@lobu/connector-sdk 7.1.0 → 8.0.0

package/dist/sources/cache.js

@@ -0,0 +1,169 @@
+/**
+ * Cache-layout helpers shared by all FileSystemSource implementations.
+ *
+ *   ${WORKSPACE_DIR}/.lobu-cache/sources/<sha256(uri)[:32]>/
+ *     ├── snapshot/        ← actual files (connector-visible via Snapshot.readFile)
+ *     ├── manifest.json    ← { ref, files: [{ path, sha256 }], fetched_at }
+ *     └── meta.json        ← { uri, kind }
+ *
+ *  - `WORKSPACE_DIR` env var is the cache root; falls back to `process.cwd()`.
+ *  - URI is hashed (sha256, first 32 hex chars = 128 bits) for filesystem-safe
+ *    naming. 128 bits is collision-resistant even against adversarial URIs
+ *    (1e19 URIs before 50% collision odds).
+ *  - One cache directory per URI — same URI yields the same directory across
+ *    runs so re-fetch is incremental for git, manifest-comparable for the rest.
+ *    On reuse, `meta.json`'s `uri` field is verified to match — a mismatch
+ *    (theoretical hash collision OR cache-root reuse across schemes) throws.
+ *  - The cache layout is intentionally NOT exported on the public API; this
+ *    module is internal to the SDK.
+ */
+import { createHash } from 'node:crypto';
+import { readFile, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+/** Build the cache paths for `uri`, anchored under `cacheRoot`. */
+export function cachePathsFor(uri, cacheRoot = defaultCacheRoot()) {
+    const hash = createHash('sha256').update(uri).digest('hex').slice(0, 32);
+    const root = join(cacheRoot, '.lobu-cache', 'sources', hash);
+    return {
+        root,
+        snapshotDir: join(root, 'snapshot'),
+        manifestPath: join(root, 'manifest.json'),
+        metaPath: join(root, 'meta.json'),
+    };
+}
+/**
+ * Read `meta.json` if present and assert it matches `uri`. Throws on URI
+ * mismatch (defends against an adversarial collision OR an operator copying
+ * a cache dir across sources). Returns `null` for a fresh cache.
+ */
+export async function readAndVerifyMeta(metaPath, expectedUri) {
+    const meta = await readMeta(metaPath);
+    if (!meta)
+        return null;
+    if (meta.uri !== expectedUri) {
+        throw new Error(`FileSystemSource cache mismatch: ${metaPath} belongs to ${meta.uri}, ` +
+            `but ${expectedUri} was requested. Refusing to reuse cache directory.`);
+    }
+    return meta;
+}
+/**
+ * Like `readAndVerifyMeta`, but rejects when the cache is uninitialised.
+ * Use this from `diffSinceRef()` paths — calling diff before fetch is a
+ * caller bug, and a missing meta also means a stale/collided cache dir
+ * should not be silently consumed.
+ */
+export async function requireMeta(metaPath, expectedUri) {
+    const meta = await readAndVerifyMeta(metaPath, expectedUri);
+    if (!meta) {
+        throw new Error(`FileSystemSource: source not fetched yet — call fetch() before diffSinceRef() (${expectedUri})`);
+    }
+    return meta;
+}
+/**
+ * Per-source mutex. Same URI → shared `Promise` chain so concurrent
+ * `fetch()` calls serialize. Process-local only — fine for the embedded
+ * worker model where one worker subprocess owns its cache.
+ *
+ * v1 limitation: two processes sharing the same
+ * `${WORKSPACE_DIR}/.lobu-cache` are NOT coordinated by this lock —
+ * each gets its own in-memory `_sourceLocks` map, and they can
+ * race-prune each other's per-ref dirs (see `pruneOldRefDirs` in each
+ * source impl). v1 assumes one cache owner per workspace. If we ever
+ * need multi-process sharing, replace this with a filesystem advisory
+ * lock (e.g. `proper-lockfile` against `${root}/.lock`) around
+ * fetch+prune.
+ *
+ * The map stores the *guarded* (error-swallowed) promise so a rejection in
+ * `fn` doesn't poison the chain. Identity comparison in `finally` uses the
+ * same stored reference, so cleanup actually removes the entry — an
+ * earlier draft created a fresh `.catch()` inside `finally` and leaked one
+ * entry per distinct URI.
+ */
+const _sourceLocks = new Map();
+export async function withSourceLock(uri, fn) {
+    const prev = _sourceLocks.get(uri) ?? Promise.resolve();
+    const next = prev.then(fn, fn);
+    const guarded = next.catch(() => undefined);
+    _sourceLocks.set(uri, guarded);
+    try {
+        return await next;
+    }
+    finally {
+        if (_sourceLocks.get(uri) === guarded) {
+            _sourceLocks.delete(uri);
+        }
+    }
+}
+/** Default cache root: `WORKSPACE_DIR` env, else `process.cwd()`. */
+export function defaultCacheRoot() {
+    return process.env.WORKSPACE_DIR ?? process.cwd();
+}
+export async function readManifest(path) {
+    try {
+        const raw = await readFile(path, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err.code === 'ENOENT')
+            return null;
+        throw err;
+    }
+}
+export async function writeManifest(path, manifest) {
+    await writeFile(path, JSON.stringify(manifest, null, 2), 'utf8');
+}
+export async function readMeta(path) {
+    try {
+        const raw = await readFile(path, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err.code === 'ENOENT')
+            return null;
+        throw err;
+    }
+}
+export async function writeMeta(path, meta) {
+    await writeFile(path, JSON.stringify(meta, null, 2), 'utf8');
+}
+/**
+ * Diff two manifests by `(path, sha256)`. Order-independent.
+ */
+export function diffManifests(prev, next) {
+    const prevMap = new Map(prev.files.map((f) => [f.path, f.sha256]));
+    const nextMap = new Map(next.files.map((f) => [f.path, f.sha256]));
+    const added = [];
+    const modified = [];
+    const removed = [];
+    for (const [path, sha] of nextMap) {
+        const prevSha = prevMap.get(path);
+        if (prevSha === undefined)
+            added.push(path);
+        else if (prevSha !== sha)
+            modified.push(path);
+    }
+    for (const path of prevMap.keys()) {
+        if (!nextMap.has(path))
+            removed.push(path);
+    }
+    return { added, modified, removed };
+}
+/**
+ * Canonicalize a manifest's `ref` from its file list:
+ *
+ *  sha256 over lines of `<path>\0<sha256>\n`, sorted by path.
+ *
+ * Deterministic across runs and platforms.
+ */
+export function canonicalManifestRef(files) {
+    const sorted = [...files].sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
+    const h = createHash('sha256');
+    for (const f of sorted) {
+        h.update(f.path);
+        h.update('\0');
+        h.update(f.sha256);
+        h.update('\n');
+    }
+    return h.digest('hex');
+}
+//# sourceMappingURL=cache.js.map

package/dist/sources/cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.js","sourceRoot":"","sources":["../../src/sources/cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AA+BjC,mEAAmE;AACnE,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,YAAoB,gBAAgB,EAAE;IAC/E,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,aAAa,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC7D,OAAO;QACL,IAAI;QACJ,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC;QACnC,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE,eAAe,CAAC;QACzC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC;KAClC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAgB,EAChB,WAAmB;IAEnB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,IAAI,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,oCAAoC,QAAQ,eAAe,IAAI,CAAC,GAAG,IAAI;YACrE,OAAO,WAAW,oDAAoD,CACzE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,QAAgB,EAAE,WAAmB;IACrE,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAC5D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,kFAAkF,WAAW,GAAG,CACjG,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,YAAY,GAAG,IAAI,GAAG,EAA4B,CAAC;AACzD,MAAM,CAAC,KAAK,UAAU,cAAc,CAAI,GAAW,EAAE,EAAoB;IACvE,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC5C,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,MAAM,IAAI,CAAC;IACpB,CAAC;YAAS,CAAC;QACT,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,OAAO,EAAE,CAAC;YACtC,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,MAAM,UAAU,gBAAgB;IAC9B,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAY;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAClE,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAY,EAAE,QAAkB;IAClE,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAY;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACzC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAc,CAAC;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAClE,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAY,EAAE,IAAe;IAC3D,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,IAAc,EACd,IAAc;IAEd,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAEnE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,OAAO,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,OAAO,KAAK,SAAS;YAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;aACvC,IAAI,OAAO,KAAK,GAAG;YAAE,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAsB;IACzD,MAAM,MAAM,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3F,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACf,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzB,CAAC"}

package/dist/sources/git-file-source.d.ts

@@ -0,0 +1,33 @@
+/**
+ * GitFileSource — shallow git clone backed by `isomorphic-git`.
+ *
+ *  - URI shape: `git+https://github.com/owner/repo.git[@<ref>]`. Ref may be
+ *    a branch name, tag, or full commit SHA. If omitted, defaults to `main`.
+ *  - Initial fetch: shallow clone (`depth: 1`, `singleBranch: true`).
+ *  - Subsequent fetch: `git.fetch` against the same single branch with
+ *    `depth: 1` — pulls only the new tip if upstream advanced.
+ *  - `ref` = `resolveRef('HEAD')` (full commit SHA).
+ *  - `diffSinceRef(prevRef)` walks two trees with `git.walk` and classifies
+ *    each path by OID equality (`added`/`modified`/`removed`).
+ *
+ * Caveats called out in JSDoc rather than hidden:
+ *
+ *  - With `depth: 1`, history before the current tip is NOT in the local
+ *    repo. `git.walk` requires both trees to be reachable; if the caller
+ *    passes a `prevRef` we no longer have on disk we throw a clear error.
+ *  - Snapshot reads point at the working tree inside the cache. Git itself
+ *    is not exposed.
+ */
+import type { FileDelta, FileSystemSource, Snapshot } from '../file-source.js';
+export interface ParsedGitUri {
+    url: string;
+    ref: string;
+}
+export declare function parseGitUri(uri: string): ParsedGitUri;
+export declare class GitFileSource implements FileSystemSource {
+    #private;
+    constructor(uri: string);
+    fetch(): Promise<Snapshot>;
+    diffSinceRef(prevRef: string): Promise<FileDelta>;
+}
+//# sourceMappingURL=git-file-source.d.ts.map

package/dist/sources/git-file-source.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-file-source.d.ts","sourceRoot":"","sources":["../../src/sources/git-file-source.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAUH,OAAO,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAiB/E,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY,CAkBrD;AAED,qBAAa,aAAc,YAAW,gBAAgB;;gBAKxC,GAAG,EAAE,MAAM;IAMvB,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC;IAmD1B,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA2DlD"}

package/dist/sources/git-file-source.js

@@ -0,0 +1,207 @@
+/**
+ * GitFileSource — shallow git clone backed by `isomorphic-git`.
+ *
+ *  - URI shape: `git+https://github.com/owner/repo.git[@<ref>]`. Ref may be
+ *    a branch name, tag, or full commit SHA. If omitted, defaults to `main`.
+ *  - Initial fetch: shallow clone (`depth: 1`, `singleBranch: true`).
+ *  - Subsequent fetch: `git.fetch` against the same single branch with
+ *    `depth: 1` — pulls only the new tip if upstream advanced.
+ *  - `ref` = `resolveRef('HEAD')` (full commit SHA).
+ *  - `diffSinceRef(prevRef)` walks two trees with `git.walk` and classifies
+ *    each path by OID equality (`added`/`modified`/`removed`).
+ *
+ * Caveats called out in JSDoc rather than hidden:
+ *
+ *  - With `depth: 1`, history before the current tip is NOT in the local
+ *    repo. `git.walk` requires both trees to be reachable; if the caller
+ *    passes a `prevRef` we no longer have on disk we throw a clear error.
+ *  - Snapshot reads point at the working tree inside the cache. Git itself
+ *    is not exposed.
+ */
+import { mkdir, readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import * as git from 'isomorphic-git';
+// `fs` is passed as a plain Node fs module — isomorphic-git accepts it.
+// We import the callback-style module so isomorphic-git's promisified
+// adapter works out of the box (it auto-detects promises if present).
+import nodeFs from 'node:fs';
+import { cachePathsFor, readAndVerifyMeta, requireMeta, withSourceLock, writeMeta, } from './cache.js';
+import { GitSnapshot } from './git-snapshot.js';
+// Custom https-only http client — rejects plaintext redirects that the
+// stock `isomorphic-git/http/node` (simple-get under the hood) would
+// silently follow.
+import { gitHttpsOnlyClient as http } from './git-http.js';
+const DEFAULT_BRANCH = 'main';
+export function parseGitUri(uri) {
+    if (uri.startsWith('git+http://')) {
+        throw new Error('GitFileSource: plaintext HTTP rejected, use git+https://');
+    }
+    if (!uri.startsWith('git+https://')) {
+        throw new Error(`GitFileSource: expected git+https:// URI, got ${uri}`);
+    }
+    const stripped = uri.slice('git+'.length); // → https://...
+    // Split on the LAST `@` that follows the host's `/`, not the user@host form.
+    const slashIdx = stripped.indexOf('/', stripped.indexOf('://') + 3);
+    const atIdx = slashIdx === -1 ? -1 : stripped.lastIndexOf('@');
+    if (atIdx > slashIdx) {
+        return {
+            url: stripped.slice(0, atIdx),
+            ref: stripped.slice(atIdx + 1) || DEFAULT_BRANCH,
+        };
+    }
+    return { url: stripped, ref: DEFAULT_BRANCH };
+}
+export class GitFileSource {
+    #uri;
+    #parsed;
+    #paths;
+    constructor(uri) {
+        this.#uri = uri;
+        this.#parsed = parseGitUri(uri);
+        this.#paths = cachePathsFor(uri);
+    }
+    fetch() {
+        return withSourceLock(this.#uri, () => this.#fetchLocked());
+    }
+    async #fetchLocked() {
+        await mkdir(this.#paths.root, { recursive: true });
+        await readAndVerifyMeta(this.#paths.metaPath, this.#uri);
+        const dir = this.#paths.snapshotDir;
+        // Detect whether we already have a clone.
+        const alreadyCloned = await pathExists(join(dir, '.git'));
+        if (!alreadyCloned) {
+            await mkdir(dir, { recursive: true });
+            await git.clone({
+                fs: nodeFs,
+                http,
+                dir,
+                url: this.#parsed.url,
+                ref: this.#parsed.ref,
+                singleBranch: true,
+                depth: 1,
+            });
+        }
+        else {
+            // Existing repo — fetch the same branch shallow.
+            await git.fetch({
+                fs: nodeFs,
+                http,
+                dir,
+                ref: this.#parsed.ref,
+                singleBranch: true,
+                depth: 1,
+                tags: false,
+            });
+            // Move HEAD/working tree to the fetched tip.
+            await git.checkout({
+                fs: nodeFs,
+                dir,
+                ref: this.#parsed.ref,
+                force: true,
+            });
+        }
+        const ref = await git.resolveRef({ fs: nodeFs, dir, ref: 'HEAD' });
+        await writeMeta(this.#paths.metaPath, { uri: this.#uri, kind: 'git' });
+        // Read from the captured commit's tree/blobs — immutable view even if a
+        // later fetch() moves HEAD or rewrites the working tree on disk.
+        return new GitSnapshot(dir, ref, nodeFs, { exclude: isGitInternalPath });
+    }
+    diffSinceRef(prevRef) {
+        return withSourceLock(this.#uri, () => this.#diffLocked(prevRef));
+    }
+    async #diffLocked(prevRef) {
+        await requireMeta(this.#paths.metaPath, this.#uri);
+        const dir = this.#paths.snapshotDir;
+        const currentRef = await git.resolveRef({ fs: nodeFs, dir, ref: 'HEAD' });
+        if (currentRef === prevRef)
+            return { added: [], modified: [], removed: [] };
+        // If `prevRef` isn't reachable in the local (shallow) repo, return a
+        // full-reingest delta — every current file as `added`. Matches the
+        // tarball and local-source contract: an unknown prevRef yields a
+        // re-ingest, never a thrown error.
+        let prevReachable = true;
+        try {
+            await git.readCommit({ fs: nodeFs, dir, oid: prevRef });
+        }
+        catch {
+            prevReachable = false;
+        }
+        if (!prevReachable) {
+            const allFiles = await listCurrentFiles(dir, currentRef);
+            return { added: allFiles, modified: [], removed: [] };
+        }
+        const added = [];
+        const modified = [];
+        const removed = [];
+        await git.walk({
+            fs: nodeFs,
+            dir,
+            trees: [git.TREE({ ref: prevRef }), git.TREE({ ref: currentRef })],
+            map: async (filepath, entries) => {
+                // The root entry has filepath '.'. Don't classify it but DO let the
+                // walk descend (returning null prunes the subtree).
+                if (filepath === '.')
+                    return undefined;
+                if (!entries)
+                    return undefined;
+                const [a, b] = entries;
+                // Skip directories — they're emitted as their own map() calls; we
+                // only classify file (blob) entries.
+                const aType = a ? await a.type() : null;
+                const bType = b ? await b.type() : null;
+                if (aType === 'tree' || bType === 'tree')
+                    return undefined;
+                const aOid = aType ? await a.oid() : null;
+                const bOid = bType ? await b.oid() : null;
+                if (aOid === null && bOid !== null)
+                    added.push(filepath);
+                else if (aOid !== null && bOid === null)
+                    removed.push(filepath);
+                else if (aOid !== null && bOid !== null && aOid !== bOid)
+                    modified.push(filepath);
+                return undefined;
+            },
+        });
+        return { added, modified, removed };
+    }
+}
+/** Walk a commit's tree and return every blob path (POSIX-separated). */
+async function listCurrentFiles(dir, ref) {
+    const collected = [];
+    await git.walk({
+        fs: nodeFs,
+        dir,
+        trees: [git.TREE({ ref })],
+        map: async (filepath, entries) => {
+            if (filepath === '.')
+                return undefined;
+            if (!entries)
+                return undefined;
+            const [entry] = entries;
+            if (!entry)
+                return undefined;
+            const type = await entry.type();
+            if (type === 'blob')
+                collected.push(filepath);
+            return undefined;
+        },
+    });
+    return collected;
+}
+/** Filter for git internals — matches `.git` itself and anything under it. */
+function isGitInternalPath(rel) {
+    return rel === '.git' || rel.startsWith('.git/');
+}
+async function pathExists(p) {
+    try {
+        await readFile(p).catch(async () => {
+            const { stat } = await import('node:fs/promises');
+            await stat(p);
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=git-file-source.js.map

package/dist/sources/git-file-source.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-file-source.js","sourceRoot":"","sources":["../../src/sources/git-file-source.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,wEAAwE;AACxE,sEAAsE;AACtE,sEAAsE;AACtE,OAAO,MAAM,MAAM,SAAS,CAAC;AAG7B,OAAO,EAEL,aAAa,EACb,iBAAiB,EACjB,WAAW,EACX,cAAc,EACd,SAAS,GACV,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,uEAAuE;AACvE,qEAAqE;AACrE,mBAAmB;AACnB,OAAO,EAAE,kBAAkB,IAAI,IAAI,EAAE,MAAM,eAAe,CAAC;AAE3D,MAAM,cAAc,GAAG,MAAM,CAAC;AAO9B,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,iDAAiD,GAAG,EAAE,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB;IAC3D,6EAA6E;IAC7E,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,KAAK,GAAG,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAC/D,IAAI,KAAK,GAAG,QAAQ,EAAE,CAAC;QACrB,OAAO;YACL,GAAG,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC;YAC7B,GAAG,EAAE,QAAQ,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,cAAc;SACjD,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,OAAO,aAAa;IACf,IAAI,CAAS;IACb,OAAO,CAAe;IACtB,MAAM,CAAa;IAE5B,YAAY,GAAW;QACrB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC;QAChB,IAAI,CAAC,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,KAAK;QACH,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;QAEpC,0CAA0C;QAC1C,MAAM,aAAa,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;QAE1D,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACtC,MAAM,GAAG,CAAC,KAAK,CAAC;gBACd,EAAE,EAAE,MAAM;gBACV,IAAI;gBACJ,GAAG;gBACH,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;gBACrB,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;gBACrB,YAAY,EAAE,IAAI;gBAClB,KAAK,EAAE,CAAC;aACT,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,MAAM,GAAG,CAAC,KAAK,CAAC;gBACd,EAAE,EAAE,MAAM;gBACV,IAAI;gBACJ,GAAG;gBACH,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;gBACrB,YAAY,EAAE,IAAI;gBAClB,KAAK,EAAE,CAAC;gBACR,IAAI,EAAE,KAAK;aACZ,CAAC,CAAC;YACH,6CAA6C;YAC7C,MAAM,GAAG,CAAC,QAAQ,CAAC;gBACjB,EAAE,EAAE,MAAM;gBACV,GAAG;gBACH,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;gBACrB,KAAK,EAAE,IAAI;aACZ,CAAC,CAAC;QACL,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;QACnE,MAAM,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAEvE,wEAAwE;QACxE,iEAAiE;QACjE,OAAO,IAAI,WAAW,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,YAAY,CAAC,OAAe;QAC1B,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAe;QAC/B,MAAM,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;QACpC,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1E,IAAI,UAAU,KAAK,OAAO;YAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAE5E,qEAAqE;QACrE,mEAAmE;QACnE,iEAAiE;QACjE,mCAAmC;QACnC,IAAI,aAAa,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,aAAa,GAAG,KAAK,CAAC;QACxB,CAAC;QACD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YACzD,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACxD,CAAC;QAED,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAa,EAAE,CAAC;QAE7B,MAAM,GAAG,CAAC,IAAI,CAAC;YACb,EAAE,EAAE,MAAM;YACV,GAAG;YACH,KAAK,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;YAClE,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE;gBAC/B,oEAAoE;gBACpE,oDAAoD;gBACpD,IAAI,QAAQ,KAAK,GAAG;oBAAE,OAAO,SAAS,CAAC;gBACvC,IAAI,CAAC,OAAO;oBAAE,OAAO,SAAS,CAAC;gBAC/B,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,OAAO,CAAC;gBAEvB,kEAAkE;gBAClE,qCAAqC;gBACrC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBACxC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBACxC,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,MAAM;oBAAE,OAAO,SAAS,CAAC;gBAE3D,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;gBAE3C,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI;oBAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;qBACpD,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;qBAC3D,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI;oBAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAElF,OAAO,SAAS,CAAC;YACnB,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IACtC,CAAC;CACF;AAED,yEAAyE;AACzE,KAAK,UAAU,gBAAgB,CAAC,GAAW,EAAE,GAAW;IACtD,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,MAAM,GAAG,CAAC,IAAI,CAAC;QACb,EAAE,EAAE,MAAM;QACV,GAAG;QACH,KAAK,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QAC1B,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE;YAC/B,IAAI,QAAQ,KAAK,GAAG;gBAAE,OAAO,SAAS,CAAC;YACvC,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YAC/B,MAAM,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC;YACxB,IAAI,CAAC,KAAK;gBAAE,OAAO,SAAS,CAAC;YAC7B,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;YAChC,IAAI,IAAI,KAAK,MAAM;gBAAE,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9C,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC,CAAC;IACH,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,SAAS,iBAAiB,CAAC,GAAW;IACpC,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,CAAS;IACjC,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE;YACjC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;YAClD,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/sources/git-http.d.ts

@@ -0,0 +1,48 @@
+/**
+ * HttpClient for isomorphic-git that:
+ *
+ *  - Talks https only — refuses to issue any request whose URL is not
+ *    `https://...`.
+ *  - Follows redirects manually (max 5 hops). Every `Location` is re-validated
+ *    https before the next request — closes the https-to-http downgrade hole
+ *    that an https endpoint replying with `Location: http://...` would
+ *    otherwise open against the default `isomorphic-git/http/node` impl
+ *    (which uses `simple-get`'s built-in redirect follower and does NOT
+ *    enforce a scheme on the next hop).
+ *
+ * Implemented on top of Node's `https.request` so the SDK doesn't pull in
+ * an extra HTTP client. The body-as-async-iterator contract matches
+ * isomorphic-git's `GitHttpRequest` / `GitHttpResponse` types.
+ */
+interface GitHttpRequest {
+    url: string;
+    method?: string;
+    headers?: Record<string, string>;
+    body?: AsyncIterable<Uint8Array> | Uint8Array | Buffer;
+}
+interface GitHttpResponse {
+    url: string;
+    method: string;
+    statusCode: number;
+    statusMessage: string;
+    headers: Record<string, string>;
+    body: AsyncIterableIterator<Uint8Array>;
+}
+/**
+ * Send `req`, manually following 3xx redirects up to MAX_REDIRECTS. Every
+ * hop validates the next URL is https. On a 30x→non-https Location, throws.
+ *
+ * Per RFC 7231 §6.4: 301/302/303 turn POST into GET and drop the request
+ * body; 307/308 preserve the method and body. isomorphic-git's traffic is
+ * GET (info/refs) and POST (upload-pack / receive-pack). For a POST that
+ * gets redirected with a method-changing status we drop the body — git
+ * smart servers don't typically issue method-changing redirects mid-flow,
+ * but if they did, the resulting GET would surface as a server-side error
+ * rather than silently completing.
+ */
+export declare function gitHttpRequest(req: GitHttpRequest): Promise<GitHttpResponse>;
+export declare const gitHttpsOnlyClient: {
+    request: typeof gitHttpRequest;
+};
+export {};
+//# sourceMappingURL=git-http.d.ts.map

package/dist/sources/git-http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-http.d.ts","sourceRoot":"","sources":["../../src/sources/git-http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAMH,UAAU,cAAc;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,aAAa,CAAC,UAAU,CAAC,GAAG,UAAU,GAAG,MAAM,CAAC;CACxD;AAED,UAAU,eAAe;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,qBAAqB,CAAC,UAAU,CAAC,CAAC;CACzC;AAgGD;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAkElF;AAED,eAAO,MAAM,kBAAkB;;CAA8B,CAAC"}

package/dist/sources/git-http.js

@@ -0,0 +1,179 @@
+/**
+ * HttpClient for isomorphic-git that:
+ *
+ *  - Talks https only — refuses to issue any request whose URL is not
+ *    `https://...`.
+ *  - Follows redirects manually (max 5 hops). Every `Location` is re-validated
+ *    https before the next request — closes the https-to-http downgrade hole
+ *    that an https endpoint replying with `Location: http://...` would
+ *    otherwise open against the default `isomorphic-git/http/node` impl
+ *    (which uses `simple-get`'s built-in redirect follower and does NOT
+ *    enforce a scheme on the next hop).
+ *
+ * Implemented on top of Node's `https.request` so the SDK doesn't pull in
+ * an extra HTTP client. The body-as-async-iterator contract matches
+ * isomorphic-git's `GitHttpRequest` / `GitHttpResponse` types.
+ */
+import { request as httpsRequest } from 'node:https';
+import { Readable } from 'node:stream';
+const MAX_REDIRECTS = 5;
+async function bodyToBuffer(body) {
+    if (!body)
+        return undefined;
+    if (Buffer.isBuffer(body))
+        return body;
+    if (body instanceof Uint8Array)
+        return Buffer.from(body);
+    const chunks = [];
+    for await (const chunk of body) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    return Buffer.concat(chunks);
+}
+function flattenHeaders(raw) {
+    const out = {};
+    for (const [k, v] of Object.entries(raw)) {
+        if (v === undefined)
+            continue;
+        out[k] = Array.isArray(v) ? v.join(', ') : v;
+    }
+    return out;
+}
+function nodeStreamToAsyncIterableIterator(stream) {
+    // IncomingMessage is already AsyncIterable<Buffer>. Wrap it as an
+    // AsyncIterableIterator since that's what isomorphic-git's type
+    // demands (it has a `next()` method).
+    const iter = stream[Symbol.asyncIterator]();
+    return {
+        next: () => iter.next(),
+        return: iter.return ? (v) => iter.return(v) : undefined,
+        throw: iter.throw ? (e) => iter.throw(e) : undefined,
+        [Symbol.asyncIterator]() {
+            return this;
+        },
+    };
+}
+async function singleRequest(req) {
+    if (!req.url.startsWith('https://')) {
+        throw new Error(`GitFileSource: refusing non-https request: ${req.url}`);
+    }
+    const parsed = new URL(req.url);
+    const bodyBuf = await bodyToBuffer(req.body);
+    const method = (req.method ?? 'GET').toUpperCase();
+    const headers = { ...(req.headers ?? {}) };
+    if (bodyBuf) {
+        headers['content-length'] = bodyBuf.length;
+    }
+    return new Promise((resolve, reject) => {
+        const r = httpsRequest({
+            protocol: parsed.protocol,
+            hostname: parsed.hostname,
+            port: parsed.port || undefined,
+            path: `${parsed.pathname}${parsed.search}`,
+            method,
+            headers,
+        }, (res) => {
+            resolve({
+                statusCode: res.statusCode ?? 0,
+                statusMessage: res.statusMessage ?? '',
+                headers: flattenHeaders(res.headers),
+                bodyStream: res,
+                url: req.url,
+            });
+        });
+        r.on('error', reject);
+        if (bodyBuf)
+            r.write(bodyBuf);
+        r.end();
+    });
+}
+async function drain(stream) {
+    return new Promise((resolve) => {
+        stream.on('data', () => undefined);
+        stream.on('end', () => resolve());
+        stream.on('error', () => resolve());
+        stream.resume();
+    });
+}
+/**
+ * Send `req`, manually following 3xx redirects up to MAX_REDIRECTS. Every
+ * hop validates the next URL is https. On a 30x→non-https Location, throws.
+ *
+ * Per RFC 7231 §6.4: 301/302/303 turn POST into GET and drop the request
+ * body; 307/308 preserve the method and body. isomorphic-git's traffic is
+ * GET (info/refs) and POST (upload-pack / receive-pack). For a POST that
+ * gets redirected with a method-changing status we drop the body — git
+ * smart servers don't typically issue method-changing redirects mid-flow,
+ * but if they did, the resulting GET would surface as a server-side error
+ * rather than silently completing.
+ */
+export async function gitHttpRequest(req) {
+    let cur = req;
+    let lastBuffered;
+    for (let i = 0; i <= MAX_REDIRECTS; i++) {
+        if (cur.body && !Buffer.isBuffer(cur.body) && !(cur.body instanceof Uint8Array)) {
+            // Eagerly buffer the body so a redirect can replay it without
+            // re-consuming an already-iterated source.
+            lastBuffered = await bodyToBuffer(cur.body);
+            cur = { ...cur, body: lastBuffered };
+        }
+        const res = await singleRequest(cur);
+        const status = res.statusCode;
+        const isRedirect = status >= 300 && status < 400 && res.headers['location'];
+        if (!isRedirect) {
+            return {
+                url: res.url,
+                method: cur.method ?? 'GET',
+                statusCode: status,
+                statusMessage: res.statusMessage,
+                headers: res.headers,
+                body: nodeStreamToAsyncIterableIterator(res.bodyStream),
+            };
+        }
+        const locHeader = res.headers['location'];
+        if (!locHeader) {
+            return {
+                url: res.url,
+                method: cur.method ?? 'GET',
+                statusCode: status,
+                statusMessage: res.statusMessage,
+                headers: res.headers,
+                body: nodeStreamToAsyncIterableIterator(res.bodyStream),
+            };
+        }
+        let nextUrl;
+        try {
+            nextUrl = new URL(locHeader, cur.url).toString();
+        }
+        catch {
+            throw new Error(`GitFileSource: invalid redirect location: ${locHeader}`);
+        }
+        if (!nextUrl.startsWith('https://')) {
+            throw new Error(`GitFileSource: redirect to plaintext URL rejected: ${nextUrl}`);
+        }
+        // Drain the redirect's body so the socket can be reused.
+        await drain(res.bodyStream);
+        // RFC 7231 §6.4.2/6.4.3: 301/302/303 strip the body and change the
+        // method to GET. 307/308 preserve method + body.
+        let nextMethod = cur.method ?? 'GET';
+        let nextBody = lastBuffered;
+        if (status === 301 || status === 302 || status === 303) {
+            if (nextMethod !== 'GET' && nextMethod !== 'HEAD') {
+                nextMethod = 'GET';
+                nextBody = undefined;
+            }
+        }
+        cur = {
+            url: nextUrl,
+            method: nextMethod,
+            headers: { ...(cur.headers ?? {}) },
+            body: nextBody,
+        };
+    }
+    throw new Error(`GitFileSource: too many redirects (>${MAX_REDIRECTS}) for ${req.url}`);
+}
+export const gitHttpsOnlyClient = { request: gitHttpRequest };
+// Force Readable import to be retained (avoids unused-import elision and
+// keeps the contract explicit for future stream-conversion changes).
+void Readable;
+//# sourceMappingURL=git-http.js.map