

+                            |

+                 +------------------------+

+                 | internal/auth/policy   | the only place "can X do Y" lives

+                 +------------------------+

+                            |

+                 +------------------------+

+                 | internal/<domain>/sqlc | sqlc-generated DB code

+                 +------------------------+

+                            |

+                          Postgres

+```

+

+Cross-cutting:

+

+- `internal/markdown` — sole renderer for user-authored markdown.

+  Lint-enforced: nothing outside this package may import goldmark

+  or bluemonday.

+- `internal/security/{ssrf,openredirect}` — outbound HTTP defense

+  + redirect validation.

+- `internal/cache/lru` — generic LRU + singleflight.

+- `internal/pagination/keyset` — cursor pagination with

+  HMAC-signed cursors.

+- `internal/webhook` — outbound webhook delivery + signing.

+

+## Request lifecycle (web)

+

+1. Caddy terminates TLS, forwards to `127.0.0.1:8080`.

+2. The chi router matches the route. Middleware stack on every

+   request:

+   - Request ID + access log

+   - `OptionalUser` (resolves session cookie or anon)

+   - CSRF (nosurf-derived) — enabled by default; `/api/v1/` and

+     git transports are explicit exemptions

+   - Rate limit (per-IP for anon, per-user for logged-in on hot

+     paths)

+3. Auth-gated routes have `RequireUser` or `RequireSiteAdmin`

+   middleware in their group.

+4. The handler resolves the domain object, calls `policy.Can(...)`

+   to authorize the action, executes, renders.

+5. Templates render through `internal/web/render`. Markdown bodies

+   pass through `internal/markdown` for sanitization.

+

+## Request lifecycle (API)

+

+`/api/v1/*` is under a CSRF-exempt group with PAT auth:

+

+1. `MaxBodySize` cap (256 KiB).

+2. `PATAuthMiddleware` — resolves token to user; 401 on missing,

+   403 on insufficient scope.

+3. Per-route `RequireScope` checks the specific scope.

+4. Handler runs.

+

+## Data flow: a push

+

+```

+   git client

+       |

+       v   git-receive-pack POST

+   web service ──> shithubd hook pre-receive ──> Postgres (auth check)

+       |                          |

+       |              <── decision (accept/reject)

+       v                          |

+   accept push,                   v

+   write to /data/repos    INSERT push_events (shithub_hook role)

+                                  |

+                                  v

+                          INSERT jobs (search reindex, notify, ...)

+                                  |

+                                  v

+                          worker picks up job (FOR UPDATE SKIP LOCKED)

+                                  |

+                                  v

+                          fan-out (webhooks, notifications, search)

+```

+

+The `shithub_hook` role has minimum-needed grants

+(`docs/internal/db-roles.md`). The web role can do everything

+the runtime needs but is intentionally separate from the migration

+role used at deploy time.

+

+## Deployment topology

+

+```

+                +----------------------------+

+   public --->  |  Caddy (TLS, rate limits)  |  :443

+                +----------------------------+

+                       |  127.0.0.1:8080

+                +----------------------------+

+                |  shithubd web (systemd)    |

+                |  shithubd worker (systemd) |

+                |  shithubd cron  (timer)    |

+                +----------------------------+

+                       |

+                +-----------+         +-----------------+

+                | Postgres  |         | Spaces (S3)     |

+                +-----------+         | - WAL archive   |

+                                      | - daily dumps   |

+                                      | - LFS / blobs   |

+                                      +-----------------+

+                       \                    /

+                        \      WireGuard mesh (10.50.0.0/24)

+                         \________ ________/

+                                  |

+                          +----------------+

+                          |  Monitoring    |

+                          |  Prom/Loki/AM  |

+                          |  Grafana       |

+                          +----------------+

+```

+

+Monitoring is on the WireGuard mesh; metrics ports never face the

+public internet. See [deploy.md](./deploy.md) for the full

+operator guide.

+

+## Observability

+

+Three independent channels:

+

+- **Structured logs** (`internal/infra/log`) → stdout → journald

+  → promtail → Loki.

+- **Metrics** (Prometheus) at `/metrics`, basic-auth gated in

+  prod.

+- **Tracing** (OTel HTTP) optional, sample-rate controlled.

+- **Error reporting** (Sentry-protocol DSN, GlitchTip-compatible).

+

+See [observability.md](./observability.md).

+

+## What's deliberately not here

+

+- **No microservices.** One binary per role; everything else is

+  premature.

+- **No background ETL pipeline.** Work that doesn't fit a job-row

+  shape doesn't exist yet; if it does, add it as a new job kind

+  rather than a new daemon.

+- **No message bus.** Postgres LISTEN/NOTIFY suffices for the

+  intra-process signaling we need.

+- **No Redis.** The LRU + singleflight cache is in-process; if a

+  shared cache becomes necessary, the seam is `internal/cache`

+  and we'd swap in a Redis-backed implementation behind the same

+  interface.

+

+## Where to read next

+

+- New to the code: [code-tab.md](./code-tab.md) walks how a single

+  request flows end-to-end on the most-traveled page.

+- New to ops: [deploy.md](./deploy.md), then

+  [runbooks/](./runbooks/).

+- New to security: [threat-model.md](./threat-model.md) +

+  [security-checklist.md](./security-checklist.md).

+# Internal docs index

+

+These docs live next to the code; they're for the people running

+shithub the project (operators + contributors). The public-facing

+subset is mirrored under `docs/public/` and built into the docs

+site.

+

+> **Convention.** Internal docs answer "why" and link to the

+> code. Public docs answer "how do I" and explain only what a

+> user/operator needs.

+

+## Architecture & wiring

+

+- [architecture.md](./architecture.md) — system overview, request

+  lifecycle, data flow, deployment topology.

+- [config.md](./config.md) — config loader, key reference, secrets

+  handling.

+- [db.md](./db.md) — schema overview, migration tooling.

+- [db-indexes.md](./db-indexes.md) — index catalog with the

+  rationale per index.

+- [db-roles.md](./db-roles.md) — Postgres role/grant scheme.

+- [observability.md](./observability.md) — logging, tracing,

+  metrics, error reporting.

+- [storage.md](./storage.md) — bare-repo + object store.

+- [worker.md](./worker.md) — job queue + handlers.

+- [caching.md](./caching.md) — LRU + singleflight + cache

+  invariants.

+- [bench.md](./bench.md) — bench harness usage + N+1 audit

+  pattern.

+

+## Auth & security

+

+- [auth.md](./auth.md) — sessions, password, TOTP, recovery

+  codes.

+- [tokens.md](./tokens.md) — PAT format, scopes, revocation.

+- [permissions.md](./permissions.md) — `policy.Can` semantics.

+- [2fa.md](./2fa.md) — TOTP enrollment, recovery flow.

+- [ssh-deploy.md](./ssh-deploy.md) — AKC contract.

+- [git-ssh.md](./git-ssh.md), [git-http.md](./git-http.md) — git

+  transports.

+- [security-checklist.md](./security-checklist.md) — controls + the

+  tests proving them.

+- [threat-model.md](./threat-model.md) — v1 attacker model.

+- [hooks.md](./hooks.md) — pre/post-receive contracts.

+

+## Domain features

+

+- [profile.md](./profile.md), [settings.md](./settings.md)

+- [repo-create.md](./repo-create.md),

+  [repo-lifecycle.md](./repo-lifecycle.md)

+- [code-tab.md](./code-tab.md), [diffs.md](./diffs.md),

+  [commits-blame.md](./commits-blame.md)

+- [forks.md](./forks.md), [stars-watchers.md](./stars-watchers.md)

+- [issues.md](./issues.md), [pull-requests.md](./pull-requests.md),

+  [pr-review.md](./pr-review.md)

+- [branch-protection.md](./branch-protection.md),

+  [checks.md](./checks.md)

+- [orgs.md](./orgs.md), [teams.md](./teams.md)

+- [notifications.md](./notifications.md)

+- [search.md](./search.md), [markdown.md](./markdown.md)

+

+## Operations

+

+- [deploy.md](./deploy.md) — Ansible playbook + topology.

+- [runbooks/](./runbooks/) — incident, backup, restore, upgrade,

+  rollback, plus rotation procedures.

+

+## Conventions for adding a new doc

+

+1. One markdown file per subsystem; name it after the subsystem,

+   not the sprint.

+2. Link to the relevant package directory in the first paragraph.

+3. Public-facing material that should appear on

+   [docs.shithub.tld](https://docs.shithub.tld) goes in

+   `docs/public/...` and follows the operator/user voice; the

+   internal version is the authoritative source on "why".

+4. Update this index when you add a new file.