just-git 1.5.0 → 1.5.2

package/dist/repo/index.d.ts

@@ -1,5 +1,5 @@
-import { g as GitRepo, Z as RefEntry, e as Commit, a3 as TreeEntry, i as ObjectId, h as Identity, a4 as TreeDiffEntry, d as GitContext, F as FileSystem } from '../hooks-C7c_BLqp.js';
-export { B as BuildCommitOptions, C as CommitAuthor, a as CommitIdentity, b as CommitOptions, c as CommitResult, d as CreateAnnotatedTagOptions, e as CreateCommitOptions, T as TreeEntryInput, f as TreeUpdate, g as buildCommit, h as commit, i as createAnnotatedTag, j as createCommit, u as updateTree, w as writeBlob, k as writeTree } from '../writing-CnM1ufDP.js';
+import { g as GitRepo, Z as RefEntry, e as Commit, a3 as TreeEntry, i as ObjectId, h as Identity, a4 as TreeDiffEntry, d as GitContext, F as FileSystem } from '../hooks-CimfP56a.js';
+export { B as BuildCommitOptions, C as CommitAuthor, a as CommitIdentity, b as CommitOptions, c as CommitResult, d as CreateAnnotatedTagOptions, e as CreateCommitOptions, T as TreeEntryInput, f as TreeUpdate, g as buildCommit, h as commit, i as createAnnotatedTag, j as createCommit, u as updateTree, w as writeBlob, k as writeTree } from '../writing-IwfRRrts.js';
 
 /**
  * Core grep matching logic shared by the `git grep` command and the

package/dist/server/index.d.ts

@@ -1,5 +1,5 @@
-import { i as ObjectId, W as RawObject, X as Ref, g as GitRepo, $ as Rejection, N as NetworkPolicy } from '../hooks-C7c_BLqp.js';
-import { b as CommitOptions, c as CommitResult } from '../writing-CnM1ufDP.js';
+import { i as ObjectId, W as RawObject, X as Ref, g as GitRepo, $ as Rejection, N as NetworkPolicy } from '../hooks-CimfP56a.js';
+import { b as CommitOptions, c as CommitResult } from '../writing-IwfRRrts.js';
 
 /** Shallow boundary delta: what to add/remove from `.git/shallow`. */
 interface ShallowUpdate {
@@ -350,6 +350,47 @@ interface GitServerConfig<A = Auth> {
         /** Delta window size (default 10). Smaller = faster, worse compression ratio. */
         deltaWindow?: number;
     };
+    /**
+     * Safety limits for incoming receive-pack requests.
+     *
+     * These bounds are enforced on buffered HTTP bodies and on pack ingestion
+     * for both HTTP and SSH push paths.
+     */
+    receiveLimits?: {
+        /** Maximum compressed/raw HTTP request body size in bytes. */
+        maxRequestBytes?: number;
+        /**
+         * Maximum decompressed HTTP request body size in bytes.
+         *
+         * Guards against gzip decompression bombs (`Content-Encoding: gzip`).
+         * Only applies to HTTP — SSH has no application-layer compression,
+         * so `maxRequestBytes` alone is sufficient there.
+         */
+        maxInflatedBytes?: number;
+        /** Maximum pack payload size in bytes. */
+        maxPackBytes?: number;
+        /** Maximum number of objects declared by a received pack. */
+        maxPackObjects?: number;
+    };
+    /**
+     * Safety limits for incoming upload-pack (fetch/clone) requests.
+     *
+     * Upload-pack request bodies contain only pkt-line want/have lists,
+     * so they are much smaller than receive-pack bodies. Defaults are
+     * tighter than receiveLimits (10 MB raw, 20 MB inflated).
+     */
+    fetchLimits?: {
+        /** Maximum compressed/raw HTTP request body size in bytes. */
+        maxRequestBytes?: number;
+        /**
+         * Maximum decompressed HTTP request body size in bytes.
+         *
+         * Guards against gzip decompression bombs (`Content-Encoding: gzip`).
+         * Only applies to HTTP — SSH has no application-layer compression,
+         * so `maxRequestBytes` alone is sufficient there.
+         */
+        maxInflatedBytes?: number;
+    };
     /**
      * Called when the server catches an unhandled error.
      *
@@ -903,37 +944,52 @@ interface UploadPackOptions {
     /** Delta window size (default 10). Ignored when noDelta is true. */
     deltaWindow?: number;
 }
+interface AuthorizedFetchSet {
+    allowedRefHashes: Map<string, string>;
+    allowedWantHashes: Set<string>;
+}
+interface ReceivePackLimitOptions {
+    maxPackBytes?: number;
+    maxPackObjects?: number;
+}
 /**
  * Handle a `POST /git-upload-pack` request.
  *
  * Returns `Uint8Array` for buffered responses (cache hits, deltified packs)
  * or `ReadableStream<Uint8Array>` for streaming no-delta responses.
  */
-declare function handleUploadPack(repo: GitRepo, requestBody: Uint8Array, options?: UploadPackOptions): Promise<Uint8Array | ReadableStream<Uint8Array>>;
+declare function handleUploadPack(repo: GitRepo, requestBody: Uint8Array, options?: UploadPackOptions & {
+    authorizedFetchSet?: AuthorizedFetchSet;
+}): Promise<Uint8Array | ReadableStream<Uint8Array> | Rejection>;
 interface ReceivePackResult {
     updates: RefUpdate[];
     unpackOk: boolean;
     capabilities: string[];
     /** Whether the request body contained a valid pkt-line flush packet. */
     sawFlush: boolean;
+    /** Hashes of objects ingested from the pack (for rollback on hook rejection). Only populated when the object store supports deferred ingestion (server-backed stores). Undefined for VFS-backed stores. */
+    ingestedHashes?: string[];
 }
 /**
  * Ingest a receive-pack request: parse commands, ingest the packfile,
  * and compute enriched RefUpdate objects. Does NOT apply ref updates —
  * call `applyReceivePack` to run hooks and apply refs.
+ *
+ * Objects are persisted immediately (needed by `buildRefUpdates` for
+ * ancestry checks). If hooks later reject the push, `applyReceivePack`
+ * rolls back the ingested objects.
  */
-declare function ingestReceivePack(repo: GitRepo, requestBody: Uint8Array): Promise<ReceivePackResult>;
+declare function ingestReceivePack(repo: GitRepo, requestBody: Uint8Array, limits?: ReceivePackLimitOptions): Promise<ReceivePackResult>;
 /**
  * Streaming variant of `ingestReceivePack`. Accepts pre-parsed push
- * commands and a raw pack byte stream. Uses `readPackStreaming` →
- * `ingestPackStream` so pack bytes are consumed incrementally without
- * buffering the entire pack in memory.
+ * commands and a raw pack byte stream. Uses `readPackStreaming` for
+ * incremental consumption.
  *
  * The HTTP handler continues using `ingestReceivePack` (runtime buffers
  * POST bodies anyway). The SSH handler calls this directly after parsing
  * pkt-line commands.
  */
-declare function ingestReceivePackFromStream(repo: GitRepo, commands: PushCommand[], capabilities: string[], packStream: AsyncIterable<Uint8Array>, sawFlush?: boolean): Promise<ReceivePackResult>;
+declare function ingestReceivePackFromStream(repo: GitRepo, commands: PushCommand[], capabilities: string[], packStream: AsyncIterable<Uint8Array>, sawFlush?: boolean, limits?: ReceivePackLimitOptions): Promise<ReceivePackResult>;
 /**
  * Apply ref updates with CAS protection only — no hooks.
  *
@@ -979,7 +1035,9 @@ declare function handleLsRefs<A>(repo: GitRepo, repoId: string, args: string[],
  * enumeration and pack building via the shared pipeline, then
  * builds a v2 section-based response.
  */
-declare function handleV2Fetch(repo: GitRepo, args: string[], options?: UploadPackOptions): Promise<Uint8Array | ReadableStream<Uint8Array>>;
+declare function handleV2Fetch(repo: GitRepo, args: string[], options?: UploadPackOptions & {
+    authorizedFetchSet?: AuthorizedFetchSet;
+}): Promise<Uint8Array | ReadableStream<Uint8Array> | Rejection>;
 
 /**
  * In-memory storage backend with multi-repo support.