episoda 0.2.0

package/dist/git-helpers/git-credential-helper.js

@@ -0,0 +1,349 @@
+"use strict";
+/**
+ * EP548/EP612: Git Credential Helper Script Generator
+ *
+ * This module generates the git credential helper script that is installed
+ * during `episoda auth`. The script is called by git when credentials are needed.
+ *
+ * The generated script:
+ * 1. Detects the environment (local vs cloud)
+ * 2. Calls GET /api/git/credentials with appropriate auth
+ * 3. Returns credentials in git credential protocol format
+ * 4. Caches tokens locally (5 min TTL) to avoid API calls on every git operation
+ *
+ * EP612: Removed jq dependency - uses pure bash JSON parsing
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CREDENTIAL_HELPER_SCRIPT = void 0;
+exports.generateCredentialHelperScript = generateCredentialHelperScript;
+/**
+ * Generate the credential helper script content
+ *
+ * The script needs to:
+ * - Be standalone (no external dependencies - just bash and curl)
+ * - Work with curl (available on all platforms)
+ * - Handle both local (OAuth) and cloud (machine ID) auth
+ * - Cache tokens to avoid hitting API on every git operation
+ */
+function generateCredentialHelperScript(apiUrl) {
+    // The script uses bash because it's universally available
+    // No jq dependency - uses pure bash for JSON parsing
+    return `#!/bin/bash
+#
+# Episoda Git Credential Helper
+# EP548/EP612: Unified git authentication for all environments
+#
+# This script is called by git when credentials are needed.
+# It calls the Episoda API to get a fresh GitHub token.
+#
+# Installation: episoda auth
+# Location: ~/.episoda/bin/git-credential-episoda (local)
+#           /usr/local/bin/git-credential-episoda (cloud VM)
+#
+# Git credential protocol:
+# - git calls: git-credential-episoda get
+# - input on stdin: protocol=https\\nhost=github.com\\n
+# - output on stdout: username=x-access-token\\npassword=TOKEN\\n
+#
+# Dependencies: bash, curl (no jq required)
+#
+
+set -euo pipefail
+
+EPISODA_DIR="\${HOME}/.episoda"
+CONFIG_FILE="\${EPISODA_DIR}/config.json"
+CACHE_FILE="\${EPISODA_DIR}/git-token-cache.json"
+API_URL="${apiUrl}"
+
+# Cache TTL in seconds (5 minutes)
+CACHE_TTL=300
+
+# Log function (to stderr so git doesn't see it)
+log() {
+  if [[ "\${GIT_CREDENTIAL_EPISODA_DEBUG:-}" == "1" ]]; then
+    echo "[episoda-git] \$(date '+%H:%M:%S') \$*" >&2
+  fi
+}
+
+# Error log (always shown)
+error() {
+  echo "[episoda-git] ERROR: \$*" >&2
+}
+
+# Pure bash JSON value extraction (no jq needed)
+# Usage: json_get '{"foo":"bar"}' "foo" -> "bar"
+# Handles simple flat JSON and nested paths like "credentials.username"
+json_get() {
+  local json="\$1"
+  local key="\$2"
+  local value=""
+
+  # Handle nested keys (e.g., "credentials.username")
+  if [[ "\$key" == *.* ]]; then
+    local outer="\${key%%.*}"
+    local inner="\${key#*.}"
+    # Extract outer object first, then inner key
+    # Match "outer":{...} and extract the {...} part
+    local nested
+    nested=\$(echo "\$json" | sed -n 's/.*"'\$outer'"[[:space:]]*:[[:space:]]*{\\([^}]*\\)}.*/\\1/p')
+    if [[ -n "\$nested" ]]; then
+      json_get "{\$nested}" "\$inner"
+      return
+    fi
+    return
+  fi
+
+  # Simple key extraction: "key":"value" or "key": "value"
+  # Handle both quoted strings and unquoted values
+  value=\$(echo "\$json" | sed -n 's/.*"'\$key'"[[:space:]]*:[[:space:]]*"\\([^"]*\\)".*/\\1/p')
+
+  if [[ -n "\$value" ]]; then
+    echo "\$value"
+  fi
+}
+
+# Check for required dependencies
+check_dependencies() {
+  if ! command -v curl >/dev/null 2>&1; then
+    error "curl is required but not installed"
+    return 1
+  fi
+  return 0
+}
+
+# Parse git credential input from stdin
+parse_input() {
+  while IFS= read -r line; do
+    [[ -z "\$line" ]] && break
+    case "\$line" in
+      protocol=*) PROTOCOL="\${line#protocol=}" ;;
+      host=*) HOST="\${line#host=}" ;;
+      path=*) PATH_="\${line#path=}" ;;
+    esac
+  done
+}
+
+# Parse ISO 8601 date to unix timestamp (cross-platform)
+parse_iso_date() {
+  local iso_date="\$1"
+  # Try GNU date first (Linux)
+  if date -d "\$iso_date" +%s 2>/dev/null; then
+    return
+  fi
+  # Try BSD date (macOS) - strip timezone for parsing
+  local clean_date="\${iso_date%+*}"  # Remove +00:00
+  clean_date="\${clean_date%Z}"       # Remove Z
+  clean_date="\${clean_date%.*}"      # Remove .milliseconds
+  if date -jf "%Y-%m-%dT%H:%M:%S" "\$clean_date" +%s 2>/dev/null; then
+    return
+  fi
+  # Fallback: return 0 (expired)
+  echo "0"
+}
+
+# Check if cached token is still valid
+get_cached_token() {
+  if [[ ! -f "\$CACHE_FILE" ]]; then
+    log "No cache file"
+    return 1
+  fi
+
+  # Read cache file
+  local cache_content
+  cache_content=\$(cat "\$CACHE_FILE" 2>/dev/null) || return 1
+
+  # Parse cache file using pure bash
+  local expires_at
+  expires_at=\$(json_get "\$cache_content" "expires_at")
+
+  if [[ -z "\$expires_at" ]]; then
+    log "No expires_at in cache"
+    return 1
+  fi
+
+  # Check if expired (with 60 second buffer)
+  local now expires_ts buffer
+  now=\$(date +%s)
+  expires_ts=\$(parse_iso_date "\$expires_at")
+  buffer=60
+
+  if [[ \$((expires_ts - buffer)) -le \$now ]]; then
+    log "Cache expired (expires: \$expires_at)"
+    return 1
+  fi
+
+  # Return cached token
+  CACHED_TOKEN=\$(json_get "\$cache_content" "password")
+  CACHED_USER=\$(json_get "\$cache_content" "username")
+
+  if [[ -n "\$CACHED_TOKEN" && -n "\$CACHED_USER" ]]; then
+    log "Using cached token (expires: \$expires_at)"
+    return 0
+  fi
+
+  log "Invalid cache content"
+  return 1
+}
+
+# Save token to cache
+save_to_cache() {
+  local username="\$1"
+  local password="\$2"
+  local expires_at="\$3"
+
+  mkdir -p "\$EPISODA_DIR"
+  cat > "\$CACHE_FILE" <<CACHE_EOF
+{"username":"\$username","password":"\$password","expires_at":"\$expires_at","cached_at":"\$(date -u +"%Y-%m-%dT%H:%M:%SZ")"}
+CACHE_EOF
+  chmod 600 "\$CACHE_FILE"
+  log "Token cached until \$expires_at"
+}
+
+# Get credentials from Episoda API
+fetch_credentials() {
+  local api_url="\${EPISODA_API_URL:-\${API_URL}}"
+  local response=""
+  local http_code=""
+
+  # Detect environment - check multiple ways to identify a cloud VM
+  local machine_id=""
+
+  # Check FLY_MACHINE_ID (set by Fly.io on all machines)
+  if [[ -n "\${FLY_MACHINE_ID:-}" ]]; then
+    machine_id="\$FLY_MACHINE_ID"
+    log "Cloud environment detected via FLY_MACHINE_ID: \$machine_id"
+  # Legacy: check /app/.machine_id file
+  elif [[ -f "/app/.machine_id" ]]; then
+    machine_id=\$(cat /app/.machine_id)
+    log "Cloud environment detected via /app/.machine_id: \$machine_id"
+  fi
+
+  if [[ -n "\$machine_id" ]]; then
+    # Cloud VM: use machine ID header
+    log "Fetching credentials for machine: \$machine_id"
+    response=\$(curl -s -w "\\n%{http_code}" --max-time 10 "\${api_url}/api/git/credentials" \\
+      -H "X-Machine-ID: \$machine_id" \\
+      -H "Content-Type: application/json" 2>&1) || {
+      error "curl failed: \$response"
+      return 1
+    }
+  else
+    # Local: use OAuth token from config
+    if [[ ! -f "\$CONFIG_FILE" ]]; then
+      error "No config found at \$CONFIG_FILE. Run 'episoda auth' first."
+      return 1
+    fi
+
+    # Parse config using pure bash
+    local config_content
+    config_content=\$(cat "\$CONFIG_FILE" 2>/dev/null) || {
+      error "Cannot read config file"
+      return 1
+    }
+
+    local access_token project_id
+    access_token=\$(json_get "\$config_content" "access_token")
+    project_id=\$(json_get "\$config_content" "project_id")
+
+    if [[ -z "\$access_token" ]]; then
+      error "No access token in config. Run 'episoda auth' to authenticate."
+      return 1
+    fi
+
+    log "Local environment (project: \$project_id)"
+    response=\$(curl -s -w "\\n%{http_code}" --max-time 10 "\${api_url}/api/git/credentials" \\
+      -H "Authorization: Bearer \$access_token" \\
+      -H "X-Project-ID: \$project_id" \\
+      -H "Content-Type: application/json" 2>&1) || {
+      error "curl failed: \$response"
+      return 1
+    }
+  fi
+
+  # Split response and HTTP code
+  http_code=\$(echo "\$response" | tail -n1)
+  response=\$(echo "\$response" | sed '\$d')
+
+  # Check HTTP status
+  if [[ "\$http_code" != "200" ]]; then
+    error "API returned HTTP \$http_code"
+    log "Response: \$response"
+    return 1
+  fi
+
+  # Parse response using pure bash
+  CRED_USERNAME=\$(json_get "\$response" "credentials.username")
+  CRED_PASSWORD=\$(json_get "\$response" "credentials.password")
+  CRED_EXPIRES=\$(json_get "\$response" "credentials.expires_at")
+
+  if [[ -z "\$CRED_USERNAME" || -z "\$CRED_PASSWORD" ]]; then
+    error "Invalid credentials in response"
+    log "Response: \$response"
+    return 1
+  fi
+
+  # Cache the token
+  save_to_cache "\$CRED_USERNAME" "\$CRED_PASSWORD" "\$CRED_EXPIRES"
+
+  log "Credentials fetched successfully"
+  return 0
+}
+
+# Main
+main() {
+  local command="\${1:-}"
+
+  # Check dependencies before processing
+  if ! check_dependencies; then
+    exit 0  # Exit gracefully so git tries other helpers
+  fi
+
+  case "\$command" in
+    get)
+      parse_input
+
+      # Only handle github.com
+      if [[ "\${HOST:-}" != "github.com" ]]; then
+        log "Not handling host: \${HOST:-unknown}"
+        exit 0
+      fi
+
+      # Try cache first
+      if get_cached_token; then
+        echo "username=\$CACHED_USER"
+        echo "password=\$CACHED_TOKEN"
+        exit 0
+      fi
+
+      # Fetch fresh credentials
+      if fetch_credentials; then
+        echo "username=\$CRED_USERNAME"
+        echo "password=\$CRED_PASSWORD"
+        exit 0
+      fi
+
+      # Failed - let git try other credential helpers
+      log "Failed to get credentials, falling back to other helpers"
+      exit 0
+      ;;
+
+    store|erase)
+      # We don't store or erase credentials
+      exit 0
+      ;;
+
+    *)
+      # Unknown command
+      exit 0
+      ;;
+  esac
+}
+
+main "\$@"
+`;
+}
+/**
+ * Get the content of the credential helper for embedding in the CLI
+ */
+exports.CREDENTIAL_HELPER_SCRIPT = generateCredentialHelperScript('https://episoda.dev');
+//# sourceMappingURL=git-credential-helper.js.map

package/dist/git-helpers/git-credential-helper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-credential-helper.js","sourceRoot":"","sources":["../../src/git-helpers/git-credential-helper.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAWH,wEA4TC;AArUD;;;;;;;;GAQG;AACH,SAAgB,8BAA8B,CAAC,MAAc;IAC3D,0DAA0D;IAC1D,qDAAqD;IACrD,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;WAyBE,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+RhB,CAAA;AACD,CAAC;AAED;;GAEG;AACU,QAAA,wBAAwB,GAAG,8BAA8B,CAAC,qBAAqB,CAAC,CAAA"}

package/dist/hooks/post-checkout

@@ -0,0 +1,296 @@
+#!/bin/bash
+# Git post-checkout hook to update module.checkout_* fields for realtime badge updates
+# EP534: Also checks branch locks and auto-reverts if branch is locked by another user
+# EP649: Added support for cloud VM checkout tracking (Fly.io, Codespaces, Gitpod, etc.)
+# EP749: Simplified to use module.checkout_* as single source of truth (removed branch_checkout table)
+# This runs after every successful git checkout (from API or terminal)
+
+# Set up logging
+LOG_FILE=".git/hooks/post-checkout.log"
+log() {
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
+}
+
+# Get hook parameters
+PREV_HEAD=$1
+NEW_HEAD=$2
+BRANCH_CHECKOUT=$3  # 1 if branch checkout, 0 if file checkout
+
+# Get the old and new branch names
+OLD_BRANCH=$(git name-rev --name-only $PREV_HEAD 2>/dev/null | sed 's/^remotes\/origin\///')
+NEW_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+
+# If in detached HEAD state, try to get actual branch from reflog or skip update
+if [ "$NEW_BRANCH" = "HEAD" ]; then
+  # Try to get branch from git reflog
+  ACTUAL_BRANCH=$(git reflog show --all | grep -o "checkout: moving from .* to \(.*\)" | head -1 | sed 's/.*to //')
+  if [ -n "$ACTUAL_BRANCH" ] && [ "$ACTUAL_BRANCH" != "HEAD" ]; then
+    NEW_BRANCH="$ACTUAL_BRANCH"
+    log "Detected branch from reflog: $NEW_BRANCH"
+  else
+    # Still HEAD - skip update to avoid breaking UI
+    log "Skipping update - detached HEAD state"
+    exit 0
+  fi
+fi
+
+log "Branch checkout: $OLD_BRANCH → $NEW_BRANCH"
+
+# Get database connection info from .env.local
+if [ -f .env.local ]; then
+  export $(grep -v '^#' .env.local | grep -E 'NEXT_PUBLIC_SUPABASE_URL|SUPABASE_SERVICE_ROLE_KEY' | xargs)
+fi
+
+# EP553: Atomic branch checkout using checkout_branch_atomic() function
+# Combines lock check and checkout update in a single transaction to prevent race conditions
+CHECKOUT_RESULT=$(node -e "
+const { createClient } = require('@supabase/supabase-js');
+const { execSync } = require('child_process');
+
+const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
+
+if (!supabaseUrl || !supabaseKey) {
+  console.log('SKIP:Missing Supabase credentials');
+  process.exit(0);
+}
+
+const supabase = createClient(supabaseUrl, supabaseKey);
+
+(async () => {
+  try {
+    // EP553: Get user ID and workspace ID from git config
+    let userId = null;
+    let configuredWorkspaceId = null;
+
+    try {
+      userId = execSync('git config episoda.userId', { encoding: 'utf8' }).trim();
+    } catch (e) {
+      console.log('SKIP:No user configured');
+      process.exit(0);
+    }
+
+    try {
+      configuredWorkspaceId = execSync('git config episoda.workspaceId', { encoding: 'utf8' }).trim();
+    } catch (e) {
+      console.log('SKIP:No workspace configured');
+      process.exit(0);
+    }
+
+    if (!userId || !configuredWorkspaceId) {
+      console.log('SKIP:Configuration incomplete');
+      process.exit(0);
+    }
+
+    // EP553: Verify user exists and is not banned
+    const { data: userData, error: userError } = await supabase.auth.admin.getUserById(userId);
+
+    if (userError || !userData.user) {
+      console.log('ERROR:Invalid user ID');
+      process.exit(1);
+    }
+
+    if (userData.user.banned) {
+      console.log('ERROR:User account suspended');
+      process.exit(1);
+    }
+
+    // EP553: Get user's actual workspace via workspace_member table
+    const { data: membership, error: membershipError } = await supabase
+      .from('workspace_member')
+      .select('workspace_id')
+      .eq('user_id', userId)
+      .maybeSingle();
+
+    if (membershipError || !membership) {
+      console.log('ERROR:User not member of workspace');
+      process.exit(1);
+    }
+
+    const workspaceId = membership.workspace_id;
+
+    // EP553: Multi-user machine protection
+    if (configuredWorkspaceId !== workspaceId) {
+      console.log('ERROR:Workspace mismatch');
+      process.exit(1);
+    }
+
+    // EP725: Get project ID from git config for main/master checkout tracking
+    // This ensures main branch checkouts are recorded with project_id for badge display
+    let configuredProjectId = null;
+    try {
+      configuredProjectId = execSync('git config episoda.projectId', { encoding: 'utf8' }).trim();
+    } catch (e) {
+      // No projectId configured - will use null (backwards compatible)
+    }
+
+    // EP556: Extract UID from branch name and look up by UID instead of branch_name
+    // This eliminates race conditions during Ready→Doing transitions
+    // Branch pattern: module/EP{number}-{description}
+    let moduleId = null;
+    let projectId = configuredProjectId || null;  // EP725: Default to configured project for main/master
+    if ('${NEW_BRANCH}' !== 'main' && '${NEW_BRANCH}' !== 'master') {
+      const branchMatch = '${NEW_BRANCH}'.match(/^module\/EP(\d+)-/);
+      if (branchMatch) {
+        const uid = 'EP' + branchMatch[1];
+        const { data: module } = await supabase
+          .from('module')
+          .select('id, project_id')
+          .eq('uid', uid)
+          .maybeSingle();
+
+        if (module) {
+          moduleId = module.id;
+          projectId = module.project_id;
+        }
+      }
+    }
+
+    // EP553: Detect environment type based on where the hook is running
+    // EP649: Added Fly.io cloud VM detection
+    // Check for common cloud development environment variables
+    let environment = 'local';
+    let cloudMachineId = null;
+
+    if (process.env.FLY_MACHINE_ID) {
+      environment = 'cloud';  // Fly.io VM (Episoda cloud dev)
+      cloudMachineId = process.env.FLY_MACHINE_ID;
+    } else if (process.env.CODESPACES === 'true' || process.env.GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN) {
+      environment = 'cloud';  // GitHub Codespaces
+      cloudMachineId = process.env.CODESPACE_NAME || null;
+    } else if (process.env.GITPOD_WORKSPACE_ID) {
+      environment = 'cloud';  // Gitpod
+      cloudMachineId = process.env.GITPOD_WORKSPACE_ID;
+    } else if (process.env.C9_PROJECT || process.env.AWS_CLOUD9_USER) {
+      environment = 'cloud';  // AWS Cloud9
+      cloudMachineId = process.env.C9_PROJECT || null;
+    } else if (process.env.REPL_ID || process.env.REPLIT_DB_URL) {
+      environment = 'cloud';  // Replit
+      cloudMachineId = process.env.REPL_ID || null;
+    }
+
+    // EP726: Get device UUID for checkout tracking
+    // EP773: Tables renamed: local_device → local_machine, cloud_device → cloud_machine
+    // For local: read local_machine.id from git config (cached by CLI daemon)
+    // For cloud: read cloud_machine.id from git config (set during VM provisioning)
+    let localDeviceId = null;
+    let cloudDeviceId = null;
+
+    if (environment === 'local') {
+      // Local checkout: get local_machine.id from git config
+      try {
+        localDeviceId = execSync('git config episoda.deviceId', { encoding: 'utf8' }).trim();
+      } catch (e) {
+        // No deviceId configured yet - will use null (backwards compatible)
+      }
+    } else {
+      // Cloud checkout: get cloud_machine.id from git config
+      // EP773: Renamed cloud_device → cloud_machine
+      try {
+        cloudDeviceId = execSync('git config episoda.cloudDeviceId', { encoding: 'utf8' }).trim();
+      } catch (e) {
+        // No cloudDeviceId configured - try to look up by FLY_MACHINE_ID
+        if (cloudMachineId) {
+          const { data: cloudMachine } = await supabase
+            .from('cloud_machine')
+            .select('id')
+            .eq('machine_id', cloudMachineId)
+            .maybeSingle();
+          if (cloudMachine) {
+            cloudDeviceId = cloudMachine.id;
+          }
+        }
+      }
+    }
+
+    // EP726: Call atomic checkout function with unified machine IDs
+    // EP768: Renamed p_*_device_id → p_*_machine_id to match function signature
+    // - p_local_machine_id: UUID FK to local_machine (for local checkouts)
+    // - p_cloud_machine_id: UUID FK to cloud_machine (for cloud checkouts)
+    const { data: result, error: rpcError } = await supabase
+      .rpc('checkout_branch_atomic', {
+        p_branch_name: '${NEW_BRANCH}',
+        p_user_id: userId,
+        p_workspace_id: workspaceId,
+        p_project_id: projectId,
+        p_environment: environment,
+        p_module_id: moduleId,
+        p_cloud_machine_id: cloudDeviceId,
+        p_local_machine_id: localDeviceId
+      });
+
+    if (rpcError) {
+      console.log('ERROR:' + rpcError.message);
+      process.exit(1);
+    }
+
+    if (!result.success) {
+      if (result.error === 'BRANCH_LOCKED') {
+        console.log('LOCKED:' + result.locked_by + ':' + result.environment);
+      } else if (result.error === 'BRANCH_BUSY') {
+        console.log('BUSY:' + result.message);
+      } else {
+        console.log('ERROR:' + (result.message || 'Unknown error'));
+      }
+      process.exit(0);
+    }
+
+    // Success - branch checked out atomically
+    console.log('SUCCESS:${NEW_BRANCH}');
+  } catch (err) {
+    console.log('ERROR:' + err.message);
+  }
+})();
+")
+
+# Handle the checkout result
+if [[ "$CHECKOUT_RESULT" == SKIP:* ]]; then
+  # Configuration incomplete or credentials missing - skip quietly
+  log "Skipping checkout update: ${CHECKOUT_RESULT#SKIP:}"
+  exit 0
+elif [[ "$CHECKOUT_RESULT" == ERROR:* ]]; then
+  # Fatal error - abort
+  echo ""
+  echo "❌ ERROR: ${CHECKOUT_RESULT#ERROR:}"
+  echo ""
+  exit 1
+elif [[ "$CHECKOUT_RESULT" == LOCKED:* ]]; then
+  # Branch is locked by another user - revert checkout
+  LOCKED_USER=$(echo "$CHECKOUT_RESULT" | cut -d':' -f2)
+  LOCK_ENV=$(echo "$CHECKOUT_RESULT" | cut -d':' -f3)
+
+  echo ""
+  echo "❌ ERROR: Branch '$NEW_BRANCH' is currently checked out by $LOCKED_USER in $LOCK_ENV mode."
+  echo ""
+  echo "This branch is locked to prevent conflicts. Options:"
+  echo "  1. Ask $LOCKED_USER to check in via GitHub Integration modal"
+  echo "  2. Work on a different module/branch"
+  echo "  3. Wait for the lock to be released"
+  echo ""
+  echo "Reverting to previous branch: $OLD_BRANCH"
+  echo ""
+
+  # Revert to old branch
+  git checkout "$OLD_BRANCH" 2>/dev/null
+  exit 1
+elif [[ "$CHECKOUT_RESULT" == BUSY:* ]]; then
+  # Another user is currently checking out - suggest retry
+  echo ""
+  echo "⏳ Branch checkout in progress by another user"
+  echo "Please try again in a moment"
+  echo ""
+  echo "Reverting to previous branch: $OLD_BRANCH"
+  echo ""
+
+  # Revert to old branch
+  git checkout "$OLD_BRANCH" 2>/dev/null
+  exit 1
+elif [[ "$CHECKOUT_RESULT" == SUCCESS:* ]]; then
+  # Success
+  log "Successfully checked out branch: $NEW_BRANCH"
+  exit 0
+else
+  # Unexpected result
+  log "Unexpected checkout result: $CHECKOUT_RESULT"
+  exit 0
+fi