PRD 0028: git-gate new-branch push scan scope #107

Merged
didericis-codex merged 3 commits from prd-0028-git-gate-new-branch-scan into main 2026-05-29 02:29:30 -04:00
Collaborator

Closes #106.

Tracking PR for PRD 0028 (docs/prds/0028-git-gate-new-branch-scan-scope.md). Implementation follows on this branch.

Summary

git-gate's pre-receive scans the entire ancestry of a new branch, so the repo's 11 historical test-fixture/demo findings reject every new-branch push (diagnosed live in #106 — presents as a silent hang). Scope the new-ref scan to the commits the push introduces ($new --not --all), with a security argument that this loses no coverage, and harden the forward ssh against hangs.

Why scoping is safe

Commits enter the gate's bare repo only via (1) mirror-fetch from the trusted upstream or (2) a gitleaks-scanned push. So any commit excluded by --not --all is already-upstream or already-scanned — it can't be a new secret reaching the upstream via this push. The only commits that can introduce a new secret are the ones the push adds, which is exactly what $new --not --all scans. (Full argument in the PRD + issue #106 thread.)

Plan

  1. PRD (this commit).
  2. Hook: new-ref range -> $new --not --all; ssh_cmd += BatchMode=yes + ConnectTimeout. Unit tests.
  3. Integration: clean new branch forwards despite fixture history; secret-bearing new branch still rejected.
  4. (Follow-up) client visibility of rejections over git:// + smolmachines.
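As an added example (not git-gate's own hook code), the script below shows the range selection the PR describes: for a new ref it scans `$new --not --all`, and a constructed throwaway repo demonstrates that a historical fixture commit drops out of the scoped range while the incoming commit stays in it. The names `scan_range`, `count_commits` and `demo` are assumed here, not git-gate's.

```bash
#!/bin/sh
# Added example (not git-gate's own hook code): how a pre-receive hook chooses the
# revision range to hand to gitleaks, using the `$new --not --all` scoping from this PR.
set -eu

ZERO=0000000000000000000000000000000000000000
# Hardened forward ssh options from the PR (e.g. `ssh $SSH_OPTS upstream ...`): fail fast.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=10"

# scan_range OLD NEW -> prints the rev-list arguments covering only what this push adds.
scan_range() {
  old=$1; new=$2
  if [ "$new" = "$ZERO" ]; then
    echo ""                   # ref deletion: nothing new to scan
  elif [ "$old" = "$ZERO" ]; then
    echo "$new --not --all"   # new ref: commits reachable from no existing ref in the gate
  else
    echo "$old..$new"         # ref update: commits between the old and new tip
  fi
}

# count_commits RANGE_ARGS -> number of commits the scanner would be fed for that range.
count_commits() {
  [ -n "$1" ] || { echo 0; return; }
  # shellcheck disable=SC2086  # splitting the range args into words is intended
  git rev-list $1 | wc -l | tr -d ' '
}

# Demo (constructed repo): one historical "fixture" commit on the existing branch, plus a
# dangling commit that is in the object store but reachable from no ref, which is how
# pushed objects look while pre-receive runs. Prints the unscoped vs scoped commit counts.
demo() {
  dir=$(mktemp -d); cd "$dir"
  git init -q .
  git -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "historical fixture"
  old=$(git rev-parse HEAD)
  new=$(git -c user.name=demo -c user.email=demo@example.invalid \
    commit-tree "$(git write-tree)" -p "$old" -m "new branch work")
  echo "unscoped: $(count_commits "$new") scoped: $(count_commits "$(scan_range "$ZERO" "$new")")"
}

# Run the demo only where git is available; the range helper itself needs no git.
if command -v git >/dev/null 2>&1; then demo; fi
```

With git present the demo prints `unscoped: 2 scoped: 1`: the unscoped range would feed the fixture commit to the scanner again, the scoped one feeds only the commit the push introduces.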
didericis-claude added 1 commit 2026-05-29 01:53:07 -04:00
docs(prd): PRD 0028 — git-gate new-branch push scan scope
test / unit (pull_request) Successful in 29s
test / integration (pull_request) Successful in 42s
9dc0dfd5ee
git-gate's pre-receive scans the full ancestry of a new branch, so the
repo's historical test-fixture findings block every new-branch push
(issue #106). Scope the new-ref scan to incoming commits
(`$new --not --all`) with no loss of coverage, and harden the forward
ssh against hangs.

Refs #106

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
didericis added 1 commit 2026-05-29 01:59:24 -04:00
fix(git-gate): scope new-branch scan to incoming commits
test / unit (pull_request) Successful in 28s
test / integration (pull_request) Successful in 40s
6c673bece6
A new ref made the pre-receive hook scan the full ancestry
(`log_opts="$new"`), so historical test-fixture findings rejected every
new-branch push (#106). Scope it to `$new --not --all` — only commits
new to the gate, which (since the bare repo is populated solely by
upstream mirror-fetch and gitleaks-gated pushes) loses no coverage on
what a push actually brings to the upstream. Also add BatchMode=yes +
ConnectTimeout=10 to both the forward and access-hook ssh so an
unreachable upstream fails fast instead of hanging.

Refs #106

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
didericis approved these changes 2026-05-29 02:00:42 -04:00
didericis added 1 commit 2026-05-29 02:28:02 -04:00
docs(prd): mark PRD 0028 active
test / unit (pull_request) Successful in 35s
test / integration (pull_request) Successful in 45s
test / unit (push) Successful in 29s
test / integration (push) Successful in 44s
50baf63669
didericis-codex merged commit 50baf63669 into main 2026-05-29 02:29:30 -04:00
didericis deleted branch prd-0028-git-gate-new-branch-scan 2026-05-29 02:29:44 -04:00