@usecontextlayer/pggit 1.0.0

package/dist/index.mjs

@@ -0,0 +1,1362 @@
+import { gunzipSync } from "node:zlib";
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { AsyncLocalStorage } from "node:async_hooks";
+import { performance } from "node:perf_hooks";
+import { Kysely, sql } from "kysely";
+import { PostgresJSDialect } from "kysely-postgres-js";
+
+//#region src/instrument.ts
+const als = new AsyncLocalStorage();
+const collected = [];
+function newCollector(method, path) {
+	return {
+		counters: /* @__PURE__ */ new Map(),
+		current: "request",
+		label: "",
+		method,
+		path,
+		phaseMs: /* @__PURE__ */ new Map(),
+		queries: []
+	};
+}
+/** Run `fn` inside a fresh per-request collector; record the collector when done. */
+async function runRequest(meta, fn) {
+	const collector = newCollector(meta.method, meta.path);
+	return als.run(collector, async () => {
+		try {
+			return await fn();
+		} finally {
+			collected.push(collector);
+		}
+	});
+}
+/** Measure `fn`'s wall time into the active collector under `name`; no-op when inactive. */
+async function withPhase(name, fn) {
+	const collector = als.getStore();
+	if (!collector) return fn();
+	const previous = collector.current;
+	collector.current = name;
+	const start = performance.now();
+	try {
+		return await fn();
+	} finally {
+		const elapsed = performance.now() - start;
+		collector.phaseMs.set(name, (collector.phaseMs.get(name) ?? 0) + elapsed);
+		collector.current = previous;
+	}
+}
+function count(metric, n = 1) {
+	const collector = als.getStore();
+	if (!collector) return;
+	collector.counters.set(metric, (collector.counters.get(metric) ?? 0) + n);
+}
+function label(name) {
+	const collector = als.getStore();
+	if (collector) collector.label = name;
+}
+function recordQuery(sql, durationMs) {
+	const collector = als.getStore();
+	if (!collector) return;
+	collector.queries.push({
+		durationMs,
+		phase: collector.current,
+		sql
+	});
+}
+
+//#endregion
+//#region src/protocol/errors.ts
+/**
+* A malformed-request / unsupported-capability error detected at the git wire
+* boundary (bad command list, unknown command, unsupported object-format or
+* filter, a request body in an encoding we don't accept). It is the CLIENT's
+* fault, so the HTTP layer maps it to a 400 with the message — distinct from an
+* internal failure (a missing object mid-serve, a DB error), which stays a 500.
+* Validate at the boundary, fail loud, and let the type carry the status.
+*/
+var GitProtocolError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "GitProtocolError";
+	}
+};
+/**
+* A fetch `want` names an object this repo does not have — a CLIENT condition (a
+* stale/force-pushed tip, a lost promisor blob), not an internal failure. Real git
+* upload-pack answers it IN-BAND with `ERR upload-pack: not our ref <oid>` (an HTTP
+* 200 protocol error the client reads), so it must NOT escape as a 500. Carries the
+* absent OIDs; `handleFetch` maps it to the ERR pkt-line. Distinct from a generic
+* `Error` out of the serve path (a real backend fault), which still propagates → 500.
+*/
+var WantNotFoundError = class extends Error {
+	oids;
+	constructor(oids) {
+		super(`upload-pack: not our ref ${oids.join(" ")}`);
+		this.oids = oids;
+		this.name = "WantNotFoundError";
+	}
+};
+
+//#endregion
+//#region src/protocol/pkt-line.ts
+/**
+* pkt-line framing (git wire protocol). A pkt-line is a 4-byte hex length prefix
+* (the length INCLUDES the 4 prefix bytes) followed by `length - 4` payload bytes.
+* Three special zero-payload packets: flush `0000`, delim `0001`, response-end
+* `0002`. See gitprotocol-common + design spec §5.
+*/
+const FLUSH_PKT = Buffer.from("0000", "latin1");
+const DELIM_PKT = Buffer.from("0001", "latin1");
+const RESPONSE_END_PKT = Buffer.from("0002", "latin1");
+/** Largest payload we will emit (git's conservative writer cap). */
+const WRITER_MAX_PAYLOAD = 65515;
+/** Largest payload we will accept on read (git's LARGE_PACKET_DATA_MAX). */
+const READER_MAX_PAYLOAD = 65516;
+/** Frame a data payload as a pkt-line: `<4-hex len><payload>`. */
+function encodePktLine(payload) {
+	if (payload.length > 65515) throw new Error(`pkt-line: payload ${payload.length} exceeds writer cap ${WRITER_MAX_PAYLOAD}`);
+	const prefix = (payload.length + 4).toString(16).padStart(4, "0");
+	return Buffer.concat([Buffer.from(prefix, "latin1"), payload]);
+}
+/** Frame any packet — data or one of the three special zero-payload markers. */
+function encodePkt(pkt) {
+	switch (pkt.type) {
+		case "data": return encodePktLine(pkt.payload);
+		case "flush": return FLUSH_PKT;
+		case "delim": return DELIM_PKT;
+		case "response-end": return RESPONSE_END_PKT;
+	}
+}
+function parseLen(buf, offset) {
+	const hex = buf.toString("latin1", offset, offset + 4);
+	if (!/^[0-9a-f]{4}$/i.test(hex)) throw new GitProtocolError(`pkt-line: invalid length prefix ${JSON.stringify(hex)}`);
+	return Number.parseInt(hex, 16);
+}
+/**
+* Decode a buffer into a sequence of packets. Streaming-safe: a trailing
+* partial packet is left in `rest` for the caller to prepend to the next chunk.
+*
+* With `stopAtFlush`, decoding returns at the first flush (which is NOT included
+* in `packets`), leaving the bytes after it in `rest`. The receive-pack request
+* splits here: a pkt-line command list, a flush, then the raw (un-framed) pack.
+*
+* `flushed` reports whether a flush actually terminated the stream in
+* `stopAtFlush` mode — the parser uses it to reject an unterminated command list
+* on a COMPLETE request body (where "more bytes coming" is not an option).
+*/
+function decodePktStream(buf, opts = {}) {
+	const packets = [];
+	let offset = 0;
+	while (offset + 4 <= buf.length) {
+		const len = parseLen(buf, offset);
+		if (len === 0) {
+			offset += 4;
+			if (opts.stopAtFlush) return {
+				flushed: true,
+				packets,
+				rest: buf.subarray(offset)
+			};
+			packets.push({ type: "flush" });
+			continue;
+		}
+		if (len === 1) {
+			packets.push({ type: "delim" });
+			offset += 4;
+			continue;
+		}
+		if (len === 2) {
+			packets.push({ type: "response-end" });
+			offset += 4;
+			continue;
+		}
+		if (len === 3) throw new GitProtocolError("pkt-line: reserved length 0003");
+		const payloadLen = len - 4;
+		if (payloadLen > 65516) throw new GitProtocolError(`pkt-line: declared payload ${payloadLen} exceeds reader bound ${READER_MAX_PAYLOAD}`);
+		if (offset + len > buf.length) break;
+		const payload = buf.subarray(offset + 4, offset + len);
+		packets.push({
+			payload,
+			type: "data"
+		});
+		offset += len;
+	}
+	return {
+		flushed: false,
+		packets,
+		rest: buf.subarray(offset)
+	};
+}
+
+//#endregion
+//#region src/protocol/capabilities.ts
+const AGENT = "pggit/0.0.0";
+/**
+* Reject a client negotiating a non-sha1 object hash. pggit is SHA-1 only (the
+* charter) and assumes 40-hex / 20-byte OIDs everywhere; a sha256 client would
+* otherwise fail deep in the parser on a 64-hex OID. Catch it at the boundary
+* with a clear message. An absent `object-format` cap defaults to sha1 (git's
+* default), so it is accepted.
+*/
+function assertSupportedObjectFormat(caps) {
+	const fmt = caps.find((c) => c.startsWith("object-format="));
+	if (fmt !== void 0 && fmt !== "object-format=sha1") throw new GitProtocolError(`unsupported ${fmt} — only object-format=sha1 is supported`);
+}
+
+//#endregion
+//#region src/protocol/sideband.ts
+const MAX_BAND_DATA = 65514;
+/**
+* Multiplex `data` onto sideband `band`: each ≤MAX_BAND_DATA slice becomes a
+* pkt-line of `[band byte | slice]`. Returns the concatenated band pkt-lines with
+* NO trailing flush — the caller owns the section framing (the `packfile\n` header
+* for fetch, the bare report for push) and appends its own flush.
+*/
+function encodeSideband(band, data) {
+	const parts = [];
+	for (let i = 0; i < data.length; i += MAX_BAND_DATA) {
+		const chunk = data.subarray(i, i + MAX_BAND_DATA);
+		parts.push(encodePktLine(Buffer.concat([Buffer.from([band]), chunk])));
+	}
+	return Buffer.concat(parts);
+}
+
+//#endregion
+//#region src/protocol/receive-pack.ts
+const ZERO_OID$1 = "0".repeat(40);
+/** A ref name longer than this (bytes) is rejected at the boundary: `git_ref`'s PK is
+* a btree on (repo_id, name) whose index entry overflows past ~2704 bytes, which
+* Postgres raises as an opaque storage error. The cap sits far above any real ref name
+* and safely under the btree limit, so a too-long name fails loud + in-band (`ng`),
+* never as an HTTP 500 that has already orphaned the ingested pack. */
+const MAX_REF_NAME_BYTES = 2e3;
+const RECEIVE_CAPS = [
+	"report-status",
+	"delete-refs",
+	"side-band-64k",
+	"atomic",
+	"object-format=sha1",
+	`agent=${AGENT}`
+];
+/**
+* v0 ref advertisement for receive-pack (push). An empty repo — the dominant
+* first-push state — emits the synthetic `0{40} capabilities^{}` line so the
+* client has somewhere to read the push capabilities.
+*/
+function encodeReceivePackAdvertisement(refs) {
+	const capStr = RECEIVE_CAPS.join(" ");
+	const lines = [];
+	if (refs.length === 0) lines.push(encodePktLine(Buffer.from(`${ZERO_OID$1} capabilities^{}\0${capStr}\n`)));
+	else refs.forEach((r, i) => {
+		const base = `${r.oid} ${r.name}`;
+		lines.push(encodePktLine(Buffer.from(i === 0 ? `${base}\0${capStr}\n` : `${base}\n`)));
+	});
+	lines.push(encodePkt({ type: "flush" }));
+	return Buffer.concat(lines);
+}
+/**
+* Parse the receive-pack POST body: a pkt-line command list (`<old> <new> <ref>`,
+* caps after a NUL on the first line), a flush, then the raw packfile.
+*/
+function parseReceivePack(body) {
+	const { packets, rest, flushed } = decodePktStream(body, { stopAtFlush: true });
+	if (!flushed && body.length > 0) throw new GitProtocolError("receive-pack: command list not terminated by a flush (truncated or length-overrunning pkt-line)");
+	const commands = [];
+	let caps = [];
+	for (const p of packets) {
+		if (p.type !== "data") continue;
+		let line = p.payload.toString("utf8").replace(/\n$/, "");
+		const nul = line.indexOf("\0");
+		if (nul >= 0) {
+			caps = line.slice(nul + 1).split(" ").filter(Boolean);
+			line = line.slice(0, nul);
+		}
+		const parts = line.split(" ");
+		const [oldOid, newOid, ref] = parts;
+		if (parts.length !== 3 || !oldOid || !newOid || !ref) throw new GitProtocolError(`receive-pack: malformed command line ${JSON.stringify(line)}`);
+		commands.push({
+			newOid,
+			oldOid,
+			ref
+		});
+	}
+	return {
+		caps,
+		commands,
+		pack: rest
+	};
+}
+/**
+* report-status: `unpack <status>` then `ok <ref>` / `ng <ref> <reason>` per
+* command, flush. When side-band-64k is negotiated the whole stream rides band 1.
+*/
+function encodeReportStatus(unpack, results, useSideband) {
+	const lines = [encodePktLine(Buffer.from(`unpack ${unpack}\n`))];
+	for (const r of results) {
+		const line = r.ok ? `ok ${r.ref}\n` : `ng ${r.ref} ${r.reason ?? "failed"}\n`;
+		lines.push(encodePktLine(Buffer.from(line)));
+	}
+	lines.push(encodePkt({ type: "flush" }));
+	const report = Buffer.concat(lines);
+	if (!useSideband) return report;
+	return Buffer.concat([encodeSideband(1, report), encodePkt({ type: "flush" })]);
+}
+/**
+* Handle a receive-pack POST: ingest the pack (if any), then apply the ref
+* commands under CAS — atomically when the client negotiated `atomic` — and
+* report status. A failed unpack fails every ref; an atomic failure ng's every
+* ref (none applied). Non-ff is accepted by default (CAS guards concurrency, not
+* ancestry — spec §3.6).
+*/
+async function handleReceivePack(body, backend) {
+	const { commands, caps, pack } = parseReceivePack(body);
+	assertSupportedObjectFormat(caps);
+	const useSideband = caps.includes("side-band-64k");
+	const atomic = caps.includes("atomic");
+	const nameTooLong = commands.map((c) => Buffer.byteLength(c.ref, "utf8") > MAX_REF_NAME_BYTES);
+	const anyApplicable = nameTooLong.length === 0 || nameTooLong.some((t) => !t);
+	let unpackStatus = "ok";
+	if (pack.length > 0 && anyApplicable) try {
+		await backend.ingest(pack);
+	} catch (e) {
+		unpackStatus = (e instanceof Error ? e.message : "unpack failed").replace(/\n/g, " ");
+	}
+	if (unpackStatus !== "ok") {
+		const failed = commands.map((c) => ({
+			ok: false,
+			reason: "unpacker error",
+			ref: c.ref
+		}));
+		return encodeReportStatus(unpackStatus, failed, useSideband);
+	}
+	const connected = await Promise.all(commands.map((c, i) => nameTooLong[i] || c.newOid === ZERO_OID$1 ? Promise.resolve(true) : backend.isConnected(c.newOid)));
+	const reasons = commands.map((_, i) => nameTooLong[i] ? "funny refname (too long to store)" : connected[i] ? null : "missing necessary objects");
+	if (atomic && reasons.some((r) => r !== null)) {
+		const failed = commands.map((c, i) => ({
+			ok: false,
+			reason: reasons[i] ?? "atomic transaction failed",
+			ref: c.ref
+		}));
+		return encodeReportStatus(unpackStatus, failed, useSideband);
+	}
+	const oks = await backend.applyRefUpdates(commands.filter((_, i) => reasons[i] === null), atomic);
+	let applied = 0;
+	const results = commands.map((c, i) => {
+		const reason = reasons[i];
+		if (reason !== null) return {
+			ok: false,
+			reason,
+			ref: c.ref
+		};
+		return oks[applied++] ? {
+			ok: true,
+			ref: c.ref
+		} : {
+			ok: false,
+			reason: atomic ? "atomic transaction failed" : "stale ref (compare-and-swap failed)",
+			ref: c.ref
+		};
+	});
+	for (const [i, c] of commands.entries()) {
+		if (!results[i]?.ok) continue;
+		try {
+			await backend.syncRefSnapshot?.(c.ref, c.newOid);
+		} catch (err) {
+			console.error(`pggit: snapshot refresh failed for ${c.ref} (the push is already applied):`, err);
+		}
+	}
+	return encodeReportStatus(unpackStatus, results, useSideband);
+}
+
+//#endregion
+//#region src/protocol/v2.ts
+/**
+* The v2 capability advertisement (GET info/refs body, minus HTTP framing).
+* We advertise ONLY what we honor (spec §4): ls-refs (with `unborn`) and fetch
+* with the `filter` (partial clone) and `include-tag` (auto-follow annotated tags)
+* features. No shallow / ref-in-want — those have no milestone owner and
+* advertising them flips clients onto unimplemented paths.
+*/
+function encodeAdvertisement() {
+	const caps = [
+		"version 2",
+		`agent=${AGENT}`,
+		"ls-refs=unborn",
+		"fetch=filter include-tag",
+		"object-format=sha1"
+	];
+	return Buffer.concat([...caps.map((c) => encodePktLine(Buffer.from(`${c}\n`))), encodePkt({ type: "flush" })]);
+}
+/** Decode a `command=… <caps> 0001 <args> 0000` v2 request body. */
+function parseV2Request(body) {
+	const { packets, rest } = decodePktStream(body);
+	if (rest.length > 0) throw new GitProtocolError(`pkt-line: ${rest.length} trailing bytes after the request — incomplete or length-overrunning packet`);
+	let command = "";
+	const capabilities = [];
+	const args = [];
+	let afterDelim = false;
+	for (const p of packets) {
+		if (p.type === "delim") {
+			afterDelim = true;
+			continue;
+		}
+		if (p.type !== "data") continue;
+		const line = p.payload.toString("utf8").replace(/\n$/, "");
+		if (afterDelim) args.push(line);
+		else if (line.startsWith("command=")) command = line.slice(8);
+		else capabilities.push(line);
+	}
+	return {
+		args,
+		capabilities,
+		command
+	};
+}
+/** Fetch features pggit deliberately does NOT advertise (encodeAdvertisement): a
+* client that drives one anyway must FAIL LOUDLY, never be silently dropped to an
+* empty result (the charter). `ref-in-want` (`want-ref`) and the `shallow`/`deepen`
+* family are the unimplemented ones. */
+const UNSUPPORTED_FETCH_ARG = /^(want-ref|deepen|shallow)\b/;
+const OID = /^[0-9a-f]{40}$/;
+function parseFetch(req) {
+	const wants = [];
+	const haves = [];
+	let done = false;
+	let filter;
+	let includeTag = false;
+	for (const arg of req.args) {
+		if (UNSUPPORTED_FETCH_ARG.test(arg)) throw new GitProtocolError(`fetch: unsupported feature ${JSON.stringify(arg.split(" ")[0])} — pggit does not advertise it`);
+		if (arg.startsWith("want ")) {
+			const oid = arg.slice(5);
+			if (!OID.test(oid)) throw new GitProtocolError(`fetch: malformed want object id ${JSON.stringify(oid)}`);
+			wants.push(oid);
+		} else if (arg.startsWith("have ")) haves.push(arg.slice(5));
+		else if (arg.startsWith("filter ")) filter = arg.slice(7);
+		else if (arg === "include-tag") includeTag = true;
+		else if (arg === "done") done = true;
+	}
+	return {
+		done,
+		filter,
+		haves,
+		includeTag,
+		wants
+	};
+}
+/** ls-refs response: one line per ref (+ symref-target / peeled), then flush. */
+function encodeLsRefsResponse(entries) {
+	const lines = entries.map((e) => {
+		let line = "unborn" in e ? `unborn ${e.name}` : `${e.oid} ${e.name}`;
+		if (e.symrefTarget) line += ` symref-target:${e.symrefTarget}`;
+		if ("peeled" in e && e.peeled) line += ` peeled:${e.peeled}`;
+		return encodePktLine(Buffer.from(`${line}\n`));
+	});
+	return Buffer.concat([...lines, encodePkt({ type: "flush" })]);
+}
+/** The `acknowledgments` section lines: header, ACKs / NAK, optional `ready`. */
+function acknowledgmentLines(common, ready) {
+	const lines = [encodePktLine(Buffer.from("acknowledgments\n"))];
+	if (common.length === 0 && !ready) lines.push(encodePktLine(Buffer.from("NAK\n")));
+	else {
+		for (const oid of common) lines.push(encodePktLine(Buffer.from(`ACK ${oid}\n`)));
+		if (ready) lines.push(encodePktLine(Buffer.from("ready\n")));
+	}
+	return Buffer.concat(lines);
+}
+/**
+* fetch `acknowledgments` response for a negotiation round that is NOT yet ready
+* (no `done`): the section + flush, no pack. The client sends more haves or
+* `done` (spec §4 shape b).
+*/
+function encodeAcknowledgments(common, ready) {
+	return Buffer.concat([acknowledgmentLines(common, ready), encodePkt({ type: "flush" })]);
+}
+/**
+* fetch response when the server becomes `ready` mid-negotiation: the
+* acknowledgments section (with `ready`), a delim-pkt, then the packfile — git
+* requires the pack to follow `ready` in the same response (not a later round).
+*/
+function encodeReadyWithPack(common, pack) {
+	return Buffer.concat([
+		acknowledgmentLines(common, true),
+		encodePkt({ type: "delim" }),
+		encodePackfileResponse(pack)
+	]);
+}
+/**
+* A v2 error response: a single `ERR <message>` pkt-line. git's packet reader
+* recognizes the `ERR ` prefix and the client dies with `remote error: <message>`
+* — the in-band channel for a request that cannot be served (e.g. a `want` the repo
+* does not have): an HTTP-200 protocol error the client can read, NOT a transport 500.
+*/
+function encodeErr(message) {
+	return encodePktLine(Buffer.from(`ERR ${message}\n`));
+}
+/**
+* fetch response for the clone path (client sent `done`, no haves): the
+* `packfile` section header, the pack multiplexed over sideband band-1, flush.
+*/
+function encodePackfileResponse(pack) {
+	return Buffer.concat([
+		encodePktLine(Buffer.from("packfile\n")),
+		encodeSideband(1, pack),
+		encodePkt({ type: "flush" })
+	]);
+}
+
+//#endregion
+//#region src/protocol/upload-pack.ts
+async function handleLsRefs(req, backend) {
+	label("ls-refs");
+	return withPhase("ref-advertise", async () => {
+		const wantPeel = req.args.includes("peel");
+		const wantSymrefs = req.args.includes("symrefs");
+		const prefixes = req.args.filter((a) => a.startsWith("ref-prefix ")).map((a) => a.slice(11));
+		const matches = (name) => prefixes.length === 0 || prefixes.some((p) => name.startsWith(p));
+		const refs = await backend.listRefs();
+		const byName = new Map(refs.map((r) => [r.name, r.oid]));
+		const entries = [];
+		const wantUnborn = req.args.includes("unborn");
+		const headTarget = await backend.getSymref("HEAD");
+		if (headTarget && matches("HEAD")) {
+			const headOid = byName.get(headTarget);
+			if (headOid) entries.push({
+				name: "HEAD",
+				oid: headOid,
+				symrefTarget: wantSymrefs ? headTarget : void 0
+			});
+			else if (wantUnborn && wantSymrefs) entries.push({
+				name: "HEAD",
+				symrefTarget: headTarget,
+				unborn: true
+			});
+		}
+		for (const ref of refs) {
+			if (!matches(ref.name)) continue;
+			const entry = {
+				name: ref.name,
+				oid: ref.oid
+			};
+			if (wantPeel && ref.peeled) entry.peeled = ref.peeled;
+			entries.push(entry);
+		}
+		return encodeLsRefsResponse(entries);
+	});
+}
+/**
+* Translate the wire filter spec to a walk option. We optimize the common
+* `blob:none` (blobless partial clone) by omitting blobs; any other filter
+* (`tree:0`, `blob:limit=…`, …) serves the FULL closure. The protocol lets a
+* server send more than a filter requests — the client accepts the superset and
+* has nothing to lazily fetch — so over-serving completes the clone that a hard
+* rejection would abort, without implementing every filter spec.
+*/
+function filterOmitsBlobs(filter) {
+	return filter === "blob:none";
+}
+async function handleFetch(req, backend) {
+	label("fetch");
+	const { wants, haves, done, filter, includeTag } = parseFetch(req);
+	const omitBlobs = filterOmitsBlobs(filter);
+	const common = await backend.commonHaves(haves);
+	try {
+		if (!done) {
+			if (!await backend.readyToGiveUp(wants, common)) return encodeAcknowledgments(common, false);
+			return encodeReadyWithPack(common, await backend.buildPack(wants, common, omitBlobs, includeTag));
+		}
+		return encodePackfileResponse(await backend.buildPack(wants, common, omitBlobs, includeTag));
+	} catch (err) {
+		if (err instanceof WantNotFoundError) return encodeErr(err.message);
+		throw err;
+	}
+}
+/** Dispatch a v2 upload-pack POST body to ls-refs or fetch. */
+async function handleUploadPack(body, backend) {
+	const req = parseV2Request(body);
+	assertSupportedObjectFormat(req.capabilities);
+	if (req.command === "ls-refs") return handleLsRefs(req, backend);
+	if (req.command === "fetch") return handleFetch(req, backend);
+	throw new GitProtocolError(`upload-pack: unsupported command ${JSON.stringify(req.command)}`);
+}
+
+//#endregion
+//#region src/object/format-error.ts
+var GitFormatError = class extends Error {
+	code;
+	constructor(code, message) {
+		super(message);
+		this.name = "GitFormatError";
+		this.code = code;
+	}
+};
+
+//#endregion
+//#region src/object/object.ts
+/** OIDs in the leading `key <oid>` headers (up to the blank line) for given keys. */
+function headerOids(content, keys) {
+	const oids = [];
+	for (const line of content.toString("latin1").split("\n")) {
+		if (line === "") break;
+		const sp = line.indexOf(" ");
+		if (sp > 0 && keys.has(line.slice(0, sp))) oids.push(line.slice(sp + 1));
+	}
+	return oids;
+}
+/** A tree's entries — `<mode> <name>\0<20-byte oid>` repeated. */
+function treeEntries(content) {
+	const entries = [];
+	let pos = 0;
+	while (pos < content.length) {
+		const space = content.indexOf(32, pos);
+		const nul = content.indexOf(0, pos);
+		if (space < 0 || nul < 0 || space > nul || nul + 21 > content.length) throw new GitFormatError("malformed-tree", `tree: malformed entry at offset ${pos}`);
+		const mode = content.subarray(pos, space).toString("latin1");
+		const name = content.subarray(space + 1, nul).toString("utf8");
+		const oid = content.subarray(nul + 1, nul + 21).toString("hex");
+		entries.push({
+			mode,
+			name,
+			oid
+		});
+		pos = nul + 21;
+	}
+	return entries;
+}
+/** A tree entry's mode marks a subtree (directory), not a blob or gitlink. */
+function isTreeEntryMode(mode) {
+	return mode === "40000";
+}
+/** A commit's root tree OID. Every commit has exactly one `tree` header. */
+function commitTreeOid(content) {
+	const [tree] = headerOids(content, /* @__PURE__ */ new Set(["tree"]));
+	if (!tree) throw new GitFormatError("missing-tree-header", "commitTreeOid: commit has no tree header");
+	return tree;
+}
+
+//#endregion
+//#region src/repo-view/build-file-list.ts
+/** Gitlink/submodule entries point at a commit in another repo — no blob here. */
+const GITLINK_MODE$1 = "160000";
+/**
+* The flat path→blob index of a commit's tree (the `git ls-tree -r` of a commit,
+* read straight from the object store): one FileEntry per blob — full path from the
+* root, raw mode, blob oid. Subtrees are recursed; gitlinks (submodules) are skipped
+* (no blob in this repo). Blob CONTENT is NOT read — it lives in git_object and is
+* joined at query time (§4.5 collapse), so this walk touches only commits + trees.
+*/
+async function buildFileList(read, commitOid) {
+	const commit = await read(commitOid);
+	const files = [];
+	const walk = async (treeOid, prefix) => {
+		const tree = await read(treeOid);
+		for (const entry of treeEntries(tree.content)) {
+			const path = prefix + entry.name;
+			if (isTreeEntryMode(entry.mode)) await walk(entry.oid, `${path}/`);
+			else if (entry.mode !== GITLINK_MODE$1) files.push({
+				blobOid: entry.oid,
+				mode: entry.mode,
+				path
+			});
+		}
+	};
+	await walk(commitTreeOid(commit.content), "");
+	return { files };
+}
+
+//#endregion
+//#region src/repo-view/config.ts
+/**
+* Which refs get a queryable file snapshot. Branches only — tags, notes, and
+* `refs/pull/*` are skipped. One edit to widen the projection later.
+*/
+const SNAPSHOT_REFS = (refName) => refName.startsWith("refs/heads/");
+
+//#endregion
+//#region src/repo-view/rebuild.ts
+const ZERO_OID = "0".repeat(40);
+/**
+* Refresh `refName`'s file snapshot after a push applied it. Non-branch refs are
+* ignored (§ SNAPSHOT_REFS); a delete (zero oid) drops the snapshot; otherwise
+* the new tip's tree is walked — objects are already present post-ingest — into a
+* fresh snapshot. Runs after the push commits, so a failure here never rolls back
+* the git operation (the projection is rebuildable from the packs).
+*/
+async function syncRefSnapshot(deps, repoId, refName, newOid) {
+	if (!SNAPSHOT_REFS(refName)) return;
+	if (newOid === ZERO_OID) {
+		await deps.snapshots.dropRefSnapshot(repoId, refName);
+		return;
+	}
+	const read = async (oid) => {
+		const obj = await deps.objects.getObject(repoId, oid);
+		if (!obj) throw new Error(`repo-view: object ${oid} missing while building ${refName}`);
+		return obj;
+	};
+	await deps.snapshots.rebuildRefSnapshot(repoId, refName, await buildFileList(read, newOid));
+}
+
+//#endregion
+//#region src/database/postgres.ts
+const EVENT_SIGNS = {
+	error: "🔴",
+	query: "🟢"
+};
+/** Wrap a porsager client in a typed Kysely. Dev builds log query/error events. */
+function initKysely(pg) {
+	return new Kysely({
+		dialect: new PostgresJSDialect({ postgres: pg }),
+		log(event) {
+			if (event.level === "query" || event.level === "error") {
+				recordQuery(event.query.sql, event.queryDurationMillis);
+				if (process.env.NODE_ENV === "development") console.debug(`${EVENT_SIGNS[event.level]} ${event.queryDurationMillis}ms ${event.query.sql}`);
+			}
+		}
+	});
+}
+
+//#endregion
+//#region src/database/copy-insert.ts
+const HEADER = Buffer.concat([Buffer.from([
+	80,
+	71,
+	67,
+	79,
+	80,
+	89,
+	10,
+	255,
+	13,
+	10,
+	0
+]), Buffer.alloc(8)]);
+const TRAILER = (() => {
+	const b = Buffer.alloc(2);
+	b.writeInt16BE(-1);
+	return b;
+})();
+function encodeValue(field) {
+	switch (field.t) {
+		case "int2": {
+			const b = Buffer.alloc(2);
+			b.writeInt16BE(field.v);
+			return b;
+		}
+		case "int4": {
+			const b = Buffer.alloc(4);
+			b.writeInt32BE(field.v);
+			return b;
+		}
+		case "int8": {
+			const b = Buffer.alloc(8);
+			b.writeBigInt64BE(BigInt(field.v));
+			return b;
+		}
+		case "bytea": return field.v;
+		case "text": return Buffer.from(field.v, "utf8");
+	}
+}
+/** Encode rows as one PGCOPY binary payload: header, then per row a field count
+* and each field as `<int32 length><raw bytes>`, then the trailer. */
+function encodeBinaryCopy(rows) {
+	const parts = [HEADER];
+	for (const row of rows) {
+		const fieldCount = Buffer.alloc(2);
+		fieldCount.writeInt16BE(row.length);
+		parts.push(fieldCount);
+		for (const field of row) {
+			const value = encodeValue(field);
+			const len = Buffer.alloc(4);
+			len.writeInt32BE(value.length);
+			parts.push(len, value);
+		}
+	}
+	parts.push(TRAILER);
+	return Buffer.concat(parts);
+}
+/**
+* COPY `rows` into `target` (a temp staging table shaped from `target`'s columns,
+* then `INSERT … SELECT … ON CONFLICT DO NOTHING`). `tx` must be a
+* transaction-scoped porsager `Sql`. `target` and `columns` are internal constants
+* (never client input), interpolated as SQL identifiers.
+*/
+async function copyInsert(tx, target, columns, rows) {
+	if (rows.length === 0) return;
+	const cols = columns.join(", ");
+	const staging = `copy_stg_${target}`;
+	await tx.unsafe(`create temp table ${staging} on commit drop as select ${cols} from ${target} with no data`);
+	const writable = await tx`copy ${tx(staging)} (${tx.unsafe(cols)}) from stdin (format binary)`.writable();
+	await new Promise((resolve, reject) => {
+		writable.on("error", reject);
+		writable.on("finish", () => resolve());
+		writable.write(encodeBinaryCopy(rows), (err) => {
+			if (err) reject(err);
+			else writable.end();
+		});
+	});
+	await tx.unsafe(`insert into ${target} (${cols}) select ${cols} from ${staging} on conflict do nothing`);
+}
+
+//#endregion
+//#region src/object/edges.ts
+/** A tree entry pointing at a commit in *another* repo — no blob, no edge here. */
+const GITLINK_MODE = "160000";
+/**
+* The blob OIDs directly in a tree — the §4.3 standing rule's other half: blobs
+* are enumerated from tree content, never stored as edges. A tree entry is a blob
+* unless it is a subtree (`deriveEdges` covers those as kind-3 edges) or a gitlink
+* (`160000`, a submodule commit living in another repo — neither blob nor edge).
+* Connectivity uses this to find the blobs a present tree requires, since no
+* tree→blob edge exists to anchor a missing one.
+*/
+function treeBlobOids(content) {
+	return treeEntries(content).filter((e) => !isTreeEntryMode(e.mode) && e.mode !== GITLINK_MODE).map((e) => e.oid);
+}
+
+//#endregion
+//#region src/pack/object-header.ts
+/**
+* Pack object header: a variable-length encoding of (type, uncompressed size)
+* that prefixes every object entry in a packfile.
+*
+* First byte: `[c|ttt|ssss]` — continuation bit `c`, 3-bit type `ttt`, low 4 bits
+* of size. Each continuation byte contributes 7 more size bits, least-significant
+* group first. See gitformat-pack.
+*
+* Size arithmetic uses `*`/`Math.floor`, NOT `<<`/`>>` — JS bitwise ops are
+* 32-bit and would corrupt object sizes ≥ 2³¹.
+*/
+const PACK_OBJ_TYPE = {
+	BLOB: 3,
+	COMMIT: 1,
+	OFS_DELTA: 6,
+	REF_DELTA: 7,
+	TAG: 4,
+	TREE: 2
+};
+
+//#endregion
+//#region src/store/reachability.ts
+/** Objects looked up per round-trip when chunking tree/blob existence queries. */
+const LOOKUP_BATCH = 1e3;
+/** Split `items` into consecutive batches of at most `size`. */
+function batches(items, size) {
+	const out = [];
+	for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
+	return out;
+}
+/**
+* The objects reachable from `roots` over the stored DAG — the ONE reachability
+* engine shared by connectivity, clone, and incremental fetch (so they can never
+* disagree). A recursive CTE walks `git_edge` (all stored kinds 1,2,3,5) for the
+* commit/tree/tag closure; the LEFT JOIN marks which are present. Blobs are not
+* edges (§4.3), so unless `omitBlobs` they are enumerated from each present tree's
+* content (mode-aware) and their presence checked. Returns the reachable set
+* partitioned into present / missing. `::bigint`/`::bytea` casts and the
+* `VALUES (…::bytea)` seed pin types in the raw CTE (the porsager driver can't
+* bind a raw `bytea[]`, OQ-13); array lookups use Kysely's `in`-expansion.
+*/
+async function reachableClosure(db, id, roots, omitBlobs) {
+	const present = /* @__PURE__ */ new Set();
+	const missing = /* @__PURE__ */ new Set();
+	if (roots.length === 0) return {
+		missing,
+		present
+	};
+	const closure = await sql`
+		with recursive closure(oid) as (
+			select oid from (values ${sql.join(roots.map((r) => sql`(${Buffer.from(r, "hex")}::bytea)`))}) as roots(oid)
+			union
+			select e.child from git_edge e
+				join closure c on e.parent = c.oid
+				where e.repo_id = ${id}::bigint
+		)
+		select c.oid, o.type
+		from closure c
+		left join git_object o on o.repo_id = ${id}::bigint and o.oid = c.oid
+	`.execute(db);
+	const treeOids = [];
+	for (const r of closure.rows) {
+		const hex = r.oid.toString("hex");
+		if (r.type === null) missing.add(hex);
+		else {
+			present.add(hex);
+			if (r.type === PACK_OBJ_TYPE.TREE) treeOids.push(r.oid);
+		}
+	}
+	if (omitBlobs || treeOids.length === 0) return {
+		missing,
+		present
+	};
+	const blobCandidates = /* @__PURE__ */ new Set();
+	for (const batch of batches(treeOids, LOOKUP_BATCH)) {
+		const trees = await db.selectFrom("git_object").select("content").where("repo_id", "=", id).where("oid", "in", batch).execute();
+		for (const t of trees) for (const blob of treeBlobOids(t.content)) blobCandidates.add(blob);
+	}
+	if (blobCandidates.size === 0) return {
+		missing,
+		present
+	};
+	const presentBlobs = /* @__PURE__ */ new Set();
+	for (const batch of batches([...blobCandidates], LOOKUP_BATCH)) {
+		const rows = await db.selectFrom("git_object").select("oid").where("repo_id", "=", id).where("oid", "in", batch.map((h) => Buffer.from(h, "hex"))).execute();
+		for (const r of rows) presentBlobs.add(r.oid.toString("hex"));
+	}
+	for (const b of blobCandidates) (presentBlobs.has(b) ? present : missing).add(b);
+	return {
+		missing,
+		present
+	};
+}
+
+//#endregion
+//#region src/store/repo-resolver.ts
+/**
+* Resolves a wire repo name to its `repos.id` surrogate, memoized. The object and
+* ref stores both key on the bigint `repo_id`, so each builds one of these as its
+* name→id boundary.
+*
+* The mapping is immutable once a repo exists (ids are `generated always`, names
+* are unique), so a found id is cached for the resolver's lifetime — keeping the
+* per-object hot path (getObject) at one point-read, not a join. Misses are NEVER
+* cached: a name the lookup didn't find may be created by a later push, and a
+* cached `null` would mask it.
+*
+* Reads resolve (lookup; `null` ⇒ the repo has never been written, i.e. empty).
+* Writes ensure (race-safe get-or-create).
+*/
+function createRepoResolver(db) {
+	const cache = /* @__PURE__ */ new Map();
+	return {
+		/** The repo's id, creating the row if absent. Race-safe under concurrent
+		* first-pushes, and avoids a no-op UPDATE on the common (exists) path. */
+		async ensureRepoId(name) {
+			const cached = cache.get(name);
+			if (cached !== void 0) return cached;
+			const existing = await db.selectFrom("repos").select("id").where("name", "=", name).executeTakeFirst();
+			if (existing) {
+				cache.set(name, existing.id);
+				return existing.id;
+			}
+			const id = (await db.insertInto("repos").values({ name }).onConflict((oc) => oc.doNothing()).returning("id").executeTakeFirst())?.id ?? (await db.selectFrom("repos").select("id").where("name", "=", name).executeTakeFirstOrThrow()).id;
+			cache.set(name, id);
+			return id;
+		},
+		/** The repo's id, or `null` if it has never been written to. */
+		async resolveRepoId(name) {
+			const cached = cache.get(name);
+			if (cached !== void 0) return cached;
+			const row = await db.selectFrom("repos").select("id").where("name", "=", name).executeTakeFirst();
+			if (!row) return null;
+			cache.set(name, row.id);
+			return row.id;
+		}
+	};
+}
+
+//#endregion
+//#region src/store/gc.ts
+/** Default per-batch DELETE cap when the caller omits `batchLimit`. Large enough to
+* sweep a typical force-commit orphan set in one or two batches, small enough to
+* bound the dead-tuple burst and lock duration per transaction (§7). */
+const DEFAULT_BATCH_LIMIT = 1e4;
+/** OIDs loaded per COPY round-trip into the live table (the live set can be the whole
+* reachable tree, so it streams in bounded batches, never one giant payload). */
+const LIVE_LOAD_BATCH = 1e4;
+/**
+* Build the GC over a porsager client (the same wire→DB boundary the object and ref
+* stores take). `gc(repo, opts)` reclaims a single repo's unreachable-and-old-enough
+* objects offline; reachable objects are always retained.
+*/
+function createGc(pg) {
+	const repos = createRepoResolver(initKysely(pg));
+	return { async gc(repo, opts) {
+		const id = await repos.resolveRepoId(repo);
+		if (id === null) return {
+			deletedEdges: 0,
+			deletedObjects: 0
+		};
+		const batchLimit = opts.batchLimit ?? DEFAULT_BATCH_LIMIT;
+		const live = `gc_live_${id}`;
+		await pg.unsafe(`create unlogged table if not exists ${live} (oid bytea primary key)`);
+		try {
+			await pg.unsafe(`truncate ${live}`);
+			await loadLive(live, await liveSet(id));
+			await opts._hooks?.afterLiveSet?.();
+			const deletedObjects = await sweepObjects(id, live, opts.graceSeconds, batchLimit);
+			const deletedEdges = await sweepEdges(id, batchLimit);
+			if (opts.maintain !== false && deletedObjects + deletedEdges > 0) await maintain();
+			return {
+				deletedEdges,
+				deletedObjects
+			};
+		} finally {
+			await pg.unsafe(`drop table if exists ${live}`);
+		}
+	} };
+	/**
+	* The live set: the reachable closure from every ref tip, read under ONE
+	* REPEATABLE READ snapshot so the ref-tip read and the multi-statement closure
+	* walk cannot interleave with a concurrent push's ref update (§5 defense (a)).
+	*
+	* `reachableClosure` is the shared engine and takes a `Kysely`, but the
+	* kysely-postgres-js dialect drives queries by calling `.reserve()` on its
+	* `postgres` client for EACH query — so a plain pooled Kysely would scatter the
+	* closure's statements across connections (no shared snapshot), and a
+	* transaction-scoped `Sql` has no `.reserve()` at all. So we pin ONE porsager
+	* connection, open a REPEATABLE READ transaction on it, and back a Kysely with a
+	* shim whose `reserve()` always returns that pinned connection with a no-op
+	* `release()` — every closure statement then runs on the one snapshotted
+	* connection. The transaction is read-only; it commits (releasing the snapshot)
+	* before the sweep's own short write transactions begin.
+	*/
+	async function liveSet(id) {
+		const conn = await pg.reserve();
+		try {
+			await conn`begin isolation level repeatable read`;
+			const pinned = pinnedKysely(conn);
+			const rows = await conn`
+				select oid, peeled_oid from git_ref where repo_id = ${id} and oid is not null
+			`;
+			const tips = /* @__PURE__ */ new Set();
+			for (const r of rows) {
+				if (r.oid) tips.add(r.oid.toString("hex"));
+				if (r.peeled_oid) tips.add(r.peeled_oid.toString("hex"));
+			}
+			const { present } = await reachableClosure(pinned, id, [...tips], false);
+			await conn`commit`;
+			return present;
+		} finally {
+			conn.release();
+		}
+	}
+	/** A Kysely pinned to a single porsager connection: its dialect `reserve()`s the
+	* same connection for every statement (so a multi-statement read shares one MVCC
+	* snapshot) and `release()` is a no-op (the caller owns the connection's lifetime).
+	* The shim is a callable with a `reserve` property, the shape the dialect probes
+	* for (`isPostgresJSSql`). */
+	function pinnedKysely(conn) {
+		const nonReleasing = new Proxy(conn, { get: (target, prop) => prop === "release" ? () => {} : Reflect.get(target, prop, target) });
+		return initKysely(Object.assign(() => {
+			throw new Error("pggit gc: pinned client used as a tagged template");
+		}, { reserve: async () => nonReleasing }));
+	}
+	/** Bulk-load the live OID set into the UNLOGGED `live` table via binary COPY (the
+	* one bytea-safe bulk path, copy-insert.ts), batched so the payload stays bounded.
+	* Each COPY runs in its own transaction so the staging temp table drops on commit. */
+	async function loadLive(live, oids) {
+		if (oids.size === 0) return;
+		const all = [...oids];
+		for (let i = 0; i < all.length; i += LIVE_LOAD_BATCH) {
+			const chunk = all.slice(i, i + LIVE_LOAD_BATCH);
+			await pg.begin(async (tx) => {
+				await copyInsert(tx, live, ["oid"], chunk.map((hex) => [{
+					t: "bytea",
+					v: Buffer.from(hex, "hex")
+				}]));
+			});
+		}
+	}
+	/** Batched object sweep. Postgres `DELETE` has no `LIMIT`, so each batch picks a
+	* `LIMIT`-bounded set of victim OIDs then deletes them by PRIMARY KEY `(repo_id,
+	* oid)`. The match is on the PK — NOT `ctid`: `ctid` is per-partition-relative, so
+	* matching `ctid` across the HASH-partitioned table would delete same-ctid rows in
+	* OTHER partitions (other tenants). The loop ends when a batch deletes nothing.
+	* Each batch is its own (implicit) transaction, so `clock_timestamp()` re-evaluates
+	* per batch and the grace cutoff advances. Returns total rows deleted. */
+	async function sweepObjects(id, live, graceSeconds, batchLimit) {
+		let total = 0;
+		for (;;) {
+			const deleted = await pg.unsafe(`with victims as (
+					select o.oid from git_object o
+					where o.repo_id = $1::bigint
+						and not exists (select 1 from ${live} l where l.oid = o.oid)
+						and o.created_at < clock_timestamp() - make_interval(secs => $2::float8)
+					limit $3::int
+				)
+				delete from git_object o using victims v
+				where o.repo_id = $1::bigint and o.oid = v.oid returning 1 as n`, [
+				String(id),
+				String(graceSeconds),
+				String(batchLimit)
+			]);
+			if (deleted.length === 0) break;
+			total += deleted.length;
+		}
+		return total;
+	}
+	/** Batched edge sweep: delete every `git_edge` row whose PARENT object no longer
+	* exists in `git_object` (a deleted object's outgoing edges). No FK cascade exists
+	* (0003_git_edge.ts), so dangling edges must be swept explicitly. Anti-join on the
+	* parent only: a surviving parent is reachable, so all its children are reachable
+	* and present — its edges never dangle. Like the object sweep, each batch picks a
+	* `LIMIT`-bounded victim set then deletes by PRIMARY KEY `(repo_id, parent, child)`
+	* — never `ctid`, which is per-partition and would reach into other tenants. */
+	async function sweepEdges(id, batchLimit) {
+		let total = 0;
+		for (;;) {
+			const deleted = await pg.unsafe(`with victims as (
+					select e.parent, e.child from git_edge e
+					where e.repo_id = $1::bigint
+						and not exists (
+							select 1 from git_object o where o.repo_id = e.repo_id and o.oid = e.parent
+						)
+					limit $2::int
+				)
+				delete from git_edge e using victims v
+				where e.repo_id = $1::bigint and e.parent = v.parent and e.child = v.child
+				returning 1 as n`, [String(id), String(batchLimit)]);
+			if (deleted.length === 0) break;
+			total += deleted.length;
+		}
+		return total;
+	}
+	/** Post-sweep maintenance (best-effort): reclaim the dead tuples GC produced in
+	* the heap + TOAST and refresh planner stats, then reindex the walk index.
+	* `VACUUM` cannot run inside a transaction block, so these are standalone
+	* statements run outside any txn. */
+	async function maintain() {
+		await pg.unsafe(`vacuum (analyze) git_object`);
+		await pg.unsafe(`vacuum (analyze) git_edge`);
+		await pg.unsafe(`reindex index git_edge_walk`);
+	}
+}
+
+//#endregion
+//#region src/gc-scheduler.ts
+/**
+* Build the GC scheduler over a porsager client (the same wire→DB boundary the
+* stores take). `drainOnce()` runs one poll+sweep pass; `start()`/`stop()` drive
+* it on `intervalMs`. Reachable objects are never touched — it only invokes the
+* per-repo GC primitive, which is reachability-safe.
+*/
+function createGcScheduler(pg, opts) {
+	const gc = createGc(pg);
+	let timer;
+	let inFlight;
+	/** The eligible repos for this pass — the §2 predicate. */
+	async function selectCandidates() {
+		return pg`
+			select r.id::text as id, r.name
+			from repos r
+			where r.last_pushed_at is not null
+				and (r.last_gc_at is null or r.last_pushed_at > r.last_gc_at)
+		`;
+	}
+	/**
+	* GC one candidate. `t0 = clock_timestamp()` is captured BEFORE `gc()` opens its
+	* snapshot, then written as `last_gc_at` after the sweep: any push committing
+	* after t0 re-stamps `last_pushed_at > t0` (the store stamps after commit) and
+	* re-qualifies the repo next pass (no lost garbage). A per-repo failure is
+	* ISOLATED — logged and skipped (the repo keeps its old `last_gc_at`, so it
+	* re-qualifies and is retried next pass) — so one poison repo never aborts the
+	* rest of the pass. `maintain: false`: the drain leans on autovacuum, never a
+	* per-pass full-table VACUUM (gc.ts).
+	*/
+	async function drainRepo(c) {
+		try {
+			const [t] = await pg`select clock_timestamp()::text as t0`;
+			if (!t) throw new Error("pggit gc-scheduler: clock_timestamp() returned no row");
+			const { deletedObjects, deletedEdges } = await gc.gc(c.name, {
+				graceSeconds: opts.graceSeconds,
+				maintain: false
+			});
+			await pg`update repos set last_gc_at = ${t.t0}::timestamptz where id = ${c.id}::bigint`;
+			return {
+				deletedEdges,
+				deletedObjects,
+				repo: c.name
+			};
+		} catch (err) {
+			console.error(`pggit gc-scheduler: GC of repo ${JSON.stringify(c.name)} failed (retried next pass):`, err);
+			return null;
+		}
+	}
+	/** One drain pass: GC every eligible repo (bounded concurrency, distinct repos so
+	* a pass never double-GCs one). Returns an entry per repo GC'd this pass — a repo
+	* whose GC threw is skipped (not in the summary) and retried next pass. */
+	async function drainOnce() {
+		return (await mapPool(await selectCandidates(), Math.max(1, opts.concurrency), drainRepo)).filter((e) => e !== null);
+	}
+	/** Run the drain on `intervalMs`. The `inFlight` guard ensures passes never
+	* overlap — so two passes can never touch the same repo at once — and a slow pass
+	* simply skips the next tick. A pass failure is logged, never thrown into the
+	* timer. The timer is `unref`'d so it alone does not keep the process alive (the
+	* server's socket does). */
+	function start() {
+		if (timer) return;
+		timer = setInterval(() => {
+			if (inFlight) return;
+			inFlight = drainOnce().catch((err) => {
+				console.error("pggit gc-scheduler: drain pass failed:", err);
+			}).finally(() => {
+				inFlight = void 0;
+			});
+		}, opts.intervalMs);
+		timer.unref?.();
+	}
+	/** Halt the background drain and AWAIT any pass already in flight, so a caller may
+	* safely tear the connection pool down afterwards (no query runs into a closed
+	* pool). Idempotent. */
+	async function stop() {
+		if (timer) {
+			clearInterval(timer);
+			timer = void 0;
+		}
+		await inFlight;
+	}
+	return {
+		drainOnce,
+		start,
+		stop
+	};
+}
+/** Run `fn` over `items` with at most `limit` concurrent, preserving result order.
+* A bounded worker pool — `limit` workers pull from a shared cursor — so one
+* large-orphan repo cannot head-of-line-block the rest of a pass. */
+async function mapPool(items, limit, fn) {
+	const results = new Array(items.length);
+	let cursor = 0;
+	async function worker() {
+		for (;;) {
+			const i = cursor++;
+			if (i >= items.length) return;
+			results[i] = await fn(items[i]);
+		}
+	}
+	const workers = Array.from({ length: Math.min(limit, items.length) }, worker);
+	await Promise.all(workers);
+	return results;
+}
+
+//#endregion
+//#region src/index.ts
+const UPLOAD_PACK_ADVERTISEMENT = Buffer.concat([
+	encodePktLine(Buffer.from("# service=git-upload-pack\n")),
+	encodePkt({ type: "flush" }),
+	encodeAdvertisement()
+]);
+function toArrayBuffer(buf) {
+	return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
+}
+const ADVERTISEMENT_BODY = toArrayBuffer(UPLOAD_PACK_ADVERTISEMENT);
+/**
+* Read a smart-HTTP POST body, honoring `Content-Encoding`. Git compresses the
+* upload-pack/receive-pack request body with gzip once it is large enough
+* (`remote-curl.c`), exactly as `git http-backend` decompresses on the server
+* side — so we must too. Any other declared encoding is a hard error, never fed
+* raw to the pkt-line parser.
+*/
+async function readRequestBody(c) {
+	const raw = Buffer.from(await c.req.arrayBuffer());
+	const encoding = c.req.header("content-encoding")?.toLowerCase();
+	if (encoding === void 0 || encoding === "identity") return raw;
+	if (encoding === "gzip" || encoding === "x-gzip") try {
+		return gunzipSync(raw);
+	} catch (err) {
+		throw new GitProtocolError(`request body declared Content-Encoding ${JSON.stringify(encoding)} but failed to gunzip: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	throw new GitProtocolError(`unsupported request Content-Encoding: ${JSON.stringify(encoding)}`);
+}
+/**
+* Fetch is served over git protocol v2 ONLY (the charter). git requests v2 with a
+* `Git-Protocol: version=2` header (a `:`-joined key list; git ≥ 2.26 sends it by
+* default). A v0/v1 client sends no such header and cannot parse the v2
+* advertisement — it would read the `version 2` line + flush as an empty repo and
+* silently clone nothing. So reject the unnegotiated case loudly at the boundary
+* (400) instead of handing back an advertisement it will misread.
+*/
+function assertProtocolV2(header) {
+	if (!(header ?? "").split(":").map((s) => s.trim()).includes("version=2")) throw new GitProtocolError("pggit serves fetch over git protocol v2 only; set protocol.version=2 (git ≥ 2.26 negotiates it by default)");
+}
+function backendFor(deps, repoId) {
+	return {
+		buildPack: (wants, haves, omitBlobs, includeTag) => deps.objects.buildPack(repoId, wants, haves, omitBlobs, includeTag),
+		commonHaves: (haves) => deps.objects.commonHaves(repoId, haves),
+		getSymref: (name) => deps.refs.getSymref(repoId, name),
+		listRefs: () => deps.refs.listRefs(repoId),
+		readyToGiveUp: (wants, common) => deps.objects.readyToGiveUp(repoId, wants, common)
+	};
+}
+function receiveBackendFor(deps, repoId) {
+	const backend = {
+		applyRefUpdates: (commands, atomic) => deps.refs.applyRefUpdates(repoId, commands, atomic),
+		ingest: async (pack) => {
+			await deps.objects.ingestPack(repoId, pack);
+		},
+		isConnected: (oid) => deps.objects.isConnected(repoId, oid)
+	};
+	if (deps.snapshots) {
+		const sdeps = {
+			objects: deps.objects,
+			snapshots: deps.snapshots
+		};
+		backend.syncRefSnapshot = (ref, newOid) => syncRefSnapshot(sdeps, repoId, ref, newOid);
+	}
+	return backend;
+}
+/** v0 receive-pack ref advertisement body: the `# service` preamble + ref list. */
+async function receivePackAdvertBody(deps, repoId) {
+	const refs = await deps.refs.listRefs(repoId);
+	return Buffer.concat([
+		encodePktLine(Buffer.from("# service=git-receive-pack\n")),
+		encodePkt({ type: "flush" }),
+		encodeReceivePackAdvertisement(refs)
+	]);
+}
+/**
+* Build the git-remote Hono app (smart-HTTP, protocol v2 fetch). Mountable into
+* a host app via `host.route("/git", createGitApp(deps))`; the host owns the
+* Postgres lifecycle behind `deps`.
+*/
+function createGitApp(deps, opts = {}) {
+	const app = new Hono();
+	if (opts.instrument) app.use((c, next) => runRequest({
+		method: c.req.method,
+		path: c.req.path
+	}, () => next()));
+	app.use(cors());
+	app.onError((err, c) => {
+		if (err instanceof GitProtocolError) return c.text(err.message, 400);
+		console.error(err);
+		return c.text("internal server error", 500);
+	});
+	app.get("/health", (c) => c.text("ok"));
+	app.get("/:repo/info/refs", async (c) => {
+		const service = c.req.query("service");
+		if (service === "git-upload-pack") {
+			assertProtocolV2(c.req.header("git-protocol"));
+			return c.body(ADVERTISEMENT_BODY, 200, {
+				"Cache-Control": "no-cache",
+				"Content-Type": "application/x-git-upload-pack-advertisement"
+			});
+		}
+		if (service === "git-receive-pack") {
+			const body = await receivePackAdvertBody(deps, c.req.param("repo"));
+			return c.body(toArrayBuffer(body), 200, {
+				"Cache-Control": "no-cache",
+				"Content-Type": "application/x-git-receive-pack-advertisement"
+			});
+		}
+		return c.text(`unsupported service ${JSON.stringify(service)}`, 403);
+	});
+	app.post("/:repo/git-upload-pack", async (c) => {
+		const out = await handleUploadPack(await readRequestBody(c), backendFor(deps, c.req.param("repo")));
+		count("wireBytes", out.length);
+		return c.body(toArrayBuffer(out), 200, {
+			"Cache-Control": "no-cache",
+			"Content-Type": "application/x-git-upload-pack-result"
+		});
+	});
+	app.post("/:repo/git-receive-pack", async (c) => {
+		const out = await handleReceivePack(await readRequestBody(c), receiveBackendFor(deps, c.req.param("repo")));
+		return c.body(toArrayBuffer(out), 200, {
+			"Cache-Control": "no-cache",
+			"Content-Type": "application/x-git-receive-pack-result"
+		});
+	});
+	return app;
+}
+
+//#endregion
+export { createGc, createGcScheduler, createGitApp };
+//# sourceMappingURL=index.mjs.map