lib/auth.sh

#!/usr/bin/env bash
# lib/auth.sh — Authenticated URLs, remote queries, and PR creation
#
# Requires: lib/core.sh and lib/config.sh sourced first
# Expects: JOSH_PROXY_URL, MONOREPO_PATH, BOT_USER, GITEA_TOKEN, JOSH_FILTER,
#           SUBREPO_URL, SUBREPO_AUTH, SUBREPO_TOKEN (set by parse_config + load_target)

# ─── Josh-Proxy Auth URL ───────────────────────────────────────────
# Josh always uses HTTPS. Filter is embedded in the URL path.
# Result: https://user:token@proxy/org/repo.git:/services/app.git

josh_auth_url() {
  local base="${JOSH_PROXY_URL}/${MONOREPO_PATH}.git${JOSH_FILTER}.git"
  # shellcheck disable=SC2001  # sed is clearer than ${var//} for URL injection
  echo "$base" | sed "s|https://|https://${BOT_USER}:${GITEA_TOKEN}@|"
}

# ─── Subrepo Auth URL ──────────────────────────────────────────────
# HTTPS: injects user:token into URL
# SSH: returns bare URL (auth via GIT_SSH_COMMAND set by load_target)

subrepo_auth_url() {
  if [ "${SUBREPO_AUTH:-https}" = "ssh" ]; then
    echo "$SUBREPO_URL"
  else
    # shellcheck disable=SC2001
    echo "$SUBREPO_URL" | sed "s|https://|https://${BOT_USER}:${SUBREPO_TOKEN}@|"
  fi
}

# ─── Remote Queries ─────────────────────────────────────────────────

subrepo_ls_remote() {
  local ref="${1:-HEAD}"
  local output
  output=$(git ls-remote "$(subrepo_auth_url)" "refs/heads/${ref}") \
    || die "Failed to reach subrepo (check SSH key / auth)"
  echo "$output" | awk '{print $1}'
}

# ─── PR Creation ────────────────────────────────────────────────────
# Shared helper for creating PRs on Gitea/GitHub API.
# Usage: create_pr <api_url> <token> <base> <head> <title> <body>

create_pr() {
  local api_url="$1"
  local token="$2"
  local base="$3"
  local head="$4"
  local title="$5"
  local body="$6"

  curl -sf -X POST \
    -H "Authorization: token ${token}" \
    -H "Content-Type: application/json" \
    -d "$(jq -n \
      --arg base "$base" \
      --arg head "$head" \
      --arg title "$title" \
      --arg body "$body" \
      '{base:$base, head:$head, title:$title, body:$body}')" \
    "${api_url}/pulls" >/dev/null
}
"#" 2026-02-12 09:20:55 +03:00			`#!/usr/bin/env bash`
			`# lib/auth.sh — Authenticated URLs, remote queries, and PR creation`
			`#`
			`# Requires: lib/core.sh and lib/config.sh sourced first`
			`# Expects: JOSH_PROXY_URL, MONOREPO_PATH, BOT_USER, GITEA_TOKEN, JOSH_FILTER,`
			`# SUBREPO_URL, SUBREPO_AUTH, SUBREPO_TOKEN (set by parse_config + load_target)`

			`# ─── Josh-Proxy Auth URL ───────────────────────────────────────────`
			`# Josh always uses HTTPS. Filter is embedded in the URL path.`
			`# Result: https://user:token@proxy/org/repo.git:/services/app.git`

			`josh_auth_url() {`
			`local base="${JOSH_PROXY_URL}/${MONOREPO_PATH}.git${JOSH_FILTER}.git"`
Fix all shellcheck warnings for nix build gate - SC2015: Wrap A && B \|\| C patterns in brace groups for directive scope - SC2064: Suppress for intentional early trap expansion (local vars) - SC2164: Add \|\| exit to cd commands in subshells - SC2001: Suppress for sed URL injection (clearer than parameter expansion) - SC1083: Handle {tree} git syntax (quote or suppress) - SC1091: Suppress for runtime-resolved source paths - SC2034: Remove unused exit codes (E_OK, E_CONFIG, E_AUTH) - SC2116: Eliminate useless echo in mono_auth_url construction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-12 14:33:26 +03:00			`# shellcheck disable=SC2001 # sed is clearer than ${var//} for URL injection`
"#" 2026-02-12 09:20:55 +03:00			`echo "$base" \| sed "s\|https://\|https://${BOT_USER}:${GITEA_TOKEN}@\|"`
			`}`

			`# ─── Subrepo Auth URL ──────────────────────────────────────────────`
			`# HTTPS: injects user:token into URL`
			`# SSH: returns bare URL (auth via GIT_SSH_COMMAND set by load_target)`

			`subrepo_auth_url() {`
			`if [ "${SUBREPO_AUTH:-https}" = "ssh" ]; then`
			`echo "$SUBREPO_URL"`
			`else`
Fix all shellcheck warnings for nix build gate - SC2015: Wrap A && B \|\| C patterns in brace groups for directive scope - SC2064: Suppress for intentional early trap expansion (local vars) - SC2164: Add \|\| exit to cd commands in subshells - SC2001: Suppress for sed URL injection (clearer than parameter expansion) - SC1083: Handle {tree} git syntax (quote or suppress) - SC1091: Suppress for runtime-resolved source paths - SC2034: Remove unused exit codes (E_OK, E_CONFIG, E_AUTH) - SC2116: Eliminate useless echo in mono_auth_url construction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-12 14:33:26 +03:00			`# shellcheck disable=SC2001`
"#" 2026-02-12 09:20:55 +03:00			`echo "$SUBREPO_URL" \| sed "s\|https://\|https://${BOT_USER}:${SUBREPO_TOKEN}@\|"`
			`fi`
			`}`

			`# ─── Remote Queries ─────────────────────────────────────────────────`

			`subrepo_ls_remote() {`
			`local ref="${1:-HEAD}"`
			`local output`
			`output=$(git ls-remote "$(subrepo_auth_url)" "refs/heads/${ref}") \`
			`\|\| die "Failed to reach subrepo (check SSH key / auth)"`
			`echo "$output" \| awk '{print $1}'`
			`}`

			`# ─── PR Creation ────────────────────────────────────────────────────`
			`# Shared helper for creating PRs on Gitea/GitHub API.`
			`# Usage: create_pr <api_url> <token> <base> <head> <title> <body>`

			`create_pr() {`
			`local api_url="$1"`
			`local token="$2"`
			`local base="$3"`
			`local head="$4"`
			`local title="$5"`
			`local body="$6"`

			`curl -sf -X POST \`
			`-H "Authorization: token ${token}" \`
			`-H "Content-Type: application/json" \`
			`-d "$(jq -n \`
			`--arg base "$base" \`
			`--arg head "$head" \`
			`--arg title "$title" \`
			`--arg body "$body" \`
			`'{base:$base, head:$head, title:$title, body:$body}')" \`
			`"${api_url}/pulls" >/dev/null`
			`}`