infra/cli/repo.go

package main

import (
	"os"
	"os/exec"
	"os/user"
	"path/filepath"
	"strings"
)

// preferRemote picks the canonical remote: forgejo if present, else origin,
// else the first listed. (For infra, origin and forgejo both point at Forgejo.)
func preferRemote(remotes []string) string {
	has := map[string]bool{}
	for _, r := range remotes {
		has[r] = true
	}
	switch {
	case has["forgejo"]:
		return "forgejo"
	case has["origin"]:
		return "origin"
	case len(remotes) > 0:
		return remotes[0]
	default:
		return ""
	}
}

// hasGitCryptAttr reports whether .gitattributes content enables git-crypt.
func hasGitCryptAttr(gitattributes string) bool {
	return strings.Contains(gitattributes, "filter=git-crypt")
}

// gitCryptFlags are the per-command flags that disable smudge/clean so git
// operations in a git-crypt repo don't try to decrypt (NEVER persisted to config).
func gitCryptFlags() []string {
	return []string{
		"-c", "filter.git-crypt.smudge=cat",
		"-c", "filter.git-crypt.clean=cat",
		"-c", "filter.git-crypt.required=false",
	}
}

// gitOutput runs `git -C dir <args>` and returns trimmed stdout.
func gitOutput(dir string, args ...string) (string, error) {
	cmd := exec.Command("git", append([]string{"-C", dir}, args...)...)
	out, err := cmd.Output()
	return strings.TrimSpace(string(out)), err
}

func gitRepoRoot(dir string) (string, error) {
	return gitOutput(dir, "rev-parse", "--show-toplevel")
}

// gitRemotes lists configured remote names for the repo at dir.
func gitRemotes(dir string) ([]string, error) {
	out, err := gitOutput(dir, "remote")
	if err != nil {
		return nil, err
	}
	if out == "" {
		return nil, nil
	}
	return strings.Split(out, "\n"), nil
}

// isGitCryptRepo reports whether the repo at repoRoot uses git-crypt.
func isGitCryptRepo(repoRoot string) bool {
	b, err := os.ReadFile(filepath.Join(repoRoot, ".gitattributes"))
	if err != nil {
		return false
	}
	return hasGitCryptAttr(string(b))
}

// cryptFlagsFor returns the git-crypt filter flags when repoRoot is encrypted,
// else nil. These are injected per-command and never persisted.
func cryptFlagsFor(repoRoot string) []string {
	if isGitCryptRepo(repoRoot) {
		return gitCryptFlags()
	}
	return nil
}

// gitStream runs `git [cryptFlags] -C repoRoot <args>` with live output.
func gitStream(repoRoot string, cryptFlags []string, args ...string) error {
	full := append(append([]string{}, cryptFlags...), append([]string{"-C", repoRoot}, args...)...)
	return runStreamingIn("", "git", full...)
}

// currentUser returns the OS username for branch naming (<user>/<topic>).
func currentUser() string {
	if u := os.Getenv("USER"); u != "" {
		return u
	}
	if u, err := user.Current(); err == nil && u.Username != "" {
		return u.Username
	}
	return "user"
}
homelab: add tf verbs + stack/git-crypt substrate Adds the tf verb-group and the resolver substrate beneath it, continuing the v0.1 infra-loop build. - substrate: findInfraRoot (walk up to terragrunt.hcl + stacks/), stack→dir resolver, and repo/remote/git-crypt detection (preferRemote forgejo>origin, hasGitCryptAttr, gitCryptFlags) — the last is for `work` next. - tf plan/validate/fmt/force-unlock/apply, resolving the stack from cwd and delegating to scripts/tg (which owns state decrypt/encrypt, the Vault lock, and the ingress auth-comment check) rather than calling terragrunt directly. - tf apply is presence-coupled: claims stack:<name>, ALWAYS releases on exit (normal, error, or SIGINT/SIGTERM via sync.Once + signal handler) — fixing the documented ~200-claim leak — and prints an out-of-band reminder since CI applies canonically on push. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-18 19:16:33 +00:00			`package main`

			`import (`
homelab: add work verbs (start/land/clean) with a land verification gate Completes the infra-loop verb surface. work start creates .worktrees/<topic> on <user>/<topic> off <remote>/master (git-crypt-aware, ensures .worktrees is ignored) and prints the path for native EnterWorktree entry. work land fetches, merges master in, verifies, pushes HEAD:master with non-fast-forward retry, and falls back to pushing the feature branch for a PR when the direct push is rejected (branch protection). work clean removes the worktree + branch. Safety: work land REFUSES to push when it cannot verify (no --verify-cmd and no auto-detected suite) unless --no-verify is passed. This was added after an accidental smoke-test invocation pushed unverified WIP to master (benign — the infra CI applied 0 stacks since the diff was cli/-only — but the gate makes an unverified land a deliberate choice, not the default). Known v0.1 limitation: land does not yet block on CI to green; that arrives with the ci/deploy watch verbs. It prints a reminder to follow the pipeline manually. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-18 19:24:08 +00:00			`"os"`
homelab: add tf verbs + stack/git-crypt substrate Adds the tf verb-group and the resolver substrate beneath it, continuing the v0.1 infra-loop build. - substrate: findInfraRoot (walk up to terragrunt.hcl + stacks/), stack→dir resolver, and repo/remote/git-crypt detection (preferRemote forgejo>origin, hasGitCryptAttr, gitCryptFlags) — the last is for `work` next. - tf plan/validate/fmt/force-unlock/apply, resolving the stack from cwd and delegating to scripts/tg (which owns state decrypt/encrypt, the Vault lock, and the ingress auth-comment check) rather than calling terragrunt directly. - tf apply is presence-coupled: claims stack:<name>, ALWAYS releases on exit (normal, error, or SIGINT/SIGTERM via sync.Once + signal handler) — fixing the documented ~200-claim leak — and prints an out-of-band reminder since CI applies canonically on push. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-18 19:16:33 +00:00			`"os/exec"`
homelab: add work verbs (start/land/clean) with a land verification gate Completes the infra-loop verb surface. work start creates .worktrees/<topic> on <user>/<topic> off <remote>/master (git-crypt-aware, ensures .worktrees is ignored) and prints the path for native EnterWorktree entry. work land fetches, merges master in, verifies, pushes HEAD:master with non-fast-forward retry, and falls back to pushing the feature branch for a PR when the direct push is rejected (branch protection). work clean removes the worktree + branch. Safety: work land REFUSES to push when it cannot verify (no --verify-cmd and no auto-detected suite) unless --no-verify is passed. This was added after an accidental smoke-test invocation pushed unverified WIP to master (benign — the infra CI applied 0 stacks since the diff was cli/-only — but the gate makes an unverified land a deliberate choice, not the default). Known v0.1 limitation: land does not yet block on CI to green; that arrives with the ci/deploy watch verbs. It prints a reminder to follow the pipeline manually. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-18 19:24:08 +00:00			`"os/user"`
			`"path/filepath"`
homelab: add tf verbs + stack/git-crypt substrate Adds the tf verb-group and the resolver substrate beneath it, continuing the v0.1 infra-loop build. - substrate: findInfraRoot (walk up to terragrunt.hcl + stacks/), stack→dir resolver, and repo/remote/git-crypt detection (preferRemote forgejo>origin, hasGitCryptAttr, gitCryptFlags) — the last is for `work` next. - tf plan/validate/fmt/force-unlock/apply, resolving the stack from cwd and delegating to scripts/tg (which owns state decrypt/encrypt, the Vault lock, and the ingress auth-comment check) rather than calling terragrunt directly. - tf apply is presence-coupled: claims stack:<name>, ALWAYS releases on exit (normal, error, or SIGINT/SIGTERM via sync.Once + signal handler) — fixing the documented ~200-claim leak — and prints an out-of-band reminder since CI applies canonically on push. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-18 19:16:33 +00:00			`"strings"`
			`)`

			`// preferRemote picks the canonical remote: forgejo if present, else origin,`
			`// else the first listed. (For infra, origin and forgejo both point at Forgejo.)`
			`func preferRemote(remotes []string) string {`
			`has := map[string]bool{}`
			`for _, r := range remotes {`
			`has[r] = true`
			`}`
			`switch {`
			`case has["forgejo"]:`
			`return "forgejo"`
			`case has["origin"]:`
			`return "origin"`
			`case len(remotes) > 0:`
			`return remotes[0]`
			`default:`
			`return ""`
			`}`
			`}`

			`// hasGitCryptAttr reports whether .gitattributes content enables git-crypt.`
			`func hasGitCryptAttr(gitattributes string) bool {`
			`return strings.Contains(gitattributes, "filter=git-crypt")`
			`}`

			`// gitCryptFlags are the per-command flags that disable smudge/clean so git`
			`// operations in a git-crypt repo don't try to decrypt (NEVER persisted to config).`
			`func gitCryptFlags() []string {`
			`return []string{`
			`"-c", "filter.git-crypt.smudge=cat",`
			`"-c", "filter.git-crypt.clean=cat",`
			`"-c", "filter.git-crypt.required=false",`
			`}`
			`}`

			// gitOutput runs `git -C dir <args>` and returns trimmed stdout.
			`func gitOutput(dir string, args ...string) (string, error) {`
			`cmd := exec.Command("git", append([]string{"-C", dir}, args...)...)`
			`out, err := cmd.Output()`
			`return strings.TrimSpace(string(out)), err`
			`}`

			`func gitRepoRoot(dir string) (string, error) {`
			`return gitOutput(dir, "rev-parse", "--show-toplevel")`
			`}`

			`// gitRemotes lists configured remote names for the repo at dir.`
			`func gitRemotes(dir string) ([]string, error) {`
			`out, err := gitOutput(dir, "remote")`
			`if err != nil {`
			`return nil, err`
			`}`
			`if out == "" {`
			`return nil, nil`
			`}`
			`return strings.Split(out, "\n"), nil`
			`}`
homelab: add work verbs (start/land/clean) with a land verification gate Completes the infra-loop verb surface. work start creates .worktrees/<topic> on <user>/<topic> off <remote>/master (git-crypt-aware, ensures .worktrees is ignored) and prints the path for native EnterWorktree entry. work land fetches, merges master in, verifies, pushes HEAD:master with non-fast-forward retry, and falls back to pushing the feature branch for a PR when the direct push is rejected (branch protection). work clean removes the worktree + branch. Safety: work land REFUSES to push when it cannot verify (no --verify-cmd and no auto-detected suite) unless --no-verify is passed. This was added after an accidental smoke-test invocation pushed unverified WIP to master (benign — the infra CI applied 0 stacks since the diff was cli/-only — but the gate makes an unverified land a deliberate choice, not the default). Known v0.1 limitation: land does not yet block on CI to green; that arrives with the ci/deploy watch verbs. It prints a reminder to follow the pipeline manually. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-18 19:24:08 +00:00
			`// isGitCryptRepo reports whether the repo at repoRoot uses git-crypt.`
			`func isGitCryptRepo(repoRoot string) bool {`
			`b, err := os.ReadFile(filepath.Join(repoRoot, ".gitattributes"))`
			`if err != nil {`
			`return false`
			`}`
			`return hasGitCryptAttr(string(b))`
			`}`

			`// cryptFlagsFor returns the git-crypt filter flags when repoRoot is encrypted,`
			`// else nil. These are injected per-command and never persisted.`
			`func cryptFlagsFor(repoRoot string) []string {`
			`if isGitCryptRepo(repoRoot) {`
			`return gitCryptFlags()`
			`}`
			`return nil`
			`}`

			// gitStream runs `git [cryptFlags] -C repoRoot <args>` with live output.
			`func gitStream(repoRoot string, cryptFlags []string, args ...string) error {`
			`full := append(append([]string{}, cryptFlags...), append([]string{"-C", repoRoot}, args...)...)`
			`return runStreamingIn("", "git", full...)`
			`}`

			`// currentUser returns the OS username for branch naming (<user>/<topic>).`
			`func currentUser() string {`
			`if u := os.Getenv("USER"); u != "" {`
			`return u`
			`}`
			`if u, err := user.Current(); err == nil && u.Username != "" {`
			`return u.Username`
			`}`
			`return "user"`
			`}`