@enbox/gitd 0.1.0 → 0.3.0

package/src/cli/commands/migrate.ts

@@ -23,8 +23,14 @@
 
 import type { AgentContext } from '../agent.js';
 
+import { createFullBundle } from '../../git-server/bundle-sync.js';
+import { flagValue } from '../flags.js';
+import { getRepoContext } from '../repo-context.js';
 import { getRepoContextId } from '../repo-context.js';
-import { spawnSync } from 'node:child_process';
+import { GitBackend } from '../../git-server/git-backend.js';
+import { readGitRefs } from '../../git-server/ref-sync.js';
+import { readFile, unlink } from 'node:fs/promises';
+import { spawn, spawnSync } from 'node:child_process';
 
 // ---------------------------------------------------------------------------
 // GitHub auth — resolve a token from env or the gh CLI
@@ -63,7 +69,7 @@ export function resolveGitHubToken(): string | undefined {
   try {
     const result = spawnSync('gh', ['auth', 'token'], {
       stdio   : ['pipe', 'pipe', 'pipe'],
-      timeout : 5_000,
+      timeout : 2_000,
     });
     const token = result.stdout?.toString().trim();
     if (result.status === 0 && token) {
@@ -230,7 +236,7 @@ export async function migrateCommand(ctx: AgentContext, args: string[]): Promise
     case 'pulls': return migratePulls(ctx, rest);
     case 'releases': return migrateReleases(ctx, rest);
     default:
-      console.error('Usage: gitd migrate <all|repo|issues|pulls|releases> <owner/repo>');
+      console.error('Usage: gitd migrate <all|repo|issues|pulls|releases> [owner/repo] [--repos <path>]');
       process.exit(1);
   }
 }
@@ -327,8 +333,18 @@ function prependAuthor(body: string, ghLogin: string): string {
 // migrate all
 // ---------------------------------------------------------------------------
 
+/**
+ * Resolve the repos base path from CLI flags or environment.
+ * Returns `null` when no explicit path was provided, so callers can
+ * decide whether to skip git content migration.
+ */
+function resolveReposPath(args: string[]): string | null {
+  return flagValue(args, '--repos') ?? process.env.GITD_REPOS ?? null;
+}
+
 async function migrateAll(ctx: AgentContext, args: string[]): Promise<void> {
   const { owner, repo } = resolveGhRepo(args);
+  const reposPath = resolveReposPath(args);
   const slug = `${owner}/${repo}`;
 
   const token = resolveGitHubToken();
@@ -343,13 +359,26 @@ async function migrateAll(ctx: AgentContext, args: string[]): Promise<void> {
     // Step 1: repo metadata.
     await migrateRepoInner(ctx, owner, repo);
 
-    // Step 2: issues + comments.
+    // Step 2: git content (clone, bundle, refs).
+    if (reposPath) {
+      try {
+        await migrateGitContent(ctx, owner, repo, reposPath);
+      } catch (err) {
+        console.error(`  Warning: git content migration failed: ${(err as Error).message}`);
+        console.error('  Metadata, issues, PRs, and releases will still be imported.');
+        console.error('  Re-run with a valid --repos path to retry git content migration.\n');
+      }
+    } else {
+      console.log('  Skipping git content — pass --repos <path> or set GITD_REPOS to include git data.');
+    }
+
+    // Step 3: issues + comments.
     const issueCount = await migrateIssuesInner(ctx, owner, repo);
 
-    // Step 3: pull requests + reviews.
+    // Step 4: pull requests + reviews.
     const pullCount = await migratePullsInner(ctx, owner, repo);
 
-    // Step 4: releases.
+    // Step 5: releases.
     const releaseCount = await migrateReleasesInner(ctx, owner, repo);
 
     console.log(`\nMigration complete: ${slug}`);
@@ -368,8 +397,14 @@ async function migrateAll(ctx: AgentContext, args: string[]): Promise<void> {
 
 async function migrateRepo(ctx: AgentContext, args: string[]): Promise<void> {
   const { owner, repo } = resolveGhRepo(args);
+  const reposPath = resolveReposPath(args);
   try {
     await migrateRepoInner(ctx, owner, repo);
+    if (reposPath) {
+      await migrateGitContent(ctx, owner, repo, reposPath);
+    } else {
+      console.log('  Skipping git content — pass --repos <path> or set GITD_REPOS to include git data.');
+    }
   } catch (err) {
     console.error(`Failed to migrate repo: ${(err as Error).message}`);
     process.exit(1);
@@ -413,6 +448,131 @@ async function migrateRepoInner(ctx: AgentContext, owner: string, repo: string):
   console.log(`  Source:    ${gh.html_url}`);
 }
 
+// ---------------------------------------------------------------------------
+// migrate git content (clone + bundle + refs)
+// ---------------------------------------------------------------------------
+
+/**
+ * Clone the GitHub repository as a bare repo, create a full git bundle,
+ * upload it to DWN, and sync all refs to DWN records.
+ *
+ * This is the "git content" migration step that turns the metadata-only
+ * repo record into a fully cloneable repo.
+ */
+async function migrateGitContent(
+  ctx: AgentContext,
+  owner: string,
+  repo: string,
+  reposPath: string,
+): Promise<void> {
+  const slug = `${owner}/${repo}`;
+  console.log(`Importing git content from ${slug}...`);
+
+  const backend = new GitBackend({ basePath: reposPath });
+  const repoPath = backend.repoPath(ctx.did, repo);
+
+  // Step 1: Clone bare repo from GitHub (or skip if already on disk).
+  if (backend.exists(ctx.did, repo)) {
+    console.log(`  Bare repo already exists at ${repoPath} — skipping clone.`);
+  } else {
+    const cloneUrl = buildCloneUrl(owner, repo);
+    console.log(`  Cloning ${cloneUrl} → ${repoPath}`);
+    await cloneBare(cloneUrl, repoPath);
+    console.log('  Clone complete.');
+  }
+
+  // Step 2: Create full git bundle.
+  console.log('  Creating git bundle...');
+  const bundleInfo = await createFullBundle(repoPath);
+  console.log(`  Bundle: ${bundleInfo.size} bytes, ${bundleInfo.refCount} ref(s), tip: ${bundleInfo.tipCommit.slice(0, 8)}`);
+
+  // Step 3: Upload bundle to DWN.
+  const { contextId: repoContextId, visibility } = await getRepoContext(ctx);
+  const encrypt = visibility === 'private';
+
+  try {
+    const bundleData = new Uint8Array(await readFile(bundleInfo.path));
+
+    const { status } = await ctx.repo.records.create('repo/bundle', {
+      data       : bundleData,
+      dataFormat : 'application/x-git-bundle',
+      tags       : {
+        tipCommit : bundleInfo.tipCommit,
+        isFull    : true,
+        refCount  : bundleInfo.refCount,
+        size      : bundleInfo.size,
+      },
+      parentContextId : repoContextId,
+      encryption      : encrypt,
+    } as any);
+
+    if (status.code >= 300) {
+      throw new Error(`Failed to create bundle record: ${status.code} ${status.detail}`);
+    }
+    console.log('  Bundle uploaded to DWN.');
+  } finally {
+    await unlink(bundleInfo.path).catch(() => {});
+  }
+
+  // Step 4: Sync git refs to DWN.
+  console.log('  Syncing refs to DWN...');
+  const gitRefs = await readGitRefs(repoPath);
+
+  let refCount = 0;
+  for (const ref of gitRefs) {
+    const { status } = await ctx.refs.records.create('repo/ref', {
+      data            : { name: ref.name, target: ref.target, type: ref.type },
+      tags            : { name: ref.name, type: ref.type, target: ref.target },
+      parentContextId : repoContextId,
+    });
+
+    if (status.code >= 300) {
+      console.error(`  Failed to sync ref ${ref.name}: ${status.code} ${status.detail}`);
+      continue;
+    }
+    refCount++;
+  }
+
+  console.log(`  Synced ${refCount} ref(s) to DWN.`);
+  console.log(`  Git content migration complete.`);
+}
+
+/**
+ * Build the clone URL for a GitHub repository.
+ * Uses the token (if available) for authenticated HTTPS clone.
+ */
+function buildCloneUrl(owner: string, repo: string): string {
+  const token = resolveGitHubToken();
+  if (token) {
+    return `https://${token}@github.com/${owner}/${repo}.git`;
+  }
+  return `https://github.com/${owner}/${repo}.git`;
+}
+
+/**
+ * Clone a git repository as a bare repo using `git clone --bare`.
+ */
+function cloneBare(url: string, destPath: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const child = spawn('git', ['clone', '--bare', url, destPath], {
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    const stderrChunks: Buffer[] = [];
+    child.stderr!.on('data', (chunk: Buffer) => stderrChunks.push(chunk));
+
+    child.on('error', reject);
+    child.on('exit', (code: number | null) => {
+      if (code !== 0) {
+        const stderr = Buffer.concat(stderrChunks).toString('utf-8');
+        reject(new Error(`git clone --bare failed (exit ${code}): ${stderr}`));
+      } else {
+        resolve();
+      }
+    });
+  });
+}
+
 // ---------------------------------------------------------------------------
 // migrate issues
 // ---------------------------------------------------------------------------

package/src/cli/main.ts

@@ -66,10 +66,13 @@
  * @module
  */
 
+import { authCommand } from './commands/auth.js';
 import { ciCommand } from './commands/ci.js';
 import { cloneCommand } from './commands/clone.js';
 import { connectAgent } from './agent.js';
+import { createRequire } from 'node:module';
 import { daemonCommand } from './commands/daemon.js';
+import { flagValue } from './flags.js';
 import { githubApiCommand } from './commands/github-api.js';
 import { indexerCommand } from '../indexer/main.js';
 import { initCommand } from './commands/init.js';
@@ -88,6 +91,7 @@ import { shimCommand } from './commands/shim.js';
 import { socialCommand } from './commands/social.js';
 import { webCommand } from './commands/web.js';
 import { wikiCommand } from './commands/wiki.js';
+import { profileDataPath, resolveProfile } from '../profiles/config.js';
 
 // ---------------------------------------------------------------------------
 // Arg parsing
@@ -104,6 +108,11 @@ const rest = args.slice(1);
 function printUsage(): void {
   console.log('gitd — decentralized forge powered by DWN protocols\n');
   console.log('Commands:');
+  console.log('  auth                                        Show current identity info');
+  console.log('  auth login                                  Create or import an identity');
+  console.log('  auth list                                   List all profiles');
+  console.log('  auth use <profile> [--global]               Set active profile');
+  console.log('');
   console.log('  setup                                       Configure git for DID-based remotes');
   console.log('  clone <did>/<repo>                          Clone a repository via DID');
   console.log('  init <name>                                 Create a repo record + bare git repo');
@@ -216,8 +225,49 @@ async function getPassword(): Promise<string> {
   const env = process.env.GITD_PASSWORD;
   if (env) { return env; }
 
-  // Interactive prompt via stdin.
+  // Interactive prompt — hide input when running in a TTY.
   process.stdout.write('Vault password: ');
+
+  if (process.stdin.isTTY) {
+    // Raw mode: read character-by-character, echo nothing.
+    const password = await new Promise<string>((resolve) => {
+      let buf = '';
+      process.stdin.setRawMode(true);
+      process.stdin.setEncoding('utf8');
+      process.stdin.resume();
+
+      const onData = (ch: string): void => {
+        const code = ch.charCodeAt(0);
+
+        if (ch === '\r' || ch === '\n') {
+          // Enter — done.
+          process.stdin.setRawMode(false);
+          process.stdin.pause();
+          process.stdin.removeListener('data', onData);
+          process.stdout.write('\n');
+          resolve(buf);
+        } else if (code === 3) {
+          // Ctrl-C — abort.
+          process.stdin.setRawMode(false);
+          process.stdout.write('\n');
+          process.exit(130);
+        } else if (code === 127 || code === 8) {
+          // Backspace / Delete.
+          if (buf.length > 0) {
+            buf = buf.slice(0, -1);
+          }
+        } else if (code >= 32) {
+          // Printable character.
+          buf += ch;
+        }
+      };
+
+      process.stdin.on('data', onData);
+    });
+    return password;
+  }
+
+  // Non-TTY fallback (piped input).
   const response = await new Promise<string>((resolve) => {
     let buf = '';
     process.stdin.setEncoding('utf8');
@@ -234,7 +284,18 @@ async function getPassword(): Promise<string> {
 // Main
 // ---------------------------------------------------------------------------
 
+function printVersion(): void {
+  const require = createRequire(import.meta.url);
+  const pkg = require('../../package.json') as { version: string };
+  console.log(`gitd ${pkg.version}`);
+}
+
 async function main(): Promise<void> {
+  if (command === '--version' || command === '-v' || command === 'version') {
+    printVersion();
+    return;
+  }
+
   if (!command || command === 'help' || command === '--help' || command === '-h') {
     printUsage();
     return;
@@ -249,11 +310,19 @@ async function main(): Promise<void> {
     case 'clone':
       await cloneCommand(rest);
       return;
+
+    case 'auth':
+      // Auth can run without a pre-existing profile (for `login`).
+      await authCommand(null, rest);
+      return;
   }
 
   // Commands that require the Web5 agent.
   const password = await getPassword();
-  const ctx = await connectAgent(password);
+  const profileFlag = flagValue(rest, '--profile');
+  const profileName = resolveProfile(profileFlag);
+  const dataPath = profileName ? profileDataPath(profileName) : undefined;
+  const ctx = await connectAgent({ password, dataPath });
 
   switch (command) {
     case 'init':
@@ -342,6 +411,13 @@ async function main(): Promise<void> {
       printUsage();
       process.exit(1);
   }
+
+  // One-shot commands reach here after completing.  The Web5 agent keeps
+  // LevelDB stores and other handles open, which prevents the process from
+  // exiting naturally.  Long-running commands (serve, web, daemon, indexer,
+  // github-api, shim) never reach this point because they block on an
+  // infinite promise internally.
+  process.exit(0);
 }
 
 main().catch((err: Error) => {

package/src/git-remote/credential-main.ts

@@ -16,12 +16,15 @@
  *     helper = /path/to/git-remote-did-credential
  *
  * Environment:
- *   GITD_PASSWORD — vault password for the local agent
+ *   GITD_PASSWORD    — vault password for the local agent
+ *   ENBOX_PROFILE    — (optional) profile name override
  *
  * @module
  */
 
-import { Web5 } from '@enbox/api';
+import type { BearerDid } from '@enbox/dids';
+
+import { Web5UserAgent } from '@enbox/agent';
 
 import {
   createPushTokenPayload,
@@ -33,6 +36,7 @@ import {
   formatCredentialResponse,
   parseCredentialRequest,
 } from './credential-helper.js';
+import { profileDataPath, resolveProfile } from '../profiles/config.js';
 
 // ---------------------------------------------------------------------------
 // Main
@@ -63,10 +67,7 @@ async function main(): Promise<void> {
     return;
   }
 
-  const { web5, did } = await Web5.connect({
-    password,
-    sync: 'off',
-  });
+  const { did, bearerDid } = await connectForCredentials(password);
 
   // Extract the owner DID and repo from the URL path.
   const path = request.path ?? '';
@@ -82,8 +83,8 @@ async function main(): Promise<void> {
   const payload = createPushTokenPayload(did, ownerDid, repo);
   const token = encodePushToken(payload);
 
-  // Sign the token using the agent's DID signer.
-  const signer = await web5.agent.agentDid.getSigner();
+  // Sign the token using the identity's DID signer (not the agent DID).
+  const signer = await bearerDid.getSigner();
   const tokenBytes = new TextEncoder().encode(token);
   const signature = await signer.sign({ data: tokenBytes });
   const signatureBase64url = Buffer.from(signature).toString('base64url');
@@ -96,6 +97,38 @@ async function main(): Promise<void> {
   process.stdout.write(formatCredentialResponse(creds));
 }
 
+// ---------------------------------------------------------------------------
+// Agent connection
+// ---------------------------------------------------------------------------
+
+/**
+ * Connect to the Web5 agent and return the identity DID and its BearerDid.
+ *
+ * Resolves the active profile (env, git config, global default, or single
+ * fallback) and connects using the profile's agent data path.  Falls back
+ * to the legacy CWD-relative `DATA/AGENT` path when no profile exists.
+ */
+async function connectForCredentials(
+  password: string,
+): Promise<{ did: string; bearerDid: BearerDid }> {
+  // Resolve profile (env, git config, global default, single fallback).
+  // When a profile exists, the agent lives at ~/.enbox/profiles/<name>/DATA/AGENT.
+  // Otherwise, fall back to the CWD-relative default path (legacy).
+  const profileName = resolveProfile();
+  const dataPath = profileName ? profileDataPath(profileName) : undefined;
+
+  const agent = await Web5UserAgent.create(dataPath ? { dataPath } : undefined);
+  await agent.start({ password });
+
+  const identities = await agent.identity.list();
+  const identity = identities[0];
+  if (!identity) {
+    throw new Error('No identity found in agent');
+  }
+
+  return { did: identity.did.uri, bearerDid: identity.did };
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------

package/src/profiles/config.ts

@@ -0,0 +1,188 @@
+/**
+ * Profile configuration — persistent config at `~/.enbox/config.json`.
+ *
+ * Manages the set of named identity profiles and the default selection.
+ * This module handles reading, writing, and resolving profiles across
+ * multiple selection sources (flag, env, git config, global default).
+ *
+ * Storage layout:
+ *   ~/.enbox/
+ *     config.json               Global config (this module)
+ *     profiles/
+ *       <name>/DATA/AGENT/...   Per-profile Web5 agent stores
+ *
+ * @module
+ */
+
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { spawnSync } from 'node:child_process';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+
+/** Base directory for all enbox data.  Override with `ENBOX_HOME`. */
+export function enboxHome(): string {
+  return process.env.ENBOX_HOME ?? join(homedir(), '.enbox');
+}
+
+/** Path to the global config file. */
+export function configPath(): string {
+  return join(enboxHome(), 'config.json');
+}
+
+/** Base directory for all profile agent data. */
+export function profilesDir(): string {
+  return join(enboxHome(), 'profiles');
+}
+
+/** Path to a specific profile's agent data directory. */
+export function profileDataPath(name: string): string {
+  return join(profilesDir(), name, 'DATA', 'AGENT');
+}
+
+// ---------------------------------------------------------------------------
+// Config types
+// ---------------------------------------------------------------------------
+
+/** Metadata about a single profile stored in config.json. */
+export type ProfileEntry = {
+  /** Display name for the profile. */
+  name : string;
+  /** The DID URI associated with this profile. */
+  did : string;
+  /** ISO 8601 timestamp when the profile was created. */
+  createdAt : string;
+};
+
+/** Top-level config.json shape. */
+export type EnboxConfig = {
+  /** Schema version for forward-compatibility. */
+  version : number;
+  /** Name of the default profile. */
+  defaultProfile : string;
+  /** Map of profile name → metadata. */
+  profiles : Record<string, ProfileEntry>;
+};
+
+// ---------------------------------------------------------------------------
+// Config I/O
+// ---------------------------------------------------------------------------
+
+/** Read the global config.  Returns a default if the file doesn't exist. */
+export function readConfig(): EnboxConfig {
+  const path = configPath();
+  if (!existsSync(path)) {
+    return { version: 1, defaultProfile: '', profiles: {} };
+  }
+  const raw = readFileSync(path, 'utf-8');
+  return JSON.parse(raw) as EnboxConfig;
+}
+
+/** Write the global config atomically. */
+export function writeConfig(config: EnboxConfig): void {
+  const path = configPath();
+  mkdirSync(join(path, '..'), { recursive: true });
+  writeFileSync(path, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+}
+
+/** Add or update a profile entry in the global config. */
+export function upsertProfile(name: string, entry: ProfileEntry): void {
+  const config = readConfig();
+  config.profiles[name] = entry;
+
+  // If this is the first profile, make it the default.
+  if (!config.defaultProfile || Object.keys(config.profiles).length === 1) {
+    config.defaultProfile = name;
+  }
+
+  writeConfig(config);
+}
+
+/** Remove a profile entry from the global config. */
+export function removeProfile(name: string): void {
+  const config = readConfig();
+  delete config.profiles[name];
+
+  // If we removed the default, pick the first remaining (or clear).
+  if (config.defaultProfile === name) {
+    const remaining = Object.keys(config.profiles);
+    config.defaultProfile = remaining[0] ?? '';
+  }
+
+  writeConfig(config);
+}
+
+/** List all profile names. */
+export function listProfiles(): string[] {
+  return Object.keys(readConfig().profiles);
+}
+
+// ---------------------------------------------------------------------------
+// Profile resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve which profile to use.
+ *
+ * Precedence (highest to lowest):
+ *   1. `--profile <name>` flag (passed as `flagProfile`)
+ *   2. `ENBOX_PROFILE` environment variable
+ *   3. `.git/config` → `[enbox] profile = <name>`
+ *   4. `~/.enbox/config.json` → `defaultProfile`
+ *   5. First (and only) profile, if exactly one exists
+ *
+ * Returns `null` when no profile can be resolved (i.e. none exist).
+ */
+export function resolveProfile(flagProfile?: string): string | null {
+  // 1. Explicit flag.
+  if (flagProfile) { return flagProfile; }
+
+  // 2. Environment variable.
+  const envProfile = process.env.ENBOX_PROFILE;
+  if (envProfile) { return envProfile; }
+
+  // 3. Per-repo git config.
+  const gitProfile = readGitConfigProfile();
+  if (gitProfile) { return gitProfile; }
+
+  // 4. Global default.
+  const config = readConfig();
+  if (config.defaultProfile) { return config.defaultProfile; }
+
+  // 5. Single profile fallback.
+  const names = Object.keys(config.profiles);
+  if (names.length === 1) { return names[0]; }
+
+  return null;
+}
+
+/**
+ * Read the `[enbox] profile` setting from the current repo's `.git/config`.
+ * Returns `null` if not in a git repo or the setting is absent.
+ */
+function readGitConfigProfile(): string | null {
+  try {
+    const result = spawnSync('git', ['config', '--local', 'enbox.profile'], {
+      stdio   : ['pipe', 'pipe', 'pipe'],
+      timeout : 2_000,
+    });
+    const value = result.stdout?.toString().trim();
+    if (result.status === 0 && value) { return value; }
+  } catch {
+    // Not in a git repo or git not available.
+  }
+  return null;
+}
+
+/**
+ * Write the `[enbox] profile` setting to the current repo's `.git/config`.
+ */
+export function setGitConfigProfile(name: string): void {
+  spawnSync('git', ['config', '--local', 'enbox.profile', name], {
+    stdio   : ['pipe', 'pipe', 'pipe'],
+    timeout : 2_000,
+  });
+}