lib/auth.sh

#!/usr/bin/env bash
# lib/auth.sh — Authenticated URLs, remote queries, and PR creation
#
# Requires: lib/core.sh and lib/config.sh sourced first
# Expects: JOSH_PROXY_URL, MONOREPO_PATH, BOT_USER, GITEA_TOKEN, JOSH_FILTER,
#           SUBREPO_URL, SUBREPO_AUTH, SUBREPO_TOKEN (set by parse_config + load_target)

# ─── Josh-Proxy Auth URL ───────────────────────────────────────────
# Josh always uses HTTPS. Filter is embedded in the URL path.
# Result: https://user:token@proxy/org/repo.git:/services/app.git

josh_auth_url() {
  local base="${JOSH_PROXY_URL}/${MONOREPO_PATH}.git${JOSH_FILTER}.git"
  # shellcheck disable=SC2001  # sed is clearer than ${var//} for URL injection
  echo "$base" | sed "s|https://|https://${BOT_USER}:${GITEA_TOKEN}@|"
}

# ─── Subrepo Auth URL ──────────────────────────────────────────────
# HTTPS: injects user:token into URL
# SSH: returns bare URL (auth via GIT_SSH_COMMAND set by load_target)

subrepo_auth_url() {
  if [ "${SUBREPO_AUTH:-https}" = "ssh" ]; then
    echo "$SUBREPO_URL"
  else
    # shellcheck disable=SC2001
    echo "$SUBREPO_URL" | sed "s|https://|https://${BOT_USER}:${SUBREPO_TOKEN}@|"
  fi
}

# ─── Remote Queries ─────────────────────────────────────────────────

subrepo_ls_remote() {
  local ref="${1:-HEAD}"
  local output
  output=$(git ls-remote "$(subrepo_auth_url)" "refs/heads/${ref}") \
    || die "Failed to reach subrepo (check SSH key / auth)"
  echo "$output" | awk '{print $1}'
}

# ─── PR Creation ────────────────────────────────────────────────────
# Shared helpers for creating PRs on Gitea/GitHub API.
# Usage: create_pr <api_url> <token> <base> <head> <title> <body>
#        number=$(create_pr_number <api_url> <token> <base> <head> <title> <body>)
#
# create_pr      — fire-and-forget (stdout suppressed, safe inside sync functions)
# create_pr_number — returns the new PR number via stdout

create_pr_number() {
  local api_url="$1" token="$2" base="$3" head="$4" title="$5" body="$6"

  curl -sf -X POST \
    -H "Authorization: token ${token}" \
    -H "Content-Type: application/json" \
    -d "$(jq -n \
      --arg base "$base" \
      --arg head "$head" \
      --arg title "$title" \
      --arg body "$body" \
      '{base:$base, head:$head, title:$title, body:$body}')" \
    "${api_url}/pulls" | jq -r '.number'
}

create_pr() {
  create_pr_number "$@" >/dev/null
}

# ─── PR API Helpers ──────────────────────────────────────────────
# Used by onboard and migrate-pr commands.

# List open PRs on a repo. Returns JSON array.
# Usage: list_open_prs <api_url> <token>
list_open_prs() {
  local api_url="$1" token="$2"
  curl -sf -H "Authorization: token ${token}" \
    "${api_url}/pulls?state=open&limit=50"
}

# Get PR diff as plain text.
# Usage: get_pr_diff <api_url> <token> <pr_number>
get_pr_diff() {
  local api_url="$1" token="$2" pr_number="$3"
  curl -sf -H "Authorization: token ${token}" \
    "${api_url}/pulls/${pr_number}.diff"
}

# Get single PR as JSON (for checking merge status, metadata, etc.).
# Usage: get_pr <api_url> <token> <pr_number>
get_pr() {
  local api_url="$1" token="$2" pr_number="$3"
  curl -sf -H "Authorization: token ${token}" \
    "${api_url}/pulls/${pr_number}"
}
"#" 2026-02-12 09:20:55 +03:00			`#!/usr/bin/env bash`
			`# lib/auth.sh — Authenticated URLs, remote queries, and PR creation`
			`#`
			`# Requires: lib/core.sh and lib/config.sh sourced first`
			`# Expects: JOSH_PROXY_URL, MONOREPO_PATH, BOT_USER, GITEA_TOKEN, JOSH_FILTER,`
			`# SUBREPO_URL, SUBREPO_AUTH, SUBREPO_TOKEN (set by parse_config + load_target)`

			`# ─── Josh-Proxy Auth URL ───────────────────────────────────────────`
			`# Josh always uses HTTPS. Filter is embedded in the URL path.`
			`# Result: https://user:token@proxy/org/repo.git:/services/app.git`

			`josh_auth_url() {`
			`local base="${JOSH_PROXY_URL}/${MONOREPO_PATH}.git${JOSH_FILTER}.git"`
Fix all shellcheck warnings for nix build gate - SC2015: Wrap A && B \|\| C patterns in brace groups for directive scope - SC2064: Suppress for intentional early trap expansion (local vars) - SC2164: Add \|\| exit to cd commands in subshells - SC2001: Suppress for sed URL injection (clearer than parameter expansion) - SC1083: Handle {tree} git syntax (quote or suppress) - SC1091: Suppress for runtime-resolved source paths - SC2034: Remove unused exit codes (E_OK, E_CONFIG, E_AUTH) - SC2116: Eliminate useless echo in mono_auth_url construction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-12 14:33:26 +03:00			`# shellcheck disable=SC2001 # sed is clearer than ${var//} for URL injection`
"#" 2026-02-12 09:20:55 +03:00			`echo "$base" \| sed "s\|https://\|https://${BOT_USER}:${GITEA_TOKEN}@\|"`
			`}`

			`# ─── Subrepo Auth URL ──────────────────────────────────────────────`
			`# HTTPS: injects user:token into URL`
			`# SSH: returns bare URL (auth via GIT_SSH_COMMAND set by load_target)`

			`subrepo_auth_url() {`
			`if [ "${SUBREPO_AUTH:-https}" = "ssh" ]; then`
			`echo "$SUBREPO_URL"`
			`else`
Fix all shellcheck warnings for nix build gate - SC2015: Wrap A && B \|\| C patterns in brace groups for directive scope - SC2064: Suppress for intentional early trap expansion (local vars) - SC2164: Add \|\| exit to cd commands in subshells - SC2001: Suppress for sed URL injection (clearer than parameter expansion) - SC1083: Handle {tree} git syntax (quote or suppress) - SC1091: Suppress for runtime-resolved source paths - SC2034: Remove unused exit codes (E_OK, E_CONFIG, E_AUTH) - SC2116: Eliminate useless echo in mono_auth_url construction Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-12 14:33:26 +03:00			`# shellcheck disable=SC2001`
"#" 2026-02-12 09:20:55 +03:00			`echo "$SUBREPO_URL" \| sed "s\|https://\|https://${BOT_USER}:${SUBREPO_TOKEN}@\|"`
			`fi`
			`}`

			`# ─── Remote Queries ─────────────────────────────────────────────────`

			`subrepo_ls_remote() {`
			`local ref="${1:-HEAD}"`
			`local output`
			`output=$(git ls-remote "$(subrepo_auth_url)" "refs/heads/${ref}") \`
			`\|\| die "Failed to reach subrepo (check SSH key / auth)"`
			`echo "$output" \| awk '{print $1}'`
			`}`

			`# ─── PR Creation ────────────────────────────────────────────────────`
Add onboard and migrate-pr commands (v1.1.0) New commands for safely onboarding existing subrepos into the monorepo without losing open PRs: - josh-sync onboard <target>: interactive, resumable 5-step flow (import → wait for merge → reset to new repo) - josh-sync migrate-pr <target> [PR#...] [--all]: migrate PRs from archived repo to new repo via patch application Also refactors create_pr() to wrap create_pr_number(), eliminating duplicated curl/jq logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-13 12:41:44 +03:00			`# Shared helpers for creating PRs on Gitea/GitHub API.`
"#" 2026-02-12 09:20:55 +03:00			`# Usage: create_pr <api_url> <token> <base> <head> <title> <body>`
Add onboard and migrate-pr commands (v1.1.0) New commands for safely onboarding existing subrepos into the monorepo without losing open PRs: - josh-sync onboard <target>: interactive, resumable 5-step flow (import → wait for merge → reset to new repo) - josh-sync migrate-pr <target> [PR#...] [--all]: migrate PRs from archived repo to new repo via patch application Also refactors create_pr() to wrap create_pr_number(), eliminating duplicated curl/jq logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-13 12:41:44 +03:00			`# number=$(create_pr_number <api_url> <token> <base> <head> <title> <body>)`
			`#`
			`# create_pr — fire-and-forget (stdout suppressed, safe inside sync functions)`
			`# create_pr_number — returns the new PR number via stdout`
"#" 2026-02-12 09:20:55 +03:00
Add onboard and migrate-pr commands (v1.1.0) New commands for safely onboarding existing subrepos into the monorepo without losing open PRs: - josh-sync onboard <target>: interactive, resumable 5-step flow (import → wait for merge → reset to new repo) - josh-sync migrate-pr <target> [PR#...] [--all]: migrate PRs from archived repo to new repo via patch application Also refactors create_pr() to wrap create_pr_number(), eliminating duplicated curl/jq logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-13 12:41:44 +03:00			`create_pr_number() {`
			`local api_url="$1" token="$2" base="$3" head="$4" title="$5" body="$6"`
"#" 2026-02-12 09:20:55 +03:00
			`curl -sf -X POST \`
			`-H "Authorization: token ${token}" \`
			`-H "Content-Type: application/json" \`
			`-d "$(jq -n \`
			`--arg base "$base" \`
			`--arg head "$head" \`
			`--arg title "$title" \`
			`--arg body "$body" \`
			`'{base:$base, head:$head, title:$title, body:$body}')" \`
Add onboard and migrate-pr commands (v1.1.0) New commands for safely onboarding existing subrepos into the monorepo without losing open PRs: - josh-sync onboard <target>: interactive, resumable 5-step flow (import → wait for merge → reset to new repo) - josh-sync migrate-pr <target> [PR#...] [--all]: migrate PRs from archived repo to new repo via patch application Also refactors create_pr() to wrap create_pr_number(), eliminating duplicated curl/jq logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-13 12:41:44 +03:00			`"${api_url}/pulls" \| jq -r '.number'`
			`}`

			`create_pr() {`
			`create_pr_number "$@" >/dev/null`
			`}`

			`# ─── PR API Helpers ──────────────────────────────────────────────`
			`# Used by onboard and migrate-pr commands.`

			`# List open PRs on a repo. Returns JSON array.`
			`# Usage: list_open_prs <api_url> <token>`
			`list_open_prs() {`
			`local api_url="$1" token="$2"`
			`curl -sf -H "Authorization: token ${token}" \`
			`"${api_url}/pulls?state=open&limit=50"`
			`}`

			`# Get PR diff as plain text.`
			`# Usage: get_pr_diff <api_url> <token> <pr_number>`
			`get_pr_diff() {`
			`local api_url="$1" token="$2" pr_number="$3"`
			`curl -sf -H "Authorization: token ${token}" \`
			`"${api_url}/pulls/${pr_number}.diff"`
			`}`

			`# Get single PR as JSON (for checking merge status, metadata, etc.).`
			`# Usage: get_pr <api_url> <token> <pr_number>`
			`get_pr() {`
			`local api_url="$1" token="$2" pr_number="$3"`
			`curl -sf -H "Authorization: token ${token}" \`
			`"${api_url}/pulls/${pr_number}"`
"#" 2026-02-12 09:20:55 +03:00			`}`