fix(git-http): log access-hook denial detail to stdout #161

Merged

didericis merged 1 commits from fix-git-http-log-403-detail into main 2026-06-02 23:41:59 -04:00

Conversation 1 Commits 1 Files Changed 2

+103

didericis-claude commented 2026-06-02 23:13:39 -04:00

Collaborator

Copy Link

Copy Source

Summary

When the access-hook returned non-zero, git-http piped its stderr into the 403 body sent back to the agent's git client but never logged it locally. Operators saw "GET /repo.git/info/refs?... 403 -" in docker logs with no explanation and had to shell into the sidecar to re-run the hook by hand.

This change routes the hook's stderr/stdout through the existing log_message channel before sending the 403:

• One log line per output line so the default request-log format stays readable.
• If the hook exits non-zero with no output, the log line still includes the exit code.
• Wire format / 403 body to the client is unchanged.

Why now

Surfaced today while diagnosing a failed clone from inside a claude-dev bottle. Docker showed only 403 -; the actual cause (ssh: connect to host gitea.dideric.is port 30009: Connection refused from the access-hook's upstream fetch) was only visible after manually invoking /etc/git-gate/access-hook inside the sidecar.

Test plan

• pytest tests/unit/test_git_http_backend.py — 8/8 pass, including two new tests
  • test_access_hook_denial_is_logged_to_stdout — stderr message appears on stdout and in 403 body
  • test_access_hook_denial_without_output_logs_exit_code — empty-output denials still log the exit code
• Full unit suite (excluding pre-existing unrelated test_smolmachines_pty_resize stdin failure): 867 pass

🤖 Generated with Claude Code

## Summary When the access-hook returned non-zero, git-http piped its stderr into the 403 body sent back to the agent's git client but never logged it locally. Operators saw `"GET /repo.git/info/refs?... 403 -"` in `docker logs` with no explanation and had to shell into the sidecar to re-run the hook by hand. This change routes the hook's stderr/stdout through the existing `log_message` channel before sending the 403: - One log line per output line so the default request-log format stays readable. - If the hook exits non-zero with no output, the log line still includes the exit code. - Wire format / 403 body to the client is unchanged. ## Why now Surfaced today while diagnosing a failed clone from inside a claude-dev bottle. Docker showed only `403 -`; the actual cause (`ssh: connect to host gitea.dideric.is port 30009: Connection refused` from the access-hook's upstream fetch) was only visible after manually invoking `/etc/git-gate/access-hook` inside the sidecar. ## Test plan - [x] `pytest tests/unit/test_git_http_backend.py` — 8/8 pass, including two new tests - `test_access_hook_denial_is_logged_to_stdout` — stderr message appears on stdout *and* in 403 body - `test_access_hook_denial_without_output_logs_exit_code` — empty-output denials still log the exit code - [x] Full unit suite (excluding pre-existing unrelated `test_smolmachines_pty_resize` stdin failure): 867 pass 🤖 Generated with [Claude Code](https://claude.com/claude-code)

didericis approved these changes 2026-06-02 23:29:30 -04:00

didericis added 1 commit 2026-06-02 23:29:43 -04:00

fix(git-http): log access-hook denial detail to stdout ... f427d35e72

Previously when the access-hook returned non-zero, git-http would pipe
the hook's stderr into the 403 body sent back to the agent's git
client but never log it locally, so docker logs just showed
`"GET ... 403 -"` with no explanation. Operators had to shell into
the sidecar and re-run the hook by hand to find out why a clone was
being refused (e.g. upstream SSH unreachable, missing credentials).

Route the hook's stderr/stdout through the existing log_message
channel before sending the 403, one log line per output line so the
default request-log format stays readable. When the hook exits
non-zero with no output, log the exit code so the line is still
informative.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

didericis force-pushed fix-git-http-log-403-detail from b5b694acb8 to f427d35e72 2026-06-02 23:29:43 -04:00 Compare

didericis merged commit f427d35e72 into main 2026-06-02 23:41:59 -04:00

didericis deleted branch fix-git-http-log-403-detail 2026-06-02 23:42:00 -04:00

Sign in to join this conversation.

Reviewers

No Reviewers

didericis

Labels

Clear labels

Compat/Breaking

Breaking change that won't be backward compatible

Kind/Bug

Something is not working

Kind/Documentation

Documentation changes

Kind/Enhancement

Improve existing functionality

Kind/Feature

New functionality

Kind/Security

This is security issue

Kind/Testing

Issue or pull request related to testing

Priority

Critical

1

The priority is critical

Priority

High

2

The priority is high

Priority

Low

4

The priority is low

Priority

Medium

3

The priority is medium

Reviewed

Confirmed

1

Issue has been confirmed

Reviewed

Duplicate

2

This issue or pull request already exists

Reviewed

Invalid

3

Invalid issue

Reviewed

Won't Fix

3

This issue won't be fixed

Status

Abandoned

3

Somebody has started to work on this but abandoned work

Status

Blocked

1

Something is blocking this issue or pull request

Status

Need More Info

2

Feedback is required to reproduce issue or to continue work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: didericis/bot-bottle#161